The Department of Defense earlier this month published a proposed rule change that would expand its voluntary Defense Industrial Base Cybersecurity Program — a key mechanism for the Pentagon and its industry partners to bidirectionally share cyber threat information and report incidents.
With the proposed rule change, the DOD’s Office of the Chief Information Officer hopes to expand eligibility beyond “cleared contractors” to allow thousands more vendors from the defense industrial base to participate in the voluntary program, which supplements the department’s mandatory cyber incident reporting requirements.
The Pentagon believes this is incredibly important as more threats are targeting weak points in the defense industrial base as vectors for larger cyberattacks on the DOD. Similarly, the department is also looking to shore up cybersecurity across the DIB through its Cybersecurity Maturity Model Certification (CMMC) program.
Currently, about 1,000 cleared contractors participate in the voluntary Defense Industrial Base Cybersecurity Program program and share classified information bidirectionally with the Pentagon. Their participation also grants them “access to technical exchange meetings, a collaborative web platform (DIBNet-U), and threat products and services through the DoD Cyber Crime Center (DC3).”
Through ongoing engagement with private sector and academic partners, “the overwhelming feedback was for the Department to facilitate engagement with the broader community of defense contractors beyond just the cleared defense community,” the DOD wrote in its proposed rule, posted to the Federal Register on May 3.
“In general, smaller defense contractors have fewer resources to devote to cybersecurity, which may provide a vector for adversaries to access information critical to national security. In addition, the Department is working on providing more tailored threat information to support the needs of a broader community of defense contractors with varying cybersecurity capabilities. The gap in eligibility in the current program, feedback from interested but ineligible contractors, a vulnerable DoD supply chain, and a pervasive cyber threat have prompted DoD to propose revising the eligibility requirements of the DIB CS Program to allow participation by non-cleared defense contractors,” it added.
The DOD estimates that roughly 80,000 contractors are subject to its mandatory cyber incident reporting requirement under Defense Federal Acquisition Regulation Supplement clause 252.204–7012. Under the existing rule that allows only cleared contractors to participate, just 12,000 of that larger 80,000 are eligible.
With the rule change, the full 80,000 would be open to participating and sharing controlled unclassified information; though based on past experience with cleared contractors, the DOD understands only about 10% of those do.
The Pentagon also has evidence to show there’s a demand for the expansion, claiming the “percentage of applications received from ineligible defense contractors has risen at an average rate of 5% per year since 2016,” up to 45% last year.
The costs for the rule change, the DOD says, would be minimal, while the benefits could be huge.
“This program benefits the Department by increasing awareness and improving assessments of cyber incidents that may affect mission critical capabilities and services,” the rule reads.
And for the expanded pool of industry participants, “this program provides valuable cyber threat information they cannot obtain from anywhere else and technical assistance through analyst-to-analyst exchanges, mitigation and remediation strategies, and cybersecurity best practices in a collaborative environment. The shared unclassified and classified cyber threat information is used to bolster a company’s cybersecurity posture and mitigate the growing cyber threat. The program’s tailored support for small, mid-size, and large companies with varying cybersecurity maturity levels is an asset for participants.”
The Pentagon will accept comments on the proposed change through June 20.