On March 12, 2024, the U.S. Department of Defense (DoD) published a final rule (pdf) that significantly expands eligibility for the Department's voluntary Defense Industrial Base Cybersecurity Program (the “DIB CS Program” or the “Program”). The decision to revise the Program's eligibility criteria is part of a coordinated effort by DoD to encourage and improve participation by the defense contractor community in programs that enable bilateral information sharing following cyber incidents.
The final rule is scheduled to take effect on April 11, 2024, according to the Federal Register. Under the final rule, all defense contractors will be eligible to participate in the DIB CS Program. The Program is intended to strengthen information sharing efforts by enhancing cyber threat and incident reporting by contractors, in order to protect DoD unclassified information residing on or transmitted through DIB unclassified information systems.
Purpose of the DIB CS program
The primary purpose of the DIB CS Program is to improve the ability of defense contractors to protect DoD information residing on or transmitted through DIB unclassified information systems. When the Program began, its stated goals included:
- Establish a voluntary, mutually acceptable framework designed to protect government information from unauthorized access
- Protect, to the fullest extent permitted by law, the confidentiality of the information exchanged
- Create a trusted environment designed to maximize network defense and remediation efforts by sharing cyber threat information and incident reports among participants
- Provide mitigation and remediation strategies and malware analysis to participants
In addition, the DIB CS Program was conceived as a complementary tool intended to enhance the contractual requirements imposed on defense contractors when DFARS 252.204-7012 (the contract clause entitled “Protection of Covered Defense Information and Cyber Incident Reporting”) is included in a prime contract or subcontract.
Although the stated objectives were laudable, the original structure of the DIB CS program was narrow and limited eligibility to a small portion of the defense contractor community. The new rules are an effort to address this issue.
What has changed
When the final rule takes full effect, eligibility for the DIB CS Program will be expanded to all defense contractors subject to DoD cyber incident reporting requirements. Previously, the DIB CS Program was available only to “cleared” defense contractors holding a valid facility security clearance. DoD defines a cleared defense contractor as a private entity authorized by DoD to “access, receive, or store classified information for the purpose of bidding for contracts or conducting activities in support of Department of Defense programs.”
This narrow definition meant that fewer than 2,800 defense contractors were eligible to participate in the DIB CS Program when it first launched in 2012. Then, in 2015, DoD expanded eligibility to all cleared defense contractors, which effectively required participants to be able to protect classified information. This amendment extended eligibility for the DIB CS Program to approximately 5,300 additional cleared defense contractors.
The new rule removes the “cleared” requirement and opens the DIB CS Program to all defense contractors that own or operate unclassified information systems that process, store, or transmit covered defense information. DoD estimates that once the new rule takes effect, nearly 68,000 additional defense contractors will be eligible to participate in the DIB CS Program.
Program changes may benefit current DIB CS program participants
In addition to expanding eligibility for the DIB CS Program, the new rule removes the requirement that participants obtain a medium assurance certificate, which was used to verify a contractor's digital identity and facilitate the exchange of encrypted information. Participating defense contractors were required to spend an estimated $175 annually to obtain this certificate.
Under the new rule, participating defense contractors will instead be required to enroll in the Procurement Integrated Enterprise Environment, the primary enterprise procure-to-pay (P2P) application for the Department of Defense and its supporting agencies.
Removing the requirement to obtain a medium assurance certificate may encourage defense contractor participation by reducing the cost of participating. As a result, smaller defense contractors who want to participate but have been unwilling to bear the direct costs associated with a voluntary program may be more likely to do so in the future.
For the future
It will be interesting to see whether the revisions to the DIB CS Program have a significant impact on the number of participating defense contractors. Eligibility does not necessarily translate into participation. In fact, according to DoD's own estimates, only a small percentage of eligible defense contractors actually participate in the DIB CS Program. These estimates are subject to change once the new rule takes effect on April 11, 2024.
Efforts to expand eligibility and participation in the DIB CS program appear to be part of a broader effort by the Department of Defense to prioritize cybersecurity in the defense contracting arena. For example, the Department of Defense recently released proposed regulations to implement the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC program will impose comprehensive cybersecurity requirements on defense contractors. If enacted, CMMC would require contractors to take steps to protect sensitive and unclassified government information. The Department of Defense will incorporate the new CMMC cybersecurity requirements into the solicitation regulations and implement those requirements by October 1, 2026.
Alongside the proposed CMMC rule, the National Institute of Standards and Technology has released draft guidance (pdf) on protecting government data, including revised cybersecurity procedures that government contractors and the broader federal agency community should follow when safeguarding unclassified and classified information.