Bottom Line Up Front
The U.S. Department of Defense (DoD) announced a final rule on March 12, 2024 that expands access for defense contractors wishing to participate in the Defense Industrial Base (DIB) Cybersecurity (CS) Program. Under the new rule and the changes it makes, all defense contractors who own or operate unclassified information systems that process, store, or transmit covered defense information can benefit from information sharing through the DIB CS program. Access to the DIB CS program has historically been limited to licensed defense contractors with a valid facility security clearance and a Department of Defense-approved medium assurance certificate. These qualifications significantly limit the number of defense contractors that can participate in the program. This rule will go into effect on April 11, 2024, and the eligibility requirements will change from that date. All defense contractors should be aware of this program and plan to be a part of it.
Origin of the DIB CS program
The DIB CS program seeks to enhance participants' ability to protect DoD information residing on or passing through DIB unclassified information systems. The DIB CS program has historically supplemented the contract requirements imposed on DIB contractors when DFARS 252.204-7012 (“Covered Defense Information Protection and Cyber Incident Reporting”) is included in the prime contract or subcontract, and has encouraged greater sharing of threat information.
Established in 2012, the DIB CS program was initially constructed as a voluntary cyber threat information sharing program for licensed defense contractors with the ability to protect classified information. According to the 2012 regulations that established the program, an authorized defense contractor is defined as a private organization licensed to access, receive, or store classified information for the purpose of bidding for contracts or conducting activities in support of Department of Defense programs. At the time, the Department of Defense estimated that the number of defense contractors eligible to participate in the program was less than 2,700.
In 2015, in response to new legal requirements for cyber incident reporting applicable to defense contractors, subcontractors, and those providing operationally critical support, the Department of Defense expanded DIB CS program eligibility to all licensed defense contractors, to protect confidential information. Although this change allows approximately 5,300 additional licensed defense contractors to participate in the program, the Department of Defense estimates that only a small number of these eligible companies are actually participating in the program.
Purpose of the DIB CS program
Under the DIB CS program, the Department of Defense and defense contractors voluntarily share unclassified and classified cyber threat information. Companies participating in the DIB CS program have access to information and tools shared through technology exchange conferences, a collaborative web platform, and the Department of Defense Cyber Crime Center, a clearinghouse for mandatory and voluntary incident reporting. This program seeks to complement FAR and DFARS regulations, such as DFARS 252.204-7012, which impose reporting requirements on defense contractors in the event of a cybersecurity incident. The program's goals also include facilitating information sharing about cybersecurity threats and incidents and related mitigation strategies. The goals of the DIB CS program include:
- Establishment of a voluntary and mutually acceptable framework to protect information from unauthorized access;
- Protection of the confidential information exchanged, to the fullest extent permitted by law; and
- Creating a trusted environment to maximize network defense and remediation efforts by sharing cyber threat information and incident reports, and providing mitigation and remediation strategies and malware analysis.
New rules and eligibility for the DIB CS program
When the final rule takes effect in April, eligibility for the DIB CS program will be expanded to all defense contractors subject to the Department of Defense's mandatory cybersecurity incident reporting requirements. By removing the requirement for participants to be defense contractors with an active facility security clearance, the Department of Defense estimates that the number of defense contractors eligible to participate in the program will increase from an estimated 2,700 in 2012 to nearly 68,000.
The final rule also changes the requirement for program participants to obtain a medium assurance certificate, which can be used to verify digital identities and facilitate the exchange of encrypted information, at a cost of approximately $175 per year. Instead, defense contractors must enroll in the Acquisition Integrated Enterprise Environment, the leading enterprise procurement payment (P2P) application for the Department of Defense and its supporting agencies.
Takeaways
Expanded eligibility allows all defense contractors to participate in bilateral information sharing on cybersecurity threats through the DIB CS program, rather than only those with facility security clearances. Additionally, the cost of participation is reduced by removing the requirement to obtain a medium assurance certificate. This will be attractive to small businesses that are currently eligible to participate in the program but wish to minimize the cost burden associated with this voluntary activity. Defense contractors, and companies seeking to become defense contractors, should consider how they can reduce the risk of cybersecurity incidents by participating in the program and increasing their knowledge of potential cyber threats, mitigation strategies, and industry best practices. Expanding this program could be a win-win for the DIB and the Department of Defense, because reducing contractor risk associated with cybersecurity incidents is likely to reduce government risk from cybersecurity incidents and ultimately support the Department of Defense's national security objectives.