DoD Finalizes Cyber Security Threat Sharing Program
On October 22, the Department of Defense (DoD) finalized the details for its DoD-Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance (CS/IA) threat sharing program with defense industrial base companies. No changes have been made to the interim final rule published in May 2012.
This final rule responds to public comments regarding the establishment of the DIB CS/IA program, a voluntary cyber security information sharing activity between DoD and eligible DIB companies to enhance and supplement DIB participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems. The program is codified at 32 CFR Part 236 and implements DoD statutory authorities to establish programs and activities to protect DoD information and DoD information systems, including information and information systems operated and maintained by contractors or others in support of DoD activities (see 10 U.S.C. 2224 and the Federal Information Security Management Act (FISMA), codified at 44 U.S.C. 3541 et seq.). It also fulfills important elements of DoD’s critical infrastructure protection responsibilities, as the sector specific agency for the DIB sector see (Presidential Policy Directive 21 (PPD-21), “Critical Infrastructure Security and Resilience”). This program allows eligible DIB companies to receive U.S. Government (USG) threat information and to share information about network intrusions that could compromise DoD programs and missions. In addition, the program permits DIB companies and DoD to assess and reduce damage to DoD programs and missions when DoD information is potentially compromised. Furthermore, the information sharing arrangements between the DoD and each participating DIB company that implement the requirements of this are memorialized in a standardized bilateral agreement, known as a Framework Agreement (FA), signed by the participating DIB company and the Government.
The rule also provides the eligibility requirements for a company to participate in the DIB CS/IA program.
Costs for DIB participants include obtaining access to DoD’s secure voice and data transmission systems supporting the DIB CS/IA program and acquiring DoD approved medium assurance certificates. There also are costs associated with the collection requirements for providing point of contact information and cyber incident reporting. Government costs include onboarding new companies and collecting and analyzing cyber incidents from DIB participants.
A foundational element of this bilateral information sharing model is the recognition that the information being shared between the parties includes extremely sensitive nonpublic information, which must be protected against unauthorized uses and disclosures in order to preserve the integrity of the program.
For additional information regarding the Government’s safeguarding of information received from the DIB companies, with specific focus on PII, see the Privacy Impact Assessment (PIA) for the DIB CS/IA Program.
In addition, this rule and program are intended to be consistent and coordinated with, and updated as necessary to ensure consistency with and support for, other federal activities related to the handling and safeguarding of controlled unclassified information, such as those that are being led by the National Archives and Records Administration pursuant to Executive Order 13556 Controlled Unclassified Information (November 4, 2010).
This rule is not intended to implement the new requirements from section 941 of the National Defense Authorization Act for Fiscal Year 2013.
For more information, read the full final DIB CS/IA rule in the Federal Register.
