View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

DOD/OS RIN: 0790-AK86 Publication ID: Fall 2021 
Title: Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities  

The DIB CS Program is currently only permitted to provide cyber threat information to cleared defense contractors, per the Program eligibility requirements within 32 CFR part 236. However, this proposed revision to the Federal rule would allow all defense contractors who process, store, develop, or transit DoD CUI to be eligible to participate and begin receiving critical cyber threat information. Expanding participation in the DIB CS Program is part of DoD’s comprehensive approach to collaborate with the DIB to counter cyber threats through information sharing between the Government and DIB participants. The expanded eligibility criteria will allow a broader community of defense contractors to participate in the DIB CS Program, in alignment with the National Defense Strategy.

Agency: Department of Defense(DOD)  Priority: Other Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Proposed Rule Stage 
Major: No  Unfunded Mandates: No 
CFR Citation: 32 CFR 236   
Legal Authority: 10 U.S.C. 391    10 U.S.C. 2224    44 U.S.C. 3541    10 U.S.C. 393   
Legal Deadline:  None

Statement of Need:

Unauthorized access and compromise of DoD unclassified information and operations poses an imminent threat to U.S. national security and economic security interests. Defense contractors with this information are being targeted on a daily basis. Many of these contractors are small and medium size contractors that can benefit from partnering with DoD to enhance and supplement their cybersecurity capabilities.

Summary of the Legal Basis:

This revised regulation supports the Administration’s effort to promote public-private cyber collaboration by expanding eligibility for the DIB CS voluntary cyber threat information sharing program to all defense contractors. This regulation aligns with DoD’s statutory responsibilities for cybersecurity engagement with those contractors supporting the Department.


(1) No action alternative: Maintain status quo with the ongoing voluntary cybersecurity program for cleared contractors. (2) Next best alternative: DoD posts generic cyber threat information and cybersecurity best practices on a public accessible website without directly engaging participating companies.


Anticipated Costs and Benefits:

Participation in the voluntary DIB CS Program enables DoD contractors to access Government Furnished Information and collaborate with the DoD Cyber Crime Center (DC3) to better respond to and mitigate the cyber threat. To participate in the DIB CS Program, DoD contractors must have or obtain a DoD-approved, medium assurance certificate to enable access to a secure DoD unclassified web portal. Cost of the DoD-approved medium assurance certificate is approximately $175 for each individual identified by the DoD contractor. See for more information about DoD-approved certificates.

Contractors are encouraged to voluntarily report information to promote sharing of cyber threat indicators that they believe are valuable in alerting the Government and others, as appropriate, in order to better counter cyber threat actor activity. This cyber information may be of interest to the DIB and DoD for situational awareness and does not include mandatory cyber incident reporting included under DFARS 252.204-7012.

The costs are under review.


Cyber threats to DIB unclassified information systems represent an unacceptable risk of compromise of DoD information and mission and pose an imminent threat to U.S. national security and economic security interests. This threat is particularly acute for those small and medium size companies with less mature cybersecurity capabilities. The combination of mandatory cyber activities under DFARS 252.204-7012, combined with the voluntary participation in the DIB CS Program, will enhance and supplement DoD contractors capabilities to safeguard DoD information that resides on, or transits, DoD contractors unclassified network or information systems. Through collaboration with DoD and the sharing with other contractors in the DIB CS Program, defense contractors will be better prepared to mitigate the cyber risk they face today and in the future.

Action Date FR Cite
NPRM  06/00/2022 
Regulatory Flexibility Analysis Required: No  Government Levels Affected: Federal 
Small Entities Affected: No  Federalism: No 
Included in the Regulatory Plan: Yes 
RIN Data Printed in the FR: No 
Agency Contact:
Kevin Dulany
Director, Cybersecurity Policy and Partnerships CIO
Department of Defense
Office of the Secretary
4800 Mark Center,
Alexandria, VA 22311
Phone:571 372-4699