View Rule

The DIB CS Program currently provides cyber threat information to cleared defense contractors. Proposed revisions would allow all defense contractors who process, store, develop, or transit DoD controlled unclassified information to be eligible for the program and to  receive cyber threat information. Expanding participation will allow a broader community of defense contractors to participate in the DIB CS Program and is  in alignment with the National Defense Strategy.

Statement of Need:

The unauthorized access and compromise of DoD unclassified information and operations poses an imminent threat to U.S. national security and economic security interests and contractors  are being targeted on a daily basis. Many of these contractors are small and medium size contractors that can benefit from partnering with DoD to enhance and supplement their cybersecurity capabilities.

Summary of the Legal Basis:

This revised regulation supports the Administration’s effort to promote public-private cyber collaboration by expanding eligibility for the DIB CS voluntary cyber threat information sharing program to all defense contractors. This regulation aligns with DoD’s statutory responsibilities for cybersecurity engagement with those contractors supporting the Department.

Alternatives:

(1) No action alternative: Maintain status quo with the ongoing voluntary cybersecurity program for cleared contractors. (2) Next best alternative: DoD posts generic cyber threat information and cybersecurity best practices on a public accessible website without directly engaging participating companies.

Anticipated Costs and Benefits:

Participation in the voluntary DIB CS Program enables DoD contractors to access Government Furnished Information and collaborate with the DoD Cyber Crime Center (DC3) to better respond to and mitigate cyber threats. In order to join the DIB CS Program, there is an initial labor burden to apply to the program and provide point of contact information which is estimated to take 20 minutes per company. In addition, there is a cost for defense contractors to voluntarily share cyber indicator information. DoD estimates that each response will take a respondent two hours to complete. The costs are under review as part of 0704-0489 and 0704-0490. For DIB participants, this program provides cyber threat information and technical assistance through analyst-to-analyst exchanges, mitigation and remediation strategies, and cybersecurity best practices in a collaborative environment for participating companies.

Risks:

Threats to unclassified information systems represent a risk of compromise of DoD information and mission. This threat is particularly acute for  small and medium size companies with less mature cybersecurity capabilities. Through collaboration with DoD and the sharing with other contractors in the DIB CS Program, defense contractors will be better prepared to mitigate the cyber risk they face today and in the future.