The government has finalized a rule that expands the number of contractors eligible to participate in the Department of Defense (DoD) Defense Industrial Base (DIB) voluntary cybersecurity information sharing program. The program enables DIB contractors to receive government-furnished cyber threat information and thus improves their ability to develop stronger network defenses and stop malicious attacks on their networks that would jeopardize valuable national security information.
The rule, which was published on October 4, 2016 by the Office of the Chief Information Officer of the DoD and will be effective on November 3, 2016, also harmonizes the DIB cybersecurity sharing program with DoD’s recent Defense Federal Acquisition Regulation Supplement (DFARS) amendments
requiring similar reporting for all defense contractors. Through these new reporting requirements, DoD aims to establish a single reporting mechanism for cyber incidents on unclassified DIB networks or information systems. These requirements focus on specific types of DoD program information (covered defense information, or CDI) using the same definition as the DFARS rule. This information is unclassified controlled technical information or other information, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and that is either marked or otherwise identified in an agreement or provided to the contractor by or on behalf of the DoD in support of the performance of the agreement; or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the agreement. However, the rule also clarifies that these reporting requirements do not alter or displace a contractor’s responsibility to abide by any other applicable cyber incident reporting requirements, such as requirements for other controlled unclassified information (CUI) (which includes personally identifiable information (PII), budget or financial information, and other similar confidential information).
The final rule does not significantly change the requirements of the draft version of this rule that was released on October 2, 2015, instead it clarifies the requirements set forth in the draft rule:
First, the definition of covered defense information now aligns with the definitions in the CUI Registry that is maintained by the National Archives and Records Administration pursuant to the recent Final Rule on September 14, 2016 and the DFARS.
Second, like the existing DFARS clause, contractors subject to this rule must flow down reporting requirements to subcontractors providing operationally critical support.
Third, the cybersecurity incident reporting requirements apply to all types of DoD-DIB agreements (contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement).
Expanded Eligibility for Contractors to Participate in DoD-DIB Program
The final rule expands what eligible contractors are able to participate in the voluntary DoD-DIB cybersecurity information sharing program. Now, contractors are eligible if they are cleared defense contractors, have an existing active Facility Security Clearance and execute a standardized Framework Agreement with the government. In the Framework Agreement, the government and each contractor must agree to share cybersecurity information as quickly and as much as possible. Further, the rule establishes programs and activities to protect sensitive DoD information residing on DIB contractor–operated information systems.
Pursuant to the new rule, contractors no longer have to obtain a DoD-approved medium assurance certificate, a Communication Security account, or access to DoD’s secure voice and data transmission systems in order to participate in the basic information sharing program.
However, there are additional requirements for eligible DIB contractors to receive classified cyber threat information electronically.
Mandatory Reporting Requirements for DIB Contractors
Similar to the draft rule, the final rule requires that the mandatory reporting requirement for cyber incidents be included in all agreements between the government and the contractor if covered defense information resides on or transits the information systems or if the contractor provides operationally critical support.
- Pursuant to these reporting requirements, a contractor that discovers a cybersecurity incident must conduct a review for evidence that CDI has been compromised and report the incident to the DoD within 72 hours.
- The contractor must share information such as an assessment of the impact of the cyber incident, description of the technique or method used, and a summary of information compromised.
- Though not required in order to receive government-furnished information, to be able to report cybersecurity incidents, contractors must have or acquire a DoD-approved medium assurance certificate, which is an individually issued set of digital identity credentials used to ensure the identity of the user.
The rule also encourages contractors to report cybersecurity incidents that do not compromise CDI but that may be valuable to the government and other contractors in better countering threats to cybersecurity.
Finally, the rule provides for DoD safeguarding of contractors’ proprietary information submitted to it but allows the DoD to release such information not created by or for the DoD in limited circumstances. The rule also recognizes that information shared between and among DIB contractors and the government implicates privacy concerns for extremely sensitive information. The rule and comments to the draft rule reference the Privacy Impact Assessment for this program, which emphasized that PII will be used in DoD forensic analyses only if relevant and, if not, the contractor will be notified and the PII will be purged. Nonetheless, other types of sensitive information, including contractor proprietary program information, may be exposed or analyzed in forensic analyses. Contractors continue to express concerns about the scope of protections for such information under DoD’s cybersecurity reporting and sharing programs. These requirements all mirror the requirements that have been implemented under the DFARS for defense contractors, but the new rule covers all members of the DIB and all types of DoD agreements.
The final rule goes into effect on November 4, 2016. Until that time, DIB contractors should review whether they store or access covered defense information, or whether they provide operationally critical support, such that they would be subject to the reporting requirements. Contractors should also consider whether their subcontractors, including IT service providers, meet the flow down criteria and thus would be subject to the reporting requirements as well. Finally, contractors should consider whether they should participate in the DoD’s cybersecurity information sharing program and, if so, take all necessary steps to ensure they are prepared to execute a Framework Agreement with the government to take advantage of the program.
*Amanda Claire Hoover contributed to this article. She is a Harvard Law School graduate employed at Arnold & Porter LLP and not admitted to the bar.