DOD/OS
RIN: 0790-AJ29
Publication ID: Fall 2015
Title: Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities
Abstract:
DoD is revising its DoD-DIB Cybersecurity (CS) Activities regulation to mandate reporting of cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support, and to modify eligibility criteria to permit greater participation in the voluntary DoD-Defense Industrial Base (DIB) Cybersecurity (CS) information sharing program.

Agency: Department of Defense (DOD)
Priority: Other Significant
RIN Status: Previously published in the Unified Agenda
Agenda Stage of Rulemaking: Final Rule Stage
Major: No
Unfunded Mandates: No
CFR Citation: 32 CFR 236
Legal Authority: 10 U.S.C. 391; 10 U.S.C. 2224; 44 U.S.C. 3506; 44 U.S.C. 3544; sec. 941, Pub. L. 112-239, 126 Stat. 1632
Legal Deadline: None
Statement of Need: This rule complies with statutory guidance under section 941 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013, and section 391 of Title 10, United States Code (U.S.C.), requiring defense contractors to rapidly report cyber incidents on their unclassified networks or information systems that may affect unclassified defense information, or that affect their ability to provide operationally critical support to the Department. This rule underscores the importance of better protecting unclassified defense information against the immediate cyber threat, while preserving the intellectual property and competitive capabilities of our national defense industrial base. The rule enables DoD to better assess, in the near term, when mission critical capabilities and services are affected by cyber incidents and reinforces DoD’s overall efforts to defend DoD information, protect U.S. national interests against cyber-attacks, and support military operations and contingency plans worldwide. Cybersecurity is a Congressional priority and this rule supports the Administration’s national cybersecurity strategy emphasizing public-private information sharing.
Summary of the Legal Basis: The activities in this rule implement DoD statutory authorities to establish programs and activities to protect sensitive DoD information, including when such information resides on or transits information systems operated by contractors or others in support of DoD activities (e.g., 10 U.S.C. sections 391 and 2224; the Federal Information Security Modernization Act (FISMA), codified at 44 U.S.C. sections 3551 et seq.; section 941 of the NDAA for FY 2013 (Pub. L. 112-239)). Activities under this rule also fulfill important elements of DoD’s critical infrastructure protection responsibilities, as the sector specific agency for the DIB sector (see Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience, available at https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil).
Alternatives: None. This is a revision to an existing regulation (32 CFR part 236).
Anticipated Costs and Benefits: Under this rule, contractors will incur costs associated with requirements for reporting cyber incidents affecting covered defense information on their covered contractor information system(s), or affecting the contractor’s ability to provide operationally critical support. Costs for contractors include identifying and analyzing cyber incidents and their impact on covered defense information, or on a contractor’s ability to provide operationally critical support, as well as obtaining DoD-approved medium assurance certificates to ensure authentication and identification when reporting cyber incidents to DoD. Government costs include onboarding new companies under the voluntary DoD-DIB CS information sharing program, and collecting and analyzing cyber incident reports, malicious software, and media.
Risks: Cyber threats to DIB unclassified information systems represent an unacceptable risk of compromise of DoD information and mission and pose an imminent threat to U.S. national security and economic security interests. The combination of mandatory DoD contractor cyber incident reporting and voluntary participation in the DIB CS program will enhance and supplement DoD contractor capabilities to safeguard DoD information that resides on, or transits, DoD contractor unclassified networks or information systems.
Timetable:
Regulatory Flexibility Analysis Required: No
Government Levels Affected: None
Small Entities Affected: No
Federalism: No
Included in the Regulatory Plan: Yes
RIN Data Printed in the FR: No
Agency Contact: Vicki D. Michetti, Director, Policy and Partnerships, DoD CIO, Department of Defense, Office of the Secretary, 6000 Defense Pentagon, Room 3D1048, Washington, DC 20301-6000. Phone: 703 695-0906. Email: vicki.d.michetti.civ@mail.mil