[Federal Register Volume 80, Number 191 (Friday, October 2, 2015)]
[Rules and Regulations]
[Pages 59581-59588]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-24296]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 236

[DOD-2014-OS-0097]
RIN 0790-AJ29


Department of Defense (DoD)-Defense Industrial Base (DIB) 
Cybersecurity (CS) Activities

AGENCY: Office of the DoD Chief Information Officer, DoD.

ACTION: Interim final rule.

-----------------------------------------------------------------------

SUMMARY: DoD is revising its DoD-DIB Cybersecurity (CS) Activities 
regulation to mandate reporting of cyber incidents that result in an 
actual or potentially adverse effect on a covered contractor 
information system or covered defense information residing therein, or 
on a contractor's ability to provide operationally critical support, 
and modify eligibility criteria to permit greater participation in the 
voluntary

[[Page 59582]]

DoD-Defense Industrial Base (DIB) Cybersecurity (CS) information 
sharing program.

DATES: Effective Date: This rule if effective October 2, 2015. Comments 
must be received by December 1, 2015.

ADDRESSES: You may submit comments, identified by docket number and/or 
Regulatory Information Number (RIN) number and title, by any of the 
following methods:
     Federal Rulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Mail: Department of Defense, Office of the Deputy Chief 
Management Officer, Directorate of Oversight and Compliance, Regulatory 
and Audit Matters Office, 9010 Defense Pentagon, Washington, DC 20301-
9010.

FOR FURTHER INFORMATION CONTACT: DoD-DIB Cybersecurity Activities 
Office: (703) 604-3167, toll free (855) 363-4227.

SUPPLEMENTARY INFORMATION:

Executive Summary

    This rule revises the DoD-DIB cybersecurity information sharing 
program regulation to implement new statutory requirements for DoD 
contractors and subcontractors to report cyber incidents that result in 
an actual or potentially adverse effect on a covered contractor 
information system or covered defense information residing therein, or 
on a contractor's ability to provide operationally critical support. 
The program also retains the voluntary information sharing activities 
for cybersecurity information that is outside the scope of the 
mandatory reporting requirements.
    Regarding the mandatory reporting, this part has been revised to 
set forth mandatory cyber incident reporting requirements that will 
apply to all forms of contracts or other agreements between DoD and DIB 
companies (e.g., procurement contracts, cooperative agreements, other 
transaction agreements). Thus, all relevant contracts or agreements are 
required to include these cyber reporting requirements (e.g., through 
incorporation of the reporting requirements by reference, or by 
expressly setting forth reporting requirements consistent with this 
part). The revisions provided in this rule are part of DoD's efforts to 
establish a single reporting mechanism for such cyber incidents on 
unclassified DoD contractor information systems. These requirements are 
focused on cyber incidents that threaten specific types of DoD program 
information, such as technical information controlled under the 
International Traffic in Arms Regulations or the Export Administration 
Regulations or otherwise controlled by DOD and operational security 
information that relates to DoD activities. Additional cyber incident 
reporting requirements for other important types of controlled 
unclassified information (CUI) (e.g., personally identifiable 
information (PII), budget or financial information) are more 
specifically addressed through other regulatory mechanisms, and thus 
are outside the scope of this rule. To clarify this distinction, the 
rule explicitly states that reporting under this program does not 
abrogate the contractor's responsibility for any other applicable cyber 
incident reporting requirements (Sec.  236.4(o)).
    The rule also revises the program's definitions to better harmonize 
with definitions that are already established and used by DoD and other 
Government agencies in similar contexts, such as those relating to the 
handling and safeguarding of Controlled Unclassified Information as 
used by the National Archives and Records Administration pursuant to 
Executive Order 13556 ``Controlled Unclassified Information'' (November 
4, 2010) (see http://www.archives.gov/cui/), and those widely used in 
the context of cybersecurity activities (see the Committee on National 
Security Systems Instruction No. 4009, ``National Information Assurance 
Glossary'').
    This rule is intended to streamline the reporting process for DoD 
contractors and minimize duplicative reporting processes, while 
preserving distinctions where appropriate. Cyber incident reporting 
involving classified information on classified contractor systems will 
be in accordance with the National Industrial Security Program 
Operating Manual (DoD-M 5220.22 (http://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf)).
    This rule also modifies eligibility criteria to permit greater 
participation in the voluntary DoD-DIB CS information sharing program. 
Expanding participation in the DoD-DIB CS information sharing program 
is part of DoD's comprehensive approach to counter cyber threats 
through information sharing between the Government and DIB 
participants. The DoD-DIB CS information sharing program allows 
eligible DIB participants to receive Government furnished information 
(GFI) and cyber threat information from other DIB participants, thereby 
providing greater insights into adversarial activity targeting the DIB. 
The activities in this rule implement DoD statutory authorities to 
establish programs and activities to protect sensitive DoD information, 
including when such information resides on or transits information 
systems operated by contractors or others in support of DoD activities 
(e.g., 10 U.S.C. 391 and 2224, the Federal Information Security 
Modernization Act (FISMA), codified at 44 U.S.C. 3551 et seq., section 
941 of the NDAA for FY 2013 (Public Law 112-239)). Activities under 
this rule also fulfill important elements of DoD's critical 
infrastructure protection responsibilities, as the sector specific 
agency for the DIB sector (see Presidential Policy Directive 21 (PPD-
21), ``Critical Infrastructure Security and Resilience,'' available at 
https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil).
    Under this rule, contractors will incur costs associated with 
requirements for reporting cyber incidents of covered defense 
information on their covered contractor information system(s) or those 
affecting the contractor's ability to provide operationally critical 
support. Costs for contractors include identifying and analyzing cyber 
incidents and their impact on covered defense information, or a 
contractor's ability to provide operationally critical support, as well 
as obtaining DoD-approved medium assurance certificates to ensure 
authentication and identification when reporting cyber incidents to 
DoD. Government costs include onboarding new companies under the 
voluntary DoD-DIB CS information sharing program, and collecting and 
analyzing cyber incident reports, malicious software, and media.
    A foundational element of these new mandatory reporting 
requirements, as well as the voluntary DoD-DIB CS information sharing 
activities, is the recognition that the information being shared 
between the parties includes extremely sensitive information that 
requires protection. For additional information regarding the 
Government's safeguarding of information received from the contractors 
that require protection, see the Privacy Impact Assessment (PIA) for 
the DIB Cybersecurity/Information Assurance Activities located at 
http://dodcio.defense.gov/Portals/0/Documents/DIB%20CS-IA%20PIA_FINAL_signed_30jun2011_VMSS_GGMR_RC.pdf. The PIA provides 
detailed procedures for handling personally identifiable information 
(PII), attributional information about the strengths or vulnerabilities 
of specific covered contractor information systems, information 
providing a perceived or real competitive advantage on future

[[Page 59583]]

procurement action, and contractor information marked as proprietary or 
commercial or financial information.

Interim Final Rule Justification

    This rule is being published as an interim rule in order to comply 
with statutory guidance under Section 941 of the National Defense 
Authorization Act (NDAA) for Fiscal Year (FY) 2013, and section 391 of 
Title 10, United States Code (U.S.C.), requiring defense contractors to 
rapidly report cyber incidents on their unclassified networks or 
information systems that may affect unclassified defense information, 
or that affect their ability to provide operationally critical support 
to the Department. Issuing this rule as an interim final rule 
underscores the importance of better protecting unclassified defense 
information against the immediate cyber threat, while preserving the 
intellectual property and competitive capabilities of our national 
defense industrial base. The interim final rule enables DoD to better 
assess, in the near term, when mission critical capabilities and 
services are affected by cyber incidents and reinforces DoD's overall 
efforts to defend DoD information, protect U.S. national interests 
against cyber-attacks, and support military operations and contingency 
plans worldwide. Cybersecurity is a Congressional priority and this 
interim final rule supports the Administration's national cybersecurity 
strategy emphasizing public-private information sharing.

Regulatory Procedures

Executive Orders 12866, ``Regulatory Planning and Review'' and 13563, 
``Improving Regulation and Regulatory Review''

    Executive Orders 13563 and 12866 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distribute impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This rule has been designated a ``significant regulatory 
action,'' although not economically significant, under section 3(f) of 
Executive Order 12866. Accordingly, the rule has been reviewed by the 
Office of Management and Budget (OMB).

Public Law 104-121, ``Congressional Review Act'' (5 U.S.C. 801)

    It has been determined that this rule is not a ``major'' rule under 
5 U.S.C. 801, enacted by Public Law 104-121, because it will not result 
in an annual effect on the economy of $100 million or more; a major 
increase in costs or prices for consumers, individual industries, 
Federal, State, or local Government agencies, or geographic regions; or 
significant adverse effects on competition, employment, investment, 
productivity, innovation, or on the ability of United States-based 
enterprises to compete with foreign-based enterprises in domestic and 
export markets.

Sec. 202, Public Law 104-4, ``Unfunded Mandates Reform Act''

    It has been determined that this rule does not contain a Federal 
mandate that may result in expenditure by State, local and tribal 
Governments, in aggregate, or by the private sector, of $100 million or 
more in any one year.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. 601)

    It has been certified that this rule is not subject to the 
Regulatory Flexibility Act (5 U.S.C. 601) because it would not, if 
promulgated, have a significant economic impact on a substantial number 
of small entities. Therefore, the Regulatory Flexibility Act, as 
amended, does not require us to prepare a regulatory flexibility 
analysis.

Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)

    It has been determined that 32 CFR part 236 does contain reporting 
or recordkeeping requirements under the Paper Reduction Act (PRA) of 
1995. These reporting requirements apply existing collection approvals 
under Office of Management and Budget (OMB) Control Numbers: 0704-0489, 
``Defense Industrial Base Cyber Security/Information Assurance (DIB CS/
IA) Cyber Incident Reporting,'' and 0704-0490, ``Defense Industrial 
Base Cyber Security/Information Assurance (DIB CS/IA) Points of Contact 
(POC) Information.''
    DoD has submitted a revision for the 0704-0489 collection to OMB 
under the provisions of the Paperwork Reduction Act (44 U.S.C. Chapter 
35) in response to 32 CFR part 236 expanding the number of companies 
under mandatory cyber incident reporting requirements. Comments are 
invited on: (a) whether the proposed collection of information is 
necessary for the proper performance of the functions of DoD, including 
whether the information will have practical utility; (b) the accuracy 
of the estimate of the burden of the proposed information collection; 
(c) ways to enhance the quality, utility, and clarity of the 
information to be collected; and (d) ways to minimize the burden of the 
information collection on respondents, including the use of automated 
collection techniques or other forms of information technology.
    Title: Cyber Incident Reporting by DoD Contractors
    Type of Request: Revision.
    Number of DoD contractors impacted is 10,000.
    Projected Responses Per Participant Per Year: 5.
    Annual Total Responses: Up to 50,000.
    Average Burden Per Response: 7 hours (this includes searching 
existing data sources, gathering and maintaining the data needed, and 
completing and reviewing the collection of information).
    Annual Total Burden Hours: 250,000 hours for all participants.
    Needs and Uses: The requested information supports the mandatory 
cyber incident reporting requirements under Section 941 of the NDAA for 
Fiscal Year (FY) 13 and Section 1632 of the NDAA for FY 15, and 
facilitates cyber situational awareness and cyber threat information 
sharing. DoD contractors report incidents using the standard Incident 
Collection Format (ICF). The primary means of reporting is through a 
secure unclassified web portal, but a company may report incidents 
through other communication means if necessary.
    Affected Public: DoD contractors with the provisions of 32 CFR part 
236 in their agreements with DoD.
    Frequency: On occasion.
    Respondent's Obligation: Mandatory.
    DoD has submitted a revision for the 0704-0490 collection to OMB 
under the provisions of the Paperwork Reduction Act (44 U.S.C. Chapter 
35) in response to 32 CFR part 236 expanding the number of companies 
eligible to participate in the voluntary DIB CS information sharing 
program. Comments are invited on: (a) whether the proposed collection 
of information is necessary for the proper performance of the functions 
of DoD, including whether the information will have practical utility; 
(b) the accuracy of the estimate of the burden of the proposed 
information collection; (c) ways to enhance the quality, utility, and 
clarity of the information to be collected; and (d) ways to minimize 
the burden of the information collection on respondents, including the 
use of automated collection techniques or other forms of information 
technology.

[[Page 59584]]

    Title: Defense Industrial Base Cybersecurity Activities Points of 
Contact (POC) Information.
    Type of Request: Revision.
    Number of DoD contractors impacted is 8,500. DoD estimates that no 
more than 10% of the total eligible population of cleared defense 
contractors will apply to the voluntary DIB Cybersecurity Activities 
program resulting in 850 cleared defense contractors impacted annually. 
An additional 10% of the population or 85 contractors may provide 
updated points of contact for the program, as required.
    Projected Responses Per Participant: Initial collection is one per 
company with updates on a case-by-case basis.
    Annual Total Responses: 935.
    Average Burden Per Response: 20 minutes.
    Annual Total Burden Hours: 312 hours for all participants.
    Needs and Uses: The Government will collect business points of 
contact (POC) information from all Defense Industrial Base (DIB) 
Cybersecurity program participants on a one-time basis, with updates as 
necessary, to facilitate communications and the sharing of share 
unclassified and classified cyber threat information.
    Affected Public: Business or other for-profit and not-for-profit 
institutions.
    Frequency: On occasion.
    Respondent's Obligation: Voluntary.
    OMB Desk Officer:
    Written comments and recommendations on these information 
collections should be sent to Ms. Jasmeet Seehra at the Office of 
Management and Budget, DoD Desk Officer, Room 10102, New Executive 
Office Building, Washington, DC 20503, with a copy to the Director, 
DoD-DIB Cybersecurity Activities Office, at the Office of the DoD Chief 
Information Officer, 6000 Defense Pentagon, Attn: DIB CS Activities 
Office, Washington, DC 20301-6000, or email at [email protected].
    You may also submit comments, identified by docket number and 
title, by the following method:
    Federal Rulemaking Portal: http://www.regulations.gov. Follow the 
instructions for submitting comments.
    All submissions received must include the agency name, docket 
number and title for this Federal Register document. The general policy 
for comments and other submissions from members of the public is to 
make these submissions available for public viewing on the Internet at 
http://www.regulations.gov as they are received without change, 
including any personal identifiers or contact information.

Executive Order 13132, ``Federalism''

    It has been determined that this rule does not have federalism 
implications, as set forth in Executive Order 13132. This rule does not 
have substantial direct effects on:
    (a) The States;
    (b) The relationship between the National Government and the 
States; or
    (c) The distribution of power and responsibilities among the 
various levels of Government.

List of Subjects in 32 CFR Part 236

    Government contracts, Security measures.
    Accordingly, 32 CFR part 236 is revised to read as follows:

PART 236--DEPARTMENT OF DEFENSE (DoD)-DEFENSE INDUSTRIAL BASE (DIB) 
CYBERSECURITY (CS) ACTIVITIES

Sec.
236.1 Purpose.
236.2 Definitions.
236.3 Policy.
236.4 Mandatory cyber incident reporting procedures.
236.5 DoD-DIB CS information sharing program.
236.6 General provisions of the DoD-DIB CS information sharing 
program.
236.7 DoD-DIB CS information sharing program requirements.

    Authority: 10 U.S.C. 391; 10 U.S.C. 2224; 44 U.S.C. 3506; 44 
U.S.C. 3544; and Section 941, Publ. L. 112-239, 126 Stat. 1632.


Sec. 236.1  Purpose.

    Cyber threats to contractor unclassified information systems 
represent an unacceptable risk of compromise of DoD information and 
pose an imminent threat to U.S. national security and economic security 
interests. This part requires all DoD contractors to rapidly report 
cyber incidents involving covered defense information on their covered 
contractor information systems or cyber incidents affecting the 
contractor's ability to provide operationally critical support. The 
part also modifies the eligibility criteria to permit greater 
participation in the voluntary DoD-DIB CS information sharing program 
in which DoD provides cyber threat information and cybersecurity best 
practices to DIB participants. The DoD-DIB CS information sharing 
program enhances and supplements DIB participants' capabilities to 
safeguard DoD information that resides on, or transits, DIB 
unclassified information systems.


Sec. 236.2  Definitions.

    As used in this part:
    Access to media means provision of media, or access to media 
physically or remotely to DoD personnel, as determined by the 
contractor.
    Cleared defense contractor (CDC) means a private entity granted 
clearance by DoD to access, receive, or store classified information 
for the purpose of bidding for a contract or conducting activities in 
support of any program of DoD.
    Compromise means disclosure of information to unauthorized persons, 
or a violation of the security policy of a system, in which 
unauthorized intentional or unintentional disclosure, modification, 
destruction, or loss of an object, or the copying of information to 
unauthorized media may have occurred.
    Contractor means an individual or organization outside the U.S. 
Government who has accepted any type of agreement or order to provide 
research, supplies, or services to DoD, including prime contractors and 
subcontractors.
    Contractor attributional/proprietary information means information 
that identifies the contractor(s), whether directly or indirectly, by 
the grouping of information that can be traced back to the 
contractor(s) (e.g., program description, facility locations), 
personally identifiable information, as well as trade secrets, 
commercial or financial information, or other commercially sensitive 
information that is not customarily shared outside of the company.
    Controlled Technical Information means technical information with 
military or space application that is subject to controls on the 
access, use, reproduction, modification, performance, display, release, 
disclosure, or dissemination. Controlled technical information would 
meet the criteria, if disseminated, for distribution statements B 
through F using the criteria set forth in DoD Instruction 5230.24, 
``Distribution Statements of Technical Documents,'' available at http://www.dtic.mil/whs/directives/corres/pdf/523024p.pdf. The term does not 
include information that is lawfully publicly available without 
restrictions.
    Covered contractor information system means an information system 
that is owned or operated by or for a contractor and that processes, 
stores, or transmits covered defense information.
    Covered defense information means unclassified information that:
    (1) Is:
    (i) Provided to the contractor by or on behalf of the DoD in 
connection with the performance of a contract; or
    (ii) Collected, developed, received, transmitted, used, or stored 
by or on behalf of the contractor in support of the performance of a 
contract; and

[[Page 59585]]

    (2) Falls in any of the following categories:
    (i) Controlled Technical Information;
    (ii) Critical information (operations security). Specific facts 
identified through the Operations Security process about friendly 
intentions, capabilities, and activities vitally needed by adversaries 
for them to plan and act effectively so as to guarantee failure or 
unacceptable consequences for friendly mission accomplishment (part of 
Operations Security process);
    (iii) Export Control. Unclassified information concerning certain 
items, commodities, technology, software, or other information whose 
export could reasonably be expected to adversely affect the United 
States national security and nonproliferation objectives. To include 
dual use items; items identified in export administration regulations, 
international traffic in arms regulations and munitions list; license 
applications; and sensitive nuclear technology information;
    (iv) Any other information, marked or otherwise identified by the 
Government, that requires safeguarding or dissemination controls 
pursuant to and consistent with law, regulations, and Government-wide 
policies (e.g., privacy, proprietary business information).
    Cyber incident means actions taken through the use of computer 
networks that result in a compromise or an actual or potentially 
adverse effect on an information system and/or the information residing 
therein.
    Cyber incident damage assessment means a managed, coordinated 
process to determine the effect on defense programs, defense scientific 
and research projects, or defense warfighting capabilities resulting 
from compromise of a contractor's unclassified computer system or 
network.
    Defense Industrial Base (DIB) means the Department of Defense, 
Government, and private sector worldwide industrial complex with 
capabilities to perform research and development, design, produce, and 
maintain military weapon systems, subsystems, components, or parts to 
satisfy military requirements.
    DIB participant means a CDC that has met all of the eligibility 
requirements to participate in the voluntary DoD-DIB CS Information 
Sharing Program as set forth in this part (see Sec.  236.7).
    Forensic analysis means the practice of gathering, retaining, and 
analyzing computer-related data for investigative purposes in a manner 
that maintains the integrity of the data.
    Government furnished information (GFI) means information provided 
by the Government under the voluntary DoD-DIB CS information sharing 
program including but not limited to cyber threat information and 
cybersecurity practices.
    Information means any communication or representation of knowledge 
such as facts, data, or opinions in any medium or form, including 
textual, numerical, graphic, cartographic, narrative, or audiovisual.
    Information system means a discrete set of information resources 
organized for the collection, processing, maintenance, use, sharing, 
dissemination, or disposition of information.
    Malicious software means software or firmware intended to perform 
an unauthorized process that will have adverse impact on the 
confidentiality, integrity, or availability of an information system. 
This definition includes a virus, worm, Trojan horse, or other code-
based entity that infects a host, as well as spyware and some forms of 
adware.
    Media means physical devices or writing surfaces, including but not 
limited to, magnetic tapes, optical disks, magnetic disks, large-scale 
integration memory chips, and printouts onto which covered defense 
information is recorded, stored, or printed within a covered Contractor 
information system.
    Operationally critical support means supplies or services 
designated by the Government as critical for airlift, sealift, 
intermodal transportation services, or logistical support that is 
essential to the mobilization, deployment, or sustainment of the Armed 
Forces in a contingency operation.
    Rapid(ly) report(ing) means within 72 hours of discovery of any 
cyber incident.
    Technical Information means technical data or computer software, as 
those terms are defined in DFARS 252.227-7013, ``Rights in Technical 
Data--Noncommercial Items'' (48 CFR 252.227-7013). Examples of 
technical information include research and engineering data, 
engineering drawings and associated lists, specifications, standards, 
process sheets, manuals, technical reports, technical orders, catalog-
item identifications, data sets, studies and analyses and related 
information, and computer software executable code and source code.
    Threat means any circumstance or event with the potential to 
adversely impact organization operations (including mission, functions, 
image, or reputation), organization assets, individuals, other 
organizations, or the Nation through an information system via 
unauthorized access, destruction, disclosure, modification of 
information and/or denial of service.
    U.S. based means provisioned, maintained, or operated within the 
physical boundaries of the United States.
    U.S. citizen means a person born in the United States or 
naturalized.


Sec. 236.3  Policy.

    It is DoD policy to:
    (a) Establish a comprehensive approach to require safeguarding of 
covered defense information on covered contractor information systems 
and to require contractor cyber incident reporting.
    (b) Increase Government stakeholder and DIB situational awareness 
of the extent and severity of cyber threats to DoD information by 
implementing a streamlined approval process that enables the contractor 
to elect, in conjunction with the cyber incident reporting and sharing, 
the extent to which DoD may share cyber threat information obtained 
from a contractor (or derived from information obtained from the 
company) under this part that is not information created by or for DoD 
with:
    (1) DIB contractors participating in the DoD-DIB CS information 
sharing program to enhance their cybersecurity posture to better 
protect covered defense information on covered contractor information 
systems, or a contractor's ability to provide operationally critical 
support; and
    (2) Other Government stakeholders for lawful Government activities, 
including cybersecurity for the protection of Government information or 
information systems, law enforcement and counterintelligence (LE/CI), 
and other lawful national security activities directed against the 
cyber threat (e.g., those attempting to infiltrate and compromise 
information on the contractor information systems).
    (c) Modify eligibility criteria to permit greater participation in 
the voluntary DoD-DIB CS information sharing program.


Sec.  236.4  Mandatory cyber incident reporting procedures.

    (a) Applicability and order of precedence. The requirement to 
report cyber incidents shall be included in all applicable agreements 
between the Government and the contractor in which covered defense 
information resides on, or transits covered contractor information 
systems or under which a contractor provides operationally critical 
support, and shall be identical to those requirements provided in this 
section (e.g., by incorporating the requirements of this section by 
reference, or by expressly setting forth

[[Page 59586]]

such reporting requirements consistent with those of this section). Any 
inconsistency between the relevant terms and condition of any such 
agreement and this section shall be resolved in favor of the terms and 
conditions of the agreement, provided and to the extent that such terms 
and conditions are authorized to have been included in the agreement in 
accordance with applicable laws and regulations.
    (b) Cyber incident reporting requirement. When a contractor 
discovers a cyber incident that affects a covered contractor 
information system or the covered defense information residing therein 
or that affects the contractor's ability to provide operationally 
critical support, the contractor shall:
    (1) Conduct a review for evidence of compromise of covered defense 
information including, but not limited to, identifying compromised 
computers, servers, specific data, and user accounts. This review shall 
also include analyzing covered contractor information system(s) that 
were part of the cyber incident, as well as other information systems 
on the contractor's network(s), that may have been accessed as a result 
of the incident in order to identify compromised covered defense 
information, or that affect the contractor's ability to provide 
operationally critical support; and
    (2) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil.
    (c) Cyber incident report. The cyber incident report shall be 
treated as information created by or for DoD and shall include, at a 
minimum, the required elements at http://dibnet.dod.mil.
    (d) Subcontractor reporting procedures. Contractors shall flow down 
the cyber incident reporting requirements of this part to their 
subcontractors, as appropriate. Contractors shall require 
subcontractors to rapidly report cyber incidents directly to DoD at 
http://dibnet.dod.mil and the prime contractor. This includes providing 
the incident report number, automatically assigned by DoD, to the prime 
contractor (or next higher-tier subcontractor) as soon as practicable.
    (e) Medium assurance certificate requirement. In order to report 
cyber incidents in accordance with this part, the contractor or 
subcontractor shall have or acquire a DoD-approved medium assurance 
certificate to report cyber incidents. For information on obtaining a 
DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/certificate.html.
    (f) If the contractor utilizes a third-party service provider (SP) 
for information system security services, the SP may report cyber 
incidents on behalf of the contractor.
    (g) Contractors are encouraged to report information to promote 
sharing of cyber threat indicators that they believe are valuable in 
alerting the Government and others, as appropriate in order to better 
counter threat actor activity. Cyber incidents that are not compromises 
of covered defense information or do not adversely affect the 
contractor's ability to perform operationally critical support may be 
of interest to the DIB and DoD for situational awareness purposes.
    (h) Malicious software. Malicious software discovered and isolated 
by the contractor will be submitted to the DoD Cyber Crime Center (DC3) 
for forensic analysis.
    (i) Media preservation and protection. When a contractor discovers 
a cyber incident has occurred, the contractor shall preserve and 
protect images of known affected information systems identified in 
paragraph (b) of this section and all relevant monitoring/packet 
capture data for at least 90 days from submission of the cyber incident 
report to allow DoD to request the media or decline interest.
    (j) Access to additional information or equipment necessary for 
forensics analysis. Upon request by DoD, the contractor shall provide 
DoD with access to additional information or equipment that is 
necessary to conduct a forensic analysis.
    (k) Cyber incident damage assessment activities. If DoD elects to 
conduct a damage assessment, DoD will request that the contractor 
provide all of the damage assessment information gathered in accordance 
with paragraph (e) of this section.
    (l) DoD safeguarding and use of contractor attributional/
proprietary information. The Government shall protect against the 
unauthorized use or release of information obtained from the contractor 
(or derived from information obtained from the contractor) under this 
part that includes contractor attributional/proprietary information, 
including such information submitted in accordance with paragraph (b) 
of this section. To the maximum extent practicable, the contractor 
shall identify and mark attributional/proprietary information. In 
making an authorized release of such information, the Government will 
implement appropriate procedures to minimize the contractor 
attributional/proprietary information that is included in such 
authorized release, seeking to include only that information that is 
necessary for the authorized purpose(s) for which the information is 
being released.
    (m) Use and release of contractor attributional/proprietary 
information not created by or for DoD. Information that is obtained 
from the contractor (or derived from information obtained from the 
contractor) under this part that is not created by or for DoD is 
authorized to be released outside of DoD:
    (1) To entities with missions that may be affected by such 
information;
    (2) To entities that may be called upon to assist in the diagnosis, 
detection, or mitigation of cyber incidents;
    (3) To Government entities that conduct LE/CI investigations;
    (4) For national security purposes, including cyber situational 
awareness and defense purposes (including sharing with DIB contractors 
participating in the DIB CS program authorized by this part); or
    (5) To a support services contractor (``recipient'') that is 
directly supporting Government activities related to this part and is 
bound by use and non-disclosure restrictions that include all of the 
following conditions:
    (i) The recipient shall access and use the information only for the 
purpose of furnishing advice or technical assistance directly to the 
Government in support of the Government's activities related to this 
part, and shall not be used for any other purpose;
    (ii) The recipient shall protect the information against 
unauthorized release or disclosure;
    (iii) The recipient shall ensure that its employees are subject to 
use and non-disclosure obligations consistent with this part prior to 
the employees being provided access to or use of the information;
    (iv) The third-party contractor that reported the cyber incident is 
a third-party beneficiary of the non-disclosure agreement between the 
Government and the recipient, as required by paragraph (m)(5)(iii) of 
this section;
    (v) That a breach of these obligations or restrictions may subject 
the recipient to:
    (A) Criminal, civil, administrative, and contractual actions in law 
and equity for penalties, damages, and other appropriate remedies by 
the United States; and
    (B) Civil actions for damages and other appropriate remedies by the 
third party that reported the incident, as a third party beneficiary of 
the non-disclosure agreement.
    (6) Use and release of contractor attributional/proprietary 
information created by or for DoD. Information that

[[Page 59587]]

is obtained from the contractor (or derived from information obtained 
from the contractor) under this part that is created by or for DoD 
(including the information submitted pursuant to paragraph (b) of this 
section) is authorized to be used and released outside of DoD for 
purposes and activities authorized by this section, and for any other 
lawful Government purpose or activity, subject to all applicable 
statutory, regulatory, and policy based restrictions on the 
Government's use and release of such information.
    (n) Contractors shall conduct their respective activities under 
this part in accordance with applicable laws and regulations on the 
interception, monitoring, access, use, and disclosure of electronic 
communications and data.
    (o) Freedom of Information Act (FOIA). Agency records, which may 
include qualifying information received from non-federal entities, are 
subject to request under the Freedom of Information Act (5 U.S.C. 552) 
(FOIA), which is implemented in the DoD by DoD Directive 5400.07 and 
DoD Regulation 5400.7-R (see 32 CFR parts 285 and 286, respectively). 
Pursuant to established procedures and applicable regulations, the 
Government will protect sensitive nonpublic information reported under 
mandatory reporting requirements against unauthorized public disclosure 
by asserting applicable FOIA exemptions. The Government will inform the 
non-Government source or submitter (e.g., contractor or DIB participant 
of any such information that may be subject to release in response to a 
FOIA request), in order to permit the source or submitter to support 
the withholding of such information or pursue any other available legal 
remedies.
    (p) Other reporting requirements. Cyber incident reporting required 
by this part in no way abrogates the contractor's responsibility for 
other cyber incident reporting pertaining to its unclassified 
information systems under other clauses that may apply to its 
contract(s), or as a result of other applicable U.S. Government 
statutory or regulatory requirements, including Federal or DoD 
requirements for Controlled Unclassified Information as established by 
Executive Order 13556, as well as regulations and guidance established 
pursuant thereto.


Sec.  236.5  DoD-DIB CS information sharing program.

    (a) All contractors that are CDCs and meet the requirements set 
forth in Sec.  236.7 are eligible to join the voluntary DoD-DIB CS 
information sharing program as a DIB participant.
    (b) Under the voluntary activities of the DoD-DIB CS information 
sharing program, the Government and each DIB participant will execute a 
standardized agreement, referred to as a Framework Agreement (FA) to 
share, in a timely and secure manner, on a recurring basis, and to the 
greatest extent possible, cybersecurity information.
    (c) Each such FA between the Government and a DIB participant must 
comply with and implement the requirements of this part, and will 
include additional terms and conditions as necessary to effectively 
implement the voluntary information sharing activities described in 
this part with individual DIB participants.
    (d) The DoD-DIB CS Activities Office is the overall point of 
contact for the program. The DC3 managed DoD-DIB Collaborative 
Information Sharing Environment (DCISE) is the operational focal point 
for cyber threat information sharing and incident reporting under the 
DoD-DIB CS information sharing program.
    (e) The Government will maintain a Web site or other internet-based 
capability to provide potential DIB participants with information about 
eligibility and participation in the program, to enable online 
application or registration for participation, and to support the 
execution of necessary agreements with the Government.
    (f) GFI. The Government shall share GFI with DIB participants or 
designated SP in accordance with this part.
    (g) Prior to receiving GFI from the Government, each DIB 
participant shall provide the requisite points of contact information, 
to include security clearance and citizenship information, for the 
designated personnel within their company (e.g., typically 3-10 company 
designated points of contact) in order to facilitate the DoD-DIB 
interaction in the DoD-DIB CS information sharing program. The 
Government will confirm the accuracy of the information provided as a 
condition of that point of contact being authorized to act on behalf of 
the DIB participant for this program.
    (h) GFI will be issued via both unclassified and classified means. 
DIB participant handling and safeguarding of classified information 
shall be in compliance with DoD 5220.22-M, ``National Industrial 
Security Program Operating Manual (NISPOM),'' available at http://www.dss.mil/documents/odaa/nispom2006-5220.pdf. The Government shall 
specify transmission and distribution procedures for all GFI, and shall 
inform DIB participants of any revisions to previously specified 
transmission or procedures.
    (i) Except as authorized in this part or in writing by the 
Government, DIB participants may:
    (1) Use GFI only on U.S. based covered contractor information 
systems, or U.S. based networks or information systems used to provide 
operationally critical support; and
    (2) Share GFI only within their company or organization, on a need-
to-know basis, with distribution restricted to U.S. citizens.
    (j) In individual cases DIB participants may request, and the 
Government may authorize, disclosure and use of GFI under applicable 
terms and conditions when the DIB participant can demonstrate that 
appropriate information handling and protection mechanisms are in place 
and has determined that it requires the ability:
    (1) To share the GFI with a non-U.S. citizen; or
    (2) To use the GFI on a non-U.S. based covered contractor 
information system; or
    (3) To use the GFI on a non-U.S. based network or information 
system in order to better protect a contractor's ability to provide 
operationally critical support.
    (k) DIB participants shall maintain the capability to 
electronically disseminate GFI within the Company in an encrypted 
fashion (e.g., using Secure/Multipurpose Internet Mail Extensions (S/
MIME), secure socket layer (SSL), Transport Layer Security (TLS) 
protocol version 1.2, DoD-approved medium assurance certificates).
    (l) DIB participants shall not share GFI outside of their company 
or organization, regardless of personnel clearance level, except as 
authorized in this part or otherwise authorized in writing by the 
Government.
    (m) If the DIB participant utilizes a SP for information system 
security services, the DIB participant may share GFI with that SP under 
the following conditions and as authorized in writing by the 
Government:
    (1) The DIB participant must identify the SP to the Government and 
request permission to share or disclose any GFI with that SP (which may 
include a request that the Government share information directly with 
the SP on behalf of the DIB participant) solely for the authorized 
purposes of this program.
    (2) The SP must provide the Government with sufficient information 
to enable the Government to determine whether the SP is eligible to 
receive such information, and possesses the capability to provide 
appropriate protections for the GFI.

[[Page 59588]]

    (3) Upon approval by the Government, the SP must enter into a 
legally binding agreement with the DIB participant (and also an 
appropriate agreement with the Government in any case in which the SP 
will receive or share information directly with the Government on 
behalf of the DIB participant) under which the SP is subject to all 
applicable requirements of this part and of any supplemental terms and 
conditions in the DIB participant's FA with the Government, and which 
authorizes the SP to use the GFI only as authorized by the Government.
    (n) The DIB participant may not sell, lease, license, or otherwise 
incorporate the GFI into its products or services, except that this 
does not prohibit a DIB participant from being appropriately designated 
an SP in accordance with paragraph (m) of this section.


Sec.  236.6  General provisions of the DoD-DIB CS information sharing 
program.

    (a) Confidentiality of information that is exchanged under the DoD-
DIB CS information sharing program will be protected to the maximum 
extent authorized by law, regulation, and policy. DoD and DIB 
participants each bear responsibility for their own actions under the 
voluntary DoD-DIB CS information sharing program.
    (b) All DIB CS participants may participate in the Department of 
Homeland Security's Enhanced Cybersecurity Services (ECS) program 
(http://www.dhs.gov/enhanced-cybersecurity-services).
    (c) Participation in the voluntary DoD-DIB CS information sharing 
program does not obligate the DIB participant to utilize the GFI in, or 
otherwise to implement any changes to, its information systems. Any 
action taken by the DIB participant based on the GFI or other 
participation in this program is taken on the DIB participant's own 
volition and at its own risk and expense.
    (d) A DIB participant's participation in the voluntary DoD-DIB CS 
information sharing program is not intended to create any unfair 
competitive advantage or disadvantage in DoD source selections or 
competitions, or to provide any other form of unfair preferential 
treatment, and shall not in any way be represented or interpreted as a 
Government endorsement or approval of the DIB participant, its 
information systems, or its products or services.
    (e) The DIB participant and the Government may each unilaterally 
limit or discontinue participation in the voluntary DoD-DIB CS 
information sharing program at any time. Termination shall not relieve 
the DIB participant or the Government from obligations to continue to 
protect against the unauthorized use or disclosure of GFI, attribution 
information, contractor proprietary information, third-party 
proprietary information, or any other information exchanged under this 
program, as required by law, regulation, contract, or the FA.
    (f) Upon termination of the FA, and/or change of Facility Security 
Clearance (FCL) status below Secret, GFI must be returned to the 
Government or destroyed pursuant to direction of, and at the discretion 
of, the Government.
    (g) Participation in these activities does not abrogate the 
Government's, or the DIB participants' rights or obligations regarding 
the handling, safeguarding, sharing, or reporting of information, or 
regarding any physical, personnel, or other security requirements, as 
required by law, regulation, policy, or a valid legal contractual 
obligation. However, participation in the voluntary activities of the 
DoD-DIB CS information sharing program does not eliminate the 
requirement for DIB participants to report cyber incidents in 
accordance with Sec.  236.4.


Sec.  236.7  DoD-DIB CS information sharing program requirements.

    (a) To participate in the DoD-DIB CS information sharing program, a 
contractor must be a CDC and shall:
    (1) Have an existing active FCL granted under the NISPOM (DoD 
5220.22-M); and
    (2) Execute the standardized FA with the Government (available 
during the application process), which implements the requirements set 
forth in Sec. Sec.  236.5 through 236.7, and allows the CDC to select 
their level of participation in the voluntary DoD-DIB CS information 
sharing program.
    (3) In order for participating CDCs to receive classified cyber 
threat information electronically, they must:
    (i) Have or acquire a Communication Security (COMSEC) account in 
accordance with the NISPOM Chapter 9, Section 4 (DoD 5220.22-M), which 
provides procedures and requirements for COMSEC activities; and
    (ii) Have or acquire approved safeguarding for at least Secret 
information, and continue to qualify under the NISPOM for retention of 
its FCL and approved safeguarding; and
    (iii) Obtain access to DoD's secure voice and data transmission 
systems supporting the voluntary DoD-DIB CS information sharing 
program.
    (b) [Reserved]

    Dated: September 14, 2015.
Patricia L. Toppings,
OSD Federal Register, Liaison Officer, Department of Defense.
[FR Doc. 2015-24296 Filed 10-1-15; 8:45 am]
 BILLING CODE 5001-06-P