On March 12, the Department of Defense (DOD) promulgated a final rule that expands the eligibility criteria for the Defense Industrial Base (DIB) Cybersecurity Program, a voluntary initiative aimed at bolstering the DIB’s ability to safeguard critical information.
The rule will now allow any defense contractor who “owns or operates an unclassified information system that processes, stores, or transmits covered defense information” to take part in the program, removing certain requirements that hindered participation.
The Program
The DIB Cybersecurity Program is a voluntary effort meant to “enhance and supplement participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.” The program complements contractual requirements stipulated by DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, to encourage better threat reporting and information sharing throughout the DIB. Part of a broader DOD project to protect critical information that is handled by the DIB, it also provides a platform to share risk mitigation and remediation strategies.
The program was established in May 2022. However, participation was initially reserved for “cleared defense contractors (CDCs) with the ability to safeguard classified information.” A CDC is defined as “a private entity granted clearance by DoD to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of the DoD.” A 2015 rule expanded the program to remove the requirements that CDCs have “the ability to safeguard classified information,” “have or acquire a Communications Security account,” and “obtain access to DoD’s secure voice and data transmission system.” However, a cleared defense contractor still needed to have “DoD-approved medium assurance certificates, an existing facility clearance to at least the secret level, and the ability to execute the standardized Framework agreement,” which is a document that DOD provides after a DIB contractor has been verified as eligible for the program.
What Does the New Rule Do?
In short, the final rule removes certain requirements to allow additional participants. Since the program's inception, interest in it has only increased. However, not all contractors have been eligible under the existing criteria. In fact, the percentage of ineligible contractors applying for the program rose at an average rate of 5% per year, with 45% of applications in 2022 coming from ineligible contractors. Here are the highlights:
- First, the rule eliminates the requirement that eligible contractors maintain a secret-level facility clearance and instead applies to any contractor that “owns or operates an unclassified information system.”
- Second, the rule eliminates the requirement that contractors obtain a medium assurance certificate and pay the associated fee. Now, contractors must only register with the Procurement Integrity Enterprise Environment (PIEE), satisfying the identity proofing requirements for the voluntary and mandatory programs.
Conclusion
The Biden administration has made strengthening the DIB a priority; cybersecurity, in particular, has been a focus area. This rule will be particularly important for small businesses that have fewer resources to allocate to cybersecurity efforts. Also, the changes will make it easier for all contractors to participate in the program if they so choose. The rule eliminates unnecessary hurdles in the application process. In fact, the DOD rule predicts the changes will increase program involvement by at least 68,000 contractors. For the sake of our cybersecurity protection efforts, let’s hope that prediction is true!
If you have any questions about the voluntary DIB cybersecurity program or cyber rules in general, please contact the author.