Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity (CS) Activities, 17741-17749 [2024-04752]

Agencies

• DEPARTMENT OF DEFENSE
• Office of the Secretary

[Federal Register Volume 89, Number 49 (Tuesday, March 12, 2024)]
[Rules and Regulations]
[Pages 17741-17749]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-04752]



[[Page 17741]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 236

[Docket ID: DoD-2019-OS-0112]
RIN 0790-AK86


Department of Defense (DoD) Defense Industrial Base (DIB) 
Cybersecurity (CS) Activities

AGENCY: Office of the DoD Chief Information Officer, Department of 
Defense (DoD).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The DoD is finalizing revisions to the eligibility criteria 
for the voluntary Defense Industrial Base (DIB) Cybersecurity (CS) 
Program. These revisions will allow all defense contractors who own or 
operate an unclassified information system that processes, stores, or 
transmits covered defense information to benefit from bilateral 
information sharing. DoD is also finalizing changes to definitions and 
some technical corrections for readability.

DATES: This rule is effective on April 11, 2024.

FOR FURTHER INFORMATION CONTACT: 
     Stacy Bostjanick, Chief Defense Industrial Base 
Cybersecurity, Office: 703-604-3167.
     DIB CS Program Management Office: [email protected].

SUPPLEMENTARY INFORMATION:

Discussion of Comments and Changes

    The proposed rule was published in the Federal Register (88 FR 
27832-27839) on May 3, 2023. Four submissions were received and are 
summarized below.
    A commenter suggested DoD should redefine terms and should change 
the regulations for the program. However, the commenter did not provide 
any additional detail which would allow DoD to consider possible 
changes.
    A commenter suggested DoD use this opportunity to run a targeted 
marketing campaign to assist small businesses with explaining a medium 
assurance certificate's purpose and procuring the hardware in advance 
of needing it.
    After consideration, DoD is modifying the requirement for industry 
to obtain a medium assurance certificate. Medium assurance certificates 
can be used to validate digital identity and facilitate the exchange of 
encrypted information. However, it is not the only technical solution 
available to support identity proofing requirements. So, DoD is 
revising paragraph (e) in Sec.  236.4, and separately in Department of 
Defense Instruction (DoDI) 8582.01, ``Security of Non-DoD Information 
Systems Processing Unclassified Nonpublic DoD Information,'' to require 
registration with Procurement Integrated Enterprise Environment (PIEE) 
\1\ when submitting mandatory cyber incident reports. This change will 
reduce the burden of having to procure a medium assurance certificate 
which costs approximately $175 annually. All DoD contracts contain 
Defense Federal Acquisition Regulation Supplement (DFARS) clause 
252.232-7003 (48 CFR 252.232-7003), which specifies requirements for 
electronic submission of payment requests. In order to access the 
electronic systems associated with electronic payments the contractor 
must also complete the required identity proofing and registration 
process with PIEE.
---------------------------------------------------------------------------

    \1\ https://piee.eb.mil/.
---------------------------------------------------------------------------

    Multiple commenters provided input on the accuracy of the burden 
estimates. One commentor recommended allowing one report to cover 
multiple contracts to reduce the administrative reporting burden on all 
parties and enhance consistency across DoD data. Another commentor 
noted that many firms will lack in-depth familiarity with existing 
policy, compliance requirements, and other details of the DIB CS 
Program and, as such, the estimate of 30 minutes for new entrants to 
familiarize themselves with the rule is an underestimate.
    As DoD is modifying the requirement for industry to obtain a medium 
assurance certificate with this final rule, the Department believes the 
burden to companies participating in the DIB CS Program is being 
reduced. In response to concerns about submitting a nearly identical 
report for multiple contracts, DoD would like to clarify that a 
contractor may submit one report for an event that impacts multiple 
contracts. Finally, DoD would like to clarify the estimate of 30 
minutes to review changes to this final rule and choose whether to 
apply to the voluntary DIB CS Program does not include time for 
contractors to develop in-depth familiarity with existing policies and 
compliance requirements. It is expected DoD contractors will invest 
time to familiarize themselves with contractually mandated requirements 
in addition to this estimate.
    A commenter highlighted the revision to the DIB CS Program omits a 
key component of the Critical Infrastructure Protection Act (CIPA) of 
2001, and the revisions to the DIB CS Program will exclude 
operationally critical support (OCS) contractors from its provisions 
unless such contractors have covered defense information (CDI) resident 
in their information systems (IS). The commenter recommended including 
contractors performing under contracts that are designated as providing 
OCS, regardless of whether those IS contain CDI.
    In accordance with 10 U.S.C. 391, the DoD must include mechanisms 
for Department personnel to, if requested, assist operationally 
critical contractors in detecting and mitigating penetrations. Pursuant 
to section 1642(b) of the National Defense Authorization Act for Fiscal 
Year 2019 DoD has authority to engage with the DIB that is 
complementary to, but distinct from, the DIB Cybersecurity Activities 
that implement the requirements levied upon the Department in 10 U.S.C. 
391 and 393. To meet the requirements specified in 10 U.S.C. 391, the 
DIB CS program will refer ineligible applicants to other U.S. 
Government Departments and Agencies sharing cybersecurity equities to 
ensure Federal unity of effort.
    A commenter posed several questions about the role of third-party 
service providers seeking to understand if a third-party service 
provider may submit reports on behalf of a client, and if a third-party 
service provider must own or operate covered contractor information 
systems.
    Currently, a contractor may authorize a third-party service 
provider to report incidents on behalf of the contractor. If that 
contractor and the third-party service provider are interested in 
participating in the DIB CS Program, an amendment to the DIB CS Program 
Framework Agreement is available to authorize the third-party service 
provider access to DIB CS resources. This agreement details whether the 
third-party service provider will provide on-site or off-site support; 
clarifies the respective roles of the contractor and the third-party 
service provider regarding accessing the government-furnished 
information on the DIB CS web portal and voluntary reporting of cyber 
incidents and indicators to the Government. The Framework Agreement and 
all Program amendments are made available through https://dibnet.dod.mil to an eligible company after the company has been 
verified by the DoD. The third-party service provider does not need to 
own or operate a covered defense system.
    Two commenters reiterated the need for training and best practices 
but did not indicate if they are familiar with DoD's current training 
programs or if they believe the programs are adequate.

[[Page 17742]]

    DoD notes the DIB CS Program offers training and best practices 
through in-person and virtual meetings and provides information about 
digital resources on https://dibnet.dod.mil.
    One commenter stated a link or a copy of the ``standardized'' 
Government Framework Agreement on the website will help contractors 
better understand their ability to meet the requirement before 
submitting an application--potentially saving all parties time and 
resources.
    DoD notes factsheets and informational materials are publicly 
available on https://dibnet.dod.mil. The Framework Agreement between 
the Government and a DIB participant is made available after the 
company applies to the program and DoD verifies the company meets the 
eligibility requirements set forth in Sec.  236.7.
    A commenter suggested access and information for cleared companies 
should remain as it is today and recommended an ``impact statement'' to 
information released to uncleared firms to help contextualize the 
information and the reason for disseminating it.
    The Privacy Impact Assessment (PIA) for DoD's DIB CS Activities 
provides procedures on how the Government handles personally 
identifiable information (PII), as well as other forms of sensitive 
contractor information (e.g., contractor attributional/proprietary). 
The PIA is publicly available at https://dodcio.defense.gov/Portals/0/Documents/DIB_PIA.pdf and no changes to the PIA are being proposed. The 
Security Classification Guide (SCG) \2\ is the tool used by DoD 
Personnel to identify and safeguard national security information when 
derivatively classifying information. All information will be 
designated and handled in accordance with the DIB CS Activities SCG, 
the NISPOM Program as defined in 32 CFR part 117 and the Controlled 
Unclassified Information (CUI) Program as defined in 32 CFR part 2002.
---------------------------------------------------------------------------

    \2\ DIB CS Activities Security Classification Guide is available 
via https://www.DTIC.mil.
---------------------------------------------------------------------------

    A commenter asked about a future opportunity to map the level of 
access to DIB CS resources to a company's certification(s) level or 
assessment scoring.
    DoD notes all companies currently participating in the DIB CS 
Program are eligible to receive Government Furnished Information (GFI) 
under the voluntary DIB CS Program and cybersecurity information is 
shared to the greatest extent possible in accordance with the Program's 
SCG. Information about a company's certification level or assessment 
score is controlled information and not available to the DIB CS Program 
at this time.
    A commenter recommended providing consistent controls and data 
access channels to help companies synthesize and apply the threat 
information to their market.
    The DIB CS Program marks all documents in accordance with the SCG 
\3\ and DIBNet remains the primary channel for disseminating threat 
products. DoD has recently relaunched DIBNet to provide an API-based 
data access channel to complement the ability for a DIB CS Participant 
to download PDF, TXT, and CSV based products which should allow a 
participating company to analyze threat information unique to their 
market.
    A commenter recommended adding headers to Sec.  236.4 for paragraph 
(f), (g), (j), and (o) to increase uniformity.
    DoD has added headers to Sec.  236.4 for paragraphs (f), (g), and 
(o). Paragraph (j) has a header, and an administrative correction will 
be made to correct the format of paragraph (n).
    A commenter asked if the rights and responsibilities for submittals 
under the DIB CS Program have changed with respect to Freedom of 
Information Act (FOIA).
    The rights and responsibilities for submittals under the DIB CS 
Program have not changed with respect to Freedom of Information Act 
(FOIA). The Office of the Assistant to the Secretary of Defense for 
Privacy, Civil Liberties, and Transparency (OATSD(PCLT)) maintains a 
DoD FOIA Handbook available at https://open.defense.gov/Transparency/FOIA/FOIAHandbook.aspx.

Background and Authority

    The DIB means the DoD, Government, and private sector worldwide 
industrial complex with capabilities to perform research and 
development, design, produce, and maintain military weapon systems, 
subsystems, components, or parts to satisfy military requirements. The 
DIB Cybersecurity Program is a voluntary program to enhance and 
supplement participants' capabilities to safeguard DoD information that 
resides on, or transits, DIB unclassified information systems. The 
program encourages greater threat information sharing to complement 
mandatory aspects of DoD's DIB cybersecurity activities which are 
contractually mandated through DFARS 252.204-7012, Safeguarding Covered 
Defense Information and Cyber Incident Reporting.\4\ This program 
supports and complements DoD-specific authorities at 10 U.S.C. 2224 and 
the Federal Information Security Management Act (FISMA 2002) as amended 
by the Federal Information Security Modernization Act, 2014. Cyber 
threat information sharing activities under this final rule also 
fulfill important elements of DoD's critical infrastructure protection 
responsibilities, as the sector risk management agency for the DIB (see 
Presidential Policy Directive 21 (PPD-21),\5\ ``Critical Infrastructure 
Security and Resilience''). This program is aligned with the 
requirements of the Controlled Unclassified Information (CUI) program 
established in Executive Order 13556. Expanding eligibility 
requirements for the DIB CS Program will augment DoD's information 
sharing activities with the DIB.
---------------------------------------------------------------------------

    \4\ https://www.ecfr.gov/current/title-48/chapter-2/subchapter-H/part-252/subpart-252.2/section-252.204-7012.
    \5\ https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
---------------------------------------------------------------------------

    Currently, the DIB CS Program has the following objectives:
     Establish a voluntary, mutually acceptable framework to 
protect information from unauthorized access.
     Protect the confidentiality of information exchanged to 
the maximum extent authorized by law.
     Create a trusted environment to maximize network defense 
and remediation efforts by:
    1. Sharing cyber threat information and incident reports.
    2. Providing mitigation/remediation strategies and malware 
analysis.
    This program is part of DoD's larger portfolio of work to protect 
DoD information handled by the DIB by understanding and sharing 
information, building security partnerships, implementing long-term 
risk management programs, and maximizing efficient use of resources. It 
supports two-way information sharing and maintains meaningful 
relationships and frequent dialogue across the diverse array of 
eligible defense contractors. For eligible defense contractors, the 
program maintains a capability for companies to access classified 
government cyber threat information providing additional context to 
better understand the cyber threats targeting their networks and 
information systems.
    In May 2012, DoD published an interim final rule establishing the 
voluntary DIB CS Program and the bilateral information sharing model 
still used today.\6\ The 2012 rule established

[[Page 17743]]

a voluntary cyber threat information sharing program for cleared 
defense contractors (CDC) with the ability to safeguard classified 
information, estimated at 2,650 in 2012. Under the rule CDC is defined 
as a private entity granted clearance by DoD to access, receive, or 
store classified information for the purpose of bidding for a contract 
or conducting activities in support of any program of DoD. The 2012 
rule stated DoD would maintain a website to facilitate the following 
aspects of program participation: (1) sharing information regarding 
eligibility and participation in the program with potential 
participants, (2) applying to the program online, and 3) executing the 
necessary agreements with the Government. DoD has established this 
capability as an online portal referred to as ``DIBNet,'' located at 
https://dibnet.dod.mil. A final rule responding to public comments was 
published in October 2013.\7\ In October 2015, responding to new 
statutory requirements for cyber incident reporting for DoD 
contractors, subcontractors, and those providing operationally critical 
support, DoD published another interim final rule \8\ to expand 
eligibility to all cleared defense contractors (estimated at 8,500 in 
2015 and 12,000 in 2022), subject to program eligibility requirements. 
The 2015 rule removed the requirement that CDCs be able to safeguard 
classified information to participate in the program. The rule also 
removed the mandatory program eligibility requirement to have or 
acquire a Communications Security (COMSEC) account \9\ and obtain 
access to DoD's secure voice and data transmission systems, although 
participants still have to fulfill these requirements to receive 
classified cyber threat information electronically. A final rule 
responding to public comments was published in October 2016.\10\
---------------------------------------------------------------------------

    \6\ 77 FR 27615, May 11, 2012 (https://www.govinfo.gov/content/pkg/FR-2012-05-11/pdf/2012-10651.pdf).
    \7\ 78 FR 62430, October 22, 2013 (https://www.govinfo.gov/content/pkg/FR-2013-10-22/pdf/2013-24256.pdf).
    \8\ 80 FR 59581, October 2, 2015 (https://www.govinfo.gov/content/pkg/FR-2015-10-02/pdf/2015-24296.pdf).
    \9\ The National Security Agency administers COMSEC accounts.
    \10\ 81 FR 68312, October 4, 2016 (https://www.govinfo.gov/content/pkg/FR-2016-10-04/pdf/2016-23968.pdf).
---------------------------------------------------------------------------

Discussion of the Final Rule

    With this rule, the Department is expanding eligibility 
requirements to allow greater program participation and increase the 
benefits of bilateral information sharing, which helps protect DoD 
controlled unclassified information from cyberattack, as well as to 
better align the voluntary DIB CS Program with DoD's mandatory cyber 
incident reporting requirements. The current eligibility requirements, 
based on the October 2016 rule, requires a company to be a cleared 
defense contractor \11\ who:
---------------------------------------------------------------------------

    \11\ 32 CFR 236.2 defines cleared defense contractor to mean a 
subset of contractors cleared under the National Industrial Security 
Program (NISP) who have classified contracts with the DoD.
---------------------------------------------------------------------------

     Has DoD-approved medium assurance certificates; \12\
---------------------------------------------------------------------------

    \12\ The DoD has established the External Certification 
Authority (ECA) program to support the issuance of DoD-approved 
certificates to industry partners and other external entities and 
organizations. The ECA program is designed to provide the mechanism 
for these entities to securely communicate with the DoD and 
authenticate to DoD Information Systems. [https://public.cyber.mil/eca/].
---------------------------------------------------------------------------

     Has an existing facility clearance \13\ to at least the 
Secret level; and
---------------------------------------------------------------------------

    \13\ Entities (including companies and academic institutions) 
engaged in providing goods or services to the U.S. Government 
involving access to or creation of classified information may be 
granted a Facility Clearance (FCL). The Defense Counterintelligence 
and Security Agency (DCSA) processes, issues, and monitors the 
continued eligibility of entities for an FCL. [https://www.dcsa.mil/mc/isd/fc/].
---------------------------------------------------------------------------

     Can execute the standardized Framework Agreement \14\ 
provided to interested contractors after the Department has verified 
the DIB company is eligible.
---------------------------------------------------------------------------

    \14\ Applicants to the DIB CS Program submit an application from 
https://dibnet.dod.mil. Once a company has been verified, the 
Framework Agreement is made available for review.
---------------------------------------------------------------------------

    The program has experienced steady growth, with the annual number 
of applications more than tripling since 2016 (80 total applications 
received in 2016, 266 total applications received in 2022). It has also 
seen a steady increase in the percentage of defense contractors who are 
interested in participating but do not meet current eligibility 
requirements. The percentage of applications received from ineligible 
defense contractors has risen at an average rate of 5% per year since 
2016; 10% of applications received in 2016 were from ineligible defense 
contractors, while 45% of applicants in 2022 were ineligible. The 
steady increase in DIB applicants indicates an increasing desire 
amongst defense contractors to participate in a cyber threat 
information sharing program.
    In addition, the Department has actively engaged defense 
associations, universities, and companies in the DIB, as well as 
participated in many public forums discussing cyber threats and the way 
forward. The overwhelming feedback was for the Department to facilitate 
engagement with the broader community of defense contractors beyond 
just the cleared defense community. In general, smaller defense 
contractors have fewer resources to devote to cybersecurity, which may 
provide a vector for adversaries to access information critical to 
national security. In addition, the Department is working on providing 
more tailored threat information to support the needs of a broader 
community of defense contractors with varying cybersecurity 
capabilities. The gap in eligibility in the current program, feedback 
from interested but ineligible contractors, a vulnerable DoD supply 
chain, and a pervasive cyber threat have prompted DoD to propose 
revising the eligibility requirements of the DIB CS Program to allow 
participation by non-cleared defense contractors.
    The maximum number of defense contractors estimated to be subject 
to mandatory cyber incident reporting under DFARS clause 252.204-7012 
is 80,000. The presence of the clause in a contract does not establish 
that covered defense information is shared. DoD is working on reporting 
mechanisms to better assess contractors managing covered defense 
information. The population of defense contractors in possession of 
covered defense information and subject to mandatory incident reporting 
requirements far exceeds the population of defense contractors 
currently eligible to participate in the voluntary DIB CS Program. With 
the changes to the eligibility criteria, an estimated additional 68,000 
defense contractors will be eligible to participate in the voluntary 
DIB CS Program. Based on prior participation statistics, it is 
estimated that about 10% of the eligible contractors (12,000 + 68,000 = 
80,000) will actually apply to join the voluntary DIB CS Program 
(80,000 x 0.10 = 8,000).
    Currently, the DIB CS Program has approximately 1,000 cleared 
defense contractors participating in the program. Program participants 
have access to technical exchange meetings, a collaborative web 
platform (DIBNet-U), and threat information products and services 
through the DoD Cyber Crime Center (DC3). DC3 implements the program's 
operations by sharing cyber threat information and intelligence with 
the DIB, and offering a variety of products, tools, services, and 
events. DC3 serves as the single clearinghouse for unclassified 
Mandatory Incident Reports (MIRs) and voluntary threat information 
sharing reports.

Changes to Definitions

    In addition to the program eligibility changes described above, DoD 
is also finalizing the following changes.

[[Page 17744]]

Section 236.2 Definitions

    1. Access to media--This definition is being removed as it is no 
longer used in the rule text.
    2. DIB CS Program participant--This definition has been revised to 
align with the revised eligibility requirements set forth in this final 
rule.
    3. Government furnished information (GFI)--This definition was 
revised to adopt the convention of referring to the DIB CS Program with 
a capital `P'.

Other Finalized Changes

    DoD is amending Sec.  236.4 (Mandatory cyber incident reporting 
procedures), in response to public comments received about the burden 
associated with medium assurance certificates. The amendment will 
require contractors to obtain PIEE account in conjunction with 
mandatory cyber incident reporting. This change will align the identity 
proofing processes used by DoD for the majority of DIB companies and 
will eliminate the cost associated with procuring medium assurance 
certificates. DoD will continue to accept medium assurance certificates 
to fulfil identity proofing requirements.
    DoD is amending Sec.  236.5 (DoD's DIB CS program) in order to 
align the program description with the revised eligibility 
requirements. As a result, references to cleared defense contractors 
have been replaced with contractors that own or operate a covered 
contractor information system. Security clearance information is only 
collected, when applicable, if a company elects and is eligible to 
participate in classified information sharing. In addition, the 
language stating participation is typically three to ten company-
designated points of contact (POC) has been removed, to avoid confusion 
regarding the number of POCs, as some larger companies may wish to 
nominate a larger number of POCs and smaller companies may wish to 
nominate fewer.
    DoD is amending Sec.  236.7 (DoD's DIB CS program requirements) to 
remove the requirement that a company have an existing active facility 
clearance (FCL) to at least the Secret level granted under 32 CFR part 
117, National Industrial Security Program Operating Manual 
(NISPOM),\15\ to be eligible to participate in the DIB CS Program. In 
addition, references to cleared defense contractors have been replaced 
with contractors that own or operate a covered contractor information 
system.
---------------------------------------------------------------------------

    \15\ https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-117.
---------------------------------------------------------------------------

    A foundational element of the activities described in Sec.  236.7 
is the recognition that the information shared between DoD and DIB CS 
Program participants pursuant to the DIB CS Program includes CUI,\16\ 
which requires protection. For additional information regarding the 
Government's safeguarding of information received from contractors that 
requires protection, see the Privacy Impact Assessment (PIA) for the 
DIB Cybersecurity Activities located at: https://dodcio.defense.gov/Portals/0/Documents/DIB_PIA.pdf. The PIA provides detailed procedures 
for handling personally identifiable information (PII), attributional 
information about the strengths or vulnerabilities of specific covered 
contractor information systems, information providing a perceived or 
real competitive advantage on future procurement action, and contractor 
information marked as proprietary or commercial or financial 
information. In addition, personnel information is covered by Office of 
the Secretary of Defense (OSD) System of Records Notice (SORN) DCIO 01 
(https://dpcld.defense.gov/Portals/49/Documents/Privacy/SORNs/OSDJS/DCIO-01.pdf). No changes to the PIA or SORN are being made in 
conjunction with this final rule.
---------------------------------------------------------------------------

    \16\ https://www.archives.gov/cui.
---------------------------------------------------------------------------

Expected Impact of the Final Rule

    Comments were received on the cost of a DoD-approved medium 
assurance certificates and the accuracy of estimates relating to 
familiarization costs and attending meetings. DoD is removing the 
requirement for the DIB to have a DoD-approved medium assurance 
certificate to report cyber incidents. The requirement is being 
replaced with the requirement to register in PIEE which has established 
procedures to perform digital identity proofing. The basis for the cost 
estimate for a company to familiarize themselves with changes to this 
rule and determine if they would like to apply to the DIB CS Program 
does not include time for a company to perform an in-depth review of 
preexisting contractually mandated requirements. The basis for the cost 
estimate to participate in meetings uses the assumption a company sends 
the equivalent of an Information Security Analyst with the mean wage 
estimate published by the Bureau of Labor Statistics. If the company 
elects to send more senior representatives the cost will be higher. The 
economic analysis is being finalized without changes.

Costs

    DoD believes the cost impact of the changes to this final rule is 
not significant, as the changes primarily expand the availability of 
the established DIB CS Program to additional defense contractors. The 
newly eligible population of defense contractors may incur costs to 
familiarize itself with the rule and those who elect to participate in 
the program will incur costs related to program participation. The 
Government will continue to incur costs related to operating the 
program. The DIB CS Program conducts outreach activities to defense 
contractors through press releases, participation in defense-oriented 
conferences, speaking engagements, and through digital media. The 
program will leverage pre-established channels to message changes to 
the program and engage with the eligible population of defense 
contractors. Based on the program growth experienced that during the 
last phase of program expansion the program is forecasting annual 
growth at just over 1% of the eligible population. At a growth rate of 
1% per year it will take the program approximately 10 years to achieve 
the estimated 10% participation rate of the eligible DIB.

Costs to DIB Participants

    In order to join the DIB CS Program there is an initial labor 
burden for a defense contractor to familiarize themselves with the rule 
and subsequently apply to the program and provide POC information. In 
total, if it takes each contractor 30 minutes to read and familiarize 
him/herself with the rule, it will take contractors 4,000 hours to 
familiarize themselves with the rule (8,000 participants x .5 = 4,000 
hours). At an hourly wage of $108.92, the total cost incurred by 
contractors for rule familiarization will amount to $217,840 ($108.92 x 
.5 hours = $54.46 x 4,000 hours = $217,840). The hourly labor cost is 
based on the mean wage estimate from the Bureau of Labor Statistics for 
an Information Security Analysts, Occupational Employment and Wages, 
May 2021 and is covered under information collection 0704-0490. This 
hourly wage is adjusted upward by 100% to account for overhead and 
benefits, which implies a value of $108.92 per hour.
    The estimated annual burden for a company to apply to the program 
or for a participating company to update POC information is $36.31, 
with a total annual cost to all participants of $319,498.67 at peak 
program participation. This calculation is based on 8,000 participants 
submitting an average of one application per year and 10% of the 
population (800 participants) submitting an update each year, with 20 
minutes of labor per

[[Page 17745]]

submission, at a cost of $108.92 per hour ($108.92 x \1/3\ hours = 
$36.31 x 8,800 events = $319,498.67).
    There is an estimated annual burden projected at $1,089.20 for 
defense contractors voluntarily sharing cyber threat information. This 
is based on a defense contractor electing to submit an average of five 
informational reports per year with two hours of labor per voluntary 
submission, at a cost of $108.92 per hour ($108.92 x 2 hours = $217.84 
x 5 reports = $1,089.20). It is estimated that 1% of the newly eligible 
population will elect to join the DIB CS Program annually, which 
currently has approximately 1,000 participants, with program growth 
plateauing at 10% of the population by Year 9. The table below shows 
the costs to industry to voluntarily sharing cyber threat information 
over a 9-year period. If, in the first year of the program expanding 
there are 980 participants and 800 new participants join the program, 
there will be a total of 1,780 participants. Assuming each participant 
responds five times, this totals 8,900 annual responses times $217.84 
per response and will equal $1,938,776 in total annual cost to 
participants, which is covered in information collection 0704-0489.

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                        Year 1       Year 2       Year 3       Year 4       Year 5       Year 6       Year 7       Year 8       Year 9
--------------------------------------------------------------------------------------------------------------------------------------------------------
DIB CS Participants................        1,780        2,580        3,380        4,180        4,980        5,780        6,580        7,380        8,000
Voluntary Reports Received.........        8,900       12,900       16,900       20,900       24,900       28,900       32,900       36,900       40,000
Annual Cost........................   $1,938,776   $2,810,136   $3,681,496   $4,552,856   $5,424,216   $6,295,576   $7,166,936   $8,038,296   $8,713,600
--------------------------------------------------------------------------------------------------------------------------------------------------------

    In addition, DIB CS Program participants may choose to attend 
meetings in conjunction with the DIB CS Program. All new participants 
are invited to attend an orientation session and all existing 
participants are invited to attend meetings on a quarterly basis. If a 
defense contractor chooses to send an employee to a day-long meeting 
each quarter, the defense contractor would incur a cost of $3,485.44 
($108.92 x 8 hours = $871.36 x 4 meetings = $3,485.44).

Costs to the Government

    The DoD has identified general areas of costs related to the 
operation of this program. First, DoD incurs costs to implement this 
program operationally by responding to inquiries, processing 
application submissions and collecting, sharing, and managing POC 
information for program administration and management purposes. Second, 
DoD incurs costs to collect, analyze, and disseminate threat 
information.
    DoD responds to an average of 2,000 questions each year and these 
responses are estimated to take 20 minutes per response. If it takes 20 
minutes to respond to each question, it will take 667 hours to respond 
to questions. At an hourly wage of $51.16,\17\ it will cost the DoD 
$34,107 dollars to respond to questions ($51.16 x (.333 x 2,000) = 
$34,107). Costs to the government are incurred when a company applies 
to the DIB CS Program to validate and store POC information and to 
perform follow-up activities with a company when the information is 
outdated. The processing time for these activities is estimated to be 
one hour per company.
---------------------------------------------------------------------------

    \17\ This is based upon the 2022 General Schedule (GS) pay scale 
for a GS-9 Step 5 and is adjusted upward by 100% to adjust for 
overhead and benefits.
---------------------------------------------------------------------------

    If, by Year 9, 8,000 companies participate in the program and 10% 
of the companies update information with the program annually the labor 
cost to the government is expected to be $72,647.20 = (620 + 800 x 
$51.16).

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                        Year 1       Year 2       Year 3       Year 4       Year 5       Year 6       Year 7       Year 8       Year 9
--------------------------------------------------------------------------------------------------------------------------------------------------------
DIB CS Participants................         1780         2580         3380         4180         4980         5780         6580         7380         8000
New Applications...................          780          800          800          800          800          800          800          800          620
Updates............................          178          258          338          418          498          578          658          738          800
Annual Cost........................   $49,011.28   $54,127.28   $58,220.08   $62,312.88   $66,405.68   $70,498.48   $74,591.28   $78,684.08   $72,647.20
--------------------------------------------------------------------------------------------------------------------------------------------------------

    In addition, there is a cost incurred by the DoD to receive cyber 
threat information submitted by defense contractors to have it analyzed 
by cyber threat experts at DC3. By year 9 of the expanded program, it 
is estimated DC3 will receive 40,000 responses per year, based on the 
estimate that each participating company elects to submit 5 
informational reports (8,000 participants x 5 reports). Each product 
takes approximately two hours to create and incurs an hourly labor cost 
of $51.16 per hour. This equals $102.32 (2 hours x 51.16) per response. 
The labor cost to the government is forecasted to be $4,092,800 
annually after 9 years of growth. In addition to processing cyber 
threat information, the DoD incurs operational and maintenance costs 
for the system receiving and storing cyber threat information. This 
system costs the DoD $5,100,000 annually to maintain (covered under 
information collection 0704-0489).

Benefits

    This program benefits the Department by increasing the overall 
security of the DIB through increasing awareness and improving 
assessments of cyber incidents that may affect mission critical 
capabilities and services. It continues to be an important element of 
the Department's comprehensive effort to defend DoD information, 
protect U.S. national interests against cyber-attacks, and support 
military operations and contingency plans worldwide. Once a

[[Page 17746]]

defense contractor joins the program, they are encouraged to share 
information, including cyber threat indicators, that they believe may 
be of value in alerting the Government and others, as appropriate, of 
adversary activity to enable the development of mitigation strategies 
and proactively counter threat actor activity. DC3 develops written 
products that include analysis of the threat, mitigations, and 
indicators of adversary activity. Even cyber incidents that are not 
compromises of covered defense information may be of interest to DoD 
for situational awareness purposes. This information is disseminated as 
anonymized threat products that are shared with authorized DoD 
personnel, other Federal agencies, and company-designated POCs 
participating in the DIB CS Program. With the revisions to the 
eligibility criteria, the Department will be able to reduce the impact 
of cyber threat activity on DIB networks and information systems and, 
in turn, preserve its technological advantage and protect DoD 
information and warfighting capabilities. The mitigation of the cyber 
threat targeting defense contractors reinforces the nation's national 
security and economic vitality.
    For DIB participants, this program provides unique cyber threat 
information and technical assistance through analyst-to-analyst 
exchanges, mitigation and remediation strategies, and cybersecurity 
best practices in a collaborative environment. The shared unclassified 
and classified cyber threat information is used to bolster a company's 
cybersecurity posture and mitigate the growing cyber threat. The 
program's tailored support for small, mid-size, and large companies 
with varying cybersecurity maturity levels is an asset for 
participants. The program remains a key element of DoD's cybersecurity 
efforts by providing services to help protect DIB CS Program 
participants and the sensitive DoD information they handle.

Regulatory Compliance Analysis

A. Executive Order 12866, ``Regulatory Planning and Review'' and 
Executive Order 13563, ``Improving Regulation and Regulatory Review''

    Executive Order 12866 directs agencies to assess all costs, 
benefits, and available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health, safety 
effects, distributive impacts, and equity). Executive Order 13563 
emphasizes the importance of quantifying both costs and benefits, of 
reducing costs, of harmonizing rules, and of promoting flexibility. 
This final rule has been designated ``significant,'' under Executive 
Order 12866.

B. Congressional Review Act (5 U.S.C. 801 et seq.)

    Pursuant to the Congressional Review Act, this final rule has not 
been designated a major rule, as defined by 5 U.S.C. 804(2). This final 
rule will not have an economic effect above the $100 million threshold 
defined in 5 U.S.C. 804(2) or spur a major increase in costs or prices 
for consumers, individual industries, Federal, State, or local 
government agencies, or geographic regions; or have significant adverse 
effects on competition, employment, investment, productivity, 
innovation, or on the ability of United States-based enterprises to 
compete with foreign-based enterprises in domestic and export markets.

C. Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. 601)

    The Office of the DoD Chief Information Officer certified that this 
final rule is not subject to the Regulatory Flexibility Act (5 U.S.C. 
601) because it would not, if promulgated, have a significant economic 
impact on a substantial number of small entities. This final rule will 
have a significant positive impact on small entities that will become 
eligible to participate in and receive benefits through the DIB CS 
Program. For DIB participants, this program provides cyber threat 
information and technical assistance through analyst-to-analyst 
exchanges, mitigation and remediation strategies, and cybersecurity 
best practices in a collaborative environment. The shared threat 
information is used to bolster a company's cybersecurity posture and 
mitigate the growing cyber threat. The program's tailored support for 
small, mid-size, and large companies with varying cybersecurity 
maturity levels is an asset for participants, and in fact can avoid 
expending resources to obtain threat intelligence from private sources 
if the company elects to participate in services offered by the DoD 
that directly integrate threat intelligence.
    Participation in the DIB CS Program is voluntary. Program 
application and participation costs are described in the cost analysis 
section of this final rule. These costs are voluntarily incurred and 
associated with the labor and resource costs to complete the required 
program paperwork, including execution of the Framework Agreement, to 
submit information to the Government, and to receive information from 
the Government. The costs associated with applying to the DIB CS 
Program are associated exclusively with labor costs and estimated to be 
$18.15 per company. None of the program's offering come at an 
additional fee to DIB participants and additional costs related to 
participation are estimated based on the time investment (labor hours) 
required to obtain the benefits as described in the cost analysis of 
this preamble. Therefore, the Regulatory Flexibility Act, as amended, 
does not require us to prepare a regulatory flexibility analysis.

D. Sec. 202, Public Law 104-4, ``Unfunded Mandates Reform Act''

    Section 202 of the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 
1532) requires agencies to assess anticipated costs and benefits before 
issuing any rule whose mandates require spending in any one year of 
$100 million in 1995 dollars, updated annually for inflation. When the 
Federal Government passes legislation requiring a State, local, or 
tribal government to perform certain actions or offer certain programs 
but does not include any funds for the actions or programs in the law, 
an unfunded mandate is the result. This final rule will not mandate any 
requirements for State, local, or tribal governments, and will not 
mandate private sector incurred costs above the $100 million threshold 
defined in 2 U.S.C. 1532.

E. Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 
35)

    Section 236.2 of this rule contains information collection 
requirements. As required by the Paperwork Reduction Act (44 U.S.C. 
Chapter 35), DoD submitted information collection requests to the 
Office of Management and Budget for review and approval. In response to 
DoD's invitation in the proposed rule to comment on any potential 
paperwork burden associated with this rule, there were no comments from 
the public. This final rule contains the following information 
collection requirements under the Paperwork Reduction Act (PRA) of 
1995.
     OMB Control Number 0704-0489, ``DoD's Defense Industrial 
Base (DIB) Cybersecurity (CS) Activities Cyber Incident Reporting,''
     OMB Control Number 0704-0490, ``DoD's Defense Industrial 
Base (DIB) Cybersecurity (CS) Points of Contact (POC) Information.''
    The System of Records Notice associated with these information 
collections (DCIO 01, ``Defense Industrial Base (DIB) Cybersecurity 
(CS) Activities Records'') published on May

[[Page 17747]]

17, 2019. The Federal Register citation for the SORN is 84 FR 22477.
    The Privacy Impact Assessment for the Defense Industrial Base (DIB) 
Cybersecurity (CS) Activities is posted at: https://dodcio.defense.gov/Portals/0/Documents/DIB_PIA.pdf.

F. Executive Order 13132, ``Federalism''

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a final rule that imposes 
substantial direct requirement costs on State and local governments, 
preempts State law, or otherwise has federalism implications. This 
final rule will not have a substantial effect on State and local 
governments.

G. Executive Order 13175, ``Consultation and Coordination With Indian 
Tribal Governments''

    Executive Order 13175 establishes certain requirements that an 
agency must meet when it promulgates a final rule that imposes 
substantial direct compliance costs on one or more Indian tribes, 
preempts tribal law, or effects the distribution of power and 
responsibilities between the Federal Government and Indian tribes. This 
final rule will not have a substantial effect on Indian tribal 
governments.

List of Subjects in 32 CFR Part 236

    Government contracts, Security measures.

    Accordingly, DoD amends 32 CFR part 236 as follows:

PART 236--DEPARTMENT OF DEFENSE (DoD) DEFENSE INDUSTRIAL BASE (DIB) 
CYBERSECURITY (CS) ACTIVITIES

0
1. The authority citation for 32 CFR part 236 is revised to read as 
follows:

    Authority: 10 U.S.C. 391, 393, and 2224; 44 U.S.C. 3506 and 
3554; 50 U.S.C. 3330.


0
2. Revise the heading of 32 CFR part 236 to read as set forth above.

0
3. Revise and republish Sec.  236.1 to read as follows:


Sec.  236.1   Purpose.

    Cyber threats to contractor unclassified information systems 
represent an unacceptable risk of compromise of DoD information and 
pose an imminent threat to U.S. national security and economic security 
interests. This part requires all DoD contractors to rapidly report 
cyber incidents involving covered defense information on their covered 
contractor information systems or cyber incidents affecting the 
contractor's ability to provide operationally critical support. The 
part also permits eligible DoD contractors to participate in the 
voluntary DIB CS Program to share cyber threat information and 
cybersecurity best practices with DIB CS Program participants. The DIB 
CS Program enhances and supplements DIB CS Program participants' 
capabilities to safeguard DoD information that resides on, or transits, 
DIB unclassified information systems.

0
4. Amend Sec.  236.2 by:
0
a. Removing the definition of ``Access to media''.
0
b. Removing the definition of ``DIB participant'' and adding the 
definition ``DIB CS Program participant'' in its place.
0
c. Removing the words ``DIB CS program'' in the definition of 
``Government furnished information (GFI)'' and adding in their place 
the words ``DIB CS Program''.
    The addition reads as follows:


Sec.  236.2   Definitions.

* * * * *
    DIB CS Program participant means a contractor that has met all of 
the eligibility requirements to participate in the voluntary DIB CS 
Program as set forth in this part (see Sec.  236.7).
* * * * *


Sec.  236.3   [Amended]

0
5. Amend Sec.  236.3 by:
0
a. Removing the word ``program'' and adding in its place the words 
``Program participants'' in paragraph (b)(1).
0
b. Removing the words ``DIB CS program'' and adding in their place the 
words ``DIB CS Program'' in paragraph (c).
0
6. Amend Sec.  236.4 by:
0
a. Removing the text ``http'' and adding in its place the text 
``https'' in paragraphs (b)(2), (c), and (d).
0
b. Revising paragraphs (e) through (g).
0
c. Removing the words ``paragraph (e)'' and adding in their place the 
words ``paragraph (i)'' in paragraph (k).
0
d. Revising paragraph (m)(4).
0
e. Adding a heading for paragraph (o).
0
f. Revising paragraph (p).
    The revisions and additions read as follows:


Sec.  236.4   Mandatory cyber incident reporting procedures.

* * * * *
    (e) Procurement Integrated Enterprise Environment (PIEE) account 
requirement. To report cyber incidents in accordance with this section, 
the contractor or subcontractor shall have a PIEE account to access 
https://dibnet.dod.mil. For information on obtaining a PIEE account, 
see https://piee.eb.mil/.
    (f) Third-party service provider support. If the contractor 
utilizes a third-party service provider (SP) for information system 
security services, the contractor may authorize the SP to report cyber 
incidents on behalf of the contractor.
    (g) Voluntary information sharing. Contractors are encouraged to 
report information to promote sharing of cyber threat indicators that 
they believe are valuable in alerting the Government and others, as 
appropriate, in order to better counter threat actor activity. Cyber 
incidents that are not compromises of covered defense information or do 
not adversely affect the contractor's ability to perform operationally 
critical support may be of interest to the DIB and DoD for situational 
awareness purposes.
* * * * *
    (m) * * *
    (4) For national security purposes, including cyber situational 
awareness and defense purposes (including sharing non-attributional 
cyber threat information with defense contractors participating in the 
DIB CS Program authorized by this part); or
* * * * *
    (o) Contractor activities. * * *
    (p) Freedom of Information Act (FOIA). Agency records, which may 
include qualifying information received from non-Federal entities, are 
subject to request under the Freedom of Information Act (5 U.S.C. 552). 
The Government will notify the non-Government source or submitter 
(e.g., contractor or DIB CS Program participant) of the information in 
accordance with the procedures in 32 CFR 286.10.
* * * * *

0
7. Revise and republish Sec.  236.5 to read as follows:


Sec.  236.5   DoD's DIB CS Program.

    (a) All defense contractors that meet the requirements set forth in 
Sec.  236.7 are eligible to join the DIB CS Program as a DIB CS Program 
participant. Defense contractors meeting the additional eligibility 
requirements in Sec.  236.7 can elect to access and receive classified 
information electronically.
    (b) Under the voluntary activities of the DIB CS Program, the 
Government and each DIB CS Program participant will execute a 
standardized agreement, referred to as a Framework Agreement (FA) to 
share, in a timely and secure manner, on a recurring basis, and to the 
greatest extent possible, cybersecurity information.
    (c) Each such FA between the Government and a DIB CS Program 
participant must comply with and

[[Page 17748]]

implement the requirements of this part, and will include additional 
terms and conditions as necessary to effectively implement the 
voluntary information sharing activities described in this part with 
individual DIB CS Program participants.
    (d) DoD's DIB CS Program Management Office is the overall point of 
contact for the program. The DC3 managed DoD-DIB Collaborative 
Information Sharing Environment (DCISE) is the operational focal point 
for cyber threat information sharing and incident reporting under the 
DIB CS Program.
    (e) The Government will maintain a website or other internet-based 
capability to provide potential DIB CS Program participants with 
information about eligibility and participation in the program, to 
enable online application or registration for participation, and to 
support the execution of necessary agreements with the Government.
    (f) As participants of the DIB CS Program, defense contractors are 
encouraged to share cyber threat indicators and information that they 
believe are valuable in alerting the Government and other DIB CS 
Program participants to better counter threat actor activity. Cyber 
activity that is not covered under Sec.  236.4 may be of interest to 
DIB CS Program participants and DoD.
    (g) The Government shall share GFI DIB CS Program participant or 
designated SP in accordance with this part.
    (h) Prior to receiving GFI, each DIB CS Program participant shall 
provide the requisite points of contact information, to include U.S. 
citizenship and security clearance information, as applicable, for the 
designated personnel within their company in order to facilitate the 
DoD-DIB interaction in the DIB CS Program. The Government will confirm 
the accuracy of the information provided as a condition of that point 
of contact being authorized to act on behalf of the DIB CS Program 
participant for this program.
    (i) GFI will be issued via both unclassified and classified means. 
DIB CS Program participants handling and safeguarding of classified 
information shall be in compliance with 32 CFR part 117. The Government 
shall specify transmission and distribution procedures for all GFI, and 
shall inform DIB CS Program participants of any revisions to previously 
specified transmission or procedures.
    (j) Except as authorized in this part or in writing by the 
Government, DIB CS Program participants may:
    (1) Use GFI only on U.S. based covered contractor information 
systems, or U.S. based networks or information systems used to provide 
operationally critical support; and
    (2) Share GFI only within their company or organization, on a need-
to-know basis, with distribution restricted to U.S. citizens.
    (k) In individual cases DIB CS Program participants may request, 
and the Government may authorize, disclosure and use of GFI under 
applicable terms and conditions when the DIB CS Program participant can 
demonstrate that appropriate information handling and protection 
mechanisms are in place and has determined that it requires the 
ability:
    (1) To share the GFI with a non-U.S. citizen; or
    (2) To use the GFI on a non-U.S. based covered contractor 
information system; or
    (3) To use the GFI on a non-U.S. based network or information 
system in order to better protect a contractor's ability to provide 
operationally critical support.
    (l) DIB CS Program participants shall maintain the capability to 
electronically disseminate GFI within the Company in an encrypted 
fashion (e.g., using Secure/Multipurpose internet Mail Extensions (S/
MIME), secure socket layer (SSL), Transport Layer Security (TLS) 
protocol version 1.2, DoD-approved medium assurance certificates).
    (m) DIB CS Program participants shall not share GFI outside of 
their company or organization, regardless of personnel clearance level, 
except as authorized in this part or otherwise authorized in writing by 
the Government.
    (n) If the DIB CS Program participant utilizes a SP for information 
system security services, the DIB CS Program participant may share GFI 
with that SP under the following conditions and as authorized in 
writing by the Government:
    (1) The DIB CS Program participant must identify the SP to the 
Government and request permission to share or disclose any GFI with 
that SP (which may include a request that the Government share 
information directly with the SP on behalf of the DIB CS Program 
participant) solely for the authorized purposes of this program.
    (2) The SP must provide the Government with sufficient information 
to enable the Government to determine whether the SP is eligible to 
receive such information, and possesses the capability to provide 
appropriate protections for the GFI.
    (3) Upon approval by the Government, the SP must enter into a 
legally binding agreement with the DIB CS Program participant (and also 
an appropriate agreement with the Government in any case in which the 
SP will receive or share information directly with the Government on 
behalf of the DIB CS Program participant) under which the SP is subject 
to all applicable requirements of this part and of any supplemental 
terms and conditions in the DIB CS Program participant's FA with the 
Government, and which authorizes the SP to use the GFI only as 
authorized by the Government.
    (o) The DIB CS Program participant may not sell, lease, license, or 
otherwise incorporate the GFI into its products or services, except 
that this does not prohibit a DIB CS Program participant from being 
appropriately designated an SP in accordance with paragraph (n) of this 
section.

0
8. Revise and republish Sec.  236.6 to read as follows:


Sec.  236.6   General provisions of DoD's DIB CS Program.

    (a) Confidentiality of information that is exchanged under the DIB 
CS Program will be protected to the maximum extent authorized by law, 
regulation, and policy. DoD and DIB CS Program participants each bear 
responsibility for their own actions under the voluntary DIB CS 
Program.
    (b) All DIB CS Program participants may participate in the 
Department of Homeland Security's Enhanced Cybersecurity Services (ECS) 
program (https://www.cisa.gov/resources-tools/programs/enhanced-cybersecurity-services-ecs).
    (c) Participation in the voluntary DIB CS Program does not obligate 
the DIB CS Program participant to utilize the GFI in, or otherwise to 
implement any changes to, its information systems. Any action taken by 
the DIB CS Program participant based on the GFI or other participation 
in this program is taken on the DIB CS Program participant's own 
volition and at its own risk and expense.
    (d) A DIB CS Program participant's participation in the voluntary 
DIB CS Program is not intended to create any unfair competitive 
advantage or disadvantage in DoD source selections or competitions, or 
to provide any other form of unfair preferential treatment, and shall 
not in any way be represented or interpreted as a Government 
endorsement or approval of the DIB CS Program participant, its 
information systems, or its products or services.
    (e) The DIB CS Program participant and the Government may each 
unilaterally limit or discontinue participation in the voluntary DIB CS 
Program at any time. Termination shall

[[Page 17749]]

not relieve the DIB CS Program participant or the Government from 
obligations to continue to protect against the unauthorized use or 
disclosure of GFI, attribution information, contractor proprietary 
information, third-party proprietary information, or any other 
information exchanged under this program, as required by law, 
regulation, contract, or the FA.
    (f) Upon termination of the FA, change of status as a defense 
contractor, and/or change of Facility Security Clearance (FCL) status 
below Secret, GFI must be returned to the Government or destroyed 
pursuant to direction of, and at the discretion of, the Government.
    (g) Participation in these activities does not abrogate the 
Government's, or the DIB CS Program participants' rights or obligations 
regarding the handling, safeguarding, sharing, or reporting of 
information, or regarding any physical, personnel, or other security 
requirements, as required by law, regulation, policy, or a valid legal 
contractual obligation. However, participation in the voluntary 
activities of the DIB CS Program does not eliminate the requirement for 
DIB CS Program participants to report cyber incidents in accordance 
with Sec.  236.4.

0
9. Revise Sec.  236.7 to read as follows:


Sec.  236.7   DoD's DIB CS Program requirements.

    (a) To participate in the DIB CS Program, a contractor must own or 
operate a covered contractor information system and shall execute the 
standardized FA with the Government (available during the application 
process), which implements the requirements set forth in Sec. Sec.  
236.5 and 236.6.
    (b) In order for DIB CS Program participants to receive classified 
cyber threat information electronically, the company must be a cleared 
defense contractor and must:
    (1) Have an existing active facility clearance level (FCL) to at 
least the Secret level in accordance with 32 CFR part 117;
    (2) Have or acquire a Communication Security (COMSEC) account in 
accordance with 32 CFR part 117, which provides procedures and 
requirements for COMSEC activities;
    (3) Have or acquire approved safeguarding for at least Secret 
information, and continue to qualify under 32 CFR part 117 for 
retention of its FCL and approved safeguarding; and
    (4) Obtain access to DoD's secure voice and data transmission 
systems supporting the voluntary DIB CS Program.

    Dated: March 1, 2024.
Patricia L. Toppings,
OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2024-04752 Filed 3-11-24; 8:45 am]
BILLING CODE 6001-FR-P