View Rule


DOD/OS RIN: 0790-AK86
Publication ID: Fall 2022
Title: Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities  
Abstract:

The DIB CS Program currently provides cyber threat information to cleared defense contractors. Proposed revisions would allow all defense contractors who process, store, develop, or transit DoD controlled unclassified information to be eligible for the program and to receive cyber threat information. Expanding participation will allow a broader community of defense contractors to participate in the DIB CS Program and is in alignment with the National Defense Strategy.

 
Agency: Department of Defense (DOD)
Priority: Other Significant
RIN Status: Previously published in the Unified Agenda
Agenda Stage of Rulemaking: Proposed Rule Stage
Major: No
Unfunded Mandates: No
CFR Citation: 32 CFR 236
Legal Authority: 10 U.S.C. 391; 10 U.S.C. 2224; 44 U.S.C. 3541; 10 U.S.C. 393
Legal Deadline: None

Statement of Need:

The unauthorized access and compromise of DoD unclassified information and operations pose an imminent threat to U.S. national security and economic security interests, and contractors are being targeted on a daily basis. Many of these contractors are small and medium-sized contractors that can benefit from partnering with DoD to enhance and supplement their cybersecurity capabilities.

Summary of the Legal Basis:

This revised regulation supports the Administration’s effort to promote public-private cyber collaboration by expanding eligibility for the DIB CS voluntary cyber threat information sharing program to all defense contractors. This regulation aligns with DoD’s statutory responsibilities for cybersecurity engagement with those contractors supporting the Department.

Alternatives:

(1) No action alternative: Maintain status quo with the ongoing voluntary cybersecurity program for cleared contractors. (2) Next best alternative: DoD posts generic cyber threat information and cybersecurity best practices on a publicly accessible website without directly engaging participating companies.

 

Anticipated Costs and Benefits:

Participation in the voluntary DIB CS Program enables DoD contractors to access Government Furnished Information and collaborate with the DoD Cyber Crime Center (DC3) to better respond to and mitigate cyber threats. In order to join the DIB CS Program, there is an initial labor burden to apply to the program and provide point of contact information which is estimated to take 20 minutes per company. In addition, there is a cost for defense contractors to voluntarily share cyber indicator information. DoD estimates that each response will take a respondent two hours to complete. The costs are under review as part of 0704-0489 and 0704-0490. For DIB participants, this program provides cyber threat information and technical assistance through analyst-to-analyst exchanges, mitigation and remediation strategies, and cybersecurity best practices in a collaborative environment for participating companies.

 

Risks:

Threats to unclassified information systems represent a risk of compromise of DoD information and mission. This threat is particularly acute for small and medium-sized companies with less mature cybersecurity capabilities. Through collaboration with DoD and sharing with other contractors in the DIB CS Program, defense contractors will be better prepared to mitigate the cyber risk they face today and in the future.

Timetable:
Action    Date          FR Cite
NPRM      04/00/2023
Regulatory Flexibility Analysis Required: No
Government Levels Affected: Federal
Small Entities Affected: No
Federalism: No
Included in the Regulatory Plan: Yes
RIN Data Printed in the FR: No
Agency Contact:
McKay Tolboe
Director, Cybersecurity Policy and Partnerships CIO
Department of Defense
Office of the Secretary
4800 Mark Center,
Alexandria, VA 22311
Phone: 571 372-4640
Email: mckay.r.tolboe.civ@mail.mil