Pentagon issues final rule to expand defense industrial base cyber program eligibility

By Sara Friedman  / March 12, 2024

The Defense Department has finalized a rulemaking to expand eligibility requirements for its defense industrial base information sharing program.

“The DIB Cybersecurity Program is a voluntary program to enhance and supplement participants’ capabilities to safeguard DOD information that resides on, or transits, DIB unclassified information systems. The program encourages greater threat information sharing to complement mandatory aspects of DOD’s DIB cybersecurity activities which are contractually mandated through DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” the final rule says.

The final rule was published today in the Federal Register and will go into effect in 30 days.

The rule says, “This program is part of DOD’s larger portfolio of work to protect DoD information handled by the DIB by understanding and sharing information, building security partnerships, implementing long-term risk management programs, and maximizing efficient use of resources.”

“It supports two-way information sharing and maintains meaningful relationships and frequent dialogue across the diverse array of eligible defense contractors. For eligible defense contractors, the program maintains a capability for companies to access classified government cyber threat information providing additional context to better understand the cyber threats targeting their networks and information systems,” the rule says.

DOD issued a proposed rule in May 2023 on expanding the program. The final rule responds to public comments and makes small changes to address stakeholder requests.

The final rule notes that the program has “experienced steady growth” since it was established, with the number of annual applicants “more than tripling since 2016.” However, DOD says there has also been a “steady increase in the percentage of defense contractors who are participating but do not meet current eligibility requirements.”

“The maximum number of defense contractors estimated to be subject to mandatory cyber incident reporting under DFARS clause 252.204-7012 is 80,000. The presence of the clause in a contract does not establish that covered defense information is shared. DoD is working on reporting mechanisms to better assess contractors managing covered defense information,” the rule says.

With the changes to the criteria, the final rule says DOD expects an estimated 68,000 additional contractors will be able to participate.

The rule makes changes to the requirement for industry to obtain a “medium assurance certificate” for participation. DOD will now require “registration with Procurement Integrated Enterprise Environment (PIEE) when submitting mandatory cyber incident reports,” according to the rule.

DOD is also removing the “requirement that a company have an existing active facility clearance (FCL) to at least the Secret level granted under 32 CFR part 117, National Industrial Security Program Operating Manual (NISPOM), to be eligible to participate in the DIB CS Program,” according to the rule.

The rule has also replaced references to “cleared defense contractors . . . with contractors that own or operate a covered contractor information system.”