Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities, 59581-59588 [2015-24296]

Federal Register / Vol. 80, No. 191 / Friday, October 2, 2015 / Rules and Regulations
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 236
[DOD–2014–OS–0097]
RIN 0790–AJ29

Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities

AGENCY: Office of the DoD Chief Information Officer, DoD.

ACTION: Interim final rule.

SUMMARY: DoD is revising its DoD–DIB Cybersecurity (CS) Activities regulation to mandate reporting of cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support, and to modify eligibility criteria to permit greater participation in the voluntary DoD-Defense Industrial Base (DIB) Cybersecurity (CS) information sharing program.

DATES: Effective Date: This rule is effective October 2, 2015. Comments must be received by December 1, 2015.

ADDRESSES: You may submit comments, identified by docket number and/or Regulatory Information Number (RIN) and title, by any of the following methods:
• Federal Rulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments.
• Mail: Department of Defense, Office of the Deputy Chief Management Officer, Directorate of Oversight and Compliance, Regulatory and Audit Matters Office, 9010 Defense Pentagon, Washington, DC 20301-9010.

FOR FURTHER INFORMATION CONTACT: DoD–DIB Cybersecurity Activities Office: (703) 604–3167, toll free (855) 363–4227.
SUPPLEMENTARY INFORMATION:

Executive Summary

This rule revises the DoD–DIB cybersecurity information sharing program regulation to implement new statutory requirements for DoD contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support. The program also retains the voluntary information sharing activities for cybersecurity information that is outside the scope of the mandatory reporting requirements.

Regarding the mandatory reporting, this part has been revised to set forth mandatory cyber incident reporting requirements that will apply to all forms of contracts or other agreements between DoD and DIB companies (e.g., procurement contracts, cooperative agreements, other transaction agreements). Thus, all relevant contracts or agreements are required to include these cyber reporting requirements (e.g., through incorporation of the reporting requirements by reference, or by expressly setting forth reporting requirements consistent with this part). The revisions provided in this rule are part of DoD’s efforts to establish a single reporting mechanism for such cyber incidents on unclassified DoD contractor information systems. These requirements are focused on cyber incidents that threaten specific types of DoD program information, such as technical information controlled under the International Traffic in Arms Regulations or the Export Administration Regulations or otherwise controlled by DoD, and operational security information that relates to DoD activities.
Additional cyber incident reporting requirements for other important types of controlled unclassified information (CUI) (e.g., personally identifiable information (PII), budget or financial information) are more specifically addressed through other regulatory mechanisms, and thus are outside the scope of this rule. To clarify this distinction, the rule explicitly states that reporting under this program does not abrogate the contractor’s responsibility for any other applicable cyber incident reporting requirements (§ 236.4(o)).

The rule also revises the program’s definitions to better harmonize with definitions that are already established and used by DoD and other Government agencies in similar contexts, such as those relating to the handling and safeguarding of Controlled Unclassified Information as used by the National Archives and Records Administration pursuant to Executive Order 13556, “Controlled Unclassified Information” (November 4, 2010) (see https://www.archives.gov/cui/), and those widely used in the context of cybersecurity activities (see the Committee on National Security Systems Instruction No. 4009, “National Information Assurance Glossary”). This rule is intended to streamline the reporting process for DoD contractors and minimize duplicative reporting processes, while preserving distinctions where appropriate. Cyber incident reporting involving classified information on classified contractor systems will be in accordance with the National Industrial Security Program Operating Manual (DoD–M 5220.22, https://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf).

This rule also modifies eligibility criteria to permit greater participation in the voluntary DoD–DIB CS information sharing program. Expanding participation in the DoD–DIB CS information sharing program is part of DoD’s comprehensive approach to counter cyber threats through information sharing between the Government and DIB participants.
The DoD–DIB CS information sharing program allows eligible DIB participants to receive Government furnished information (GFI) and cyber threat information from other DIB participants, thereby providing greater insights into adversarial activity targeting the DIB.

The activities in this rule implement DoD statutory authorities to establish programs and activities to protect sensitive DoD information, including when such information resides on or transits information systems operated by contractors or others in support of DoD activities (e.g., 10 U.S.C. 391 and 2224, the Federal Information Security Modernization Act (FISMA), codified at 44 U.S.C. 3551 et seq., and section 941 of the NDAA for FY 2013 (Public Law 112–239)). Activities under this rule also fulfill important elements of DoD’s critical infrastructure protection responsibilities, as the sector specific agency for the DIB sector (see Presidential Policy Directive 21 (PPD–21), “Critical Infrastructure Security and Resilience,” available at https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil).

Under this rule, contractors will incur costs associated with requirements for reporting cyber incidents of covered defense information on their covered contractor information system(s) or those affecting the contractor’s ability to provide operationally critical support. Costs for contractors include identifying and analyzing cyber incidents and their impact on covered defense information, or a contractor’s ability to provide operationally critical support, as well as obtaining DoD-approved medium assurance certificates to ensure authentication and identification when reporting cyber incidents to DoD. Government costs include onboarding new companies under the voluntary DoD–DIB CS information sharing program, and collecting and analyzing cyber incident reports, malicious software, and media.
A foundational element of these new mandatory reporting requirements, as well as the voluntary DoD–DIB CS information sharing activities, is the recognition that the information being shared between the parties includes extremely sensitive information that requires protection. For additional information regarding the Government’s safeguarding of information received from the contractors that requires protection, see the Privacy Impact Assessment (PIA) for the DIB Cybersecurity/Information Assurance Activities located at https://dodcio.defense.gov/Portals/0/Documents/DIB%20CS-IA%20PIA_FINAL_signed_30jun2011_VMSS_GGMR_RC.pdf. The PIA provides detailed procedures for handling personally identifiable information (PII), attributional information about the strengths or vulnerabilities of specific covered contractor information systems, information providing a perceived or real competitive advantage on future procurement action, and contractor information marked as proprietary or commercial or financial information.

Interim Final Rule Justification

This rule is being published as an interim rule in order to comply with statutory guidance under Section 941 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013, and section 391 of Title 10, United States Code (U.S.C.), requiring defense contractors to rapidly report cyber incidents on their unclassified networks or information systems that may affect unclassified defense information, or that affect their ability to provide operationally critical support to the Department. Issuing this rule as an interim final rule underscores the importance of better protecting unclassified defense information against the immediate cyber threat, while preserving the intellectual property and competitive capabilities of our national defense industrial base.
The interim final rule enables DoD to better assess, in the near term, when mission critical capabilities and services are affected by cyber incidents and reinforces DoD’s overall efforts to defend DoD information, protect U.S. national interests against cyber-attacks, and support military operations and contingency plans worldwide. Cybersecurity is a Congressional priority and this interim final rule supports the Administration’s national cybersecurity strategy emphasizing public-private information sharing.

Regulatory Procedures

Executive Orders 12866, “Regulatory Planning and Review” and 13563, “Improving Regulation and Regulatory Review”

Executive Orders 13563 and 12866 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This rule has been designated a “significant regulatory action,” although not economically significant, under section 3(f) of Executive Order 12866. Accordingly, the rule has been reviewed by the Office of Management and Budget (OMB).

Public Law 104–121, “Congressional Review Act” (5 U.S.C. 801)

It has been determined that this rule is not a “major” rule under 5 U.S.C. 801, enacted by Public Law 104–121, because it will not result in an annual effect on the economy of $100 million or more; a major increase in costs or prices for consumers, individual industries, Federal, State, or local Government agencies, or geographic regions; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based enterprises to compete with foreign-based enterprises in domestic and export markets.

Sec. 202, Public Law 104–4, “Unfunded Mandates Reform Act”

It has been determined that this rule does not contain a Federal mandate that may result in expenditure by State, local and tribal Governments, in aggregate, or by the private sector, of $100 million or more in any one year.

Public Law 96–354, “Regulatory Flexibility Act” (5 U.S.C. 601)

It has been certified that this rule is not subject to the Regulatory Flexibility Act (5 U.S.C. 601) because it would not, if promulgated, have a significant economic impact on a substantial number of small entities. Therefore, the Regulatory Flexibility Act, as amended, does not require us to prepare a regulatory flexibility analysis.

Public Law 96–511, “Paperwork Reduction Act” (44 U.S.C. Chapter 35)

It has been determined that 32 CFR part 236 does contain reporting or recordkeeping requirements under the Paperwork Reduction Act (PRA) of 1995. These reporting requirements fall under existing collection approvals under Office of Management and Budget (OMB) Control Numbers: 0704–0489, “Defense Industrial Base Cyber Security/Information Assurance (DIB CS/IA) Cyber Incident Reporting,” and 0704–0490, “Defense Industrial Base Cyber Security/Information Assurance (DIB CS/IA) Points of Contact (POC) Information.”

DoD has submitted a revision for the 0704–0489 collection to OMB under the provisions of the Paperwork Reduction Act (44 U.S.C. Chapter 35) in response to 32 CFR part 236 expanding the number of companies under mandatory cyber incident reporting requirements. Comments are invited on: (a) whether the proposed collection of information is necessary for the proper performance of the functions of DoD, including whether the information will have practical utility; (b) the accuracy of the estimate of the burden of the proposed information collection; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the information collection on respondents, including the use of automated collection techniques or other forms of information technology.

Title: Cyber Incident Reporting by DoD Contractors.
Type of Request: Revision.
Number of DoD contractors impacted is 10,000.
Projected Responses Per Participant Per Year: 5.
Annual Total Responses: Up to 50,000.
Average Burden Per Response: 7 hours (this includes searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information).
Annual Total Burden Hours: 250,000 hours for all participants.
Needs and Uses: The requested information supports the mandatory cyber incident reporting requirements under Section 941 of the NDAA for Fiscal Year (FY) 13 and Section 1632 of the NDAA for FY 15, and facilitates cyber situational awareness and cyber threat information sharing. DoD contractors report incidents using the standard Incident Collection Format (ICF). The primary means of reporting is through a secure unclassified web portal, but a company may report incidents through other communication means if necessary.
Affected Public: DoD contractors with the provisions of 32 CFR part 236 in their agreements with DoD.
Frequency: On occasion.
Respondent’s Obligation: Mandatory.
DoD has submitted a revision for the 0704–0490 collection to OMB under the provisions of the Paperwork Reduction Act (44 U.S.C. Chapter 35) in response to 32 CFR part 236 expanding the number of companies eligible to participate in the voluntary DIB CS information sharing program. Comments are invited on: (a) whether the proposed collection of information is necessary for the proper performance of the functions of DoD, including whether the information will have practical utility; (b) the accuracy of the estimate of the burden of the proposed information collection; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the information collection on respondents, including the use of automated collection techniques or other forms of information technology.

Title: Defense Industrial Base Cybersecurity Activities Points of Contact (POC) Information.
Type of Request: Revision.
Number of DoD contractors impacted is 8,500. DoD estimates that no more than 10% of the total eligible population of cleared defense contractors will apply to the voluntary DIB Cybersecurity Activities program, resulting in 850 cleared defense contractors impacted annually. An additional 10% of the population, or 85 contractors, may provide updated points of contact for the program, as required.
Projected Responses Per Participant: Initial collection is one per company with updates on a case-by-case basis.
Annual Total Responses: 935.
Average Burden Per Response: 20 minutes.
Annual Total Burden Hours: 312 hours for all participants.
Needs and Uses: The Government will collect business points of contact (POC) information from all Defense Industrial Base (DIB) Cybersecurity program participants on a one-time basis, with updates as necessary, to facilitate communications and the sharing of unclassified and classified cyber threat information.
Affected Public: Business or other for-profit and not-for-profit institutions.
Frequency: On occasion.
Respondent’s Obligation: Voluntary.

OMB Desk Officer: Written comments and recommendations on these information collections should be sent to Ms. Jasmeet Seehra at the Office of Management and Budget, DoD Desk Officer, Room 10102, New Executive Office Building, Washington, DC 20503, with a copy to the Director, DoD–DIB Cybersecurity Activities Office, at the Office of the DoD Chief Information Officer, 6000 Defense Pentagon, Attn: DIB CS Activities Office, Washington, DC 20301–6000, or email at OSD.DIBCSIA@mail.mil.

You may also submit comments, identified by docket number and title, by the following method: Federal Rulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments. All submissions received must include the agency name, docket number and title for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the Internet at https://www.regulations.gov as they are received without change, including any personal identifiers or contact information.

Executive Order 13132, “Federalism”

It has been determined that this rule does not have federalism implications, as set forth in Executive Order 13132. This rule does not have substantial direct effects on: (a) The States; (b) The relationship between the National Government and the States; or (c) The distribution of power and responsibilities among the various levels of Government.
List of Subjects in 32 CFR Part 236

Government contracts, Security measures.

Accordingly, 32 CFR part 236 is revised to read as follows:

PART 236—DEPARTMENT OF DEFENSE (DoD)-DEFENSE INDUSTRIAL BASE (DIB) CYBERSECURITY (CS) ACTIVITIES

Sec.
236.1 Purpose.
236.2 Definitions.
236.3 Policy.
236.4 Mandatory cyber incident reporting procedures.
236.5 DoD–DIB CS information sharing program.
236.6 General provisions of the DoD–DIB CS information sharing program.
236.7 DoD–DIB CS information sharing program requirements.

Authority: 10 U.S.C. 391; 10 U.S.C. 2224; 44 U.S.C. 3506; 44 U.S.C. 3544; and Section 941, Pub. L. 112–239, 126 Stat. 1632.

§ 236.1 Purpose.

Cyber threats to contractor unclassified information systems represent an unacceptable risk of compromise of DoD information and pose an imminent threat to U.S. national security and economic security interests. This part requires all DoD contractors to rapidly report cyber incidents involving covered defense information on their covered contractor information systems or cyber incidents affecting the contractor’s ability to provide operationally critical support. The part also modifies the eligibility criteria to permit greater participation in the voluntary DoD–DIB CS information sharing program in which DoD provides cyber threat information and cybersecurity best practices to DIB participants. The DoD–DIB CS information sharing program enhances and supplements DIB participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.

§ 236.2 Definitions.

As used in this part:

Access to media means provision of media, or access to media physically or remotely to DoD personnel, as determined by the contractor.
Cleared defense contractor (CDC) means a private entity granted clearance by DoD to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any program of DoD.

Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.

Contractor means an individual or organization outside the U.S. Government who has accepted any type of agreement or order to provide research, supplies, or services to DoD, including prime contractors and subcontractors.

Contractor attributional/proprietary information means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.

Controlled Technical Information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, “Distribution Statements of Technical Documents,” available at https://www.dtic.mil/whs/directives/corres/pdf/523024p.pdf. The term does not include information that is lawfully publicly available without restrictions.
Covered contractor information system means an information system that is owned or operated by or for a contractor and that processes, stores, or transmits covered defense information.

Covered defense information means unclassified information that:
(1) Is:
(i) Provided to the contractor by or on behalf of the DoD in connection with the performance of a contract; or
(ii) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of a contract; and
(2) Falls in any of the following categories:
(i) Controlled Technical Information;
(ii) Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process);
(iii) Export Control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations and munitions list; license applications; and sensitive nuclear technology information;
(iv) Any other information, marked or otherwise identified by the Government, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information).
Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

Cyber incident damage assessment means a managed, coordinated process to determine the effect on defense programs, defense scientific and research projects, or defense warfighting capabilities resulting from compromise of a contractor’s unclassified computer system or network.

Defense Industrial Base (DIB) means the Department of Defense, Government, and private sector worldwide industrial complex with capabilities to perform research and development, design, produce, and maintain military weapon systems, subsystems, components, or parts to satisfy military requirements.

DIB participant means a CDC that has met all of the eligibility requirements to participate in the voluntary DoD–DIB CS Information Sharing Program as set forth in this part (see § 236.7).

Forensic analysis means the practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

Government furnished information (GFI) means information provided by the Government under the voluntary DoD–DIB CS information sharing program including but not limited to cyber threat information and cybersecurity practices.

Information means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.

Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Malicious software means software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. This definition includes a virus, worm, Trojan horse, or other code-based entity that infects a host, as well as spyware and some forms of adware. Media means physical devices or writing surfaces, including but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered Contractor information system. Operationally critical support means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation. Rapid(ly) report(ing) means within 72 hours of discovery of any cyber incident. Technical Information means technical data or computer software, as those terms are defined in DFARS 252.227–7013, ‘‘Rights in Technical Data—Noncommercial Items’’ (48 CFR 252.227–7013). Examples of technical information include research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code. Threat means any circumstance or event with the potential to adversely impact organization operations (including mission, functions, image, or reputation), organization assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service. PO 00000 Frm 00037 Fmt 4700 Sfmt 4700 59585 U.S. 
based means provisioned, maintained, or operated within the physical boundaries of the United States. U.S. citizen means a person born in the United States or naturalized. §236.3 Policy. It is DoD policy to: (a) Establish a comprehensive approach to require safeguarding of covered defense information on covered contractor information systems and to require contractor cyber incident reporting. (b) Increase Government stakeholder and DIB situational awareness of the extent and severity of cyber threats to DoD information by implementing a streamlined approval process that enables the contractor to elect, in conjunction with the cyber incident reporting and sharing, the extent to which DoD may share cyber threat information obtained from a contractor (or derived from information obtained from the company) under this part that is not information created by or for DoD with: (1) DIB contractors participating in the DoD–DIB CS information sharing program to enhance their cybersecurity posture to better protect covered defense information on covered contractor information systems, or a contractor’s ability to provide operationally critical support; and (2) Other Government stakeholders for lawful Government activities, including cybersecurity for the protection of Government information or information systems, law enforcement and counterintelligence (LE/CI), and other lawful national security activities directed against the cyber threat (e.g., those attempting to infiltrate and compromise information on the contractor information systems). (c) Modify eligibility criteria to permit greater participation in the voluntary DoD–DIB CS information sharing program. § 236.4 Mandatory cyber incident reporting procedures. (a) Applicability and order of precedence. 
The requirement to report cyber incidents shall be included in all applicable agreements between the Government and the contractor in which covered defense information resides on, or transits covered contractor information systems or under which a contractor provides operationally critical support, and shall be identical to those requirements provided in this section (e.g., by incorporating the requirements of this section by reference, or by expressly setting forth such reporting requirements consistent with those of this section). Any inconsistency between the relevant terms and conditions of any such agreement and this section shall be resolved in favor of the terms and conditions of the agreement, provided and to the extent that such terms and conditions are authorized to have been included in the agreement in accordance with applicable laws and regulations.
    (b) Cyber incident reporting requirement. When a contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein or that affects the contractor's ability to provide operationally critical support, the contractor shall:
    (1) Conduct a review for evidence of compromise of covered defense information including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the contractor's network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the contractor's ability to provide operationally critical support; and
    (2) Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.
    (c) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil.
    (d) Subcontractor reporting procedures. Contractors shall flow down the cyber incident reporting requirements of this part to their subcontractors, as appropriate. Contractors shall require subcontractors to rapidly report cyber incidents directly to DoD at https://dibnet.dod.mil and the prime contractor. This includes providing the incident report number, automatically assigned by DoD, to the prime contractor (or next higher-tier subcontractor) as soon as practicable.
    (e) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this part, the contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see https://iase.disa.mil/pki/eca/certificate.html.
    (f) If the contractor utilizes a third-party service provider (SP) for information system security services, the SP may report cyber incidents on behalf of the contractor.
    (g) Contractors are encouraged to report information to promote sharing of cyber threat indicators that they believe are valuable in alerting the Government and others, as appropriate in order to better counter threat actor activity. Cyber incidents that are not compromises of covered defense information or do not adversely affect the contractor's ability to perform operationally critical support may be of interest to the DIB and DoD for situational awareness purposes.
    (h) Malicious software. Malicious software discovered and isolated by the contractor will be submitted to the DoD Cyber Crime Center (DC3) for forensic analysis.
    (i) Media preservation and protection. When a contractor discovers a cyber incident has occurred, the contractor shall preserve and protect images of known affected information systems identified in paragraph (b) of this section and all relevant monitoring/packet capture data for at least 90 days from submission of the cyber incident report to allow DoD to request the media or decline interest.
    (j) Access to additional information or equipment necessary for forensics analysis. Upon request by DoD, the contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
    (k) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, DoD will request that the contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this section.
    (l) DoD safeguarding and use of contractor attributional/proprietary information. The Government shall protect against the unauthorized use or release of information obtained from the contractor (or derived from information obtained from the contractor) under this part that includes contractor attributional/proprietary information, including such information submitted in accordance with paragraph (b) of this section. To the maximum extent practicable, the contractor shall identify and mark attributional/proprietary information. In making an authorized release of such information, the Government will implement appropriate procedures to minimize the contractor attributional/proprietary information that is included in such authorized release, seeking to include only that information that is necessary for the authorized purpose(s) for which the information is being released.
    (m) Use and release of contractor attributional/proprietary information not created by or for DoD.
Information that is obtained from the contractor (or derived from information obtained from the contractor) under this part that is not created by or for DoD is authorized to be released outside of DoD:
    (1) To entities with missions that may be affected by such information;
    (2) To entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
    (3) To Government entities that conduct LE/CI investigations;
    (4) For national security purposes, including cyber situational awareness and defense purposes (including sharing with DIB contractors participating in the DIB CS program authorized by this part); or
    (5) To a support services contractor ("recipient") that is directly supporting Government activities related to this part and is bound by use and nondisclosure restrictions that include all of the following conditions:
    (i) The recipient shall access and use the information only for the purpose of furnishing advice or technical assistance directly to the Government in support of the Government's activities related to this part, and shall not be used for any other purpose;
    (ii) The recipient shall protect the information against unauthorized release or disclosure;
    (iii) The recipient shall ensure that its employees are subject to use and nondisclosure obligations consistent with this part prior to the employees being provided access to or use of the information;
    (iv) The third-party contractor that reported the cyber incident is a third-party beneficiary of the non-disclosure agreement between the Government and the recipient, as required by paragraph (m)(5)(iii) of this section;
    (v) That a breach of these obligations or restrictions may subject the recipient to:
    (A) Criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United States; and
    (B) Civil actions for damages and other appropriate remedies by the third party that reported the incident, as a third-party beneficiary of the non-disclosure agreement.
    (6) Use and release of contractor attributional/proprietary information created by or for DoD. Information that is obtained from the contractor (or derived from information obtained from the contractor) under this part that is created by or for DoD (including the information submitted pursuant to paragraph (b) of this section) is authorized to be used and released outside of DoD for purposes and activities authorized by this section, and for any other lawful Government purpose or activity, subject to all applicable statutory, regulatory, and policy based restrictions on the Government's use and release of such information.
    (n) Contractors shall conduct their respective activities under this part in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data.
    (o) Freedom of Information Act (FOIA). Agency records, which may include qualifying information received from non-federal entities, are subject to request under the Freedom of Information Act (5 U.S.C. 552) (FOIA), which is implemented in the DoD by DoD Directive 5400.07 and DoD Regulation 5400.7-R (see 32 CFR parts 285 and 286, respectively). Pursuant to established procedures and applicable regulations, the Government will protect sensitive nonpublic information reported under mandatory reporting requirements against unauthorized public disclosure by asserting applicable FOIA exemptions. The Government will inform the non-Government source or submitter (e.g., contractor or DIB participant) of any such information that may be subject to release in response to a FOIA request, in order to permit the source or submitter to support the withholding of such information or pursue any other available legal remedies.
    (p) Other reporting requirements. Cyber incident reporting required by this part in no way abrogates the contractor's responsibility for other cyber incident reporting pertaining to its unclassified information systems under other clauses that may apply to its contract(s), or as a result of other applicable U.S. Government statutory or regulatory requirements, including Federal or DoD requirements for Controlled Unclassified Information as established by Executive Order 13556, as well as regulations and guidance established pursuant thereto.

§ 236.5  DoD-DIB CS information sharing program.

    (a) All contractors that are CDCs and meet the requirements set forth in § 236.7 are eligible to join the voluntary DoD-DIB CS information sharing program as a DIB participant.
    (b) Under the voluntary activities of the DoD-DIB CS information sharing program, the Government and each DIB participant will execute a standardized agreement, referred to as a Framework Agreement (FA) to share, in a timely and secure manner, on a recurring basis, and to the greatest extent possible, cybersecurity information.
    (c) Each such FA between the Government and a DIB participant must comply with and implement the requirements of this part, and will include additional terms and conditions as necessary to effectively implement the voluntary information sharing activities described in this part with individual DIB participants.
    (d) The DoD-DIB CS Activities Office is the overall point of contact for the program. The DC3 managed DoD-DIB Collaborative Information Sharing Environment (DCISE) is the operational focal point for cyber threat information sharing and incident reporting under the DoD-DIB CS information sharing program.
    (e) The Government will maintain a Web site or other internet-based capability to provide potential DIB participants with information about eligibility and participation in the program, to enable online application or registration for participation, and to support the execution of necessary agreements with the Government.
    (f) GFI. The Government shall share GFI with DIB participants or designated SP in accordance with this part.
    (g) Prior to receiving GFI from the Government, each DIB participant shall provide the requisite points of contact information, to include security clearance and citizenship information, for the designated personnel within their company (e.g., typically 3-10 company designated points of contact) in order to facilitate the DoD-DIB interaction in the DoD-DIB CS information sharing program. The Government will confirm the accuracy of the information provided as a condition of that point of contact being authorized to act on behalf of the DIB participant for this program.
    (h) GFI will be issued via both unclassified and classified means. DIB participant handling and safeguarding of classified information shall be in compliance with DoD 5220.22-M, "National Industrial Security Program Operating Manual (NISPOM)," available at https://www.dss.mil/documents/odaa/nispom2006-5220.pdf. The Government shall specify transmission and distribution procedures for all GFI, and shall inform DIB participants of any revisions to previously specified transmission or procedures.
    (i) Except as authorized in this part or in writing by the Government, DIB participants may:
    (1) Use GFI only on U.S. based covered contractor information systems, or U.S. based networks or information systems used to provide operationally critical support; and
    (2) Share GFI only within their company or organization, on a need-to-know basis, with distribution restricted to U.S. citizens.
    (j) In individual cases DIB participants may request, and the Government may authorize, disclosure and use of GFI under applicable terms and conditions when the DIB participant can demonstrate that appropriate information handling and protection mechanisms are in place and has determined that it requires the ability:
    (1) To share the GFI with a non-U.S. citizen; or
    (2) To use the GFI on a non-U.S. based covered contractor information system; or
    (3) To use the GFI on a non-U.S. based network or information system in order to better protect a contractor's ability to provide operationally critical support.
    (k) DIB participants shall maintain the capability to electronically disseminate GFI within the Company in an encrypted fashion (e.g., using Secure/Multipurpose Internet Mail Extensions (S/MIME), secure socket layer (SSL), Transport Layer Security (TLS) protocol version 1.2, DoD-approved medium assurance certificates).
    (l) DIB participants shall not share GFI outside of their company or organization, regardless of personnel clearance level, except as authorized in this part or otherwise authorized in writing by the Government.
    (m) If the DIB participant utilizes a SP for information system security services, the DIB participant may share GFI with that SP under the following conditions and as authorized in writing by the Government:
    (1) The DIB participant must identify the SP to the Government and request permission to share or disclose any GFI with that SP (which may include a request that the Government share information directly with the SP on behalf of the DIB participant) solely for the authorized purposes of this program.
    (2) The SP must provide the Government with sufficient information to enable the Government to determine whether the SP is eligible to receive such information, and possesses the capability to provide appropriate protections for the GFI.
    (3) Upon approval by the Government, the SP must enter into a legally binding agreement with the DIB participant (and also an appropriate agreement with the Government in any case in which the SP will receive or share information directly with the Government on behalf of the DIB participant) under which the SP is subject to all applicable requirements of this part and of any supplemental terms and conditions in the DIB participant's FA with the Government, and which authorizes the SP to use the GFI only as authorized by the Government.
    (n) The DIB participant may not sell, lease, license, or otherwise incorporate the GFI into its products or services, except that this does not prohibit a DIB participant from being appropriately designated an SP in accordance with paragraph (m) of this section.

§ 236.6  General provisions of the DoD-DIB CS information sharing program.

    (a) Confidentiality of information that is exchanged under the DoD-DIB CS information sharing program will be protected to the maximum extent authorized by law, regulation, and policy. DoD and DIB participants each bear responsibility for their own actions under the voluntary DoD-DIB CS information sharing program.
    (b) All DIB CS participants may participate in the Department of Homeland Security's Enhanced Cybersecurity Services (ECS) program (https://www.dhs.gov/enhanced-cybersecurity-services).
    (c) Participation in the voluntary DoD-DIB CS information sharing program does not obligate the DIB participant to utilize the GFI in, or otherwise to implement any changes to, its information systems. Any action taken by the DIB participant based on the GFI or other participation in this program is taken on the DIB participant's own volition and at its own risk and expense.
    (d) A DIB participant's participation in the voluntary DoD-DIB CS information sharing program is not intended to create any unfair competitive advantage or disadvantage in DoD source selections or competitions, or to provide any other form of unfair preferential treatment, and shall not in any way be represented or interpreted as a Government endorsement or approval of the DIB participant, its information systems, or its products or services.
    (e) The DIB participant and the Government may each unilaterally limit or discontinue participation in the voluntary DoD-DIB CS information sharing program at any time. Termination shall not relieve the DIB participant or the Government from obligations to continue to protect against the unauthorized use or disclosure of GFI, attribution information, contractor proprietary information, third-party proprietary information, or any other information exchanged under this program, as required by law, regulation, contract, or the FA.
    (f) Upon termination of the FA, and/or change of Facility Security Clearance (FCL) status below Secret, GFI must be returned to the Government or destroyed pursuant to direction of, and at the discretion of, the Government.
    (g) Participation in these activities does not abrogate the Government's, or the DIB participants' rights or obligations regarding the handling, safeguarding, sharing, or reporting of information, or regarding any physical, personnel, or other security requirements, as required by law, regulation, policy, or a valid legal contractual obligation. However, participation in the voluntary activities of the DoD-DIB CS information sharing program does not eliminate the requirement for DIB participants to report cyber incidents in accordance with § 236.4.

§ 236.7  DoD-DIB CS information sharing program requirements.
    (a) To participate in the DoD-DIB CS information sharing program, a contractor must be a CDC and shall:
    (1) Have an existing active FCL granted under the NISPOM (DoD 5220.22-M); and
    (2) Execute the standardized FA with the Government (available during the application process), which implements the requirements set forth in §§ 236.5 through 236.7, and allows the CDC to select their level of participation in the voluntary DoD-DIB CS information sharing program.
    (3) In order for participating CDCs to receive classified cyber threat information electronically, they must:
    (i) Have or acquire a Communication Security (COMSEC) account in accordance with the NISPOM Chapter 9, Section 4 (DoD 5220.22-M), which provides procedures and requirements for COMSEC activities; and
    (ii) Have or acquire approved safeguarding for at least Secret information, and continue to qualify under the NISPOM for retention of its FCL and approved safeguarding; and
    (iii) Obtain access to DoD's secure voice and data transmission systems supporting the voluntary DoD-DIB CS information sharing program.
    (b) [Reserved]

    Dated: September 14, 2015.
Patricia L. Toppings,
OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2015-24296 Filed 10-1-15; 8:45 am]
BILLING CODE 5001-06-P


[Federal Register Volume 80, Number 191 (Friday, October 2, 2015)]
[Rules and Regulations]
[Pages 59581-59588]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-24296]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 236

[DOD-2014-OS-0097]
RIN 0790-AJ29


Department of Defense (DoD)-Defense Industrial Base (DIB) 
Cybersecurity (CS) Activities

AGENCY: Office of the DoD Chief Information Officer, DoD.

ACTION: Interim final rule.

-----------------------------------------------------------------------

SUMMARY: DoD is revising its DoD-DIB Cybersecurity (CS) Activities 
regulation to mandate reporting of cyber incidents that result in an 
actual or potentially adverse effect on a covered contractor 
information system or covered defense information residing therein, or 
on a contractor's ability to provide operationally critical support, 
and modify eligibility criteria to permit greater participation in the 
voluntary

[[Page 59582]]

DoD-Defense Industrial Base (DIB) Cybersecurity (CS) information 
sharing program.

DATES: Effective Date: This rule is effective October 2, 2015. Comments 
must be received by December 1, 2015.

ADDRESSES: You may submit comments, identified by docket number and/or 
Regulatory Information Number (RIN) number and title, by any of the 
following methods:
     Federal Rulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     Mail: Department of Defense, Office of the Deputy Chief 
Management Officer, Directorate of Oversight and Compliance, Regulatory 
and Audit Matters Office, 9010 Defense Pentagon, Washington, DC 20301-
9010.

FOR FURTHER INFORMATION CONTACT: DoD-DIB Cybersecurity Activities 
Office: (703) 604-3167, toll free (855) 363-4227.

SUPPLEMENTARY INFORMATION:

Executive Summary

    This rule revises the DoD-DIB cybersecurity information sharing 
program regulation to implement new statutory requirements for DoD 
contractors and subcontractors to report cyber incidents that result in 
an actual or potentially adverse effect on a covered contractor 
information system or covered defense information residing therein, or 
on a contractor's ability to provide operationally critical support. 
The program also retains the voluntary information sharing activities 
for cybersecurity information that is outside the scope of the 
mandatory reporting requirements.
    Regarding the mandatory reporting, this part has been revised to 
set forth mandatory cyber incident reporting requirements that will 
apply to all forms of contracts or other agreements between DoD and DIB 
companies (e.g., procurement contracts, cooperative agreements, other 
transaction agreements). Thus, all relevant contracts or agreements are 
required to include these cyber reporting requirements (e.g., through 
incorporation of the reporting requirements by reference, or by 
expressly setting forth reporting requirements consistent with this 
part). The revisions provided in this rule are part of DoD's efforts to 
establish a single reporting mechanism for such cyber incidents on 
unclassified DoD contractor information systems. These requirements are 
focused on cyber incidents that threaten specific types of DoD program 
information, such as technical information controlled under the 
International Traffic in Arms Regulations or the Export Administration 
Regulations or otherwise controlled by DOD and operational security 
information that relates to DoD activities. Additional cyber incident 
reporting requirements for other important types of controlled 
unclassified information (CUI) (e.g., personally identifiable 
information (PII), budget or financial information) are more 
specifically addressed through other regulatory mechanisms, and thus 
are outside the scope of this rule. To clarify this distinction, the 
rule explicitly states that reporting under this program does not 
abrogate the contractor's responsibility for any other applicable cyber 
incident reporting requirements (Sec.  236.4(o)).
    The rule also revises the program's definitions to better harmonize 
with definitions that are already established and used by DoD and other 
Government agencies in similar contexts, such as those relating to the 
handling and safeguarding of Controlled Unclassified Information as 
used by the National Archives and Records Administration pursuant to 
Executive Order 13556 ``Controlled Unclassified Information'' (November 
4, 2010) (see https://www.archives.gov/cui/), and those widely used in 
the context of cybersecurity activities (see the Committee on National 
Security Systems Instruction No. 4009, ``National Information Assurance 
Glossary'').
    This rule is intended to streamline the reporting process for DoD 
contractors and minimize duplicative reporting processes, while 
preserving distinctions where appropriate. Cyber incident reporting 
involving classified information on classified contractor systems will 
be in accordance with the National Industrial Security Program 
Operating Manual (DoD-M 5220.22 (https://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf)).
    This rule also modifies eligibility criteria to permit greater 
participation in the voluntary DoD-DIB CS information sharing program. 
Expanding participation in the DoD-DIB CS information sharing program 
is part of DoD's comprehensive approach to counter cyber threats 
through information sharing between the Government and DIB 
participants. The DoD-DIB CS information sharing program allows 
eligible DIB participants to receive Government furnished information 
(GFI) and cyber threat information from other DIB participants, thereby 
providing greater insights into adversarial activity targeting the DIB. 
The activities in this rule implement DoD statutory authorities to 
establish programs and activities to protect sensitive DoD information, 
including when such information resides on or transits information 
systems operated by contractors or others in support of DoD activities 
(e.g., 10 U.S.C. 391 and 2224, the Federal Information Security 
Modernization Act (FISMA), codified at 44 U.S.C. 3551 et seq., section 
941 of the NDAA for FY 2013 (Public Law 112-239)). Activities under 
this rule also fulfill important elements of DoD's critical 
infrastructure protection responsibilities, as the sector specific 
agency for the DIB sector (see Presidential Policy Directive 21 (PPD-
21), ``Critical Infrastructure Security and Resilience,'' available at 
https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil).
    Under this rule, contractors will incur costs associated with 
requirements for reporting cyber incidents of covered defense 
information on their covered contractor information system(s) or those 
affecting the contractor's ability to provide operationally critical 
support. Costs for contractors include identifying and analyzing cyber 
incidents and their impact on covered defense information, or a 
contractor's ability to provide operationally critical support, as well 
as obtaining DoD-approved medium assurance certificates to ensure 
authentication and identification when reporting cyber incidents to 
DoD. Government costs include onboarding new companies under the 
voluntary DoD-DIB CS information sharing program, and collecting and 
analyzing cyber incident reports, malicious software, and media.
    A foundational element of these new mandatory reporting 
requirements, as well as the voluntary DoD-DIB CS information sharing 
activities, is the recognition that the information being shared 
between the parties includes extremely sensitive information that 
requires protection. For additional information regarding the 
Government's safeguarding of information received from the contractors 
that requires protection, see the Privacy Impact Assessment (PIA) for 
the DIB Cybersecurity/Information Assurance Activities located at 
https://dodcio.defense.gov/Portals/0/Documents/DIB%20CS-IA%20PIA_FINAL_signed_30jun2011_VMSS_GGMR_RC.pdf. The PIA provides 
detailed procedures for handling personally identifiable information 
(PII), attributional information about the strengths or vulnerabilities 
of specific covered contractor information systems, information 
providing a perceived or real competitive advantage on future 
procurement action, and contractor information marked as proprietary or 
commercial or financial information.

Interim Final Rule Justification

    This rule is being published as an interim rule in order to comply 
with statutory guidance under Section 941 of the National Defense 
Authorization Act (NDAA) for Fiscal Year (FY) 2013, and section 391 of 
Title 10, United States Code (U.S.C.), requiring defense contractors to 
rapidly report cyber incidents on their unclassified networks or 
information systems that may affect unclassified defense information, 
or that affect their ability to provide operationally critical support 
to the Department. Issuing this rule as an interim final rule 
underscores the importance of better protecting unclassified defense 
information against the immediate cyber threat, while preserving the 
intellectual property and competitive capabilities of our national 
defense industrial base. The interim final rule enables DoD to better 
assess, in the near term, when mission critical capabilities and 
services are affected by cyber incidents and reinforces DoD's overall 
efforts to defend DoD information, protect U.S. national interests 
against cyber-attacks, and support military operations and contingency 
plans worldwide. Cybersecurity is a Congressional priority and this 
interim final rule supports the Administration's national cybersecurity 
strategy emphasizing public-private information sharing.

Regulatory Procedures

Executive Orders 12866, ``Regulatory Planning and Review'' and 13563, 
``Improving Regulation and Regulatory Review''

    Executive Orders 13563 and 12866 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This rule has been designated a ``significant regulatory 
action,'' although not economically significant, under section 3(f) of 
Executive Order 12866. Accordingly, the rule has been reviewed by the 
Office of Management and Budget (OMB).

Public Law 104-121, ``Congressional Review Act'' (5 U.S.C. 801)

    It has been determined that this rule is not a ``major'' rule under 
5 U.S.C. 801, enacted by Public Law 104-121, because it will not result 
in an annual effect on the economy of $100 million or more; a major 
increase in costs or prices for consumers, individual industries, 
Federal, State, or local Government agencies, or geographic regions; or 
significant adverse effects on competition, employment, investment, 
productivity, innovation, or on the ability of United States-based 
enterprises to compete with foreign-based enterprises in domestic and 
export markets.

Sec. 202, Public Law 104-4, ``Unfunded Mandates Reform Act''

    It has been determined that this rule does not contain a Federal 
mandate that may result in expenditure by State, local and tribal 
Governments, in aggregate, or by the private sector, of $100 million or 
more in any one year.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. 601)

    It has been certified that this rule is not subject to the 
Regulatory Flexibility Act (5 U.S.C. 601) because it would not, if 
promulgated, have a significant economic impact on a substantial number 
of small entities. Therefore, the Regulatory Flexibility Act, as 
amended, does not require us to prepare a regulatory flexibility 
analysis.

Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)

    It has been determined that 32 CFR part 236 does contain reporting 
or recordkeeping requirements under the Paperwork Reduction Act (PRA) of 
1995. These reporting requirements are covered by existing collection approvals 
under Office of Management and Budget (OMB) Control Numbers: 0704-0489, 
``Defense Industrial Base Cyber Security/Information Assurance (DIB CS/
IA) Cyber Incident Reporting,'' and 0704-0490, ``Defense Industrial 
Base Cyber Security/Information Assurance (DIB CS/IA) Points of Contact 
(POC) Information.''
    DoD has submitted a revision for the 0704-0489 collection to OMB 
under the provisions of the Paperwork Reduction Act (44 U.S.C. Chapter 
35) in response to 32 CFR part 236 expanding the number of companies 
under mandatory cyber incident reporting requirements. Comments are 
invited on: (a) whether the proposed collection of information is 
necessary for the proper performance of the functions of DoD, including 
whether the information will have practical utility; (b) the accuracy 
of the estimate of the burden of the proposed information collection; 
(c) ways to enhance the quality, utility, and clarity of the 
information to be collected; and (d) ways to minimize the burden of the 
information collection on respondents, including the use of automated 
collection techniques or other forms of information technology.
    Title: Cyber Incident Reporting by DoD Contractors
    Type of Request: Revision.
    Number of DoD Contractors Impacted: 10,000.
    Projected Responses Per Participant Per Year: 5.
    Annual Total Responses: Up to 50,000.
    Average Burden Per Response: 7 hours (this includes searching 
existing data sources, gathering and maintaining the data needed, and 
completing and reviewing the collection of information).
    Annual Total Burden Hours: 250,000 hours for all participants.
    Needs and Uses: The requested information supports the mandatory 
cyber incident reporting requirements under Section 941 of the NDAA for 
Fiscal Year (FY) 13 and Section 1632 of the NDAA for FY 15, and 
facilitates cyber situational awareness and cyber threat information 
sharing. DoD contractors report incidents using the standard Incident 
Collection Format (ICF). The primary means of reporting is through a 
secure unclassified web portal, but a company may report incidents 
through other communication means if necessary.
    Affected Public: DoD contractors with the provisions of 32 CFR part 
236 in their agreements with DoD.
    Frequency: On occasion.
    Respondent's Obligation: Mandatory.
    DoD has submitted a revision for the 0704-0490 collection to OMB 
under the provisions of the Paperwork Reduction Act (44 U.S.C. Chapter 
35) in response to 32 CFR part 236 expanding the number of companies 
eligible to participate in the voluntary DIB CS information sharing 
program. Comments are invited on: (a) whether the proposed collection 
of information is necessary for the proper performance of the functions 
of DoD, including whether the information will have practical utility; 
(b) the accuracy of the estimate of the burden of the proposed 
information collection; (c) ways to enhance the quality, utility, and 
clarity of the information to be collected; and (d) ways to minimize 
the burden of the information collection on respondents, including the 
use of automated collection techniques or other forms of information 
technology.
    Title: Defense Industrial Base Cybersecurity Activities Points of 
Contact (POC) Information.
    Type of Request: Revision.
    Number of DoD Contractors Impacted: 8,500. DoD estimates that no 
more than 10% of the total eligible population of cleared defense 
contractors will apply to the voluntary DIB Cybersecurity Activities 
program resulting in 850 cleared defense contractors impacted annually. 
An additional 10% of the population or 85 contractors may provide 
updated points of contact for the program, as required.
    Projected Responses Per Participant: Initial collection is one per 
company with updates on a case-by-case basis.
    Annual Total Responses: 935.
    Average Burden Per Response: 20 minutes.
    Annual Total Burden Hours: 312 hours for all participants.
    Needs and Uses: The Government will collect business points of 
contact (POC) information from all Defense Industrial Base (DIB) 
Cybersecurity program participants on a one-time basis, with updates as 
necessary, to facilitate communications and the sharing of 
unclassified and classified cyber threat information.
    Affected Public: Business or other for-profit and not-for-profit 
institutions.
    Frequency: On occasion.
    Respondent's Obligation: Voluntary.
    OMB Desk Officer: Written comments and recommendations on these information 
collections should be sent to Ms. Jasmeet Seehra at the Office of 
Management and Budget, DoD Desk Officer, Room 10102, New Executive 
Office Building, Washington, DC 20503, with a copy to the Director, 
DoD-DIB Cybersecurity Activities Office, at the Office of the DoD Chief 
Information Officer, 6000 Defense Pentagon, Attn: DIB CS Activities 
Office, Washington, DC 20301-6000, or email at OSD.DIBCSIA@mail.mil.
    You may also submit comments, identified by docket number and 
title, by the following method:
    Federal Rulemaking Portal: https://www.regulations.gov. Follow the 
instructions for submitting comments.
    All submissions received must include the agency name, docket 
number and title for this Federal Register document. The general policy 
for comments and other submissions from members of the public is to 
make these submissions available for public viewing on the Internet at 
https://www.regulations.gov as they are received without change, 
including any personal identifiers or contact information.

Executive Order 13132, ``Federalism''

    It has been determined that this rule does not have federalism 
implications, as set forth in Executive Order 13132. This rule does not 
have substantial direct effects on:
    (a) The States;
    (b) The relationship between the National Government and the 
States; or
    (c) The distribution of power and responsibilities among the 
various levels of Government.

List of Subjects in 32 CFR Part 236

    Government contracts, Security measures.
    Accordingly, 32 CFR part 236 is revised to read as follows:

PART 236--DEPARTMENT OF DEFENSE (DoD)-DEFENSE INDUSTRIAL BASE (DIB) 
CYBERSECURITY (CS) ACTIVITIES

Sec.
236.1 Purpose.
236.2 Definitions.
236.3 Policy.
236.4 Mandatory cyber incident reporting procedures.
236.5 DoD-DIB CS information sharing program.
236.6 General provisions of the DoD-DIB CS information sharing 
program.
236.7 DoD-DIB CS information sharing program requirements.

    Authority: 10 U.S.C. 391; 10 U.S.C. 2224; 44 U.S.C. 3506; 44 
U.S.C. 3544; and Section 941, Pub. L. 112-239, 126 Stat. 1632.


Sec. 236.1  Purpose.

    Cyber threats to contractor unclassified information systems 
represent an unacceptable risk of compromise of DoD information and 
pose an imminent threat to U.S. national security and economic security 
interests. This part requires all DoD contractors to rapidly report 
cyber incidents involving covered defense information on their covered 
contractor information systems or cyber incidents affecting the 
contractor's ability to provide operationally critical support. The 
part also modifies the eligibility criteria to permit greater 
participation in the voluntary DoD-DIB CS information sharing program 
in which DoD provides cyber threat information and cybersecurity best 
practices to DIB participants. The DoD-DIB CS information sharing 
program enhances and supplements DIB participants' capabilities to 
safeguard DoD information that resides on, or transits, DIB 
unclassified information systems.


Sec. 236.2  Definitions.

    As used in this part:
    Access to media means provision of media, or access to media 
physically or remotely to DoD personnel, as determined by the 
contractor.
    Cleared defense contractor (CDC) means a private entity granted 
clearance by DoD to access, receive, or store classified information 
for the purpose of bidding for a contract or conducting activities in 
support of any program of DoD.
    Compromise means disclosure of information to unauthorized persons, 
or a violation of the security policy of a system, in which 
unauthorized intentional or unintentional disclosure, modification, 
destruction, or loss of an object, or the copying of information to 
unauthorized media may have occurred.
    Contractor means an individual or organization outside the U.S. 
Government who has accepted any type of agreement or order to provide 
research, supplies, or services to DoD, including prime contractors and 
subcontractors.
    Contractor attributional/proprietary information means information 
that identifies the contractor(s), whether directly or indirectly, by 
the grouping of information that can be traced back to the 
contractor(s) (e.g., program description, facility locations), 
personally identifiable information, as well as trade secrets, 
commercial or financial information, or other commercially sensitive 
information that is not customarily shared outside of the company.
    Controlled Technical Information means technical information with 
military or space application that is subject to controls on the 
access, use, reproduction, modification, performance, display, release, 
disclosure, or dissemination. Controlled technical information would 
meet the criteria, if disseminated, for distribution statements B 
through F using the criteria set forth in DoD Instruction 5230.24, 
``Distribution Statements of Technical Documents,'' available at https://www.dtic.mil/whs/directives/corres/pdf/523024p.pdf. The term does not 
include information that is lawfully publicly available without 
restrictions.
    Covered contractor information system means an information system 
that is owned or operated by or for a contractor and that processes, 
stores, or transmits covered defense information.
    Covered defense information means unclassified information that:
    (1) Is:
    (i) Provided to the contractor by or on behalf of the DoD in 
connection with the performance of a contract; or
    (ii) Collected, developed, received, transmitted, used, or stored 
by or on behalf of the contractor in support of the performance of a 
contract; and
    (2) Falls in any of the following categories:
    (i) Controlled Technical Information;
    (ii) Critical information (operations security). Specific facts 
identified through the Operations Security process about friendly 
intentions, capabilities, and activities vitally needed by adversaries 
for them to plan and act effectively so as to guarantee failure or 
unacceptable consequences for friendly mission accomplishment (part of 
Operations Security process);
    (iii) Export Control. Unclassified information concerning certain 
items, commodities, technology, software, or other information whose 
export could reasonably be expected to adversely affect the United 
States national security and nonproliferation objectives. These include 
dual use items; items identified in export administration regulations, 
international traffic in arms regulations and munitions list; license 
applications; and sensitive nuclear technology information;
    (iv) Any other information, marked or otherwise identified by the 
Government, that requires safeguarding or dissemination controls 
pursuant to and consistent with law, regulations, and Government-wide 
policies (e.g., privacy, proprietary business information).
    Cyber incident means actions taken through the use of computer 
networks that result in a compromise or an actual or potentially 
adverse effect on an information system and/or the information residing 
therein.
    Cyber incident damage assessment means a managed, coordinated 
process to determine the effect on defense programs, defense scientific 
and research projects, or defense warfighting capabilities resulting 
from compromise of a contractor's unclassified computer system or 
network.
    Defense Industrial Base (DIB) means the Department of Defense, 
Government, and private sector worldwide industrial complex with 
capabilities to perform research and development, design, produce, and 
maintain military weapon systems, subsystems, components, or parts to 
satisfy military requirements.
    DIB participant means a CDC that has met all of the eligibility 
requirements to participate in the voluntary DoD-DIB CS Information 
Sharing Program as set forth in this part (see Sec. 236.7).
    Forensic analysis means the practice of gathering, retaining, and 
analyzing computer-related data for investigative purposes in a manner 
that maintains the integrity of the data.
    Government furnished information (GFI) means information provided 
by the Government under the voluntary DoD-DIB CS information sharing 
program including but not limited to cyber threat information and 
cybersecurity practices.
    Information means any communication or representation of knowledge 
such as facts, data, or opinions in any medium or form, including 
textual, numerical, graphic, cartographic, narrative, or audiovisual.
    Information system means a discrete set of information resources 
organized for the collection, processing, maintenance, use, sharing, 
dissemination, or disposition of information.
    Malicious software means software or firmware intended to perform 
an unauthorized process that will have adverse impact on the 
confidentiality, integrity, or availability of an information system. 
This definition includes a virus, worm, Trojan horse, or other code-
based entity that infects a host, as well as spyware and some forms of 
adware.
    Media means physical devices or writing surfaces, including but not 
limited to, magnetic tapes, optical disks, magnetic disks, large-scale 
integration memory chips, and printouts onto which covered defense 
information is recorded, stored, or printed within a covered contractor 
information system.
    Operationally critical support means supplies or services 
designated by the Government as critical for airlift, sealift, 
intermodal transportation services, or logistical support that is 
essential to the mobilization, deployment, or sustainment of the Armed 
Forces in a contingency operation.
    Rapid(ly) report(ing) means within 72 hours of discovery of any 
cyber incident.
    Technical Information means technical data or computer software, as 
those terms are defined in DFARS 252.227-7013, ``Rights in Technical 
Data--Noncommercial Items'' (48 CFR 252.227-7013). Examples of 
technical information include research and engineering data, 
engineering drawings and associated lists, specifications, standards, 
process sheets, manuals, technical reports, technical orders, catalog-
item identifications, data sets, studies and analyses and related 
information, and computer software executable code and source code.
    Threat means any circumstance or event with the potential to 
adversely impact organization operations (including mission, functions, 
image, or reputation), organization assets, individuals, other 
organizations, or the Nation through an information system via 
unauthorized access, destruction, disclosure, modification of 
information and/or denial of service.
    U.S. based means provisioned, maintained, or operated within the 
physical boundaries of the United States.
    U.S. citizen means a person born in the United States or 
naturalized.


Sec. 236.3  Policy.

    It is DoD policy to:
    (a) Establish a comprehensive approach to require safeguarding of 
covered defense information on covered contractor information systems 
and to require contractor cyber incident reporting.
    (b) Increase Government stakeholder and DIB situational awareness 
of the extent and severity of cyber threats to DoD information by 
implementing a streamlined approval process that enables the contractor 
to elect, in conjunction with the cyber incident reporting and sharing, 
the extent to which DoD may share cyber threat information obtained 
from a contractor (or derived from information obtained from the 
company) under this part that is not information created by or for DoD 
with:
    (1) DIB contractors participating in the DoD-DIB CS information 
sharing program to enhance their cybersecurity posture to better 
protect covered defense information on covered contractor information 
systems, or a contractor's ability to provide operationally critical 
support; and
    (2) Other Government stakeholders for lawful Government activities, 
including cybersecurity for the protection of Government information or 
information systems, law enforcement and counterintelligence (LE/CI), 
and other lawful national security activities directed against the 
cyber threat (e.g., those attempting to infiltrate and compromise 
information on the contractor information systems).
    (c) Modify eligibility criteria to permit greater participation in 
the voluntary DoD-DIB CS information sharing program.


Sec. 236.4  Mandatory cyber incident reporting procedures.

    (a) Applicability and order of precedence. The requirement to 
report cyber incidents shall be included in all applicable agreements 
between the Government and the contractor in which covered defense 
information resides on, or transits covered contractor information 
systems or under which a contractor provides operationally critical 
support, and shall be identical to those requirements provided in this 
section (e.g., by incorporating the requirements of this section by 
reference, or by expressly setting forth such reporting requirements 
consistent with those of this section). Any 
inconsistency between the relevant terms and conditions of any such 
agreement and this section shall be resolved in favor of the terms and 
conditions of the agreement, provided and to the extent that such terms 
and conditions are authorized to have been included in the agreement in 
accordance with applicable laws and regulations.
    (b) Cyber incident reporting requirement. When a contractor 
discovers a cyber incident that affects a covered contractor 
information system or the covered defense information residing therein 
or that affects the contractor's ability to provide operationally 
critical support, the contractor shall:
    (1) Conduct a review for evidence of compromise of covered defense 
information including, but not limited to, identifying compromised 
computers, servers, specific data, and user accounts. This review shall 
also include analyzing covered contractor information system(s) that 
were part of the cyber incident, as well as other information systems 
on the contractor's network(s), that may have been accessed as a result 
of the incident in order to identify compromised covered defense 
information, or that affect the contractor's ability to provide 
operationally critical support; and
    (2) Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.
    (c) Cyber incident report. The cyber incident report shall be 
treated as information created by or for DoD and shall include, at a 
minimum, the required elements at https://dibnet.dod.mil.
    (d) Subcontractor reporting procedures. Contractors shall flow down 
the cyber incident reporting requirements of this part to their 
subcontractors, as appropriate. Contractors shall require 
subcontractors to rapidly report cyber incidents directly to DoD at 
https://dibnet.dod.mil and the prime contractor. This includes providing 
the incident report number, automatically assigned by DoD, to the prime 
contractor (or next higher-tier subcontractor) as soon as practicable.
    (e) Medium assurance certificate requirement. In order to report 
cyber incidents in accordance with this part, the contractor or 
subcontractor shall have or acquire a DoD-approved medium assurance 
certificate to report cyber incidents. For information on obtaining a 
DoD-approved medium assurance certificate, see https://iase.disa.mil/pki/eca/certificate.html.
    (f) If the contractor utilizes a third-party service provider (SP) 
for information system security services, the SP may report cyber 
incidents on behalf of the contractor.
    (g) Contractors are encouraged to report information to promote 
sharing of cyber threat indicators that they believe are valuable in 
alerting the Government and others, as appropriate in order to better 
counter threat actor activity. Cyber incidents that are not compromises 
of covered defense information or do not adversely affect the 
contractor's ability to perform operationally critical support may be 
of interest to the DIB and DoD for situational awareness purposes.
    (h) Malicious software. Malicious software discovered and isolated 
by the contractor will be submitted to the DoD Cyber Crime Center (DC3) 
for forensic analysis.
    (i) Media preservation and protection. When a contractor discovers 
a cyber incident has occurred, the contractor shall preserve and 
protect images of known affected information systems identified in 
paragraph (b) of this section and all relevant monitoring/packet 
capture data for at least 90 days from submission of the cyber incident 
report to allow DoD to request the media or decline interest.
    (j) Access to additional information or equipment necessary for 
forensics analysis. Upon request by DoD, the contractor shall provide 
DoD with access to additional information or equipment that is 
necessary to conduct a forensic analysis.
    (k) Cyber incident damage assessment activities. If DoD elects to 
conduct a damage assessment, DoD will request that the contractor 
provide all of the damage assessment information gathered in accordance 
with paragraph (e) of this section.
    (l) DoD safeguarding and use of contractor attributional/
proprietary information. The Government shall protect against the 
unauthorized use or release of information obtained from the contractor 
(or derived from information obtained from the contractor) under this 
part that includes contractor attributional/proprietary information, 
including such information submitted in accordance with paragraph (b) 
of this section. To the maximum extent practicable, the contractor 
shall identify and mark attributional/proprietary information. In 
making an authorized release of such information, the Government will 
implement appropriate procedures to minimize the contractor 
attributional/proprietary information that is included in such 
authorized release, seeking to include only that information that is 
necessary for the authorized purpose(s) for which the information is 
being released.
    (m) Use and release of contractor attributional/proprietary 
information not created by or for DoD. Information that is obtained 
from the contractor (or derived from information obtained from the 
contractor) under this part that is not created by or for DoD is 
authorized to be released outside of DoD:
    (1) To entities with missions that may be affected by such 
information;
    (2) To entities that may be called upon to assist in the diagnosis, 
detection, or mitigation of cyber incidents;
    (3) To Government entities that conduct LE/CI investigations;
    (4) For national security purposes, including cyber situational 
awareness and defense purposes (including sharing with DIB contractors 
participating in the DIB CS program authorized by this part); or
    (5) To a support services contractor (``recipient'') that is 
directly supporting Government activities related to this part and is 
bound by use and non-disclosure restrictions that include all of the 
following conditions:
    (i) The recipient shall access and use the information only for the 
purpose of furnishing advice or technical assistance directly to the 
Government in support of the Government's activities related to this 
part, and shall not be used for any other purpose;
    (ii) The recipient shall protect the information against 
unauthorized release or disclosure;
    (iii) The recipient shall ensure that its employees are subject to 
use and non-disclosure obligations consistent with this part prior to 
the employees being provided access to or use of the information;
    (iv) The third-party contractor that reported the cyber incident is 
a third-party beneficiary of the non-disclosure agreement between the 
Government and the recipient, as required by paragraph (m)(5)(iii) of 
this section;
    (v) That a breach of these obligations or restrictions may subject 
the recipient to:
    (A) Criminal, civil, administrative, and contractual actions in law 
and equity for penalties, damages, and other appropriate remedies by 
the United States; and
    (B) Civil actions for damages and other appropriate remedies by the 
third party that reported the incident, as a third party beneficiary of 
the non-disclosure agreement.
    (6) Use and release of contractor attributional/proprietary 
information created by or for DoD. Information that 
is obtained from the contractor (or derived from information obtained 
from the contractor) under this part that is created by or for DoD 
(including the information submitted pursuant to paragraph (b) of this 
section) is authorized to be used and released outside of DoD for 
purposes and activities authorized by this section, and for any other 
lawful Government purpose or activity, subject to all applicable 
statutory, regulatory, and policy based restrictions on the 
Government's use and release of such information.
    (n) Contractors shall conduct their respective activities under 
this part in accordance with applicable laws and regulations on the 
interception, monitoring, access, use, and disclosure of electronic 
communications and data.
    (o) Freedom of Information Act (FOIA). Agency records, which may 
include qualifying information received from non-federal entities, are 
subject to request under the Freedom of Information Act (5 U.S.C. 552) 
(FOIA), which is implemented in the DoD by DoD Directive 5400.07 and 
DoD Regulation 5400.7-R (see 32 CFR parts 285 and 286, respectively). 
Pursuant to established procedures and applicable regulations, the 
Government will protect sensitive nonpublic information reported under 
mandatory reporting requirements against unauthorized public disclosure 
by asserting applicable FOIA exemptions. The Government will inform the 
non-Government source or submitter (e.g., contractor or DIB participant) 
of any such information that may be subject to release in response to a 
FOIA request, in order to permit the source or submitter to support 
the withholding of such information or pursue any other available legal 
remedies.
    (p) Other reporting requirements. Cyber incident reporting required 
by this part in no way abrogates the contractor's responsibility for 
other cyber incident reporting pertaining to its unclassified 
information systems under other clauses that may apply to its 
contract(s), or as a result of other applicable U.S. Government 
statutory or regulatory requirements, including Federal or DoD 
requirements for Controlled Unclassified Information as established by 
Executive Order 13556, as well as regulations and guidance established 
pursuant thereto.


Sec. 236.5  DoD-DIB CS information sharing program.

    (a) All contractors that are CDCs and meet the requirements set 
forth in Sec. 236.7 are eligible to join the voluntary DoD-DIB CS 
information sharing program as a DIB participant.
    (b) Under the voluntary activities of the DoD-DIB CS information 
sharing program, the Government and each DIB participant will execute a 
standardized agreement, referred to as a Framework Agreement (FA) to 
share, in a timely and secure manner, on a recurring basis, and to the 
greatest extent possible, cybersecurity information.
    (c) Each such FA between the Government and a DIB participant must 
comply with and implement the requirements of this part, and will 
include additional terms and conditions as necessary to effectively 
implement the voluntary information sharing activities described in 
this part with individual DIB participants.
    (d) The DoD-DIB CS Activities Office is the overall point of 
contact for the program. The DC3 managed DoD-DIB Collaborative 
Information Sharing Environment (DCISE) is the operational focal point 
for cyber threat information sharing and incident reporting under the 
DoD-DIB CS information sharing program.
    (e) The Government will maintain a Web site or other internet-based 
capability to provide potential DIB participants with information about 
eligibility and participation in the program, to enable online 
application or registration for participation, and to support the 
execution of necessary agreements with the Government.
    (f) GFI. The Government shall share GFI with DIB participants or 
designated SP in accordance with this part.
    (g) Prior to receiving GFI from the Government, each DIB 
participant shall provide the requisite points of contact information, 
to include security clearance and citizenship information, for the 
designated personnel within their company (e.g., typically 3-10 company 
designated points of contact) in order to facilitate the DoD-DIB 
interaction in the DoD-DIB CS information sharing program. The 
Government will confirm the accuracy of the information provided as a 
condition of that point of contact being authorized to act on behalf of 
the DIB participant for this program.
    (h) GFI will be issued via both unclassified and classified means. 
DIB participant handling and safeguarding of classified information 
shall be in compliance with DoD 5220.22-M, ``National Industrial 
Security Program Operating Manual (NISPOM),'' available at 
https://www.dss.mil/documents/odaa/nispom2006-5220.pdf. The Government shall 
specify transmission and distribution procedures for all GFI, and shall 
inform DIB participants of any revisions to previously specified 
transmission or procedures.
    (i) Except as authorized in this part or in writing by the 
Government, DIB participants may:
    (1) Use GFI only on U.S. based covered contractor information 
systems, or U.S. based networks or information systems used to provide 
operationally critical support; and
    (2) Share GFI only within their company or organization, on a need-
to-know basis, with distribution restricted to U.S. citizens.
    (j) In individual cases DIB participants may request, and the 
Government may authorize, disclosure and use of GFI under applicable 
terms and conditions when the DIB participant can demonstrate that 
appropriate information handling and protection mechanisms are in place 
and has determined that it requires the ability:
    (1) To share the GFI with a non-U.S. citizen; or
    (2) To use the GFI on a non-U.S. based covered contractor 
information system; or
    (3) To use the GFI on a non-U.S. based network or information 
system in order to better protect a contractor's ability to provide 
operationally critical support.
    (k) DIB participants shall maintain the capability to 
electronically disseminate GFI within the Company in an encrypted 
fashion (e.g., using Secure/Multipurpose Internet Mail Extensions 
(S/MIME), Secure Sockets Layer (SSL), Transport Layer Security (TLS) 
protocol version 1.2, DoD-approved medium assurance certificates).
    (l) DIB participants shall not share GFI outside of their company 
or organization, regardless of personnel clearance level, except as 
authorized in this part or otherwise authorized in writing by the 
Government.
    (m) If the DIB participant utilizes a SP for information system 
security services, the DIB participant may share GFI with that SP under 
the following conditions and as authorized in writing by the 
Government:
    (1) The DIB participant must identify the SP to the Government and 
request permission to share or disclose any GFI with that SP (which may 
include a request that the Government share information directly with 
the SP on behalf of the DIB participant) solely for the authorized 
purposes of this program.
    (2) The SP must provide the Government with sufficient information 
to enable the Government to determine whether the SP is eligible to 
receive such information, and possesses the capability to provide 
appropriate protections for the GFI.
    (3) Upon approval by the Government, the SP must enter into a 
legally binding agreement with the DIB participant (and also an 
appropriate agreement with the Government in any case in which the SP 
will receive or share information directly with the Government on 
behalf of the DIB participant) under which the SP is subject to all 
applicable requirements of this part and of any supplemental terms and 
conditions in the DIB participant's FA with the Government, and which 
authorizes the SP to use the GFI only as authorized by the Government.
    (n) The DIB participant may not sell, lease, license, or otherwise 
incorporate the GFI into its products or services, except that this 
does not prohibit a DIB participant from being appropriately designated 
an SP in accordance with paragraph (m) of this section.


Sec.  236.6  General provisions of the DoD-DIB CS information sharing 
program.

    (a) Confidentiality of information that is exchanged under the DoD-
DIB CS information sharing program will be protected to the maximum 
extent authorized by law, regulation, and policy. DoD and DIB 
participants each bear responsibility for their own actions under the 
voluntary DoD-DIB CS information sharing program.
    (b) All DIB CS participants may participate in the Department of 
Homeland Security's Enhanced Cybersecurity Services (ECS) program 
(https://www.dhs.gov/enhanced-cybersecurity-services).
    (c) Participation in the voluntary DoD-DIB CS information sharing 
program does not obligate the DIB participant to utilize the GFI in, or 
otherwise to implement any changes to, its information systems. Any 
action taken by the DIB participant based on the GFI or other 
participation in this program is taken on the DIB participant's own 
volition and at its own risk and expense.
    (d) A DIB participant's participation in the voluntary DoD-DIB CS 
information sharing program is not intended to create any unfair 
competitive advantage or disadvantage in DoD source selections or 
competitions, or to provide any other form of unfair preferential 
treatment, and shall not in any way be represented or interpreted as a 
Government endorsement or approval of the DIB participant, its 
information systems, or its products or services.
    (e) The DIB participant and the Government may each unilaterally 
limit or discontinue participation in the voluntary DoD-DIB CS 
information sharing program at any time. Termination shall not relieve 
the DIB participant or the Government from obligations to continue to 
protect against the unauthorized use or disclosure of GFI, attribution 
information, contractor proprietary information, third-party 
proprietary information, or any other information exchanged under this 
program, as required by law, regulation, contract, or the FA.
    (f) Upon termination of the FA, and/or change of Facility Security 
Clearance (FCL) status below Secret, GFI must be returned to the 
Government or destroyed pursuant to direction of, and at the discretion 
of, the Government.
    (g) Participation in these activities does not abrogate the 
Government's, or the DIB participants' rights or obligations regarding 
the handling, safeguarding, sharing, or reporting of information, or 
regarding any physical, personnel, or other security requirements, as 
required by law, regulation, policy, or a valid legal contractual 
obligation. However, participation in the voluntary activities of the 
DoD-DIB CS information sharing program does not eliminate the 
requirement for DIB participants to report cyber incidents in 
accordance with Sec.  236.4.


Sec.  236.7  DoD-DIB CS information sharing program requirements.

    (a) To participate in the DoD-DIB CS information sharing program, a 
contractor must be a CDC and shall:
    (1) Have an existing active FCL granted under the NISPOM (DoD 
5220.22-M); and
    (2) Execute the standardized FA with the Government (available 
during the application process), which implements the requirements set 
forth in Sec. Sec.  236.5 through 236.7, and allows the CDC to select 
their level of participation in the voluntary DoD-DIB CS information 
sharing program.
    (3) In order for participating CDCs to receive classified cyber 
threat information electronically, they must:
    (i) Have or acquire a Communication Security (COMSEC) account in 
accordance with the NISPOM Chapter 9, Section 4 (DoD 5220.22-M), which 
provides procedures and requirements for COMSEC activities; and
    (ii) Have or acquire approved safeguarding for at least Secret 
information, and continue to qualify under the NISPOM for retention of 
its FCL and approved safeguarding; and
    (iii) Obtain access to DoD's secure voice and data transmission 
systems supporting the voluntary DoD-DIB CS information sharing 
program.
    (b) [Reserved]

    Dated: September 14, 2015.
Patricia L. Toppings,
OSD Federal Register, Liaison Officer, Department of Defense.
[FR Doc. 2015-24296 Filed 10-1-15; 8:45 am]
 BILLING CODE 5001-06-P