
DOD/OS RIN: 0790-AK86 Publication ID: Fall 2019 
Title: Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities
Abstract:

The rule will modify eligibility in voluntary DoD-DIB cyber threat information sharing activities to include participation by more defense contractors. Through this updated rule, all defense contractors with DFARS clause 252.204-7012 in a contract could participate in DIB CS activities. This voluntary DIB CS information-sharing program enhances and supplements DIB participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems. This rule supports a recommendation of the DoD Regulatory Reform Task Force.

 
Agency: Department of Defense (DOD)  Priority: Other Significant
RIN Status: First time published in the Unified Agenda Agenda Stage of Rulemaking: Final Rule Stage 
Major: No  Unfunded Mandates: No 
EO 13771 Designation: Other 
CFR Citation: 32 CFR 236   
Legal Authority: 10 U.S.C. 391    10 U.S.C. 2224    44 U.S.C. 3541   
Legal Deadline:  None

Statement of Need:

Unauthorized access and compromise of DoD unclassified information and operations pose an imminent threat to U.S. national security and economic security interests. Defense contractors are being targeted on a daily basis. Many of these contractors are small and medium-sized contractors that can benefit from partnering with DoD to enhance and supplement their cybersecurity capabilities.

Summary of the Legal Basis:

This revised regulation supports the Administration’s effort to promote public-private cyber collaboration by expanding eligibility for the DIB CS voluntary cyber threat information sharing program to all defense contractors. This regulation aligns with DoD’s statutory responsibilities for cybersecurity engagement with those contractors supporting the Department.

Alternatives:

(1) No action alternative: Maintain status quo with the ongoing voluntary cybersecurity program for cleared contractors. (2) Next best alternative: DoD posts generic cyber threat information and cybersecurity best practices on a publicly accessible website without directly engaging participating companies.

 

Anticipated Costs and Benefits:

Participation in the voluntary DIB CS Program enables DoD contractors to access GFI and collaborate with DC3 to better respond to and mitigate the cyber threat. The voluntary DIB CS Program is open to all defense contractors. DoD contractors must have or obtain a DoD-approved, medium assurance certificate to enable access to a secure DoD unclassified web portal. Cost of the DoD-approved medium assurance certificate is approximately $175 for each individual identified by the DoD contractor. See https://public.cyber.mil/eca/ for more information about DoD-approved certificates.

Contractors are encouraged to report information to promote sharing of cyber threat indicators that they believe are valuable in alerting the Government and others, as appropriate, in order to better counter cyber threat actor activity. This cyber information may be of interest to the DIB and DoD for situational awareness and does not include mandatory cyber incident reporting included under DFARS 252.204-7012. There is an estimated annual burden projected at $450 for defense contractors voluntarily sharing cyber information. This is based on a defense contractor responding with an average of five cyber events a year with two hours of labor per voluntary submission, at a cost of $45.01 per man hour. These man-hour costs are according to the Bureau of Labor Statistics for Computer Systems Analysts, Occupational Employment and Wages, May 2018.

In addition, there is an estimated annual burden for each company participating in the DIB CS Program at $15.00 for providing Point of Contact (POC) information. This is based on a company submitting an average of one submission a year, with 20 minutes of labor per submission, at a cost of $45.01 per man hour. These man-hour costs are according to the Bureau of Labor Statistics, Occupational Employment and Wages, May 2018.

Risks:

Cyber threats to DIB unclassified information systems represent an unacceptable risk of compromise of DoD information and mission and pose an imminent threat to U.S. national security and economic security interests. This threat is particularly acute for those small and medium-sized companies with less mature cybersecurity capabilities. The mandatory cyber activities under DFARS 252.204-7012, combined with voluntary participation in the DIB CS Program, will enhance and supplement DoD contractors' capabilities to safeguard DoD information that resides on, or transits, DoD contractors' unclassified network or information systems. Through collaboration with DoD and the sharing with other contractors in the DIB CS Program, defense contractors will be better prepared to mitigate the cyber risk they face today and in the future.

Timetable:
Action              Date        FR Cite
Interim Final Rule  06/00/2020
Regulatory Flexibility Analysis Required: No  Government Levels Affected: Federal 
Small Entities Affected: No  Federalism: No 
Included in the Regulatory Plan: Yes 
RIN Data Printed in the FR: No 
Agency Contact:
Vicki D. Michetti
Director Policy and Partnerships, DoD CIO
Department of Defense
Office of the Secretary
6000 Defense Pentagon, Room 3D1048,
Washington, DC 20301-6000
Phone: 703 695-0906
Email: vicki.d.michetti.civ@mail.mil