
DOD/OS RIN: 0790-AK86 Publication ID: Fall 2021 
Title: Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities  
Abstract:

The DIB CS Program is currently only permitted to provide cyber threat information to cleared defense contractors, per the Program eligibility requirements within 32 CFR part 236. However, this proposed revision to the Federal rule would allow all defense contractors who process, store, develop, or transit DoD CUI to be eligible to participate and begin receiving critical cyber threat information. Expanding participation in the DIB CS Program is part of DoD’s comprehensive approach to collaborate with the DIB to counter cyber threats through information sharing between the Government and DIB participants. The expanded eligibility criteria will allow a broader community of defense contractors to participate in the DIB CS Program, in alignment with the National Defense Strategy.

 
Agency: Department of Defense (DOD)  Priority: Other Significant
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Proposed Rule Stage 
Major: No  Unfunded Mandates: No 
CFR Citation: 32 CFR 236   
Legal Authority: 10 U.S.C. 391    10 U.S.C. 2224    44 U.S.C. 3541    10 U.S.C. 393   
Legal Deadline:  None

Statement of Need:

Unauthorized access and compromise of DoD unclassified information and operations pose an imminent threat to U.S. national security and economic security interests. Defense contractors with this information are being targeted on a daily basis. Many of these contractors are small and medium-size contractors that can benefit from partnering with DoD to enhance and supplement their cybersecurity capabilities.

Summary of the Legal Basis:

This revised regulation supports the Administration’s effort to promote public-private cyber collaboration by expanding eligibility for the DIB CS voluntary cyber threat information sharing program to all defense contractors. This regulation aligns with DoD’s statutory responsibilities for cybersecurity engagement with those contractors supporting the Department.

Alternatives:

(1) No action alternative: Maintain status quo with the ongoing voluntary cybersecurity program for cleared contractors. (2) Next best alternative: DoD posts generic cyber threat information and cybersecurity best practices on a publicly accessible website without directly engaging participating companies.

 

Anticipated Costs and Benefits:

Participation in the voluntary DIB CS Program enables DoD contractors to access Government Furnished Information and collaborate with the DoD Cyber Crime Center (DC3) to better respond to and mitigate the cyber threat. To participate in the DIB CS Program, DoD contractors must have or obtain a DoD-approved, medium assurance certificate to enable access to a secure DoD unclassified web portal. The cost of the DoD-approved medium assurance certificate is approximately $175 for each individual identified by the DoD contractor. See https://public.cyber.mil/eca/ for more information about DoD-approved certificates.

Contractors are encouraged to voluntarily report information to promote sharing of cyber threat indicators that they believe are valuable in alerting the Government and others, as appropriate, in order to better counter cyber threat actor activity. This cyber information may be of interest to the DIB and DoD for situational awareness and does not include mandatory cyber incident reporting included under DFARS 252.204-7012.

The costs are under review.

Risks:

Cyber threats to DIB unclassified information systems represent an unacceptable risk of compromise of DoD information and mission and pose an imminent threat to U.S. national security and economic security interests. This threat is particularly acute for those small and medium-size companies with less mature cybersecurity capabilities. The mandatory cyber activities under DFARS 252.204-7012, combined with voluntary participation in the DIB CS Program, will enhance and supplement DoD contractors' capabilities to safeguard DoD information that resides on, or transits, DoD contractors' unclassified network or information systems. Through collaboration with DoD and sharing with other contractors in the DIB CS Program, defense contractors will be better prepared to mitigate the cyber risk they face today and in the future.

Timetable:
Action Date FR Cite
NPRM  06/00/2022 
Regulatory Flexibility Analysis Required: No  Government Levels Affected: Federal 
Small Entities Affected: No  Federalism: No 
Included in the Regulatory Plan: Yes 
RIN Data Printed in the FR: No 
Agency Contact:
Kevin Dulany
Director, Cybersecurity Policy and Partnerships CIO
Department of Defense
Office of the Secretary
4800 Mark Center,
Alexandria, VA 22311
Phone: 571 372-4699
Email: kevin.m.dulany.civ@mail.mil