
DOD/OS RIN: 0790-AJ29
Publication ID: Fall 2015
Title: Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities
Abstract:

DoD is revising its DoD-DIB Cybersecurity (CS) Activities regulation to mandate reporting of cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support, and modify eligibility criteria to permit greater participation in the voluntary DoD-Defense Industrial Base (DIB) Cybersecurity (CS) information sharing program.

Agency: Department of Defense (DOD)
Priority: Other Significant
RIN Status: Previously published in the Unified Agenda
Agenda Stage of Rulemaking: Final Rule Stage
Major: No
Unfunded Mandates: No
EO 13771 Designation: uncollected
CFR Citation: 32 CFR 236
Legal Authority: 10 U.S.C. 391; 10 U.S.C. 2224; 44 U.S.C. 3506; 44 U.S.C. 3544; and sec. 941, Pub. L. 112-239, 126 Stat. 1632
Legal Deadline: None

Statement of Need:

This rule complies with statutory guidance under section 941 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013, and section 391 of Title 10, United States Code (U.S.C.), requiring defense contractors to rapidly report cyber incidents on their unclassified networks or information systems that may affect unclassified defense information, or that affect their ability to provide operationally critical support to the Department. This rule underscores the importance of better protecting unclassified defense information against the immediate cyber threat, while preserving the intellectual property and competitive capabilities of our national defense industrial base. The rule enables DoD to better assess, in the near term, when mission critical capabilities and services are affected by cyber incidents and reinforces DoD’s overall efforts to defend DoD information, protect U.S. national interests against cyber-attacks, and support military operations and contingency plans worldwide. Cybersecurity is a Congressional priority and this rule supports the Administration’s national cybersecurity strategy emphasizing public-private information sharing.

Summary of the Legal Basis:

The activities in this rule implement DoD statutory authorities to establish programs and activities to protect sensitive DoD information, including when such information resides on or transits information systems operated by contractors or others in support of DoD activities (e.g., 10 U.S.C. sections 391 and 2224, the Federal Information Security Modernization Act (FISMA), codified at 44 U.S.C. sections 3551 et seq., section 941 of the NDAA for FY 2013 (Pub. L. 112-239)). Activities under this rule also fulfill important elements of DoD’s critical infrastructure protection responsibilities, as the sector specific agency for the DIB sector (see Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience, available at https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil).

Alternatives:

None. This is a revision to an existing regulation (32 CFR part 236).

Anticipated Costs and Benefits:

Under this rule, contractors will incur costs associated with requirements for reporting cyber incidents of covered defense information on their covered contractor information system(s) or those affecting the contractor’s ability to provide operationally critical support. Costs for contractors include identifying and analyzing cyber incidents and their impact on covered defense information, or a contractor’s ability to provide operationally critical support, as well as obtaining DoD-approved medium assurance certificates to ensure authentication and identification when reporting cyber incidents to DoD. Government costs include onboarding new companies under the voluntary DoD-DIB CS information sharing program, and collecting and analyzing cyber incident reports, malicious software, and media.

Risks:

Cyber threats to DIB unclassified information systems represent an unacceptable risk of compromise of DoD information and mission and pose an imminent threat to U.S. national security and economic security interests. Mandatory DoD contractor cyber incident reporting, combined with voluntary participation in the DIB CS program, will enhance and supplement DoD contractor capabilities to safeguard DoD information that resides on, or transits, DoD contractor unclassified networks or information systems.

Timetable:

Action                                 Date         FR Cite
Interim Final Rule                     10/02/2015   80 FR 59581
Interim Final Rule Effective           10/02/2015
Interim Final Rule Comment Period End  12/01/2015
Final Action                           08/00/2016

Regulatory Flexibility Analysis Required: No
Government Levels Affected: None
Small Entities Affected: No
Federalism: No
Included in the Regulatory Plan: Yes
RIN Data Printed in the FR: No
Agency Contact:
Vicki D. Michetti
Director Policy and Partnerships, DoD CIO
Department of Defense
Office of the Secretary
6000 Defense Pentagon, Room 3D1048
Washington, DC 20301-6000
Phone: 703-695-0906
Email: vicki.d.michetti.civ@mail.mil