[Federal Register Volume 88, Number 85 (Wednesday, May 3, 2023)]
[Proposed Rules]
[Pages 27832-27839]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-09021]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 236
[Docket ID: DOD-2019-OS-0112]
RIN 0790-AK86
Department of Defense (DoD) Defense Industrial Base (DIB)
Cybersecurity (CS) Activities
AGENCY: Office of the DoD Chief Information Officer, Department of
Defense (DoD).
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The DoD is proposing revisions to the eligibility criteria for
the voluntary Defense Industrial Base (DIB) Cybersecurity (CS) Program.
These revisions will allow a broader community of defense contractors
to benefit from bilateral information sharing as when this proposed
rule is finalized all defense contractors who are subject to mandatory
cyber incident reporting will be able to participate. DoD is also
proposing changes to definitions and some technical corrections for
readability.
DATES: Comments must be received by June 20, 2023.
ADDRESSES: Please submit comments on this proposed rule, identified by
32 CFR part 236, Docket ID: DOD-2019-OS-0112 and/or by Regulatory
Information Number (RIN) 0790-AK86, by any of the following methods:
Federal Rulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments.
Mail: Department of Defense, Office of the Assistant to
the Secretary of Defense for Privacy, Civil Liberties, and
Transparency, Regulatory Directorate, 4800 Mark Center Drive, Mailbox
#24, Suite 08D09, Alexandria, VA 22350-1700.
Instructions: The general policy for comments is to make these
submissions available for public viewing as they are received without
change, including any personal identifiers or contact information
provided by the commenter.
FOR FURTHER INFORMATION CONTACT:
Stacy Bostjanick, Chief Defense Industrial Base
Cybersecurity, Office: 703-604-3167.
DIB CS Program Management Office: [email protected].
Instructions: DO NOT submit comments to this email address.
SUPPLEMENTARY INFORMATION:
Background and Authority
The Defense Industrial Base (DIB) means the Department of Defense,
Government, and private sector worldwide industrial complex with
capabilities to perform research and development, design, produce, and
maintain military weapon systems, subsystems, components, or parts to
satisfy military requirements. The DIB Cybersecurity Program is a
voluntary program to enhance and supplement participants' capabilities
to safeguard DoD information that resides on, or transits, DIB
unclassified information systems. The program encourages greater threat
information sharing to complement mandatory aspects of DoD's DIB
cybersecurity activities which are contractually mandated through
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012,
Safeguarding Covered Defense Information and Cyber Incident
Reporting.\1\ This program supports and complements DoD-specific
authorities at 10 U.S.C. 2224 and the Federal Information Security
Management Act (FISMA) (44 U.S.C. 3541 et seq.). Cyber threat
information sharing activities under this proposed rule also fulfill
important elements of DoD's critical infrastructure protection
responsibilities, as the sector risk management agency for the DIB (see
Presidential Policy Directive 21 (PPD-21),\2\ ``Critical Infrastructure
Security and Resilience''). Expanding eligibility requirements for the
DIB CS Program will augment DoD's information sharing activities with
the DIB.
---------------------------------------------------------------------------
\1\ https://www.ecfr.gov/current/title-48/chapter-2/subchapter-H/part-252/subpart-252.2/section-252.204-7012.
\2\ https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
---------------------------------------------------------------------------
Currently, the DIB CS Program has the following objectives:
Establish a voluntary, mutually acceptable framework to
protect information from unauthorized access.
Protect the confidentiality of information exchanged to
the maximum extent authorized by law.
Create a trusted environment to maximize network defense
and remediation efforts by:
1. Sharing cyber threat information and incident reports.
2. Providing mitigation/remediation strategies and malware
analysis.
This program is part of DoD's larger portfolio of work to protect
DoD information handled by the DIB by understanding and sharing
information, building security partnerships, implementing long-term
risk management programs, and maximizing efficient use of resources. It
supports two-way information sharing and maintains meaningful
relationships and frequent dialogue across the diverse array of
eligible defense contractors. For eligible defense contractors, the
program maintains a capability for companies to access classified
government cyber threat information providing additional context to
better understand the cyber threats targeting their networks and
information systems.
In May 2012, DoD published an interim final rule establishing the
voluntary DIB CS Program and the bilateral information sharing model
still used today.\3\ The 2012 rule established a voluntary cyber threat
information sharing program for cleared defense contractors (CDC) with
the ability to safeguard classified information, estimated at 2,650 in
2012. Under the rule cleared defense contractor is defined as a private
entity granted clearance by DoD to access, receive, or store classified
information for the purpose of bidding for a contract or conducting
activities in support of any program of DoD. The 2012 rule stated DoD
would maintain a website to facilitate the following aspects of program
participation: (1) sharing information regarding eligibility and
participation in the program with potential participants, (2) applying
to the program online, and (3) executing the necessary agreements with
the Government. DoD has established this capability as an online portal
referred to as ``DIBNet,'' located at https://dibnet.dod.mil. A final
rule responding to public comments was published in October 2013.\4\ In
October 2015, responding to new statutory requirements for cyber
incident reporting for DoD contractors,
[[Page 27833]]
subcontractors, and those providing operationally critical support, DoD
published another interim final rule \5\ to expand eligibility to all
cleared defense contractors (estimated at 8,500 in 2015 and 12,000 in
2022), subject to program eligibility requirements. The 2015 rule
removed the safeguarding requirement to participate in the program. The
rule also removed the mandatory program eligibility requirement to have
or acquire a Communications Security (COMSEC) account \6\ and obtain
access to DoD's secure voice and data transmission systems, although
participants still have to fulfill these requirements to receive
classified cyber threat information electronically. A final rule
responding to public comments was published in October 2016.\7\
---------------------------------------------------------------------------
\3\ 77 FR 27615, May 11, 2012 (https://www.govinfo.gov/content/pkg/FR-2012-05-11/pdf/2012-10651.pdf).
\4\ 78 FR 62430, October 22, 2013 (https://www.govinfo.gov/content/pkg/FR-2013-10-22/pdf/2013-24256.pdf).
\5\ 80 FR 59581, October 2, 2015 (https://www.govinfo.gov/content/pkg/FR-2015-10-02/pdf/2015-24296.pdf).
\6\ The National Security Agency administers COMSEC accounts.
\7\ 81 FR 68312, October 4, 2016 (https://www.govinfo.gov/content/pkg/FR-2016-10-04/pdf/2016-23968.pdf).
---------------------------------------------------------------------------
Discussion of the Proposed Rule
With this rule, the Department proposes to expand eligibility
requirements to allow greater program participation and increase the
benefits of bilateral information sharing, which helps protect DoD
controlled unclassified information from cyberattack, as well as to
better align the voluntary DIB CS Program with DoD's mandatory cyber
incident reporting requirements. The current eligibility requirements,
based on the October 2016 rule, requires a company to be a cleared
defense contractor \8\ who:
---------------------------------------------------------------------------
\8\ 32 CFR 236.2 defines cleared defense contractor to mean a
subset of contractors cleared under the National Industrial Security
Program (NISP) who have classified contracts with the DoD.
---------------------------------------------------------------------------
Has DoD-approved medium assurance certificates; \9\
---------------------------------------------------------------------------
\9\ The DoD has established the External Certification Authority
(ECA) program to support the issuance of DoD-approved certificates
to industry partners and other external entities and organizations.
The ECA program is designed to provide the mechanism for these
entities to securely communicate with the DoD and authenticate to
DoD Information Systems. [https://public.cyber.mil/eca/].
---------------------------------------------------------------------------
Has an existing facility clearance \10\ to at least the
Secret level;
---------------------------------------------------------------------------
\10\ Entities (including companies and academic institutions)
engaged in providing goods or services to the U.S. Government
involving access to or creation of classified information may be
granted a Facility Clearance (FCL). The Defense Counterintelligence
and Security Agency (DCSA) processes, issues, and monitors the
continued eligibility of entities for an FCL. [https://www.dcsa.mil/mc/isd/fc/].
---------------------------------------------------------------------------
Can execute the standardized Framework Agreement \11\
provided to interested contractors after the Department has verified
the DIB company is eligible.
---------------------------------------------------------------------------
\11\ Applicants to the DIB CS Program submit an application from
https://dibnet.dod.mil. Once a company has been verified, the
Framework Agreement is made available for review.
---------------------------------------------------------------------------
The program has experienced steady growth, with the annual number
of applications tripling since 2016 (80 total applications received in
2016, 266 total applications received in 2022). It has also seen a
steady increase in the percentage of defense contractors who are
interested in participating but do not meet current eligibility
requirements. The percentage of applications received from ineligible
defense contractors has risen at an average rate of 5% per year since
2016; 10% of applications received in 2016 were from ineligible defense
contractors, while 45% of applicants in 2022 were ineligible. This
steady increase in ineligible applicants indicates an increasing desire
amongst defense contractors to participate in a cyber threat
information sharing program.
In addition, the Department has actively engaged defense
associations, universities, and companies in the DIB, as well as
participated in many public forums discussing cyber threats and the way
forward. The overwhelming feedback was for the Department to facilitate
engagement with the broader community of defense contractors beyond
just the cleared defense community. In general, smaller defense
contractors have fewer resources to devote to cybersecurity, which may
provide a vector for adversaries to access information critical to
national security. In addition, the Department is working on providing
more tailored threat information to support the needs of a broader
community of defense contractors with varying cybersecurity
capabilities. The gap in eligibility in the current program, feedback
from interested but ineligible contractors, a vulnerable DoD supply
chain, and a pervasive cyber threat have prompted DoD to propose
revising the eligibility requirements of the DIB CS Program to allow
participation by non-cleared defense contractors.
The maximum number of defense contractors estimated to be subject
to mandatory cyber incident reporting under DFARS clause 252.204-7012
is 80,000. The presence of the clause in a contract does not establish
that covered defense information is shared. DoD is working on reporting
mechanisms to better assess contractors managing covered defense
information. The population of defense contractors in possession of
covered defense information and subject to mandatory incident reporting
requirements far exceeds the population of defense contractors
currently eligible to participate in the voluntary DIB CS Program. With
the proposed changes to the eligibility criteria, an estimated
additional 68,000 defense contractors will be eligible to participate
in the voluntary DIB CS Program. Based on prior participation
statistics, it is estimated that about 10% of the eligible contractors
(12,000 + 68,000 = 80,000) will actually apply to join the voluntary
DIB CS Program (80,000 x 0.10 = 8,000).
Currently, the DIB CS Program has approximately 1,000 cleared
defense contractors participating in the program. Program participants
have access to technical exchange meetings, a collaborative web
platform (DIBNet-U), and threat products and services through the DoD
Cyber Crime Center (DC3). DC3 implements the program's operations by
sharing cyber threat information and intelligence with the DIB, and
offering a variety of products, tools, services, and events. DC3 serves
as the single clearinghouse for unclassified Mandatory Incident Reports
(MIRs) and voluntary threat information sharing reports.
Changes to Definitions
In addition to the program eligibility changes described above, DoD
is also proposing the following changes.
Sec. 236.2 Definitions
1. Access to media--This definition is being removed as it is no
longer used in the rule text.
3. DIB CS Program participant--This definition has been revised to
align with the revised eligibility requirements set forth in this
proposed rule.
4. Government furnished information (GFI)--This definition was
revised to adopt the convention of referring to the DIB CS Program with
a capital `P'.
Other Proposed Changes
DoD is amending Sec. 236.5 (DoD's DIB CS program) in order to
align the program description with the revised eligibility
requirements. As a result, references to cleared defense contractors
have been replaced with contractors that own or operate a covered
contractor information system. Security clearance information is only
collected, when applicable, if a company elects to participate in
classified information sharing. In addition, the language stating
participation is typically three to ten company-designated points of
contact (POC) has been removed, to avoid confusion regarding the number
of POCs, as some larger companies may wish to nominate a larger number
of
[[Page 27834]]
POCs and smaller companies may wish to nominate fewer.
DoD is amending Sec. 236.7 (DoD's DIB CS program requirements) to
remove the requirement that a company have an existing active facility
clearance (FCL) to at least the Secret level granted under 32 CFR part
117, National Industrial Security Program Operating Manual
(NISPOM),\12\ to be eligible to participate in the DIB CS Program. In
addition, references to cleared defense contractors have been replaced
with contractors that own or operate a covered contractor information
system.
---------------------------------------------------------------------------
\12\ https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-117.
---------------------------------------------------------------------------
A foundational element of the activities described in this part is
the recognition that the information shared between DoD and DIB CS
Program participants pursuant to the DIB CS Program includes extremely
sensitive information that requires protection. For additional
information regarding the Government's safeguarding of information
received from contractors that requires protection, see the Privacy
Impact Assessment (PIA) for the DIB Cybersecurity Activities located
at: https://dodcio.defense.gov/Portals/0/Documents/DIB_PIA.pdf. The PIA
provides detailed procedures for handling personally identifiable
information (PII), attributional information about the strengths or
vulnerabilities of specific covered contractor information systems,
information providing a perceived or real competitive advantage on
future procurement action, and contractor information marked as
proprietary or commercial or financial information. In addition,
personnel information is covered by Office of the Secretary of Defense
(OSD) System of Records Notice (SORN) DCIO 01 (https://dpcld.defense.gov/Portals/49/Documents/Privacy/SORNs/OSDJS/DCIO-01.pdf). No changes to the PIA or SORN are being proposed in
conjunction with this proposed rule.
Expected Impact of the Proposed Rule
Costs
DoD believes the cost impact of the proposed changes to this
proposed rule is not significant, as the changes primarily expand the
availability of the established DIB CS Program to additional defense
contractors. The newly eligible population of defense contractors may
incur costs to familiarize themselves with the rule and those who elect
to participate in the program will incur costs related to program
participation. The Government will continue to incur costs related to
operating the program. The DIB CS Program conducts outreach activities
to defense contractors through press releases, participation in
defense-oriented conferences, speaking engagements, and through digital
media. The program will leverage pre-established channels to message
changes to the program and engage with the eligible population of
defense contractors. Based on the program growth experienced that
during the last phase of program expansion the program is forecasting
annual growth at just over 1% of the eligible population. At a growth
rate of 1% per year it will take the program approximately 10 years to
achieve the estimated 10% participation rate of the eligible DIB.
Costs to DIB Participants
In order to join the DIB CS Program there is an initial labor
burden for a defense contractor to familiarize themselves with the rule
and subsequently apply to the program and provide POC information. In
total, if it takes each contractor 30 minutes to read and familiarize
him/herself with the rule, it will take contractors 4,000 hours to
familiarize themselves with the rule (8,000 participants x .5 = 4,000
hours). At an hourly wage of $108.92, the total cost incurred by
contractors for rule familiarization will amount to $108,920 dollars
($108.92 x .5 hours = $54.46 x 4,000 hours = $217,840). The hourly
labor cost is based on the mean wage estimate from the Bureau of Labor
Statistics for an Information Security Analysts, Occupational
Employment and Wages, May 2021 and is covered under information
collection 0704-0490. This hourly wage is adjusted upward by 100% to
account for overhead and benefits, which implies a value of $108.92 per
hour.
The estimated annual burden for a company to apply to the program
or for a participating company to update POC information is $36.31,
with a total annual cost to all participants of $319,498.67 at peak
program participation. This calculation is based on 8,000 participants
submitting an average of one application per year and 10% of the
population (800 participants) submitting an update each year, with 20
minutes of labor per submission, at a cost of $108.92 per hour ($36.31
($108.92 x \1/3\ hours) x 8,800 events = $319,498.67).
There is an estimated annual burden projected at $544.60 for
defense contractors voluntarily sharing cyber threat information. This
is based on a defense contractor electing to submit an average of five
informational reports per year with two hours of labor per voluntary
submission, at a cost of $108.92 per hour ($108.92 x 2 hours each =
$217.84 x 5 reports = $1,089.20). It is estimated that 1% of the newly
eligible population will elect to join the DIB CS Program annually,
which currently has approximately 1,000 participants, with program
growth plateauing at 10% of the population by Year 9. The table below
shows the costs to industry to voluntarily sharing cyber threat
information over a 9-year period. If, in the first year of the program
expanding there are 980 participants and 800 new participants join the
program, there will be a total of 1,780 participants. Assuming each
participant responds five times, this totals 8,900 annual responses
times $217.84 per response and will equal $1,938,776 in total annual
cost to participants, which is covered in information collection 0704-
0489.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Year 1 Year 2 Year 3 Year 4 Year 5 Year 6 Year 7 Year 8 Year 9
--------------------------------------------------------------------------------------------------------------------------------------------------------
DIB CS Participants................ 1,780 2,580 3,380 4,180 4,980 5,780 6,580 7,380 8,000
Voluntary Reports Received......... 8,900 12,900 16,900 20,900 24,900 28,900 32,900 36,900 40,000
Annual Cost........................ $1,938,776 $2,810,136 $3,681,496 $4,552,856 $5,424,216 $6,295,576 $7,166,936 $8,038,296 $8,713,600
--------------------------------------------------------------------------------------------------------------------------------------------------------
In addition, DIB CS Program participants may choose to attend
meetings in conjunction with the DIB CS Program. All new participants
are invited to attend an orientation session and all existing
participants are invited to attend meetings on a quarterly basis. If a
defense contractor chooses to send an employee to a day-long meeting
each quarter, the defense contractor would incur a cost of $1,742
($108.92 x 8 hours = $871.36 x 4 meetings = $3,485.44).
[[Page 27835]]
Costs to the Government
The DoD has identified general areas of costs related to the
operation of this program. First, DoD incurs costs to implement this
program operationally by responding to inquiries, processing
application submissions and collecting, sharing, and managing POC
information for program administration and management purposes. Second,
DoD incurs costs to collect, analyze, and disseminate threat
information.
DoD responds to an average of 2,000 questions each year and these
responses are estimated to take 20 minutes per response. If it takes 20
minutes to respond to each question, it will take 667 hours to respond
to questions. At an hourly wage of $51.16,\13\ it will cost the DoD
$34,107 dollars to respond to questions ($51.16 x (.333 x 2,000) =
$34,107). Costs to the government are incurred when a company applies
to the DIB CS Program to validate and store POC information and to
perform follow-up activities with a company when the information is
outdated. The processing time for these activities is estimated to be
one hour per company. If 8,000 companies participate in the program and
10% of the companies update information with the program annually the
labor cost to the government is expected to be $450,208 = (8,800 x
$51.16).
---------------------------------------------------------------------------
\13\ This is based upon the 2022 General Schedule (GS) pay scale
for a GS-9 Step 5 and is adjusted upward by 100% to adjust for
overhead and benefits.
---------------------------------------------------------------------------
In addition, there is a cost incurred by the DoD to receive cyber
threat information submitted by defense contractors to have it analyzed
by cyber threat experts at DC3. By year 9 of the expanded program, it
is estimated DC3 will receive 40,000 responses per year, based on the
estimate that each participating company elects to submit 5
informational reports (8,000 participants x 5 reports). Each product
takes approximately two hours to create and incurs an hourly labor cost
of $51.16 per hour. This equals $102.32 (2 hours x 51.16) per response.
The labor cost to the government is forecasted to be $4,092,800
annually after 9 years of growth. In addition to processing cyber
threat information, the DoD incurs operational and maintenance costs
for the system receiving and storing cyber threat information. This
system costs the DoD $5,100,000 annually to maintain (covered under
information collection 0704-0489).
Benefits
This program benefits the Department by increasing awareness and
improving assessments of cyber incidents that may affect mission
critical capabilities and services. It continues to be an important
element of the Department's comprehensive effort to defend DoD
information, protect U.S. national interests against cyber-attacks, and
support military operations and contingency plans worldwide. Once a
defense contractor joins the program, they are encouraged to share
information, including cyber threat indicators, that they believe may
be of value in alerting the Government and others, as appropriate, of
adversary activity to enable the development of mitigation strategies
and proactively counter threat actor activity. DC3 develops written
products that include analysis of the threat, mitigations, and
indicators of adversary activity. Even cyber incidents that are not
compromises of covered defense information may be of interest to DoD
for situational awareness purposes. This information is disseminated as
anonymized threat products that are shared with authorized DoD
personnel, other Federal agencies, and company-designated POCs
participating in the DIB CS Program. With the revisions to the
eligibility criteria, the Department will be able to reduce the impact
of cyber threat activity on DIB networks and information systems and,
in turn, preserve its technological advantage and protect DoD
information and warfighting capabilities. The mitigation of the cyber
threat targeting defense contractors reinforces the nation's national
security and economic vitality.
For DIB participants, this program provides valuable cyber threat
information they cannot obtain from anywhere else and technical
assistance through analyst-to-analyst exchanges, mitigation and
remediation strategies, and cybersecurity best practices in a
collaborative environment. The shared unclassified and classified cyber
threat information is used to bolster a company's cybersecurity posture
and mitigate the growing cyber threat. The program's tailored support
for small, mid-size, and large companies with varying cybersecurity
maturity levels is an asset for participants. The program remains a key
element of DoD's cybersecurity efforts by providing services to help
protect DIB CS Program participants and the sensitive DoD information
they handle.
Alternatives
Alternative #1
Maintain status quo with the ongoing voluntary cybersecurity
program for cleared defense contractors.
Reason for Not Selecting Alternative #1
This option is not selected as it does not allow DoD to increase
bilateral information sharing to bolster DIB cybersecurity and
safeguard DoD information transiting on DIB networks. In addition, the
population of defense contractors with mandatory reporting requirements
would continue to exceed those eligible to participate in the DIB CS
Program. Companies that submit mandatory reports but are not eligible
for the DIB CS Program would continue to be excluded from receiving
cyber threat information and technical assistance.
Alternative #2
DoD posts generic cyber threat information and cybersecurity best
practices on a publicly accessible website without directly engaging
participating companies.
Reason for Not Selecting Alternative #2
This alternative was not selected as companies already have access
to open-source cyber threat information and best practices from
multiple sources in the public sector. This alternative does not afford
access by defense contractors to government-furnished cyber threat
information, specifically tailored for the DIB. In addition, this
alternative does not enable defense contractor interaction with DC3.
Alternative #3
Revise eligibility requirements to permit all defense contractors
who own or operate a covered contractor information system
(approximately 80,000 defense contractors) to participate in the DIB CS
Program. Using the 10% estimation used for past program participation,
the program is forecasted to grow to approximately 8,000 defense
contractors.
Reason for Selecting Alternative #3
The revised eligibility criteria allow DoD to perform outreach to a
broader DIB community. Being able to share pertinent cyber threat
information with the DIB will increase both the DoD and defense
contractors' knowledge of the cyber threat landscape. Giving DoD the
ability to have greater visibility over issues affecting unclassified
networks will allow DoD to share pertinent alerts and threat
information with a larger number of DIB organizations. DoD believes
that revising the eligibility criteria to apply to contractors that own
or operate covered contractor information systems is an important step
in managing DoD's operational risk because it will allow additional
companies to begin receiving cyber
[[Page 27836]]
threat information to inform and harden their cybersecurity posture.
DIB organizations that do not meet the current eligibility requirements
to be in a DoD-sponsored cyber threat information sharing program have
expressed interest in this change as noted previously by the growing
percentage of ineligible applicants.
Regulatory Compliance Analysis
A. Executive Order 12866, ``Regulatory Planning and Review'' and
Executive Order 13563, ``Improving Regulation and Regulatory Review''
Executive Order 12866 direct agencies to assess all costs,
benefits, and available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health, safety
effects, distributive impacts, and equity). Executive Order 13563
emphasizes the importance of quantifying both costs and benefits, of
reducing costs, of harmonizing rules, and of promoting flexibility.
This proposed rule has been designated ``significant,'' under Executive
Order 12866.
B. Congressional Review Act (5 U.S.C. 801 et seq.)
Pursuant to the Congressional Review Act, this proposed rule has
not been designated a major rule, as defined by 5 U.S.C. 804(2). This
proposed rule will not have an economic effect above the $100 million
threshold defined in 5 U.S.C. 804(2) or spur a major increase in costs
or prices for consumers, individual industries, Federal, State, or
local government agencies, or geographic regions; or have significant
adverse effects on competition, employment, investment, productivity,
innovation, or on the ability of United States-based enterprises to
compete with foreign-based enterprises in domestic and export markets.
C. Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. 601)
The Office of the DoD Chief Information Officer certifies that this
proposed rule is not subject to the Regulatory Flexibility Act (5
U.S.C. 601) because it would not, if promulgated, have a significant
economic impact on a substantial number of small entities. This
proposed rule will have a significant positive impact on small entities
that will become eligible to participate in and receive benefits
through the DIB CS Program. For DIB participants, this program provides
cyber threat information and technical assistance through analyst-to-
analyst exchanges, mitigation and remediation strategies, and
cybersecurity best practices in a collaborative environment. The shared
threat information is used to bolster a company's cybersecurity posture
and mitigate the growing cyber threat. The program's tailored support
for small, mid-size, and large companies with varying cybersecurity
maturity levels is an asset for participants.
Participation in the DIB CS Program is voluntary. Program
application and participation costs are described in the cost analysis
section of this proposed rule. These costs are voluntarily incurred and
associated with the labor and resource costs to complete the required
program paperwork, including execution of the Framework Agreement, to
submit information to the Government, and to receive information from
the Government. The costs associated with applying to the DIB CS
Program are associated exclusively with labor costs and estimated to be
$18.15 per company. None of the program's offering come at an
additional fee to DIB participants and additional costs related to
participation are estimated based on the time investment (labor hours)
required to obtain the benefits as described in the cost analysis of
this preamble. Therefore, the Regulatory Flexibility Act, as amended,
does not require us to prepare a regulatory flexibility analysis.
D. Sec. 202, Public Law 104-4, ``Unfunded Mandates Reform Act''
Section 202 of the Unfunded Mandates Reform Act of 1995 (2 U.S.C.
1532) requires agencies to assess anticipated costs and benefits before
issuing any rule whose mandates require spending in any one year of
$100 million in 1995 dollars, updated annually for inflation. When the
Federal Government passes legislation requiring a State, local, or
tribal government to perform certain actions or offer certain programs
but does not include any funds for the actions or programs in the law,
an unfunded mandate results. This proposed rule will not mandate any
requirements for State, local, or tribal governments, and will not
mandate private sector incurred costs above the $100 million threshold
defined in 2 U.S.C. 1532.
E. Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter
35)
This proposed rule contains the following information collection
requirements under the Paperwork Reduction Act (PRA) of 1995.
0704-0489, ``DoD's Defense Industrial Base (DIB)
Cybersecurity (CS) Activities Cyber Incident Reporting,''
0704-0490, ``DoD's Defense Industrial Base (DIB)
Cybersecurity (CS) Points of Contact (POC) Information.''
With the revisions in eligibility criteria, DoD expects the burden
associated with both collections to increase as additional defense
contractors join the DIB CS Program and additional cyber threat
information is reported. DOD is requesting comments on both collections
as part of this proposed rule. Additional information regarding these
collections of information--including all background materials--can be
found at https://www.reginfo.gov/public/do/PRAMain by using the search
function to enter either the title of the collection or the Office of
Management and Budget (OMB) Control Number.
Comments are invited on: (a) whether the proposed collections of
information are necessary for the proper performance of the functions
of DoD, including whether the information will have practical utility;
(b) the accuracy of the estimate of the burden for both information
collections; (c) ways to enhance the quality, utility, and clarity of
the information to be collected; and (d) ways to minimize the burden on
respondents, including the use of automated collection techniques or
other forms of information technology. Specific information on both
collections is below.
DoD's Defense Industrial Base (DIB) Cybersecurity (CS) Activities Cyber
Incident Reporting--OMB Control Number 0704-0489
Title: DoD's Defense Industrial Base (DIB) Cybersecurity (CS)
Activities Cyber Incident Reporting.
Type of Request: Revision.
Number of Participants: Number of DoD contractors eligible to
participate in the voluntary program is 80,000. DoD estimates that
approximately 1% of the newly eligible population will elect to join
the program each year with program growth plateauing at approximately
10% of the population by Year 9. Based on this estimate, after the
first three years of the program expansion, 2,400 defense contractors
will join the existing 980 participating companies resulting in 3,380
defense contractors submitting voluntary cyber threat information
reports.
Projected Responses per Participant: Five reports per participant.
Annual Total Responses: 16,900.
Average Burden per Response: Two hours.
[[Page 27837]]
Annual Total Burden Hours: 33,800 hours for all voluntary
submissions.
Needs and Uses: DoD designated DC3 as the single focal point for
receiving all cyber incident reporting affecting the unclassified
networks of DoD contractors from industry and other government
agencies. DoD collects cyber incident and threat reports using the
Defense Industrial Base Network (DIBNet) portal (https://dibnet.dod.mil). Cyber threat reports are analyzed by experts at DC3
and they, in turn, develop written products that include analysis of
the threat, mitigations, and indicators of adversary activity. These
anonymized products are shared with authorized DoD personnel,
authorized personnel from other Federal agencies, and authorized POCs
from the DIB CS Program.
Affected Public: Business or other for-profit and not-for-profit
institutions.
Frequency: On occasion.
Respondent's Obligation: Voluntary.
DoD's Defense Industrial Base (DIB) Cybersecurity (CS) Points of
Contact (POC) Information--OMB Control Number 0704-0490
Title: DoD's Defense Industrial Base (DIB) Cybersecurity (CS)
Activities Points of Contact (POC) Information.
Type of Request: Revision.
Number of Participants: DoD contractors impacted is 80,000. DoD
estimates that approximately 1% of the newly eligible population (800
defense contractors) will elect to join the program each year with
program growth plateauing at approximately 10% of the population by
Year 9. Each year, approximately 10% of participating companies will
report changes to company contacts. If 10% of the pre-existing
companies (2,580 in year 2) submit updates to the POC information and
800 new companies join, by year 3 this would result in 1,058 annual
updates.
Projected Responses per Participant: Initial collection is one per
company with updates on a case-by-case basis.
Annual Total Responses: 1,058.
Average Burden per Response: 20 minutes.
Annual Total Burden Hours: 353 hours for all participants.
Needs and Uses: Defense contractors complete a program application
and sign the DIB CS Program Framework to initiate participation. The
Government will collect business POC information from all DIB CS
Program participants on a one-time basis, with updates as necessary, to
facilitate communications and the sharing of share unclassified and
classified cyber threat information.
Affected Public: Business or other for-profit and not-for-profit
institutions.
Frequency: On occasion.
Respondent's Obligation: Voluntary.
F. Executive Order 13132, ``Federalism''
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct requirement costs on State
and local governments, preempts State law, or otherwise has federalism
implications. This proposed rule will not have a substantial effect on
State and local governments.
G. Executive Order 13175, ``Consultation and Coordination With Indian
Tribal Governments''
Executive Order 13175 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct compliance costs on one or
more Indian tribes, preempts tribal law, or effects the distribution of
power and responsibilities between the Federal Government and Indian
tribes. This proposed rule will not have a substantial effect on Indian
tribal governments.
List of Subjects in 32 CFR Part 236
Government contracts, Security measures.
Accordingly, DoD proposes to amend 32 CFR part 236 as follows:
PART 236--DEPARTMENT OF DEFENSE (DoD) DEFENSE INDUSTRIAL BASE (DIB)
CYBERSECURITY (CS) ACTIVITIES
0
1. The authority citation for 32 CFR part 236 continues to read as
follows:
Authority: 10 U.S.C. 391, 393, and 2224; 44 U.S.C. 3506 and
3544; 50 U.S.C. 3330.
0
2. Revise the heading of 32 CFR part 236 to read as set forth above.
Sec. 236.1 [Amended]
0
3. Amend Sec. 236.1 by:
0
a. Removing ``eligible DIB participants'' and adding in its place
``eligible DoD contractors''.
0
b. Removing ``DIB CS program'' and adding in its place ``DIB CS
Program'' wherever it appears.
0
c. Removing ``DIB CS participants'' and adding in its place ``DIB CS
Program participants''.
0
d. Removing ``DIB participants' capabilities'' and adding in its place
``DIB CS Program participants' capabilities''.
Sec. 236.2 [Amended]
0
4. Amend Sec. 236.2 by:
0
a. Removing the definition of ``Access to media''.
0
b. In the definition of ``DIB participant'':
0
i. Removing ``DIB participant'' and adding in its place ``DIB CS
Program participant''.
0
ii. Removing ``DIB CS program'' and adding in its place ``DIB CS
Program''.
0
c. Removing ``DIB CS program'' in the definition of ``Government
furnished information (GFI)'' and adding in its place ``DIB CS
Program''.
Sec. 236.3 [Amended]
0
5. Amend Sec. 236.3 by:
0
a. Removing ``program'' and adding in its place ``Program
participants'' in paragraph (b)(1).
0
b. Removing ``DIB CS program'' and adding in its place ``DIB CS
Program'' in paragraph (c).
0
6. Amend Sec. 236.4 by:
0
a. Removing ``http'' and adding in its place ``https'' in paragraphs
(b)(2), (c), and (d).
0
b. Removing ``http://iase.disa.mil/pki/eca/Pages/index.aspx'' and
adding in its place ``https://public.cyber.mil/eca/'' in paragraph (e).
0
c. Revising paragraph (f).
0
d. Adding a comma after ``as appropriate'' in the first sentence in
paragraph (g).
0
e. Removing ``paragraph (e)'' and adding in its place ``paragraph (i)''
in paragraph (k).
0
f. In paragraph (m)(4):
0
i. Removing ``DIB contractors'' and adding in its place ``defense
contractors''.
0
ii. Removing ``DIB CS program'' and adding in its place ``DIB CS
Program''.
0
g. Revising paragraph (p).
The revisions read as follows:
Sec. 236.4 Mandatory cyber incident reporting procedures.
* * * * *
(f) Third-party service provider support. If the contractor
utilizes a third-party service provider (SP) for information system
security services, the contractor may authorize the SP to report cyber
incidents on behalf of the contractor.
* * * * *
(p) Freedom of Information Act (FOIA). Agency records, which may
include qualifying information received from non-Federal entities, are
subject to request under the Freedom of Information Act (5 U.S.C. 552).
The Government will notify the non-Government source or submitter
(e.g., contractor or DIB CS Program participant) of the information in
[[Page 27838]]
accordance with the procedures in 32 CFR 286.10.
* * * * *
0
7. Amend Sec. 236.5 by:
0
a. Revising section heading and paragraph (a).
0
b. In paragraph (b):
0
i. Removing ``DIB CS program'' and adding in its place ``DIB CS
Program''.
0
ii. Removing ``DIB participant'' and adding in its place ``DIB CS
Program participant''.
0
c. In paragraph (c):
0
i. Removing ``DIB participant'' and adding in its place ``DIB CS
Program participant''.
0
ii. Removing ``individual DIB participants'' and adding in its place
``individual DIB CS Program participants.''
0
d. In paragraph (d):
0
i. Removing ``DoD's DIB CS Program Office'' and adding in its place
``DoD's DIB CS Program Management Office''.
0
ii. Removing ``DoD DIB'' and adding in its place ``DoD-DIB''.
0
iii. Removing ``DIB CS program'' and adding in its place ``DIB CS
Program''.
0
e. Removing ``DIB participants'' and adding in its place ``DIB CS
Program participants'' in paragraph (e).
0
f. Redesignating paragraphs (f) through (n) as paragraphs (g) through
(o).
0
g. Adding new paragraph (f).
0
h. In newly redesignated paragraph (g):
0
i. Removing the heading.
0
ii. Removing ``DIB participants'' and adding in its place ``DIB CS
Program participants''.
0
i. Revising newly redesignated paragraphs (h) and (i).
0
j. Removing ``DIB participants'' and adding in its place ``DIB CS
Program participants'' in newly redesignated paragraph (j) introductory
text.
0
k. In newly redesignated paragraph (k):
0
i. Removing ``DIB participants'' and adding in its place ``DIB CS
Program participants''.
0
ii. Removing ``DIB participant'' and adding in its place ``DIB CS
Program participant''.
0
l. Removing ``DIB participants'' and adding in its place ``DIB CS
Program participants'' in newly redesignated paragraph (l).
0
m. Removing ``DIB participants'' and adding in its place ``DIB CS
Program participants'' in newly redesignated paragraph (m).
0
n. In newly redesignated paragraph (n):
0
i. Removing ``DIB participant'' and adding in its place ``DIB CS
Program participant'' wherever it appears.
0
ii. Removing ``DIB participant's FA'' and adding in its place ``DIB CS
Program participant's FA''.
0
o. In newly redesignated paragraph (o):
0
i. Removing ``DIB participant'' and adding in its place ``DIB CS
Program participant'' wherever it appears.
0
ii. Removing ``paragraph (m) of this section'' and adding in its place
``paragraph (n) of this section.''
The revisions and addition read as follows:
Sec. 236.5 DoD's DIB CS Program.
(a) All defense contractors that meet the requirements set forth in
Sec. 236.7 are eligible to join the DIB CS Program as a DIB CS Program
participant. Defense contractors meeting the additional eligibility
requirements in Sec. 236.7 can elect to access and receive classified
information electronically.
* * * * *
(f) As participants of the DIB CS Program, defense contractors are
encouraged to share cyber threat indicators and information that they
believe are valuable in alerting the Government and other DIB CS
Program participants to better counter threat actor activity. Cyber
activity that is not covered under Sec. 236.4 may be of interest to
DIB CS Program participants and DoD.
* * * * *
(h) Prior to receiving GFI, each DIB CS Program participant shall
provide the requisite points of contact information, to include U.S.
citizenship and security clearance information, as applicable, for the
designated personnel within their company in order to facilitate the
DoD-DIB interaction in the DIB CS Program. The Government will confirm
the accuracy of the information provided as a condition of that point
of contact being authorized to act on behalf of the DIB CS Program
participant for this program.
(i) GFI will be issued via both unclassified and classified means.
DIB CS Program participants handling and safeguarding of classified
information shall be in compliance with 32 CFR part 117. The Government
shall specify transmission and distribution procedures for all GFI, and
shall inform DIB CS Program participants of any revisions to previously
specified transmission or procedures.
* * * * *
Sec. 236.6 [Amended]
0
8. Amend Sec. 236.6 by:
0
a. Removing ``program'' and adding in its place ``Program'' in the
section heading.
0
b. In paragraph (a):
0
i. Removing ``DIB CS program'' and adding in its place ``DIB CS
Program'' wherever it appears.
0
ii. Removing ``DIB participants'' and adding in its place ``DIB CS
Program participants''.
0
c. In paragraph (b):
0
i. Removing ``DIB CS participants'' and adding in its place ``DIB CS
Program participants''.
0
ii. Removing ``http://www.dhs.gov/enhanced-cybersecurity-services'' and
adding in its place ``https://www.cisa.gov/enhanced-cybersecurity-services-ecs''.
0
d. In paragraph (c):
0
i. Removing ``DIB CS program'' and adding in its place ``DIB CS
Program''.
0
ii. Removing ``obligate the DIB participant'' and adding in its place
``obligate the DIB CS Program participant''.
0
iii. Removing ``taken by the DIB participant'' and adding in its place
``taken by the DIB CS Program participant''.
0
iv. Removing ``taken on the DIB participant's'' and adding in its place
``taken on the DIB CS Program participant's''.
0
e. In paragraph (d):
0
i. Removing ``DIB participant's participation'' and adding in its place
``DIB CS Program participant's participation''.
0
ii. Removing ``DIB CS program'' and adding in its place ``DIB CS
Program''.
0
iii. Removing ``approval of the DIB participant'' and adding in its
place ``approval of the DIB CS Program participant''.
0
f. In paragraph (e):
0
i. Removing ``DIB participant'' and adding in its place ``DIB CS
Program participant'' wherever it appears.
0
ii. Removing ``DIB CS program'' and adding in its place ``DIB CS
Program''.
0
g. Adding ``change of status as a defense contractor,'' after ``Upon
termination of the FA,'' in paragraph (f).
0
h. In paragraph (g):
0
i. Removing ``DIB participants' rights'' and adding in its place ``DIB
CS Program participants' rights''.
0
ii. Removing ``DIB CS program'' and adding in its place ``DIB CS
Program''.
0
iii. Removing ``the requirement for DIB participants'' and adding in
its place ``the requirement for DIB CS Program participants''.
0
9. Revise Sec. 236.7 to read as follows:
Sec. 236.7 DoD's DIB CS Program requirements.
(a) To participate in the DIB CS Program, a contractor must own or
operate a covered contractor information system and shall execute
[[Page 27839]]
the standardized FA with the Government (available during the
application process), which implements the requirements set forth in
Sec. Sec. 236.5 and 236.6 and this section.
(b) In order for DIB CS Program participants to receive classified
cyber threat information electronically, the company must be a cleared
defense contractor and must:
(1) Have an existing active facility clearance level (FCL) to at
least the Secret level in accordance with 32 CFR part 117;
(2) Have or acquire a Communication Security (COMSEC) account in
accordance with 32 CFR part 117, which provides procedures and
requirements for COMSEC activities;
(3) Have or acquire approved safeguarding for at least Secret
information, and continue to qualify under 32 CFR part 117 for
retention of its FCL and approved safeguarding; and
(4) Obtain access to DoD's secure voice and data transmission
systems supporting the voluntary DIB CS Program.
Dated: April 25, 2023.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2023-09021 Filed 5-2-23; 8:45 am]
BILLING CODE 5001-06-P