The Defense Department (DoD) today issued a proposed revision to the existing eligibility criteria for its voluntary Defense Industrial Base (DIB) Cybersecurity Program that, if enacted, would greatly expand the number of DIB companies that can participate. The program shares cybersecurity threat intelligence with, and provides other security assistance to, the private sector firms that do business with DoD.
“These revisions will allow a broader community of defense contractors to benefit from bilateral information sharing as when this proposed rule is finalized all defense contractors who are subject to mandatory cyber incident reporting will be able to participate,” DoD said in a Federal Register notice filed today.
The Pentagon is seeking public comment on the proposed revision by June 20. “DoD is also proposing changes to definitions and some technical corrections for readability,” the agency said.
The DIB Cybersecurity Program aims to improve the ability of companies to safeguard DoD information that resides on, or transits, DIB unclassified information systems. “The program encourages greater threat information sharing to complement mandatory aspects of DoD’s DIB cybersecurity activities which are contractually mandated” through Defense Federal Acquisition Regulation Supplement (DFARS) rules, according to DoD.
The program is part of a larger DoD effort to protect information handled by DIB companies “by understanding and sharing information, building security partnerships, implementing long-term risk management programs, and maximizing efficient use of resources,” DoD said in the Federal Register notice.
Speaking today at the AFCEA TechNet Cyber conference in Baltimore, Diedra Padgett, deputy director, Defense Industrial Base (DIB) Operations Directorate within the DoD CIO office, said the program now has more than 1,300 companies participating, and is continuing to grow.
The proposed revisions could attract thousands more participants.
In announcing the proposed revision to the program, Padgett said, “this is exciting, it’s out there for public review.”
“We do this to continue to move forward to reduce cyber risk and to bolster cybersecurity,” she said.
“This has been a long-fought battle for years in the making, and I’m glad to say that we’re getting there,” Padgett said.
DoD Mum on CMMC Status
Padgett said today she could not discuss any aspect of upcoming rules related to the agency’s Cybersecurity Maturity Model Certification (CMMC) requirements for DIB companies.
“DoD is unable to address any substantive aspects of the forthcoming CMMC 32 CFR rule or rule documents to include the potential policy and implementation related topics under the rulemaking process until it’s complete,” she said. “The Office of Management and Budget and the Information and Regulatory Affairs Office … is the authority on the timeline in the status of that rulemaking.”