On March 12, 2024, the U.S. Department of Defense (DoD) published a final rule (pdf) that dramatically expands access to defense contractors seeking to join the DoD’s voluntary Defense Industrial Base Cybersecurity Program (“DIB CS Program” or “the Program”). The decision to revise the eligibility criteria for the DIB CS program appears to be part of a concerted effort by DoD to encourage and improve overall participation by the defense contractor community in the program, which affords bilateral information sharing following a cyber incident.

The final rule is expected to go into effect on April 11, 2024, according to the Federal Register. Under the final rule, all defense contractors will be eligible to participate in the DIB Cybersecurity Program, which is oriented towards enhancing cyber-threat and incident reporting by contractors to protect DoD unclassified information that resides and/or is transmitted on DIB unclassified information system via enhanced measures for information sharing.

Objective of the DIB CS Program

The primary objective of the DIB CS Program is to improve the ability of defense contractors to safeguard DoD information residing on, or in transit through, DIB unclassified information systems. When the Program was launched, the stated objectives included the following:

• Establishing a voluntary, mutually acceptable framework designed to protect government information from unauthorized access
• Protecting the exchange of confidential information exchanged, to the maximum extent authorized by law
• Creating a trusted environment designed to maximize network defense and remediation efforts by sharing cyber threat information and incident reports among participants
• Providing mitigation and remediation strategies and malware analysis among participants

In addition, the DIB CS Program was envisioned as a complimentary tool aimed to amplify the contractual requirements imposed on DIB-eligible defense contractors when DFARS 252.204–7012 (the contractual provision titled “Safeguarding Covered Defense Information and Cyber Incident Reporting”) is included in a prime contract or subcontract.

Though the stated objective was admirable, the original structure of the DIB CS Program was narrow and restricted eligibility to only a tiny sub-set of the defense contractor community. The new rule is an effort to address this issue.

What Changed

Once the final rule goes into full effect, eligibility for the DIB CS Program will expand to all defense contractors subject to DoD’s mandatory cybersecurity incident reporting requirement. Previously, the DIB CS Program was only available to “cleared” defense contractors possessing active facility security clearances. DoD defined a “cleared” defense contractor as a private entity granted clearance by DoD to “access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any DoD program.”

This narrow definition meant less than 2,800 defense contractors were eligible to participate in the DIB CS program when it originally launched in 2012. Subsequently, in 2015, DoD expanded eligibility to participate in the DIB CS Program to all cleared defense contractors, in effect removing the requirement that a defense contractor be able to safeguard classified information. This modification expanded eligibility for the DIB CD Program to around 5,300 additional “cleared” defense contractors.

The new rule removes the “cleared” requirement and opens the DIB CS Program to all defense contractors owning or operating unclassified information systems that process, store, or transmit covered defense information. The DoD estimates close to 68,000 additional defense contractors will be eligible to participate in the DIB CS Program when the new rule goes into effect.

Program Modifications May Benefit Current DIB CS Program Participants

In addition to expanding eligibility for the DIB CS program, the new rule removes the requirement for DIB CS Program participants to secure a medium assurance certificate, which is used to validate a contractor’s digital identity and facilitate the exchange of encrypted information. Participating defense contractors had to spend an estimated $175 per year to obtain this certificate.

Under the new rule, participating defense contractors will instead need to register with Procurement Integrated Enterprise Environment, the main enterprise procure-to-pay (P2P) application for the DoD and its supporting agencies.

Removing the obligation to secure a medium assurance certificate could help spur participation among defense contractors since it reduces the cost of participation. As a result, smaller defense contractors who may want to participate, but didn’t want to take on the direct expense associated with the voluntary program, may now be more inclined to join.

Looking Ahead

It will be interesting to see whether the revisions to the DIB CS Program will have a material impact on participating defense contractors. Eligibility does not necessarily translate to participation. In fact, according to DoD’s own estimates, only a small percentage of eligible defense contractors actually participate in the DIB CS Program. Those estimates may change once the new rule goes into effect on April 11, 2024.

The effort to expand eligibility and broaden participation in the DIB CS Program appears to be part of a broader effort by DoD to prioritize cybersecurity in the defense contracting space. For example, DoD recently released a proposed rule to implement its Cybersecurity Maturity Model Certification (CMMC) Program. The CMMC Program would impose a comprehensive set of cybersecurity requirements on defense contractors. If enacted, CMMC would obligate contractors to take steps to protect sensitive, unclassified government information. The DoD is expected to incorporate the new CMMC cybersecurity requirements into solicitation provisions and implement those requirements by October 1, 2026.

The proposed CMMC rule was followed by the National Institute of Standards and Technology on releasing draft guidance (pdf) related to the protection of sensitive unclassified information, along with revised cybersecurity steps for government contracts – and federal agencies more broadly – to take when safeguarding government data.