View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

DOD/OS RIN: 0790-AJ29 Publication ID: Fall 2016 
Title: Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities 

The final rule responded to public comments to the interim final rule published on October 2, 2015. The rule implemented statutory requirements for DoD contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor's ability to provide operationally critical support.

The mandatory reporting applies to all forms of agreements between DoD and DIB companies (contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement). The revisions are part of DoD's effects to establish a single reporting mechanism for such cyber incidents on unclassified DoD contractor networks or information systems. Reporting under this rule does not abrogate the contractor's responsibility for any other applicable cyber incident reporting requirement. Cyber incident reporting involving classified information on classified contractor systems will be in accordance with the National Industrial Security Program Operating Manual (DoD-M 5220.22 (

The rule also addressed the voluntary DIB CS information sharing program that is outside the scope of the mandatory reporting requirements. By modifying the eligibility critiera for the DIB CS program, the rule enabled greater participation in the voluntary program. Expanding participation in the DIB CS program is part of DoD's comprehensive approach to counter cyber threats through information sharing between the Government and DIB participants.

Agency: Department of Defense(DOD)  Priority: Other Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Final Rule Stage 
Major: No  Unfunded Mandates: No 
CFR Citation: 32 CFR 236   
Legal Authority: 10 U.S.C. 391    10 U.S.C. 393    10 U.S.C. 2224    44 U.S.C. 3506    44 U.S.C. 3544    50 U.S.C. 3330   
Legal Deadline:  None
Action Date FR Cite
Interim Final Rule  10/02/2015  80 FR 59581   
Interim Final Rule Effective  10/02/2015 
Interim Final Rule Comment Period End  12/01/2015 
Final Action  10/04/2016  81 FR 68312   
Final Action Effective  11/03/2016 
Regulatory Flexibility Analysis Required: No  Government Levels Affected: None 
Small Entities Affected: No  Federalism: No 
Included in the Regulatory Plan: No 
RIN Data Printed in the FR: No 
Agency Contact:
Vicki D. Michetti
Director Policy and Partnerships, DoD CIO
Department of Defense
Office of the Secretary
6000 Defense Pentagon, Room 3D1048,
Washington, DC 20301-6000
Phone:703 695-0906