
DOD/OS RIN: 0790-AI60
Publication ID: 2012
Title: Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Activities
Abstract: In accordance with Executive Order 12829, this rule will establish policy, assign responsibilities, and delegate authority for directing the conduct of Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) activities to protect unclassified DoD information that transits or resides on unclassified DIB information systems and networks.
Agency: Department of Defense (DOD)
Priority: Other Significant
RIN Status: Previously published in the Unified Agenda
Agenda Stage of Rulemaking: Final Rule Stage
Major: No
Unfunded Mandates: No
CFR Citation: Not Yet Determined
Legal Authority: EO 12829
Legal Deadline: None

Statement of Need: Adversaries target Defense Industrial Base (DIB) unclassified networks daily. Unauthorized access to, and compromise of, DoD unclassified information pose an unacceptable risk and an imminent threat to U.S. national and economic security. DoD's voluntary DIB Cyber Security and Information Assurance (CS/IA) program enhances and supplements DIB participants' capabilities to safeguard DoD information on DIB unclassified information systems.

Summary of the Legal Basis: Government and private sector information assurance, which includes cyber threat information sharing, is an urgent U.S. national and economic security priority. The following authorities and policy guidance identify government-industry partnerships as necessary to contend with advanced cyber threats and support the collection of cyber incident information from the DIB.

DoD Information Assurance (IA): DoD is required by statute to establish programs and activities to protect DoD information and DoD information systems, including information and information systems operated and maintained by contractors or others in support of DoD activities. Section 2224 of title 10, U.S. Code (U.S.C.), requires DoD to establish a Defense IA Program to protect and defend DoD information, information systems, and information networks that are critical to the Department during day-to-day operations and operations in times of crisis (10 U.S.C. section 2224(a)). The program must provide continuously for the availability, integrity, authentication, confidentiality, non-repudiation, and rapid restitution of information and information systems that are essential elements of the Defense information infrastructure (10 U.S.C. section 2224(b)). The program strategy also must include vulnerability and threat assessments for defense and supporting non-defense information infrastructures, joint activities with elements of the national information infrastructure, and coordination with representatives of those national critical infrastructure systems that are essential to DoD operations (10 U.S.C. section 2224(c)). The program must provide for coordination, as appropriate, with the heads of any relevant federal agency and with representatives of those national critical information infrastructure systems that are essential to the operations of the Department regarding information assurance measures necessary to the protection of these systems (10 U.S.C. section 2224(d)).

Federal Information Security: The Defense IA Program also must ensure compliance with the Federal information security requirements of the Federal Information Security Management Act (FISMA), 44 U.S.C. section 3541 et seq. FISMA requires all federal agencies to provide information security protections for information collected or maintained by, or on behalf of, the agency. Information systems used or operated by an agency, or by a contractor of an agency or other organization on behalf of an agency, must be in accordance with 44 U.S.C. section 3544(a)(1)(A). Agencies are expressly required to develop, document, and implement programs to provide information security for information and information systems that support the operations and assets of the agency, including those provided by another agency, contractor, or other source, in accordance with 44 U.S.C. section 3544(b).

Critical Infrastructure Protection (CIP): Under Homeland Security Presidential Directive 7 (HSPD-7), "Critical Infrastructure Identification, Prioritization, and Protection," the Department of Defense is the Sector Specific Agency (SSA) for the Defense Industrial Base (DIB) sector (HSPD-7, (18)(g)), and thus engages with the DIB on a wide range of CIP matters, including but not limited to cyber security. HSPD-7 charges the SSAs to: collaborate with all relevant Federal departments and agencies, State and local governments, and the private sector, including with key persons and entities in their infrastructure sector; conduct or facilitate vulnerability assessments of the sector; and encourage risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources (HSPD-7, (19)). The Department of Homeland Security (DHS) leads the national effort to protect public and private critical infrastructure (HSPD-7, (7)). This includes coordinating implementation activities between federal agencies, state and local authorities, and the private sector. Regarding cyber security, these efforts are to include analysis, warning, information sharing, vulnerability reduction, mitigation, and aiding national recovery efforts for critical infrastructure information systems (HSPD-7, (12)). More specifically, regarding coordination with the private sector, HSPD-7 provides that DHS and the SSAs "will collaborate with appropriate private sector entities and continue to encourage the development of information sharing and analysis mechanisms [to] identify, prioritize, and coordinate the protection of critical infrastructure and key resources; and to facilitate sharing of information about physical and cyber threats, vulnerabilities, incidents, potential protective measures, and best practices." (HSPD-7, (25)).

Alternatives: Private sector DIB company participation in the DIB CS/IA program is completely voluntary, allowing DIB companies to elect whether to participate in the program or to choose from any other available alternatives, based on their individual approaches to cyber security and information security. The DIB CS/IA bilateral information sharing activities are a core element of DoD's multi-pronged approach to fulfilling its information assurance and cyber security responsibilities. The program enhances and supplements DIB participants' capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.

Anticipated Costs and Benefits: Participation in the DIB CS/IA program is voluntary and does not obligate the DIB participant to use government furnished information (GFI) in, or otherwise to implement any changes to, its information systems. Any action taken by the DIB participant based on GFI or other participation in this program is taken on the DIB participant's own volition and at the participant's own risk and expense. As a voluntary program in which the DIB participants and the Government each bear independent responsibility for their own activities, the costs to both the private sector and to the government are minimized. This voluntary participation will not create an inconsistency or otherwise interfere with any action taken or planned by another Agency. We do not believe that it raises novel legal policy issues arising out of legal mandates, the President's priorities, or principles set forth in Executive Orders. All DIB participants must have or obtain DoD-approved medium assurance certificates to enable encrypted unclassified information sharing between DoD and DIB participants. The cost of the DoD-approved medium assurance certificates is approximately $175 for each individual identified by the DIB participant. See http://iase.disa.mil/pki/eca/ for more information about DoD-approved certificates. For classified information sharing, each DIB participant will have start-up costs of approximately $3,000 per DIBNet-Secret terminal installed in their cleared facility(ies). An estimate of $1,000 per year is projected as sustainment costs for each classified DIBNet-Secret terminal, including associated personnel costs for maintaining software updates for each stand-alone terminal. There is an estimated annual burden for DIB participants projected at $1,367 for incident reporting. This is based on a DIB participant reporting an average of 5 cyber incidents a year affecting DoD information, with 7 hours of labor per incident, at a cost of $39.06 per man-hour. These man-hour costs are according to the Bureau of Labor Statistics, Occupational Employment and Wages, May 2010; depending upon the number of cyber incidents experienced and their severity, the annual burden could increase. These costs provide beneficial capabilities to enhance and supplement DIB participants' capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.

Risks: Cyber threats to DIB unclassified information systems represent an unacceptable risk of compromise of DoD information and pose an imminent threat to U.S. national security and economic security interests. DoD's voluntary DIB CS/IA program enhances and supplements DIB participants' capabilities to safeguard DIB information that resides on, or transits, DIB unclassified information systems.

Timetable:
Action                                  Date        FR Cite
Interim Final Rule                      05/11/2012  77 FR 27615
Interim Final Rule Comment Period End   06/10/2012
Final Action                            02/00/2013

Additional Information: DoD Instruction 5205.ff
Regulatory Flexibility Analysis Required: No
Government Levels Affected: None
Small Entities Affected: No
Federalism: No
Included in the Regulatory Plan: Yes
RIN Data Printed in the FR: No
Agency Contact:
Brian Fredericks
Department of Defense
Office of the Secretary
1155 Defense Pentagon,
Washington, DC 20301
Phone: 703 604-5522
Email: brian.fredericks2@osd.mil