New DoD Rule Expands Defense Industrial Base Cyber Information Sharing Program and Harmonizes Incident Reporting
The government has finalized a rule that expands the number of contractors eligible to participate in the Department of Defense (DoD) Defense Industrial Base (DIB) voluntary cybersecurity information sharing program. The program enables DIB contractors to receive government-furnished cyber threat information and thus improves their ability to develop stronger network defenses and stop malicious attacks on their networks that would jeopardize valuable national security information.
The rule, which was published on October 4, 2016 by the Office of the Chief Information Officer of the DoD and will be effective on November 3, 2016, also harmonizes the DIB cybersecurity sharing program with DoD’s recent Defense Federal Acquisition Regulation Supplement (DFARS) amendments[1] requiring similar reporting for all defense contractors.[2] Through these new reporting requirements, DoD aims to establish a single reporting mechanism for cyber incidents on unclassified DIB networks or information systems. These requirements focus on specific types of DoD program information (covered defense information, or CDI), using the same definition as the DFARS rule. This information is unclassified controlled technical information or other information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and that is either (a) marked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD in support of the performance of the agreement; or (b) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the agreement. However, the rule also clarifies that these reporting requirements do not alter or displace a contractor’s responsibility to abide by any other applicable cyber incident reporting requirements, such as requirements for other controlled unclassified information (CUI)[3] (which includes personally identifiable information (PII), budget or financial information, and other similar confidential information).
The final rule does not significantly change the requirements of the draft version of this rule that was released on October 2, 2015; instead, it clarifies the requirements set forth in the draft rule in three respects:
First, the definition of covered defense information now aligns with the definitions in the CUI Registry that is maintained by the National Archives and Records Administration pursuant to the recent Final Rule of September 14, 2016, and with the DFARS.[4]
Second, like the existing DFARS clause, contractors subject to this rule must flow down the reporting requirements to subcontractors providing operationally critical support.

Third, the cybersecurity incident reporting requirements apply to all types of DoD-DIB agreements (contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement).
Expanded Eligibility for Contractors to Participate in DoD-DIB Program

The final rule expands which contractors are eligible to participate in the voluntary DoD-DIB cybersecurity information sharing program. Now, contractors are eligible if they are cleared defense contractors, have an existing active Facility Security Clearance, and execute a standardized Framework Agreement with the government. In the Framework Agreement, the government and each contractor must agree to share cybersecurity information as quickly and as fully as possible. Further, the rule establishes programs and activities to protect sensitive DoD information residing on DIB contractor-operated information systems.
Pursuant to the new rule, contractors no longer have to obtain a DoD-approved medium assurance certificate, a Communications Security account, or access to DoD’s secure voice and data transmission systems in order to participate in the basic information sharing program.[5] However, there are additional requirements for eligible DIB contractors to receive classified cyber threat information electronically.
Mandatory Reporting Requirements for DIB Contractors

Similar to the draft rule, the final rule requires that the mandatory reporting requirement for cyber incidents be included in all agreements between the government and the contractor if covered defense information resides on or transits the contractor’s information systems or if the contractor provides operationally critical support.
- Pursuant to these reporting requirements, a contractor that discovers a cybersecurity incident must conduct a review for evidence that CDI has been compromised and report the incident to the DoD within 72 hours.
- The contractor must share information such as an assessment of the impact of the cyber incident, a description of the technique or method used, and a summary of the information compromised.[6]
- Though not required in order to receive government-furnished information, to be able to report cybersecurity incidents, contractors must have or acquire a DoD-approved medium assurance certificate, which is an individually issued set of digital identity credentials used to ensure the identity of the user.
Conclusion

The final rule goes into effect on November 4, 2016. Until that time, DIB contractors should review whether they store or access covered defense information, or whether they provide operationally critical support, such that they would be subject to the reporting requirements. Contractors should also consider whether their subcontractors, including IT service providers, meet the flow-down criteria and thus would be subject to the reporting requirements as well. Finally, contractors should consider whether they should participate in the DoD’s cybersecurity information sharing program and, if so, take all necessary steps to ensure they are prepared to execute a Framework Agreement with the government to take advantage of the program.
*Amanda Claire Hoover contributed to this article. She is a Harvard Law School graduate employed at Arnold & Porter LLP and not admitted to the bar.
It also implements statutory requirements that DIB contractors and subcontractors report cybersecurity incidents that result in actual or potentially adverse effects on a covered contractor information system or covered defense information, or on a contractor’s ability to provide operationally critical support. 10 U.S.C. §§ 391, 393, and 2224.
Compare Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities, 80 Fed. Reg. 59581 (proposed Oct. 2, 2015) (to be codified at 32 C.F.R. § 236.7), with 32 C.F.R. § 236.7 (2015).