81 FR 68312 - Department of Defense (DoD)'s Defense Industrial Base (DIB) Cybersecurity (CS) Activities


DEPARTMENT OF DEFENSE
Office of the Secretary

Federal Register Volume 81, Issue 192 (October 4, 2016)

Page Range: 68312-68317
FR Document: 2016-23968


[Federal Register Volume 81, Number 192 (Tuesday, October 4, 2016)]
[Rules and Regulations]
[Pages 68312-68317]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2016-23968]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 236

[DOD-2014-OS-0097/RIN 0790-AJ29]


Department of Defense (DoD)'s Defense Industrial Base (DIB) 
Cybersecurity (CS) Activities

AGENCY: Office of the DoD Chief Information Officer, DoD.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule responds to public comments and updates DoD's 
Defense Industrial Base (DIB) Cybersecurity (CS) Activities. This rule 
implements mandatory cyber incident reporting requirements for DoD 
contractors and subcontractors who have agreements with DoD. In 
addition, the rule modifies eligibility criteria to permit greater 
participation in the voluntary DIB CS information sharing program.

DATES: Effective Date: This rule is effective on November 3, 2016.

FOR FURTHER INFORMATION CONTACT: Vicki Michetti, DoD's DIB 
Cybersecurity Program Office: (703) 604-3167, toll free (855) 363-4227, 
or [email protected].

SUPPLEMENTARY INFORMATION:
    Purpose: This final rule responds to public comments to the interim 
final rule published on October 2, 2015. This rule implements statutory 
requirements for DoD contractors and subcontractors to report cyber 
incidents that result in an actual or potentially adverse effect on a 
covered contractor information system or covered defense information 
residing therein, or on a contractor's ability to provide operationally 
critical support. The mandatory reporting applies to all forms of 
agreements between DoD and DIB companies (contracts, grants, 
cooperative agreements, other transaction agreements, technology 
investment agreements, and any other type of legal instrument or 
agreement). The revisions provided are part of DoD's efforts to 
establish a single reporting mechanism for such cyber incidents on 
unclassified DoD contractor networks or information systems. Reporting 
under this rule does not abrogate the contractor's responsibility for 
any other applicable cyber incident reporting requirement. Cyber 
incident reporting involving classified information on classified 
contractor systems will be in accordance with the National Industrial 
Security Program Operating Manual (DoD-M 5220.22 (http://dtic.mil/whs/directives/corres/pdf/522022M.pdf)).
    The rule also addresses the voluntary DIB CS information sharing 
program that is outside the scope of the mandatory reporting 
requirements. By modifying the eligibility criteria for the DIB CS 
program, the rule enables greater participation in the voluntary 
program. Expanding participation in the DIB CS program is part of DoD's 
comprehensive approach to counter cyber threats through information 
sharing between the Government and DIB participants.
    Benefits: The DIB CS program allows eligible DIB participants to 
receive Government furnished information and cyber threat information 
from other DIB participants, thereby providing greater insights into 
adversarial activity targeting the DIB. The program builds trust 
between DoD and DIB and provides a collaborative environment for 
participating companies and DoD to share actionable unclassified cyber 
threat information that may be used to

[[Page 68313]]

bolster cybersecurity posture. The program also offers access to 
government classified cyber threat information to better understand the 
threat, as well as providing technical assistance from the DoD Cyber 
Crime Center (DC3) including analyst-to-analyst exchanges, mitigation 
and remediation strategies, and best practices. Through cyber incident 
reporting and voluntary cyber threat information sharing, both DoD and 
the DIB have a better understanding of adversary actions and the impact 
on DoD information and warfighting capabilities.
    Related Regulations: The definitions in the rule are consistent 
with Controlled Unclassified Information as used by the National 
Archives and Records Administration pursuant to Executive Order (E.O.) 
13556 ``Controlled Unclassified Information'' (November 4, 2010) and 32 
Code of Federal Regulations (CFR) 2002, ``Controlled Unclassified 
Information'' (September 14, 2016). The rule is also harmonized with 
Defense Federal Acquisition Regulation Supplement (DFARS) Case 2013-
D018, ``Network Penetration Reporting and Contracting for Cloud 
Services'' and FAR Case 2011-020, ``Basic Safeguarding of Contractor 
Information Systems.''
    Authorities: The mandatory cyber incident reporting requirements 
support implementation of sections 391, 393, and 2224 of Title 10, 
United States Code (U.S.C.); the Federal Information Security 
Modernization Act (FISMA), codified at 44 U.S.C. 3551 et seq.; and 50 
U.S.C. 3330(e), and the Intelligence Authorization Act for Fiscal Year 
2014. Cyber threat information sharing activities under this rule 
fulfill important elements of DoD's critical infrastructure protection 
responsibilities, as the sector specific agency for the DIB (see 
Presidential Policy Directive 21 (PPD-21), ``Critical Infrastructure 
Security and Resilience,'' available at https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil).
    Associated Costs: Under this rule, contractors will incur costs 
associated with identifying and analyzing cyber incidents and their 
impact on covered defense information, or a contractor's ability to 
provide operationally critical support, and reporting those incidents 
to DoD. Contractors must obtain DoD-approved medium assurance 
certificates to ensure authentication and identification when reporting 
cyber incidents to DoD. Medium assurance certificates are individually 
issued digital identity credentials used to ensure the identity of the 
user in online environments. Certificates typically cost about $175 
each. If a contractor submits five cyber incident reports and 
participates in the voluntary DIB CS program, the annual cost to the 
contractor is estimated at $1,045. If the contractor elects to receive 
classified information electronically, the cost to establish the 
capability is approximately $4,500. The Government incurs cost to 
collect and analyze cyber incident information and develop trends and 
other analysis products, analyze malicious software, analyze media, 
onboard new companies into the voluntary DIB CS information sharing 
program, and facilitate collaboration activities related to the cyber 
threat information sharing.
    Cybersecurity and Privacy: A foundational element of the mandatory 
reporting requirements, as well as the voluntary DIB CS program, is the 
recognition that the information being shared between the parties 
includes extremely sensitive information that requires protection. For 
additional information regarding the Government's safeguarding of 
information received from the contractors that require protection, see 
the Privacy Impact Assessment (PIA) for DoD's DIB Cybersecurity 
Activities located at http://dodcio.defense.gov/IntheNews/PrivacyImpactAssessments.aspx. The PIA provides detailed procedures for 
handling personally identifiable information (PII), attributional 
information about the strengths or vulnerabilities of specific covered 
contractor information systems, information providing a perceived or 
real competitive advantage on future procurement action, and contractor 
information marked as proprietary or commercial or financial 
information.

Public Comments

    DoD published an interim final rule on October 2, 2015 (80 FR 
59581). Twenty-eight comments were received and reviewed by DoD in the 
development of this final rule. A discussion of the comments received 
and changes made to the rule as a result of those comments follows:
    Comment: One respondent recommended that the rule be clarified to 
confirm that its requirements are prospective, to be implemented in new 
agreements or when modifying an existing agreement.
    Response: There should be no confusion regarding the prospective 
effect and effective date of the rule, nor is there basis to infer or 
interpret the rule as being intended to apply retroactively or 
otherwise to mandate the modification of pre-existing agreements; 
however, DoD agrees that the rule enables the option to modify such 
pre-existing agreements where deemed appropriate. No change is made to 
the rule.
    Comment: One respondent expressed concern about being unable to 
locate the text of Section 941 of the National Defense Authorization 
Act (NDAA) for Fiscal Year (FY) 2013 in the U.S. Code.
    Response: Section 941 of NDAA for FY13 has been codified at 10 
U.S.C. 393 and all citations to this law have been updated accordingly.
    Comment: One respondent recommended regularly conducting and 
releasing PIAs.
    Response: DoD updates PIAs in accordance with DoD regulations and 
policy. DoD revised the PIA and published it in October 2015 (see 
http://dodcio.defense.gov/IntheNews/PrivacyImpactAssessments.aspx). No 
change is made to the rule.
    Comment: Two respondents recommended publishing a report on the 
program's privacy implications and addressing personal information in 
internal contractor systems and that DoD address special procedures and 
protections for personal information.
    Response: DIB CS program activities are in compliance with DoD and 
national policies for collecting, handling, safeguarding, and sharing 
sensitive information in accordance with DoD Directive 5400.11, ``DoD 
Privacy Program'' and DoD 5400.11-R, ``Department of Defense 
Privacy Program,'' which prescribes uniform procedures for 
implementation of and compliance with the DoD Privacy Program. Also, as 
noted in the immediately preceding response, the PIA for this program 
is also publicly available at http://dodcio.defense.gov/IntheNews/PrivacyImpactAssessments.aspx. In addition, DoD submits a privacy and 
civil liberties assessment of the DIB CS voluntary program for the 
annual Privacy and Civil Liberties Assessment Report required by E.O. 
13636. No change is made to the rule.
    Comment: One respondent stated that contractors are faced with 
multiple and sometimes conflicting reporting requirements for reporting 
cyber incidents from across the Government and even within DoD, and 
asserted that these reporting requirements should be clearly set forth 
in agreements with the Government. The respondent did not specifically 
identify any other cyber incident reporting requirements that might 
conflict with this rule.

[[Page 68314]]

    Response: This rule consolidates and streamlines mandatory cyber 
incident reporting requirements and procedures originating from 
multiple separate statutory bases (e.g., 10 U.S.C. 391 and 393, and 50 
U.S.C. 3330(e))--however, reporting under these procedures in no way 
abrogates the contractor's responsibility to meet other cyber incident 
reporting requirements that may be applicable based on other contract 
requirements, or other U.S. Government statutory or regulatory 
requirements (see Sec.  236.4(p)). DoD is working to streamline 
reporting procedures within the Department, including by designating 
the DoD Cyber Crime Center (DC3) as the single DoD focal point for 
receiving cyber incident reporting affecting unclassified networks of 
DoD contractors. No change is made to the rule.
    Comment: One respondent recommended that Congress repeal the 
requirement to establish procedures for mandatory cyber incident 
reporting.
    Response: This rule implements mandatory statutory requirements for 
mandatory cyber incident reporting set forth in 10 U.S.C. 391 and 393 
(Sec.  236.4(b)-(d)). No change is made to the rule.
    Comment: Two respondents questioned the Department's use of 
specific terms and definitions in the rule. One respondent stated that 
``a violation of security policy of a system'' that is a subset of the 
definition of ``compromise'' is very broad and could result in over 
reporting and overwhelming DoD's resources. Another respondent 
recommended that the scope of the rule should be narrowed to only 
information that relates to a ``successful penetration.''
    Response: The rule leverages established definitions from the 
Committee on National Security Systems Instruction No. 4009, ``National 
Information Assurance (IA) Glossary,'' (https://www.ncsc.gov/nittf/docs/CNSSI-4009_National_Information_Assurance.pdf). The term 
``successful penetration'' is not in the CNSS glossary. However, the 
rule uses the established terms ``cyber incident'' and ``compromise'' 
from the CNSS glossary, which are widely accepted and understood 
Government definitions. Adhering to this definition will not overwhelm 
DoD resources. No change is made to the rule.
    Comment: One respondent stated that the four categories of covered 
defense information are unclear and will hamper timely reporting.
    Response: The definition of covered defense information has been 
clarified to more closely align with, and leverage, the Controlled 
Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html (Sec.  236.2).
    Comment: One respondent stated the scope of a cyber incident 
``affecting the contractor's ability to provide operationally critical 
support'' is so vague that it may result in over reporting.
    Response: DoD designates the supplies or services that qualify as 
operationally critical support, and is developing procedures to ensure 
that contractors are notified when they are providing supplies or 
services designated as operationally critical support. If the 
contractor is unclear as to what specific supplies or services being 
provided have been designated as operationally critical, the contractor 
should request clarification from the DoD point of contact (e.g., 
contracting officer or agreements officer) for the agreement(s) 
governing the activity in question. No change is made to the rule.
    Comment: One respondent stated that it is not clear why the rule 
now distinguishes information ``created by or for DoD'' from 
information ``not created by DoD.''
    Response: The distinction regarding whether information has been 
created by or for DoD originates from that distinction being an element 
of the underlying statutes that are implemented in this rule (e.g., 10 
U.S.C. 391 and 393). The distinction is made in a variety of contexts--
generally to reinforce the underlying reason for requiring the 
contractor to share information with DoD (e.g., as it relates to a 
potential compromise of information created by or for DoD in support of 
a DoD program), and to minimize the requirement to share or provide 
access to information that is not related to DoD programs or activities 
(e.g., except as necessary for forensics analysis regarding an incident 
in which DoD information may have been compromised). No change is made 
to the rule.
    Comment: One respondent requested clarification of the purpose of 
``Applicability and Order of Precedence,'' and of the meaning of the 
phrase ``applicable laws and regulations'' in Sec.  236.4 of this rule.
    Response: Section 236.4(a) mandates that the cyber incident 
reporting requirements of this rule be incorporated into all relevant 
types of agreements between DoD, but recognizes that in some cases an 
individual agreement may have terms or conditions that may be 
inconsistent with this rule, and allows the terms of the agreement to 
take precedence over the requirements of this rule only when the terms 
of the agreement ``are authorized to have been included in the 
agreement in accordance with applicable laws and regulations.'' The 
laws and regulations that are applicable to any individual agreement 
will depend on the nature and context of the agreement. For example, in 
the context of procurement contracts, the requirements of this rule are 
implemented through Defense Federal Acquisition Regulation Supplement 
(DFARS) Subpart 204.73, ``Safeguarding Covered Defense Information and 
Cyber Incident Reporting,'' and its associated clauses (e.g., DFARS 
252.204-7009, and -7012). However, the FAR and DFARS also permit 
deviations from otherwise prescribed contract requirements under 
certain conditions, but not including cases when the deviation would be 
``precluded by law, executive order, or regulation'' (see FAR 1.402). 
No change is made to the rule.
    Comment: One respondent recommended that the phrase ``all 
applicable agreements'' in Sec.  236.4(a) be clarified to identify the 
agreements that DoD intends to be covered by the rule.
    Response: Section 236.4(a) has been revised to clarify that the 
rule applies to ``all forms of agreements (e.g., contracts, grants, 
cooperative agreements, other transaction agreements, technology 
investment agreements, and any other type of legal instrument or 
agreement).'' For example, these requirements are implemented for DoD 
procurement contracts through DFARS Subpart 204.73 and its associated 
clauses (e.g., DFARS 252.204-7009, and -7012).
    Comment: One respondent raised an issue about the practicality of 
the 72-hour reporting requirement.
    Response: Timeliness in reporting cyber incidents is a key element 
in cybersecurity and provides the clearest understanding of the cyber 
threat targeting DoD information and the ability of companies to 
provide operationally critical support. The 72-hour reporting standard 
has been a part of the DIB CS program since it was first established as 
a pilot activity in 2008, and throughout its evolution into a permanent 
program and ultimate codification in the CFR in 2012. Based on this 
history, the 72-hour period has proven to be an effective balance of 
the need for timely reporting while recognizing the challenges inherent 
in the initial phases of investigating a cyber incident. Contractors 
should report available information within the 72-hour period and 
provide updates if more information becomes available. No change is 
made to the rule.

[[Page 68315]]

    Comment: One respondent questioned the reporting by subcontractors, 
asked how DoD intends to enforce flow down of the clause, and asked 
whether DoD considers Internet Service Providers (ISPs) to fall in the 
category of subcontractors.
    Response: Section 236.4(d) of the rule has been revised to clarify 
that contractors must flow down the reporting requirements to 
``subcontractors that are providing operationally critical support or 
for which subcontract performance will involve a covered contractor 
information system.'' Whether these requirements would be required to 
flow down to an ISP would depend on whether the particular service(s) 
being provided would meet the flowdown criteria, and the implementation 
of these requirements for any specific type of agreement (e.g., for 
procurement contracts governed by the DFARS) may provide additional 
guidance regarding flowdown. The contractor should consult with the DoD 
point of contact for the relevant agreement (e.g., contracting officer 
or agreements officer) when it is uncertain if the requirements should 
flow down. Section 236.4(d) has been revised.
    Comment: One respondent recommended that the rule establish what 
information a contractor must share with the Government under mandatory 
reporting.
    Response: Contractors are required to report in accordance with 
Sec.  236.4(b). A list of the reporting fields can be found at http://dibnet.dod.mil. These reporting fields include the statutory 
requirements set forth in 10 U.S.C. 391 and 393, including but not 
limited to an assessment of the impact of the cyber incident, a 
description of the technique or method used, and a summary of the 
information compromised. No change is made to the rule.
    Comment: One respondent commented that the rule does not provide 
any mechanism for a contractor to raise concerns about, object to, or 
limit the data being provided due to its sensitivity.
    Response: This rule implements mandatory information sharing 
requirements of 10 U.S.C. 391 and 393 by requiring DoD contractors to 
report key information regarding cyber incidents, and to provide access 
to equipment or information enabling DoD to conduct forensic analysis 
to determine if or how DoD information was impacted in a cyber 
incident. The rule's implementation of these requirements is tailored 
to minimize the sharing of unnecessary information (whether sensitive 
or not), including by carefully tailoring the information required in 
the initial incident reports (Sec.  236.4(c)), by expressly limiting 
the scope of the requirement to provide DoD with access to additional 
information to only such information that is ``necessary to conduct a 
forensic analysis,'' and by affirmatively requiring the Government to 
safeguard any contractor attributional/proprietary information that has 
been shared (or derived from information that has been shared) against 
any unauthorized access or use. In the event that the contractor 
believes that there is information that meets the criteria for 
mandatory reporting, but the contractor desires not to share that 
information due to its sensitivity, then the contractor should 
immediately raise that issue to the DoD point of contact (e.g., 
contracting officer or agreements officer) for the agreement(s) 
governing the activity in question, and if necessary, follow the 
dispute resolution procedures that are applicable to the agreement(s). 
No change is made to the rule.
    Comment: One respondent asked how DoD will safeguard any contractor 
data provided as part of media once in DoD's possession, and what are 
the recourses for contractors in the event of a breach of those 
safeguards.
    Response: DoD uses a wide variety of mechanisms to safeguard all 
forms of sensitive information, including information received from 
contractors, to ensure that information is accessed, used, and shared 
only with authorized persons for authorized purposes. For example, the 
DIB CS PIA addresses how PII and other sensitive information will be 
protected. No change is made to the rule.
    Comment: One respondent stated that the rule lacks sufficient 
protections for contractor sensitive information that is provided to 
government support contractors, and the rule should provide such 
protections consistent with 10 U.S.C. 2320(f)(2) and DFARS 252.227-
7025, ``Limitations on the Use or Disclosure of Government-Furnished 
Information Marked with Restrictive Legends.''
    Response: Responsibilities of government support contractors to 
protect sensitive information received from other contractors under 
this rule are addressed in Sec.  236.4(m)(5) and are largely consistent 
with, although not identical to, the statutory provision and DFARS 
Clause cited by the commenter. In addition, the support contractor 
providing support for DoD's activities under this rule may also qualify 
as a ``covered Government support contractor'' under the cited DFARS 
clause, and thereby would already be subject to the cited DFARS clause. 
No change is made to the rule.
    Comment: One respondent stated that the information shared with the 
Government should only be used for cybersecurity purposes.
    Response: 10 U.S.C. 391 and 393 provide specific authorization for 
sharing information received in cyber incident reports for a range of 
important activities that include, but are not limited to, 
cybersecurity activities (see Sec.  236.4(m)(1)-(5)). Limiting the 
sharing of information to cybersecurity purposes only would be 
inconsistent with the statutory framework and would unnecessarily limit 
the use of information for critical activities such as law enforcement, 
counterintelligence, and national security. No change is made to the 
rule.
    Comment: One respondent stated the rule provides no limitations on 
DoD's ability to share information with third-party contractors. It 
also imposes a confidentiality obligation upon receiving contractors 
but does not address measures needed to mitigate any potential 
conflicts of interest stemming from third-party access.
    Response: Section 236.4(m)(5) authorizes sharing with government 
support contractors that are ``directly supporting'' Government 
activities under this rule, and applies a comprehensive set of use and 
non-disclosure restrictions and responsibilities for those government 
support contractors to safeguard the information they receive, 
including prohibiting the support contractor from using the information 
for any other purpose, making the reporting contractor a third-party 
beneficiary of the non-disclosure agreement with direct remedies for 
any breach of the restrictions by the support contractor. No change is 
made to the rule.
    Comment: One respondent recommended that the proposed rule 
establish requirements for companies to remove PII before sharing with 
the Government and for the Government to remove it upon receipt.
    Response: The DIB CS program has implemented procedures to minimize 
the collection and sharing of PII. Companies are always asked to remove 
unnecessary PII, and only share information if it is relevant to a 
cyber incident (e.g., for forensics or cyber intrusion damage 
assessment). The PIA for DoD's DIB CS Activities provides procedures on 
how the Government handles PII, as well as other forms of sensitive 
contractor information (e.g., contractor attributional/proprietary). 
The PIA was updated and published in October 2015 (http://dodcio.defense.gov/IntheNews/PrivacyImpactAssessments.aspx). No change 
is made to the rule.

[[Page 68316]]

    Comment: One respondent stated that the rule places the burden on 
the contractor to mark information as ``contractor attributional/
proprietary,'' but that if information is not marked and is 
subsequently submitted in response to a request for images at the time 
of the cyber incident, the Government must still ensure that, in the 
absence of marking, it is obligated to protect the information as 
contractor attributional/proprietary.
    Response: The rule requires that, to the maximum extent 
practicable, the contractor shall identify and mark attributional/
proprietary information, but it does not condition the Government's 
safeguarding of such information on that identification or marking. The 
Government has established procedures for receiving, evaluating, 
anonymizing, safeguarding and sharing of such reported information in 
connection with cyber incidents involving contractor information and 
information systems. The DIB CS PIA provides more details regarding 
processes for handling PII and other sensitive information. No change 
is made to the rule.
    Comment: One respondent stated that the rule should include 
provisions for liability protection.
    Response: Liability protections established by 10 U.S.C. 391 and 
393 became effective after the publication of the interim rule. The 
regulatory implementation of these new statutory elements will be 
addressed through future rulemaking activities to ensure the 
opportunity for public comment.
    Comment: One respondent recommended expanding the number of 
commercial service providers under the Enhanced Cybersecurity Service 
(ECS) program, as part of the DIB CS program.
    Response: The ECS program is managed by the Department of Homeland 
Security (DHS). Recommendations regarding ECS should be forwarded to 
DHS at [email protected]. No change is made to the rule.
    Comment: One respondent cautioned against expanding the types of 
companies eligible for the DIB CS program until addressing all relevant 
operational, privacy, and security concerns. This expansion could 
encompass companies who provide services and products to the general 
public and current defense contractors who are not currently eligible 
to participate in the program.
    Response: DoD has established eligibility requirements (Sec.  
236.7) for participation in the DIB CS program and thus any future 
expansion or revision of this eligibility criteria will be accomplished 
in accordance with federal rulemaking requirements to allow for public 
review and comment. No change is made to the rule.
    Comment: One respondent expressed concern about the burden of cost 
due to increased participation in the DIB CS program.
    Response: The burden of cost for companies participating in the DIB 
CS program has been reduced. Under the revised rule, DoD removed the 
requirement for DIB CS participants to obtain access to DoD's secure 
voice and transmission systems supporting the program. All companies 
participating in the DIB CS program are still required to have a DoD-
approved medium assurance certificate to enable encrypted unclassified 
information sharing between the Government and DIB CS participants. The 
cost of a DoD-approved medium assurance certificate has not changed and 
is approximately $175. No change is made to the rule.

Regulatory Procedures

Executive Orders 12866, ``Regulatory Planning and Review'' and 13563, 
``Improving Regulation and Regulatory Review''

    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This rule has been designated a ``significant regulatory 
action,'' although not economically significant, under section 3(f) of 
Executive Order 12866. Accordingly, the rule has been reviewed by the 
Office of Management and Budget (OMB).

Public Law 104-121, ``Congressional Review Act'' (5 U.S.C. 801)

    It has been determined that this rule is not a ``major'' rule under 
5 U.S.C. 801, enacted by Public Law 104-121, because it will not result 
in an annual effect on the economy of $100 million or more; a major 
increase in costs or prices for consumers, individual industries, 
Federal, State, or local Government agencies, or geographic regions; or 
significant adverse effects on competition, employment, investment, 
productivity, innovation, or on the ability of United States-based 
enterprises to compete with foreign-based enterprises in domestic and 
export markets.

2 U.S.C. Ch. 25, ``Unfunded Mandates Reform Act''

    It has been determined that this rule does not contain a Federal 
mandate that may result in expenditure by State, local and tribal 
Governments, in aggregate, or by the private sector, of $100 million or 
more in any one year.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. Ch. 6)

    It has been certified that this rule is not subject to the 
Regulatory Flexibility Act (5 U.S.C. Ch. 6) because it would not, if 
promulgated, have a significant economic impact on a substantial number 
of small entities. Therefore, the Regulatory Flexibility Act, as 
amended, does not require us to prepare a regulatory flexibility 
analysis.

Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)

    This rule does contain reporting requirements under the Paperwork 
Reduction Act (PRA) of 1995. The collection requirements were published 
in the preamble of the interim final rule that was published on October 
2, 2015 (80 FR 59581) for public comment. No comments were received for 
these collections. The Office of Management and Budget (OMB) Control 
Numbers are: 0704-0489, ``DoD's Defense Industrial Base (DIB) 
Cybersecurity (CS) Activities Cyber Incident Reporting,'' and 0704-
0490, ``DoD's Defense Industrial Base (DIB) Cybersecurity (CS) Program 
Points of Contact (POC) Information.''

Executive Order 13132, ``Federalism''

    It has been determined that this rule does not have federalism 
implications, as set forth in Executive Order 13132. This rule does not 
have substantial direct effects on:
    (a) The States;
    (b) The relationship between the National Government and the 
States; or
    (c) The distribution of power and responsibilities among the 
various levels of Government.

List of Subjects in 32 CFR Part 236

    Government contracts, Security measures.

    Accordingly, the interim final rule published at 80 FR 59581 on 
October 2, 2015, is adopted as a final rule with the following changes:

[[Page 68317]]

PART 236--DEPARTMENT OF DEFENSE (DoD)'s DEFENSE INDUSTRIAL BASE 
(DIB) CYBERSECURITY (CS) ACTIVITIES

1. The authority citation is revised to read as follows:

    Authority: 10 U.S.C. 391, 393, and 2224; 44 U.S.C. 3506 and 
3544; 50 U.S.C. 3330.


2. Amend Sec.  236.1 by revising the last two sentences in the section 
to read as follows:


Sec.  236.1  Purpose.

    * * * The part also permits eligible DIB participants to 
participate in the voluntary DIB CS program to share cyber threat 
information and cybersecurity best practices with DIB CS participants. 
The DIB CS program enhances and supplements DIB participants' 
capabilities to safeguard DoD information that resides on, or transits, 
DIB unclassified information systems.

3. Amend Sec.  236.2 by:
a. Revising the definition of ``Covered contractor information 
system''.
b. Revising the definition of ``Covered defense information''.
c. Revising the definition of ``Cyber incident''.
d. Revising the definition of ``DIB participant''.
e. Removing ``DoD-DIB CS information sharing program'' and adding in 
its place ``DIB CS program'' in the definition of ``Government 
furnished information''.
f. Removing ``Contractor'' and adding in its place ``contractor'' in 
the definition of ``Media''.
    The revisions read as follows:


Sec.  236.2   Definitions.

* * * * *
    Covered contractor information system means an unclassified 
information system that is owned or operated by or for a contractor and 
that processes, stores, or transmits covered defense information.
    Covered defense information means unclassified controlled technical 
information or other information (as described in the Controlled 
Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or 
dissemination controls pursuant to and consistent with law, 
regulations, and Government wide policies, and is:
    (1) Marked or otherwise identified in an agreement and provided to 
the contractor by or on behalf of the DoD in support of the performance 
of the agreement; or
    (2) Collected, developed, received, transmitted, used, or stored by 
or on behalf of the contractor in support of the performance of the 
agreement.
* * * * *
    DIB participant means a contractor that has met all of the 
eligibility requirements to participate in the voluntary DIB CS program 
as set forth in this part (see Sec.  236.7).
* * * * *


Sec.  236.3   [Amended]

4. Amend Sec.  236.3 by:
a. In paragraph (b)(1), removing ``DoD-DIB CS information sharing 
program'' and adding in its place ``DIB CS program.''
b. In paragraph (c), removing ``DoD-DIB CS information sharing 
program'' and adding in its place ``DIB CS program.''


Sec.  236.4  [Amended]

5. Amend Sec.  236.4 by:
a. In paragraph (a), removing ``applicable agreements'' and adding in 
its place ``forms of agreements (e.g., contracts, grants, cooperative 
agreements, other transaction agreements, technology investment 
agreements, and any other type of legal instrument or agreement).''
b. In paragraph (d), removing ``, as appropriate'' and adding in its 
place ``that are providing operationally critical support or for which 
subcontract performance will involve a covered contractor information 
system.''
c. In paragraph (e), removing 
``http://iase.disa.mil/pki/eca/certificate.html'' and adding in its 
place ``http://iase.disa.mil/pki/eca/Pages/index.aspx.''
d. In paragraph (m)(4), adding ``non-attributional cyber threat 
information'' after ``sharing.''
e. Redesignating paragraphs (n) through (p) as paragraphs (o) through 
(q).
f. Redesignating paragraph (m)(6) as paragraph (n).

6. Amend Sec.  236.5 by:
a. Revising the section heading.
b. In paragraph (a), removing ``DoD-DIB CS information sharing 
program'' and adding in its place ``DIB CS program.''
c. In paragraph (b), removing ``DoD-DIB CS information sharing 
program'' and adding in its place ``DIB CS program.''
d. Revising paragraph (d).
e. In paragraph (g), removing ``DoD-DIB CS information sharing 
program'' and adding in its place ``DIB CS program.''
    The revisions read as follows:


Sec.  236.5   DoD's DIB CS program.

* * * * *
    (d) DoD's DIB CS Program Office is the overall point of contact for 
the program. The DC3-managed DoD DIB Collaborative Information Sharing 
Environment (DCISE) is the operational focal point for cyber threat 
information sharing and incident reporting under the DIB CS program.
* * * * *

7. Amend Sec.  236.6 by:
a. Revising the section heading.
b. In paragraph (a):
i. Removing ``DoD-DIB CS information sharing program'' and adding in 
its place ``DIB CS program'' in the first sentence.
ii. Removing ``DoD-DIB CS information sharing program'' and adding in 
its place ``DIB CS program'' in the second sentence.
c. In paragraph (c), removing ``DoD-DIB CS information sharing 
program'' and adding in its place ``DIB CS program.''
d. In paragraph (d), removing ``DoD-DIB CS information sharing 
program'' and adding in its place ``DIB CS program.''
e. In paragraph (e), removing ``DoD-DIB CS information sharing 
program'' and adding in its place ``DIB CS program.''
f. In paragraph (g), removing ``DoD-DIB CS information sharing 
program'' and adding in its place ``DIB CS program.''
    The revisions read as follows:


Sec.  236.6   General provisions of DoD's DIB CS program.

* * * * *

8. Amend Sec.  236.7 by:
a. Revising the section heading.
b. In paragraph (a) introductory text, removing ``DoD-DIB CS 
information sharing program'' and adding in its place ``DIB CS 
program.''
c. In paragraph (a)(1), adding ``to at least the Secret level'' after 
``FCL.''
d. In paragraph (a)(2), removing ``DoD-DIB CS information sharing 
program'' and adding in its place ``DIB CS program.''
e. In paragraph (a)(3)(iii), removing ``DoD-DIB CS information sharing 
program'' and adding in its place ``DIB CS program.''
    The revisions read as follows:


Sec.  236.7   DoD's DIB CS program requirements.

* * * * *

    Dated: September 29, 2016.
Patricia L. Toppings,
OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2016-23968 Filed 10-3-16; 8:45 am]
BILLING CODE 5001-06-P



                                                  agency for the DIB (see Presidential                                                                          available at http://dodcio.defense.gov/
                                                  Policy Directive 21 (PPD–21), ‘‘Critical                Public Comments                                       IntheNews/
                                                  Infrastructure Security and Resilience,’’                  DoD published an interim final rule                PrivacyImpactAssessments.aspx. In
                                                  available at https://                                   on October 2, 2015 (80 FR 59581).                     addition, DoD submits a privacy and
                                                  www.whitehouse.gov/the-press-office/                    Twenty-eight comments were received                   civil liberties assessment of the DIB CS
                                                  2013/02/12/presidential-policy-                         and reviewed by DoD in the                            voluntary program for the annual
                                                  directive-critical-infrastructure-security-             development of this final rule. A                     Privacy and Civil Liberties Assessment
                                                  and-resil).                                             discussion of the comments received                   Report required by E.O. 13636. No
                                                     Associated Costs: Under this rule,                   and changes made to the rule as a result              change is made to the rule.
                                                  contractors will incur costs associated                 of those comments follows:                              Comment: One respondent stated that
                                                  with identifying and analyzing cyber                       Comment: One respondent                            contractors are faced with multiple and
                                                  incidents and their impact on covered                   recommended that the rule be clarified                sometimes conflicting reporting
                                                  defense information, or a contractor’s                  to confirm the requirements in the rule               requirements for reporting cyber
asabaliauskas on DSK3SPTVN1PROD with RULES




                                                  ability to provide operationally critical               are prospective to be implemented in                  incidents from across the Government
                                                  support, and reporting those incidents                  new agreements or in modifying an                     and even within DoD, and asserts that
                                                  to DoD. Contractors must obtain DoD-                    existing agreement.                                   these reporting requirements should be
                                                  approved medium assurance certificates                     Response: There should be no                       clearly set forth in agreements with the
                                                  to ensure authentication and                            confusion regarding the prospective                   Government. The respondent did not
                                                  identification when reporting cyber                     effect and effective date of the rule, nor            specifically identify any other cyber
                                                  incidents to DoD. Medium assurance                      is there basis to infer or interpret the              incident reporting requirements that
                                                  certificates are individually issued                    rule as being intended to apply                       might conflict with this rule.




68314 Federal Register / Vol. 81, No. 192 / Tuesday, October 4, 2016 / Rules and Regulations

Response: This rule consolidates and streamlines mandatory cyber incident reporting requirements and procedures originating from multiple separate statutory bases (e.g., 10 U.S.C. 391 and 393, and 50 U.S.C. 3330(e))—however, reporting under these procedures in no way abrogates the contractor's responsibility to meet other cyber incident reporting requirements that may be applicable based on other contract requirements, or other U.S. Government statutory or regulatory requirements (see § 236.4(p)). DoD is working to streamline reporting procedures within the Department, including by designating the DoD Cyber Crime Center (DC3) as the single DoD focal point for receiving cyber incident reporting affecting unclassified networks of DoD contractors. No change is made to the rule.

Comment: One respondent recommended that Congress repeal the requirement to establish procedures for mandatory cyber incident reporting.

Response: This rule implements mandatory statutory requirements for mandatory cyber incident reporting set forth in 10 U.S.C. 391 and 393 (§ 236.4(b)–(d)). No change is made to the rule.

Comment: Two respondents questioned the Department's use of specific terms and definitions in the rule. One respondent stated that "a violation of security policy of a system" that is a subset of the definition of "compromise" is very broad and could result in over reporting and overwhelming DoD's resources. Another respondent recommended that the scope of the rule should be narrowed to only information that relates to a "successful penetration."

Response: The rule leverages established definitions from the Committee on National Security Systems Instruction No. 4009, "National Information (IA) Assurance Glossary," (https://www.ncsc.gov/nittf/docs/CNSSI-4009_National_Information_Assurance.pdf). The term "successful penetration" is not in the CNSS glossary. However, the rule uses the established terms "cyber incident" and "compromise" from the CNSS glossary, which are widely accepted and understood Government definitions. Adhering to this definition will not overwhelm DoD resources. No change is made to the rule.

Comment: One respondent stated that the four categories of covered defense information are unclear and will hamper timely reporting.

Response: The definition of covered defense information has been clarified to more closely align with, and leverage, the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html (§ 236.2).

Comment: One respondent stated the scope of a cyber incident "affecting the contractor's ability to provide operationally critical support" is so vague that it may result in over reporting.

Response: DoD designates the supplies or services that qualify as operationally critical support, and is developing procedures to ensure that contractors are notified when they are providing supplies or services designated as operationally critical support. If the contractor is unclear as to what specific supplies or services being provided have been designated as operationally critical, the contractor should request clarification from the DoD point of contact (e.g., contracting officer or agreements officer) for the agreement(s) governing the activity in question. No change is made to the rule.

Comment: One respondent stated that it is not clear why the rule now distinguishes information "created by or for DoD" from information "not created by DoD."

Response: The distinction regarding whether information has been created by or for DoD originates from that distinction being an element of the underlying statutes that are implemented in this rule (e.g., 10 U.S.C. 391 and 393). The distinction is made in a variety of contexts—generally to reinforce the underlying reason for requiring the contractor to share information with DoD (e.g., as it relates to a potential compromise of information created by or for DoD in support of a DoD program), and to minimize the requirement to share or provide access to information that is not related to DoD programs or activities (e.g., except as necessary for forensics analysis regarding an incident in which DoD information may have been compromised). No change is made to the rule.

Comment: One respondent requested clarification of the purpose of, "Applicability and Order of Precedence," and the meaning of the phrase "applicable laws and regulations" in § 236.4 of this rule.

Response: Section 236.4(a) mandates that the cyber incident reporting requirements of this rule be incorporated into all relevant types of agreements between DoD, but recognizes that in some cases an individual agreement may have terms or conditions that may be inconsistent with this rule, and allows the terms of the agreement to take precedence over the requirements of this rule only when the terms of the agreement "are authorized to have been included in the agreement in accordance with applicable laws and regulations." The laws and regulations that are applicable to any individual agreement will depend on the nature and context of the agreement. For example, in the context of procurement contracts, the requirements of this rule are implemented through Defense Federal Acquisition Regulation Supplement (DFARS) Subpart 204.73, "Safeguarding Covered Defense Information and Cyber Incident Reporting," and its associated clauses (e.g., DFARS 252.204–7009, and –7012). However, the FAR and DFARS also permit deviations from otherwise prescribed contract requirements under certain conditions, but not including cases when the deviation would be "precluded by law, executive order, or regulation" (see FAR 1.402). No change is made to the rule.

Comment: One respondent recommended that the phrase "all applicable agreements" in § 236.4(a) be clarified to identify the agreements that DoD intends to be covered by the rule.

Response: Section 236.4(a) has been revised to clarify that the rule applies to "all forms of agreements (e.g., contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement)." For example, these requirements are implemented for DoD procurement contracts through DFARS Subpart 204.73 and its associated clauses (e.g., DFARS 252.204–7009, and –7012).

Comment: One respondent raised issue about the practicality of the 72 hour reporting requirement.

Response: Timeliness in reporting cyber incidents is a key element in cybersecurity and provides the clearest understanding of the cyber threat targeting DoD information and the ability of companies to provide operationally critical support. The 72 hour reporting standard has been a part of the DIB CS program since it was first established as a pilot activity in 2008, and throughout its evolution into a permanent program and ultimate codification in the CFR in 2012. Based on this history, the 72 hour period has proven to be an effective balance of the need for timely reporting while recognizing the challenges inherent in the initial phases of investigating a cyber incident. Contractors should report available information within the 72 hour period and provide updates if more information becomes available. No change is made to the rule.




Federal Register / Vol. 81, No. 192 / Tuesday, October 4, 2016 / Rules and Regulations 68315

Comment: One respondent questioned the reporting by subcontractors and how DoD intends to enforce flow down of the clause and does DoD consider Internet Service Providers (ISPs) to fall in the category of subcontractors.

Response: Section 236.4(d) of the rule has been revised to clarify that contractors must flow down the reporting requirements to "subcontractors that are providing operationally critical support or for which subcontract performance will involve a covered contractor information system." Whether these requirements would be required to flow down to an ISP would depend on whether the particular service(s) being provided would meet the flowdown criteria, and the implementation of these requirements for any specific type of agreement (e.g., for procurement contracts governed by the DFARS) may provide additional guidance regarding flowdown. The contractor should consult with the DoD point of contact for the relevant agreement (e.g., contracting officer or agreements officer) when it is uncertain if the requirements should flow down. Section 236.4(d) has been revised.

Comment: One respondent recommended that the rule establish what information a contractor must share with the Government under mandatory reporting.

Response: Contractors are required to report in accordance with § 236.4(b). A list of the reporting fields can be found at http://dibnet.dod.mil. These reporting fields include the statutory requirements set forth in 10 U.S.C. 391 and 393, including but not limited to an assessment of the impact of the cyber incident, description of the technique or method used, summary of information compromised. No change is made to the rule.

Comment: One respondent commented that the rule does not provide any mechanism for a contractor to raise concerns about, object to, or limit the data being provided due to its sensitivity.

Response: This rule implements mandatory information sharing requirements of 10 U.S.C. 391 and 393 by requiring DoD contractors to report key information regarding cyber incidents, and to provide access to equipment or information enabling DoD to conduct forensic analysis to determine if or how DoD information

required in the initial incident reports (§ 236.4(c)), by expressly limiting the scope of the requirement to provide DoD with access to additional information to only such information that is "necessary to conduct a forensic analysis," and by affirmatively requiring the Government to safeguard any contractor attributional/proprietary information that has been shared (or derived from information that has been shared) against any unauthorized access or use. In the event that the contractor believes that there is information that meets the criteria for mandatory reporting, but the contractor desires not to share that information due to its sensitivity, then the contractor should immediately raise that issue to the DoD point of contact (e.g., contracting officer or agreements officer) for the agreement(s) governing the activity in question, and if necessary, follow the dispute resolution procedures that are applicable to the agreement(s). No change is made to the rule.

Comment: One respondent asked how DoD will safeguard any contractor data provided as part of media once in DoD's possession, and what are the recourses for contractors in the event of a breach of those safeguards.

Response: DoD uses a wide variety of mechanisms to safeguard all forms of sensitive information, including information received from contractors, to ensure that information is accessed, used, and shared only with authorized persons for authorized purposes. For example, the DIB CS PIA addresses how PII and other sensitive information will be protected. No change is made to the rule.

Comment: One respondent stated that the rule lacks sufficient protections for contractor sensitive information that is provided to government support contractors, and the rule should provide such protections consistent with 10 U.S.C. 2320(f)(2) and DFARS 252.227–7025, "Limitations on the Use or Disclosure of Government-Furnished Information Marked with Restrictive Legends."

Response: Responsibilities of government support contractors to protect sensitive information received from other contractors under this rule are addressed in § 236.4(m)(5) and are largely consistent with, although not identical to, the statutory provision and DFARS Clause cited by the commenter.

subject to the cited DFARS clause. No change is made to the rule.

Comment: One respondent stated the information shared with the Government should only be used for cybersecurity purposes.

Response: 10 U.S.C. 391 and 393 provide specific authorization for sharing information received in cyber incident reports for a range of important activities that include, but are not limited to, cybersecurity activities (see § 236.4(m)(1)–(5)). Limiting the sharing of information to cybersecurity purposes only would be inconsistent with the statutory framework and would unnecessarily limit the use of information for critical activities such as law enforcement, counterintelligence, and national security. No change is made to the rule.

Comment: One respondent stated the rule provides no limitations on DoD's ability to share information with third-party contractors. It also imposes a confidentiality obligation upon receiving contractors but does not address measures needed to mitigate any potential conflicts of interest stemming from third-party access.

Response: Section 236.4(m)(5) authorizes sharing with government support contractors that are "directly supporting" Government activities under this rule, and applies a comprehensive set of use and non-disclosure restrictions and responsibilities for those government support contractors to safeguard the information they receive, including prohibiting the support contractor from using the information for any other purpose, making the reporting contractor a third-party beneficiary of the non-disclosure agreement with direct remedies for any breach of the restrictions by the support contractor. No change is made to the rule.

Comment: One respondent recommended the proposed rule should establish requirements for companies to remove PII before sharing with the Government and for the Government to remove upon receipt.

Response: The DIB CS program has implemented procedures to minimize the collection and sharing of PII. Companies are always asked to remove unnecessary PII, and only share information if it is relevant to a cyber incident (e.g., for forensics or cyber intrusion damage assessment). The PIA for DoD's DIB CS Activities provides
                                                  was impacted in a cyber incident. The                   In addition, the support contractor                   procedures on how the Government
                                                  rule’s implementation of these                          providing support for DoD’s activities                handles PII, as well as other forms of
                                                  requirements is tailored to minimize the                under this rule may also qualify as a                 sensitive contractor information (e.g.,
                                                  sharing of unnecessary information                      ‘‘covered Government support                          contractor attributional/proprietary).
                                                  (whether sensitive or not), including by                contractor’’ under the cited DFARS                    The PIA was updated and published in
                                                  carefully tailoring the information                     clause, and thereby would already be                  October 2015 (http://


                                             VerDate Sep<11>2014   17:56 Oct 03, 2016   Jkt 241001   PO 00000   Frm 00023   Fmt 4700   Sfmt 4700   E:\FR\FM\04OCR1.SGM   04OCR1


                                                  68316             Federal Register / Vol. 81, No. 192 / Tuesday, October 4, 2016 / Rules and Regulations

                                                  dodcio.defense.gov/IntheNews/                           this eligibility criteria will be                     enterprises to compete with foreign-
                                                  PrivacyImpactAssessments.aspx). No                      accomplished in accordance with                       based enterprises in domestic and
                                                  change is made to the rule.                             federal rulemaking requirements to                    export markets.
                                                     Comment: One respondent stated the                   allow for public review and comment.
                                                  rule places burden on the contractor to                 No change is made to the rule.                        2 U.S.C. Ch. 25, ‘‘Unfunded Mandates
                                                  mark information as, ‘‘contractor                          Comment: One respondent expressed                  Reform Act’’
                                                  attributional/proprietary,’’ but if it is not           concern about the burden of cost due to                 It has been determined that this rule
                                                  marked and subsequently submitted in                    increased participation in the DIB CS
                                                  response to request for images at the                                                                         does not contain a Federal mandate that
                                                                                                          program.
                                                  time of the cyber incident, Government                                                                        may result in expenditure by State, local
                                                                                                             Response: The burden of cost for
                                                  must ensure, in absence of marking,                                                                           and tribal Governments, in aggregate, or
                                                                                                          companies participating in the DIB CS
                                                  obligation to protect information as                    program has been reduced. Under the                   by the private sector, of $100 million or
                                                  contractor/attributional/proprietary.                   revised rule, DoD removed the                         more in any one year.
                                                     Response: The rule requires that, to                 requirement for DIB CS participants to                Public Law 96–354, ‘‘Regulatory
                                                  the maximum extent practicable, the                     obtain access to DoD’s secure voice and               Flexibility Act’’ (5 U.S.C. Ch. 6)
                                                  contractor shall identify and mark                      transmission systems supporting the
                                                  attributional/proprietary information,                  program. All companies participating in                 It has been certified that this rule is
                                                  but it does not condition the                           the DIB CS program are still required to              not subject to the Regulatory Flexibility
                                                  Government’s safeguarding of such                       have a DoD-approved medium                            Act (5 U.S.C. Ch. 6) because it would
                                                  information on that identification or                   assurance certificate to enable encrypted             not, if promulgated, have a significant
                                                  marking. The Government has                             unclassified information sharing                      economic impact on a substantial
                                                  established procedures for receiving,                   between the Government and DIB CS                     number of small entities. Therefore, the
                                                  evaluating, anonymizing, safeguarding                   participants. The cost of a DoD-                      Regulatory Flexibility Act, as amended,
                                                  and sharing of such reported                            approved medium assurance certificate                 does not require us to prepare a
                                                  information in connection with cyber                    has not changed and is approximately                  regulatory flexibility analysis.
                                                  incidents involving contractor                          $175. No change is made to the rule.
                                                  information and information systems.                                                                          Public Law 96–511, ‘‘Paperwork
                                                  The DIB CS PIA provides more details                    Regulatory Procedures                                 Reduction Act’’ (44 U.S.C. Chapter 35)
                                                  regarding processes for handling PII and                Executive Orders 12866, ‘‘Regulatory
                                                  other sensitive information. No change                                                                          This rule does contain reporting
                                                                                                          Planning and Review’’ and 13563,
                                                  is made to the rule.                                                                                          requirements under the Paperwork
                                                                                                          ‘‘Improving Regulation and Regulatory
                                                     Comment: One respondent stated that                                                                        Reduction Act (PRA) of 1995. The
                                                                                                          Review’’
                                                  the rule should include provisions for                                                                        collection requirements were published
                                                  liability protection.                                      Executive Orders 12866 and 13563                   in the preamble of the interim final rule
                                                     Response: Liability protections                      direct agencies to assess all costs and               that was published on October 2, 2015
                                                  established by 10 U.S.C. 391 and 393                    benefits of available regulatory                      (80 FR 59581) for public comment. No
                                                  became effective after the publication of               alternatives and, if regulation is                    comments were received for these
                                                  the interim rule. The regulatory                        necessary, to select regulatory                       collections. The Office of Management
                                                  implementation of these new statutory                   approaches that maximize net benefits                 and Budget (OMB) Control Numbers are:
                                                  elements will be addressed through                      (including potential economic,                        0704–0489, ‘‘DoD’s Defense Industrial
                                                  future rulemaking activities to ensure                  environmental, public health and safety               Base (DIB) Cybersecurity (CS) Activities
                                                  the opportunity for public comment.                     effects, distribute impacts, and equity).
                                                                                                                                                                Cyber Incident Reporting,’’ and 0704–
                                                     Comment: One respondent                              Executive Order 13563 emphasizes the
                                                                                                                                                                0490, ‘‘DoD’s Defense Industrial Base
                                                  recommended expanding the number of                     importance of quantifying both costs
                                                                                                                                                                (DIB) Cybersecurity (CS) Program Points
                                                  commercial service providers under the                  and benefits, of reducing costs, of
                                                                                                          harmonizing rules, and of promoting                   of Contact (POC) Information.’’
                                                  Enhanced Cybersecurity Service (ECS)
                                                  program, as part of the DIB CS program.                 flexibility. This rule has been                       Executive Order 13132, ‘‘Federalism’’
                                                     Response: The ECS program is                         designated a ‘‘significant regulatory
                                                  managed by the Department of                            action,’’ although not economically                     It has been determined that this rule
                                                  Homeland Security (DHS).                                significant, under section 3(f) of                    does not have federalism implications,
                                                  Recommendations regarding ECS                           Executive Order 12866. Accordingly,                   as set forth in Executive Order 13132.
                                                  should be forwarded to DHS at ECS_                      the rule has been reviewed by the Office              This rule does not have substantial
                                                  Program@hq.dhs.gov. No change is                        of Management and Budget (OMB).                       direct effects on:
                                                  made to the rule.                                                                                               (a) The States;
                                                                                                          Public Law 104–121, ‘‘Congressional
                                                     Comment: One respondent cautioned
                                                                                                          Review Act’’ (5 U.S.C. 801)                             (b) The relationship between the
                                                  against expanding the types of
                                                  companies eligible for the DIB CS                          It has been determined that this rule              National Government and the States; or
                                                  program until addressing all relevant                   is not a ‘‘major’’ rule under 5 U.S.C. 801,             (c) The distribution of power and
                                                  operational, privacy, and security                      enacted by Public Law 104–121,                        responsibilities among the various
                                                  concerns. This expansion could                          because it will not result in an annual               levels of Government.
                                                  encompass companies who provide                         effect on the economy of $100 million
asabaliauskas on DSK3SPTVN1PROD with RULES




                                                  services and products to the general                    or more; a major increase in costs or                 List of Subjects in 32 CFR Part 236
                                                  public and current defense contractors                  prices for consumers, individual                       Government contracts, Security
                                                  who are not currently eligible to                       industries, Federal, State, or local                  measures.
                                                  participate in the program.                             Government agencies, or geographic
                                                     Response: DoD has established                        regions; or significant adverse effects on              Accordingly, the interim final rule
                                                  eligibility requirements (§ 236.7) for                  competition, employment, investment,                  published at 80 FR 59581 on October 2,
                                                  participation in the DIB CS program and                 productivity, innovation, or on the                   2015, is adopted as a final rule with the
                                                  thus any future expansion or revision of                ability of United States-based                        following changes:


                                             VerDate Sep<11>2014   17:56 Oct 03, 2016   Jkt 241001   PO 00000   Frm 00024   Fmt 4700   Sfmt 4700   E:\FR\FM\04OCR1.SGM   04OCR1


                                                                    Federal Register / Vol. 81, No. 192 / Tuesday, October 4, 2016 / Rules and Regulations                                               68317

                                                  PART 236—DEPARTMENT OF                                  behalf of the contractor in support of the              (d) DoD’s DIB CS Program Office is
                                                  DEFENSE (DoD)’s DEFENSE                                 performance of the agreement.                         the overall point of contact for the
                                                  INDUSTRIAL BASE (DIB)                                   *     *     *     *     *                             program. The DC3 managed DoD DIB
                                                  CYBERSECURITY (CS) ACTIVITIES                             DIB participant means a contractor                  Collaborative Information Sharing
                                                                                                          that has met all of the eligibility                   Environment (DCISE) is the operational
                                                  ■ 1. The authority citation is revised to               requirements to participate in the                    focal point for cyber threat information
                                                  read as follows:                                        voluntary DIB CS program as set forth                 sharing and incident reporting under
                                                    Authority: 10 U.S.C. 391, 393, and 2224; 44           in this part (see § 236.7).                           the DIB CS program.
                                                  U.S.C. 3506 and 3544; 50 U.S.C. 3330.                   *     *     *     *     *                             *      *    *     *      *
                                                  ■ 2. Amend § 236.1 by revising the last                                                                       ■ 7. Amend § 236.6 by:
                                                                                                          § 236.3     [Amended]
                                                  two sentences in the section to read as                                                                       ■ a. Revising the section heading.
                                                  follows:                                                ■  4. Amend § 236.3 by:                               ■ b. In paragraph (a):
                                                                                                          ■  a. In paragraph (b)(1), removing                   ■ i. Removing ‘‘DoD–DIB CS
                                                  § 236.1   Purpose.                                      ‘‘DoD–DIB CS information sharing                      information sharing program’’ and
                                                     * * * The part also permits eligible                 program’’ and adding in its place ‘‘DIB               adding in its place ‘‘DIB CS program’’ in
                                                  DIB participants to participate in the                  CS program.’’                                         the first sentence.
                                                  voluntary DIB CS program to share                       ■ b. In paragraph (c), removing ‘‘DoD–                ■ ii. Removing ‘‘DoD–DIB CS
                                                  cyber threat information and                            DIB CS information sharing program’’                  information sharing program’’ and
                                                  cybersecurity best practices with DIB CS                and adding in its place ‘‘DIB CS                      adding in its place ‘‘DIB CS program’’ in
                                                  participants. The DIB CS program                        program.’’                                            the second sentence.
                                                  enhances and supplements DIB                                                                                  ■ c. In paragraph (c), removing ‘‘DoD–
                                                  participants’ capabilities to safeguard                 § 236.4     [Amended]
                                                                                                                                                                DIB CS information sharing program’’
                                                  DoD information that resides on, or                     ■  5. Amend § 236.4 by:                               and adding in its place ‘‘DIB CS
                                                  transits, DIB unclassified information                  ■  a. In paragraph (a), removing                      program.’’
                                                  systems.                                                ‘‘applicable agreements’’ and adding in               ■ d. In paragraph (d), removing ‘‘DoD–
                                                  ■ 3. Amend § 236.2 by:                                  its place ‘‘forms of agreements (e.g.,                DIB CS information sharing program’’
                                                  ■ a. Revising the definition of ‘‘Covered               contracts, grants, cooperative                        and adding in its place ‘‘DIB CS
                                                  contractor information system’’.                        agreements, other transaction                         program.’’
                                                  ■ b. Revising the definition of ‘‘Covered               agreements, technology investment                     ■ e. In paragraph (e), removing ‘‘DoD–
                                                  defense information’’.                                  agreements, and any other type of legal               DIB CS information sharing program’’
                                                  ■ c. Revising the definition of ‘‘Cyber                 instrument or agreement).’’                           and adding in its place ‘‘DIB CS
                                                  incident’’.                                             ■ b. In paragraph (d), removing ‘‘, as                program.’’
                                                  ■ d. Revising the definition of ‘‘DIB                   appropriate’’ and adding in its place                 ■ f. In paragraph (g), removing ‘‘DoD–
                                                  participant’’.                                          ‘‘that are providing operationally critical           DIB CS information sharing program’’
                                                  ■ e. Removing ‘‘DoD–DIB CS                              support or for which subcontract                      and adding in its place ‘‘DIB CS
                                                  information sharing program’’ and                       performance will involve a covered                    program.’’
                                                  adding in its place ‘‘DIB CS program’’ in               contractor information system.’’                        The revisions read as follows:
                                                  the definition of ‘‘Government furnished                ■ c. In paragraph (e), removing ‘‘http://
                                                  information’’.                                          iase.disa.mil/pki/eca/certificate.html’’              § 236.6 General provisions of DoD’s DIB
                                                  ■ f. Removing ‘‘Contractor’’ and adding                 and adding in its place ‘‘http://                     CS program.
                                                  in its place ‘‘contractor’’ in the                      iase.disa.mil/pki/eca/Pages/                          *      *     *    *      *
                                                  definition of ‘‘Media’’.                                index.aspx.’’                                         ■  8. Amend § 236.7 by:
                                                     The revisions read as follows:                       ■ d. In paragraph (m)(4), adding ‘‘non-               ■  a. Revising the section heading.
                                                                                                          attributional cyber threat information’’              ■  b. In paragraph (a) introductory text,
                                                  § 236.2   Definitions.
                                                                                                          after ‘‘sharing.’’                                    removing ‘‘DoD–DIB CS information
                                                  *      *    *     *     *                               ■ e. Redesignating paragraphs (n)
                                                     Covered contractor information                                                                             sharing program’’ and adding in its
                                                                                                          through (p) as paragraphs (o) through                 place ‘‘DIB CS program.’’
                                                  system means an unclassified                            (q).                                                  ■ c. In paragraph (a)(1), adding ‘‘to at
                                                  information system that is owned or                     ■ f. Redesignating paragraph (m)(6) as
                                                  operated by or for a contractor and that                                                                      least the Secret level’’ after ‘‘FCL.’’
                                                                                                          paragraph (n).                                        ■ d. In paragraph (a)(2), removing
                                                  processes, stores, or transmits covered                 ■ 6. Amend § 236.5 by:                                ‘‘DoD–DIB CS information sharing
                                                  defense information.                                    ■ a. Revising the section heading.
                                                     Covered defense information means                                                                          program’’ and adding in its place ‘‘DIB
                                                                                                          ■ b. In paragraph (a), removing ‘‘DoD–                CS program.’’
                                                  unclassified controlled technical                       DIB CS information sharing program’’                  ■ e. In paragraph (a)(3)(iii), removing
                                                  information or other information (as                    and adding in its place ‘‘DIB CS
                                                  described in the Controlled Unclassified                                                                      ‘‘DoD–DIB CS information sharing
                                                                                                          program.’’                                            program’’ and adding in its place ‘‘DIB
                                                  Information (CUI) Registry at http://                   ■ c. In paragraph (b), removing ‘‘DoD–
                                                  www.archives.gov/cui/registry/category-                                                                       CS program.’’
                                                                                                          DIB CS information sharing program’’                     The revisions read as follows:
                                                  list.html) that requires safeguarding or                and adding in its place ‘‘DIB CS
                                                  dissemination controls pursuant to and                  program.’’                                            § 236.7 DoD’s DIB CS program
                                                  consistent with law, regulations, and                   ■ d. Revising paragraph (d).                          requirements.
asabaliauskas on DSK3SPTVN1PROD with RULES




                                                  Government wide policies, and is:                       ■ e. In paragraph (g), removing ‘‘DoD–                *        *   *     *      *
                                                     (1) Marked or otherwise identified in                DIB CS information sharing program’’
                                                  an agreement and provided to the                                                                                Dated: September 29, 2016.
                                                                                                          and adding in its place ‘‘DIB CS
                                                  contractor by or on behalf of the DoD in                                                                      Patricia L. Toppings,
                                                                                                          program.’’
                                                  support of the performance of the                          The revisions read as follows:                     OSD Federal Register, Liaison Officer,
                                                  agreement; or                                                                                                 Department of Defense.
                                                     (2) Collected, developed, received,                  § 236.5     DoD’s DIB CS program.                     [FR Doc. 2016–23968 Filed 10–3–16; 8:45 am]
                                                  transmitted, used, or stored by or on                   *       *     *       *      *                        BILLING CODE 5001–06–P




                                             VerDate Sep<11>2014   17:56 Oct 03, 2016   Jkt 241001   PO 00000   Frm 00025   Fmt 4700   Sfmt 4700   E:\FR\FM\04OCR1.SGM   04OCR1



Document Created: 2016-10-04 03:03:28
Document Modified: 2016-10-04 03:03:28
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Rules and Regulations
Action: Final rule.
Contact: Vicki Michetti, DoD's DIB Cybersecurity Program Office: (703) 604-3167, toll free (855) 363-4227, or [email protected]
FR Citation: 81 FR 68312
CFR Associated: Government Contracts and Security Measures
