Alert
March 14, 2024

DoD Significantly Expands Voluntary Cybersecurity Program for Defense Contractors

Bottom Line Up Front

The U.S. Department of Defense (DoD) published a finalized rule on March 12, 2024, which expands access for defense contractors who wish to participate in the Defense Industrial Base (DIB) Cybersecurity (CS) Program. The new rule and the changes that flow from it will allow all defense contractors that own or operate unclassified information systems that process, store, or transmit covered defense information to benefit from the sharing of information about emerging cybersecurity threats among participants in the DIB CS Program. Access to the DIB CS Program has historically been restricted to cleared defense contractors that hold an active facility security clearance and a DoD-approved medium assurance certificate. Those qualifications have greatly limited the number of defense contractors that may participate in the program. The rule will become effective on April 11, 2024, and on that date the eligibility requirements for participation will change. All defense contractors should make themselves aware of this program and plan to become a part of it.

Origins of the DIB CS Program

The DIB CS Program seeks to enhance participants’ capabilities to safeguard DoD information that resides on, or transits through, DIB unclassified information systems. The DIB CS Program has historically encouraged greater sharing of threat information to complement the contractual requirements that are imposed upon DIB contractors when DFARS 252.204–7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”) is included in a prime contract or subcontract.

Established in 2012, the DIB CS Program was initially constructed as a voluntary cyber threat information sharing program for cleared defense contractors that possessed the ability to safeguard classified information. Pursuant to the 2012 rule that established the Program, a cleared defense contractor was defined as a private entity granted clearance by DoD to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any DoD program. At the time, the DoD estimated that the number of defense contractors qualified for the Program was under 2,700.

In 2015 – in response to emerging statutory requirements related to cyber incident reporting applicable to defense contractors, subcontractors, and those providing operationally critical support – the DoD expanded eligibility for the DIB CS Program to all cleared defense contractors, regardless of whether the contractors were able to safeguard classified information. This change opened the Program to roughly 5,300 additional cleared defense contractors, although the DoD estimated that only a small percentage of those eligible companies actually participated in the Program.

DIB CS Program Purpose

Under the DIB CS Program, the DoD and defense contractors voluntarily share unclassified and classified cyber threat information. Companies that participate in the DIB CS Program have access to technical exchange meetings, a collaborative web platform, and information and tools shared through the DoD’s Cyber Crime Center, which is a clearinghouse for both mandatory and voluntary incident reports. The Program endeavors to complement FAR and DFARS regulations that impose mandatory reporting obligations on defense contractors when cybersecurity incidents occur, such as DFARS 252.204-7012. The Program’s goals also include facilitating information sharing on cybersecurity threats and incidents, and related mitigation strategies. The stated objectives of the DIB CS Program include:

  • The establishment of a voluntary, mutually acceptable framework to protect information from unauthorized access;
  • The protection of confidential information exchanged, to the maximum extent authorized by law; and
  • The creation of a trusted environment to maximize network defense and remediation efforts by sharing cyber threat information and incident reports, and providing mitigation and remediation strategies and malware analysis.

The New Rule and DIB CS Program Eligibility

When the finalized rule becomes effective in April, DIB CS Program eligibility will be expanded to all defense contractors subject to DoD’s mandatory cybersecurity incident reporting requirement. By removing the requirement for participants to be cleared defense contractors with active facility security clearances, the DoD estimates that close to 68,000 additional defense contractors will become eligible to participate in the Program, from an estimated 2,700 eligible contractors in 2012.

The finalized rule also eliminates the requirement for Program participants to obtain a medium assurance certificate, which is used to validate digital identity and facilitate the exchange of encrypted information, and which costs approximately $175 per year. Defense contractors will instead be required to register with the Procurement Integrated Enterprise Environment (PIEE), which is the primary enterprise procure-to-pay (P2P) application for the DoD and its supporting agencies.

Takeaways

The expansion of eligibility will allow all defense contractors to participate in bilateral information sharing regarding cybersecurity threats via the DIB CS Program, as opposed to only cleared defense contractors with a facility security clearance. In addition, the removal of the requirement to obtain a medium assurance certificate will reduce the cost of participation, which will likely be appealing to small business entities that are now eligible to participate in the Program but want to minimize the cost burden of this voluntary effort. Defense contractors and those seeking to become defense contractors should give thought to the ways that participating in the Program could reduce the risk of cybersecurity incidents by increasing their knowledge of potential cyber threats, mitigation strategies, and industry best practices. The expansion of this Program could be a win-win for the DIB and the DoD, because reducing contractors’ risk of cybersecurity incidents will likely reduce the government’s risk of cybersecurity incidents as well, and ultimately support the DoD’s national security objectives.