
DOD/OS RIN: 0790-AK86 Publication ID: Fall 2020 
Title: Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities  
Abstract:

The rule will modify eligibility criteria in voluntary DoD-DIB cyber threat information sharing activities to include participation by more defense contractors. Through this updated rule, all defense contractors with DFARS clause 252.204-7012 in a contract would be eligible to participate in DIB CS activities. This voluntary DIB CS information-sharing program enhances and supplements DIB participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems. This rule supports a recommendation of the DoD Regulatory Reform Task Force.

 
Agency: Department of Defense (DOD)
Priority: Other Significant
RIN Status: Previously published in the Unified Agenda
Agenda Stage of Rulemaking: Final Rule Stage
Major: No
Unfunded Mandates: No
EO 13771 Designation: Other
CFR Citation: 32 CFR 236
Legal Authority: 10 U.S.C. 391; 10 U.S.C. 2224; 44 U.S.C. 3541; 10 U.S.C. 393
Legal Deadline: None

Statement of Need:

Unauthorized access to and compromise of DoD unclassified information and operations pose an imminent threat to U.S. national security and economic security interests. Defense contractors with this information are being targeted on a daily basis. Many of these contractors are small and medium-sized contractors that can benefit from partnering with DoD to enhance and supplement their cybersecurity capabilities.

Summary of the Legal Basis:

This revised regulation supports the Administration’s effort to promote public-private cyber collaboration by expanding eligibility for the DIB CS voluntary cyber threat information sharing program to all defense contractors. This regulation aligns with DoD’s statutory responsibilities for cybersecurity engagement with those contractors supporting the Department.

Alternatives:

(1) No action alternative: Maintain status quo with the ongoing voluntary cybersecurity program for cleared contractors. (2) Next best alternative: DoD posts generic cyber threat information and cybersecurity best practices on a publicly accessible website without directly engaging participating companies.

 

Anticipated Costs and Benefits:

Participation in the voluntary DIB CS Program enables DoD contractors to access Government Furnished Information and collaborate with the DoD Cyber Crime Center (DC3) to better respond to and mitigate the cyber threat. To participate in the DIB CS Program, DoD contractors must have or obtain a DoD-approved, medium assurance certificate to enable access to a secure DoD unclassified web portal. The cost of the DoD-approved medium assurance certificate is approximately $175 for each individual identified by the DoD contractor. See https://public.cyber.mil/eca/ for more information about DoD-approved certificates.

Contractors are encouraged to voluntarily report information to promote sharing of cyber threat indicators that they believe are valuable in alerting the Government and others, as appropriate, in order to better counter cyber threat actor activity. This cyber information may be of interest to the DIB and DoD for situational awareness and does not include the mandatory cyber incident reporting required under DFARS 252.204-7012.

The costs are under review.

Risks:

Cyber threats to DIB unclassified information systems represent an unacceptable risk of compromise of DoD information and mission and pose an imminent threat to U.S. national security and economic security interests. This threat is particularly acute for small and medium-sized companies with less mature cybersecurity capabilities. The combination of mandatory cyber activities under DFARS 252.204-7012 and voluntary participation in the DIB CS Program will enhance and supplement DoD contractors' capabilities to safeguard DoD information that resides on, or transits, DoD contractors' unclassified networks or information systems. Through collaboration with DoD and sharing with other contractors in the DIB CS Program, defense contractors will be better prepared to mitigate the cyber risk they face today and in the future.

Timetable:
Action               Date          FR Cite
Interim Final Rule   11/00/2020

Regulatory Flexibility Analysis Required: No
Government Levels Affected: Federal
Small Entities Affected: No
Federalism: No
Included in the Regulatory Plan: Yes
RIN Data Printed in the FR: No
Agency Contact:
Kevin Dulany
Director, Cybersecurity Policy and Partnerships CIO
Department of Defense
Office of the Secretary
4800 Mark Center,
Alexandria, VA 22311
Phone: 571 372-4699
Email: kevin.m.dulany.civ@mail.mil