This rule revises the DoD-DIB cybersecurity information sharing program regulation to implement new statutory requirements for DoD contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support. The program also retains the voluntary information sharing activities for cybersecurity information that is outside the scope of the mandatory reporting requirements.

Regarding the mandatory reporting, this part has been revised to set forth mandatory cyber incident reporting requirements that will apply to all forms of contracts or other agreements between DoD and DIB companies (e.g., procurement contracts, cooperative agreements, other transaction agreements). Thus, all relevant contracts or agreements are required to include these cyber reporting requirements (e.g., through incorporation of the reporting requirements by reference, or by expressly setting forth reporting requirements consistent with this part). The revisions provided in this rule are part of DoD’s efforts to establish a single reporting mechanism for such cyber incidents on unclassified DoD contractor information systems. These requirements are focused on cyber incidents that threaten specific types of DoD program information, such as technical information controlled under the International Traffic in Arms Regulations or the Export Administration Regulations or otherwise controlled by DOD and operational security information that relates to DoD activities. Additional cyber incident reporting requirements for other important types of controlled unclassified information (CUI) (e.g., personally identifiable information (PII), budget or financial information) are more specifically addressed through other regulatory mechanisms, and thus are outside the scope of this rule. To clarify this distinction, the rule explicitly states that reporting under this program does not abrogate the contractor’s responsibility for any other applicable cyber incident reporting requirements (§ 236.4(o)).

The rule also revises the program’s definitions to better harmonize with definitions that are already established and used by DoD and other Government agencies in similar contexts, such as those relating to the handling and safeguarding of Controlled Unclassified Information as used by the National Archives and Records Administration pursuant to Executive Order 13556 “Controlled Unclassified Information” (November 4, 2010) (see http://www.archives.gov/cui/), and those widely used in the context of cybersecurity activities (see the Committee on National Security Systems Instruction No. 4009, “National Information Assurance Glossary”).

This rule is intended to streamline the reporting process for DoD contractors and minimize duplicative reporting processes, while preserving distinctions where appropriate. Cyber incident reporting involving classified information on classified contractor systems will be in accordance with the National Industrial Security Program Operating Manual (DoD-M 5220.22 (http://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf)).

This rule also modifies eligibility criteria to permit greater participation in the voluntary DoD-DIB CS information sharing program. Expanding participation in the DoD-DIB CS information sharing program is part of DoD’s comprehensive approach to counter cyber threats through information sharing between the Government and DIB participants. The DoD-DIB CS information sharing program allows eligible DIB participants to receive Government furnished information (GFI) and cyber threat information from other DIB participants, thereby providing greater insights into adversarial activity targeting the DIB. The activities in this rule implement DoD statutory authorities to establish programs and activities to protect sensitive DoD information, including when such information resides on or transits information systems operated by contractors or others in support of DoD activities (e.g., 10 U.S.C. 391 and 2224, the Federal Information Security Modernization Act (FISMA), codified at 44 U.S.C. 3551 et seq., section 941 of the NDAA for FY 2013 (Public Law 112-239)). Activities under this rule also fulfill important elements of DoD’s critical infrastructure protection responsibilities, as the sector specific agency for the DIB sector (see Presidential Policy Directive 21 (PPD-21), “Critical Infrastructure Security and Resilience,” available at https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil).

Under this rule, contractors will incur costs associated with requirements for reporting cyber incidents of covered defense information on their covered contractor information system(s) or those affecting the contractor’s ability to provide operationally critical support. Costs for contractors include identifying and analyzing cyber incidents and their impact on covered defense information, or a contractor’s ability to provide operationally critical support, as well as obtaining DoD-approved medium assurance certificates to ensure authentication and identification when reporting cyber incidents to DoD. Government costs include onboarding new companies under the voluntary DoD-DIB CS information sharing program, and collecting and analyzing cyber incident reports, malicious software, and media.

A foundational element of these new mandatory reporting requirements, as well as the voluntary DoD-DIB CS information sharing activities, is the recognition that the information being shared between the parties includes extremely sensitive information that requires protection. For additional information regarding the Government’s safeguarding of information received from the contractors that require protection, see the Privacy Impact Assessment (PIA) for the DIB Cybersecurity/Information Assurance Activities located at http://dodcio.defense.gov/Portals/0/Documents/DIB%20CS-IA%20PIA_FINAL_signed_30jun2011_VMSS_GGMR_RC.pdf. The PIA provides detailed procedures for handling personally identifiable information (PII), attributional information about the strengths or vulnerabilities of specific covered contractor information systems, information providing a perceived or real competitive advantage on future procurement action, and contractor information marked as proprietary or commercial or financial information.