* Associates Tom Pettit and Ryan Woo also contributed to this post
On October 4, 2016, the Department of Defense (DoD) issued a Final Rule for DoD’s Defense Industrial Base (DIB) Cybersecurity (CS) Activities program. The rule amends the cyber incident reporting requirements and the voluntary DIB CS information sharing program in 32 CFR Part 236. It will take effect on November 3, 2016. Key highlights of the final rule are:
- While the voluntary element of the DIB program has been in place since 2008, the real changes are to the mandatory cyber incident reporting requirements for DIB entities that have “agreements” with DoD and “covered defense information” (CDI) on their information systems.
- The final rule applies to “all forms of agreements (e.g., contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement).’’ 81 Fed. Reg. 68314.
- Thus the coverage of the DIB final rule is broader than the Defense Federal Acquisition Regulation Supplement (DFARS) cyber incident reporting rule and clauses at DFARS 252.204-7012 , 252.204-7009, and 252.204-7008 (which apply only to DoD procurement contracts). See our initial coverage of the latest version of that DFARS rule here.
- Rather than the four types of information that appeared in the earlier DFARS clause, the DIB CS final rule now defines CDI as any information in the Controlled Unclassified Information (CUI) Registry so long as the information is either marked or identified in the agreement or received or created during performance of the agreement. 81 Fed. Reg. 68314. See our analysis of the CUI program here. The parallel rulemaking for the DFARS clause has also updated the same definitions to mirror the DIB final rule.
- This is not a retroactive rule, so DIB entities will continue to be governed by the requirements in their current agreements. However, DoD retains “the option to modify such pre-existing agreements where deemed appropriate.” 81 Fed. Reg. 68313.
In 2008, the DoD established the DIB Cyber Security/Information Assurance (CS/IA) pilot program to address the increased targeting by cyberattackers of DoD and DoD contractor information. Recognizing that the success of the program depended on widespread participation and information sharing between the DoD and the DIB, the DoD published an interim final rule in 2012 that expanded the eligibility criteria and sought to encourage greater participation by industry.
In 2013, the DoD published a final rule amending the DFARS to address requirements for contractor safeguarding of DoD unclassified controlled technical information (UCTI). This DFARS rulemaking included cyber incident reporting for certain DoD contractor systems using the same processes and DIB online portal established during the CS/IA pilot program. As discussed in a previous blog post, DoD then revised the 2013 UCTI rule in August 2015 and again in December 2015. A parallel rulemaking for the DIB CS/IA program resulted in an interim final rule dated October 2, 2015, that aligned the DIB cyber incident reporting requirements in 32 CFR §236.4 with the requirements in the amended DFARS 252.204-7012. The establishment of mandatory reporting requirements in the October 2, 2015 DIB interim final rule for any entity with “agreements” with DoD changed the nature of the DoD-DIB CS/IA program from a purely voluntary program.
MANDATORY AND VOLUNTARY COMPONENTS OF THE CURRENT DIB CS PROGRAM
The DIB CS program is a cyber incident reporting and information sharing regime that has:
- A mandatory incident reporting component; and
- A voluntary information sharing component.
Under the mandatory component, all DIB organizations that (1) have “agreements” with the DoD and (2) have CDI on their information systems must report cyber incidents to the DoD. The voluntary information sharing component of the program allows eligible DIB companies to “share cyber threat information and cybersecurity best practices” with other program members. The 2016 DIB final rule states that “through cyber incident reporting and voluntary cyber threat information sharing, both DoD and the DIB have a better understanding of adversary actions and the impact on DoD information and warfighting capabilities.” 81 Fed. Reg. 68313.
- Mandatory Incident ReportingAgreements: The mandatory reporting component applies to all forms of DoD agreements, which the 2016 DIB final rule defines broadly to include not only procurement contracts but also “grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement.” 81 Fed. Reg. 68314.
Covered Defense Information: The 2015 interim final rule defined CDI using the same four categories as the 2015 DFARS rulemakings. The 2016 DIB final rule now defines CDI as DoD UCTI or other information identified on the CUI Registry that is either (1) “marked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD in support of the performance of the agreement” or (2) “collected, developed, received, transmitted, used, or stored by or on behalf the contractor in support of the performance of the agreement.” 81 Fed. Reg. 68317, 32 CFR § 236.2 Definitions.
Covered Defense Information System: “Covered contractor information system” was revised in the 2016 DIB final rule to mean an unclassified information system that is owned or operated by or for a DIB contractor and that processes, stores, or transmits CDI. 81 Fed. Reg. 68317, 32 CFR § 236.2 Definitions.
Reporting Obligations: DIB companies that have agreements with the DoD must investigate and report cyber incidents to the DoD. Specifically, the DIB company must:
(1) analyze the covered contractor information systems for evidence of compromise of CDI including identifying compromised computers, servers, specific data, and user accounts; and
(2) report the incident to the DoD within 72 hours, using the reporting fields at http://dibnet.dod.mil.
32 CFR § 236.5 Cyber security information sharing.
If the DIB company identifies malicious software during its review, it must isolate the malicious software and submit it to the DoD Cyber Crime Center (DC3) for forensic analysis. Additionally, the DIB company must preserve and protect images of known affected information systems and all relevant monitoring/packet capture data for at least 90 days from submission of the cyber incident report to allow DoD to request the media or decline interest. If requested by the DoD, the contractor shall provide DoD with access to additional information or equipment necessary for forensic analysis of the incident. 32 CFR § 236.5.
Information Protection: The DoD is committed to share only non-attributional data and to protect proprietary information. To aid the DoD in this effort, DIB entities should identify and mark attributional and proprietary information as such when they provide it to the DoD. 32 CFR § 236.5 (e)-(f).
Flow-Down Requirement: Contractors must also flow-down the cyber incident reporting requirement to ‘‘subcontractors that are providing operationally critical support or for which subcontract performance will involve a covered contractor information system.” Subcontractors must report incidents to both the DoD and to the prime contractor. 32 CFR 236.4(d).
- Voluntary DIB CS Information Sharing ProgramParticipants in the DIB CS program receive non-attributional cyber threat information from, and share non-attributional cyber threat information with, DoD and other DIB participants. The government also offers participants access to the DC3, including analyst-analyst exchanges, best practices, and mitigation and remediation strategies. The program is intended to provide participants with a better understanding of adversaries’ actions and foster collaboration between the private sector and government.
Eligibility: DIB entities that wish to participate in the voluntary information sharing program must meet all of the following requirements:
(1) Be a Cleared Defense Contractor (CDC). CDCs are private entities granted a security clearance by DoD to access, receive, or store classified information.
(2) Have an existing Facility Security Clearance (FCL) granted under the National Industrial Security Program Operating Manual (NIPSOM) (DoD 5220.22-M).
(3) Execute the standardized Framework Agreement (FA) for the timely, secure, and recurring sharing of cybersecurity information to the greatest extent possible.
(4) Have or acquire DoD-approved medium assurance certificates to enable encrypted unclassified information sharing between DoD and DIB participants.
(5) In order to receive classified cyber threat information electronically, CDCs must:
(A) Have or acquire a Communication Security (COMSEC) account in accordance with NIPSOM Chapter 9, Section 4;
(B) Have or acquire approved safeguarding for classified information at the Secret level, and continue to qualify under the NIPSOM for retention of its FCL and approved safeguarding; and
(C) Obtain access to DoD’s secure voice and transmission systems supporting the voluntary DoD-DIB CS information sharing program.
32 CFR § 236.7 DIB participant eligibility requirements.