DoD puts forward revision to eligibility criteria of its DIB cybersecurity program, asks for public feedback

The U.S. Department of Defense (DoD) is proposing revisions to the eligibility criteria for the voluntary defense industrial base (DIB) Cybersecurity (CS) program. These revisions will allow a broader community of defense contractors to benefit from bilateral information sharing: once the proposed rule is finalized, all defense contractors who are subject to mandatory cyber incident reporting will be able to participate. DoD is also proposing changes to definitions and some technical corrections for readability.

The defense agency has called for feedback by Jun. 20, according to a notice published Wednesday in the Federal Register. 

“With this rule, the Department proposes to expand eligibility requirements to allow greater program participation and increase the benefits of bilateral information sharing, which helps protect DoD-controlled unclassified information from cyberattack, as well as to better align the voluntary DIB CS program with DoD’s mandatory cyber incident reporting requirements,” the DoD outlined in the notice.

The current eligibility requirements, based on the October 2016 rule, require a company to be a cleared defense contractor that has DoD-approved medium assurance certificates, holds an existing facility clearance to at least the Secret level, and can execute the standardized Framework Agreement provided to interested contractors after the Department has verified the DIB company is eligible.

The program has experienced steady growth, with the annual number of applications tripling since 2016 (80 total applications received in 2016, 266 total applications received in 2022), the notice disclosed. “It has also seen a steady increase in the percentage of defense contractors who are interested in participating but do not meet current eligibility requirements,” it added. 

The notice said that the percentage of applications received from ineligible defense contractors has risen at an average rate of 5 percent per year since 2016; 10 percent of applications received in 2016 were from ineligible defense contractors, while 45 percent of applicants in 2022 were ineligible. “This steady increase in ineligible applicants indicates an increasing desire amongst defense contractors to participate in a cyber threat information sharing program,” it added.

The department has also actively engaged defense associations, universities, and companies in the DIB, as well as participated in many public forums discussing cyber threats and the way forward. “The overwhelming feedback was for the Department to facilitate engagement with the broader community of defense contractors beyond just the cleared defense community. In general, smaller defense contractors have fewer resources to devote to cybersecurity, which may provide a vector for adversaries to access information critical to national security,” it added.

In addition, the department is working on providing more tailored threat information to support the needs of a broader community of defense contractors with varying cybersecurity capabilities, the notice said. The gap in eligibility in the current program, feedback from interested but ineligible contractors, a vulnerable DoD supply chain, and a pervasive cyber threat has prompted DoD to propose revising the eligibility requirements of the DIB CS Program to allow participation by non-cleared defense contractors.

At present, the DIB CS Program has approximately 1,000 cleared defense contractors participating in the program. Program participants have access to technical exchange meetings, a collaborative web platform (DIBNet-U), and threat products and services through the DoD Cyber Crime Center (DC3). 

The DC3 implements the program’s operations by sharing cyber threat information and intelligence with the DIB and offering a variety of products, tools, services, and events. DC3 serves as the single clearinghouse for unclassified Mandatory Incident Reports (MIRs) and voluntary threat information sharing reports.

The Federal Register notice said that the DoD is amending the DIB CS program to align the program description with the revised eligibility requirements. As a result, references to cleared defense contractors have been replaced with contractors that own or operate a covered contractor information system. Security clearance information is collected only when applicable, that is, if a company elects to participate in classified information sharing.

In addition, the language stating participation is typically three to ten company-designated points of contact (POC) has been removed, to avoid confusion regarding the number of POCs, as some larger companies may wish to nominate a larger number of POCs and smaller companies may wish to nominate fewer.

DoD is amending its DIB CS program requirements to remove the requirement that a company has an existing active facility clearance (FCL) to at least the Secret level granted under 32 CFR part 117, National Industrial Security Program Operating Manual (NISPOM), to be eligible to participate in the DIB CS Program. In addition, references to cleared defense contractors have been replaced with contractors that own or operate a covered contractor information system.

The Federal Register notice said that the DoD had identified general areas of costs related to the operation of this program. “First, DoD incurs costs to implement this program operationally by responding to inquiries, processing application submissions and collecting, sharing, and managing POC information for program administration and management purposes. Second, DoD incurs costs to collect, analyze, and disseminate threat information,” it added.

The DIB CS program benefits the DoD by increasing awareness and improving assessments of cyber incidents that may affect mission-critical capabilities and services. It continues to be an important element of the Department’s comprehensive effort to defend DoD information, protect U.S. national interests against cyber-attacks, and support military operations and contingency plans worldwide. Once a defense contractor joins the program, they are encouraged to share information, including cyber threat indicators, that they believe may be of value in alerting the Government and others, as appropriate, of adversary activity to enable the development of mitigation strategies and proactively counter threat actor activity. 

The notice added that DC3 develops written products that include analysis of the threat, mitigations, and indicators of adversary activity. Even cyber incidents that are not compromises of covered defense information may be of interest to DoD for situational awareness purposes. This information is disseminated as anonymized threat products that are shared with authorized DoD personnel, other federal agencies, and company-designated POCs participating in the DIB CS Program. 

With the revisions to the eligibility criteria, the DoD will be able to reduce the impact of cyber threat activity on DIB networks and information systems and, in turn, preserve its technological advantage and protect DoD information and warfighting capabilities. The mitigation of the cyber threat targeting defense contractors reinforces the nation’s national security and economic vitality.

For DIB participants, the program provides valuable cyber threat information they cannot obtain from anywhere else and technical assistance through analyst-to-analyst exchanges, mitigation and remediation strategies, and cybersecurity best practices in a collaborative environment, the Federal Register notice said. “The shared unclassified and classified cyber threat information is used to bolster a company’s cybersecurity posture and mitigate the growing cyber threat. The program’s tailored support for small, mid-size, and large companies with varying cybersecurity maturity levels is an asset for participants. The program remains a key element of DoD’s cybersecurity efforts by providing services to help protect DIB CS Program participants and the sensitive DoD information they handle,” it added. 

Last month, the DoD announced that its Software Modernization Implementation Plan (I-Plan) was approved on Mar. 30 by the DoD CIO. The plan recognizes that software is essential to modern military operations. From business systems to weapons systems, software defines military capabilities, enabling the detection and tracking of adversaries, protecting operations from cyber threats, and improving the accuracy and effectiveness of decisions and actions. 
