New DoD final rule focuses on cybersecurity efforts, safeguarding DIB CS Program participants

The U.S. Department of Defense’s Office of the DoD Chief Information Officer recently published a final rule that solidifies revisions to the eligibility criteria for the voluntary Defense Industrial Base (DIB) Cybersecurity (CS) Program. These revisions to the DIB CS program will allow all defense contractors who own or operate an unclassified information system that processes, stores, or transmits covered defense information to benefit from bilateral information sharing. DoD is also finalizing changes to definitions and some technical corrections for readability.

In a Federal Register notice, the DoD said the rule is effective on April 11, 2024. Because the final rule removes the requirement for industry to obtain a DoD-approved medium assurance certificate, the Department believes the burden on companies participating in the DIB CS Program is being reduced.

The DoD is amending its mandatory cyber incident reporting procedures in response to public comments about the burden associated with medium assurance certificates. It is also changing the description of the DIB CS program to align it with the revised eligibility requirements. As a result, references to cleared defense contractors have been replaced with contractors that own or operate a covered contractor information system. Security clearance information is collected only when applicable, that is, if a company elects and is eligible to participate in classified information sharing.

Lastly, DoD is amending its DIB CS program requirements to remove the requirement that a company hold an existing active facility clearance (FCL) to at least the Secret level, granted under the National Industrial Security Program Operating Manual (NISPOM) in 32 CFR, in order to be eligible to participate in the DIB CS Program.

The DIB CS program enhances the Department’s security by raising awareness and improving assessments of cyber incidents that could impact critical capabilities. It plays a vital role in defending DoD information, safeguarding U.S. national interests, and supporting global military operations. 

Defense contractors are encouraged to share cyber threat indicators to enable the development of mitigation strategies and counter adversary activity. DC3 produces threat analysis reports, including mitigation strategies and adversary indicators, even for incidents not involving covered defense information. This information is shared with authorized personnel, federal agencies, and DIB CS Program participants. 

The eligibility revisions aim to reduce cyber threats on DIB networks, preserving technological advantage and protecting DoD information. The program offers tailored cyber threat information, technical assistance, and best practices to enhance cybersecurity posture for companies of all sizes. It remains a crucial component of DoD’s cybersecurity efforts, safeguarding DIB CS Program participants and sensitive DoD information.

In response to concerns about submitting nearly identical reports for multiple contracts, DoD clarifies that a contractor may submit one report for an event that impacts multiple contracts. DoD also clarifies that its estimate of 30 minutes covers only the time to review the changes in this final rule and decide whether to apply to the voluntary DIB CS Program; it does not include time for contractors to develop in-depth familiarity with existing policies and compliance requirements. DoD expects contractors to invest time beyond this estimate to familiarize themselves with contractually mandated requirements.

Currently, a contractor may authorize a third-party service provider to report incidents on behalf of the contractor. If that contractor and the third-party service provider are interested in participating in the DIB CS Program, an amendment to the DIB CS Program Framework Agreement is available to authorize the third-party service provider access to DIB CS resources. 

The amendment specifies whether the third-party service provider will provide on-site or off-site support, and clarifies the respective roles of the contractor and the third-party service provider in accessing government-furnished information on the DIB CS web portal and in voluntarily reporting cyber incidents and indicators to the government.

The DoD notes that all companies currently participating in the DIB CS Program are eligible to receive Government Furnished Information (GFI) under the voluntary DIB CS Program. Cybersecurity information is shared to the greatest extent possible under the Program's Security Classification Guide (SCG). Information about a company's certification level or assessment score is controlled information and is not available to the DIB CS Program at this time.

Currently, the objectives of the DIB CS Program are to establish a voluntary, mutually acceptable framework to protect information from unauthorized access; protect the confidentiality of information exchanged to the maximum extent authorized by law; and create a trusted environment to maximize network defense and remediation efforts by sharing cyber threat information and incident reports and providing mitigation/remediation strategies and malware analysis.

The program is part of DoD’s larger portfolio of work to protect DoD information handled by the DIB by understanding and sharing information, building security partnerships, implementing long-term risk management programs, and maximizing the efficient use of resources. It supports two-way information sharing and maintains meaningful relationships and frequent dialogue across the diverse array of eligible defense contractors. 

For eligible defense contractors, the program maintains a capability for companies to access classified government cyber threat information providing additional context to better understand the cyber threats targeting their networks and information systems.

With this rule, the Department is expanding eligibility requirements to allow greater program participation and increase the benefits of bilateral information sharing, which helps protect DoD-controlled unclassified information from cyberattack, as well as to better align the voluntary DIB CS Program with DoD’s mandatory cyber incident reporting requirements. 

The eligibility requirements in place before this rule, based on the October 2016 rule, require a company to be a cleared defense contractor that holds DoD-approved medium assurance certificates, has an existing facility clearance to at least the Secret level, and can execute the standardized Framework Agreement provided to interested contractors after the Department has verified that the DIB company is eligible.

Currently, the DIB CS Program has approximately 1,000 cleared defense contractors participating in the program. Program participants have access to technical exchange meetings, a collaborative web platform (DIBNet-U), and threat information products and services through the DoD Cyber Crime Center (DC3). DC3 implements the program’s operations by sharing cyber threat information and intelligence with the DIB and offering a variety of products, tools, services, and events. DC3 serves as the single clearinghouse for unclassified Mandatory Incident Reports (MIRs) and voluntary threat information-sharing reports.

The Department is working on providing more tailored threat information to support a broader community of defense contractors with varying cybersecurity capabilities. The eligibility gap in the current program, feedback from interested but ineligible contractors, a vulnerable DoD supply chain, and a pervasive cyber threat prompted the DoD to revise the eligibility requirements of the DIB CS Program to allow participation by non-cleared defense contractors.

The DoD is removing the requirement for DIB companies to hold a DoD-approved medium assurance certificate in order to report cyber incidents. It is replaced with a requirement to register in the Procurement Integrated Enterprise Environment (PIEE), which has established procedures for digital identity proofing. The cost estimate for a company to familiarize itself with the changes in this rule and decide whether to apply to the DIB CS Program does not include time for an in-depth review of preexisting contractually mandated requirements.

Last month, the C2M2-CMMC Supplemental Guidance was published to help Cybersecurity Capability Maturity Model (C2M2) users prepare to meet the DoD’s recently published Cybersecurity Maturity Model Certification (CMMC) Proposed Rule.
