Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity (CS) Activities

AGENCY:

Office of the DoD Chief Information Officer, Department of Defense (DoD).

ACTION:

Final rule.

SUMMARY:

The DoD is finalizing revisions to the eligibility criteria for the voluntary Defense Industrial Base (DIB) Cybersecurity (CS) Program. These revisions will allow all defense contractors who own or operate an unclassified information system that processes, stores, or transmits covered defense information to benefit from bilateral information sharing. DoD is also finalizing changes to definitions and some technical corrections for readability.

DATES:

This rule is effective on April 11, 2024.

FOR FURTHER INFORMATION CONTACT:

• Stacy Bostjanick, Chief Defense Industrial Base Cybersecurity, Office: 703–604–3167.

• DIB CS Program Management Office: OSD.DIBCSIA@mail.mil.

SUPPLEMENTARY INFORMATION:

Discussion of Comments and Changes

The proposed rule was published in the Federal Register (88 FR 27832–27839) on May 3, 2023. Four submissions were received and are summarized below.

A commenter suggested DoD should redefine terms and should change the regulations for the program. However, the commenter did not provide any additional detail which would allow DoD to consider possible changes.

A commenter suggested DoD use this opportunity to run a targeted marketing campaign to assist small businesses with explaining a medium assurance certificate's purpose and procuring the hardware in advance of needing it.

After consideration, DoD is modifying the requirement for industry to obtain a medium assurance certificate. Medium assurance certificates can be used to validate digital identity and facilitate the exchange of encrypted information. However, it is not the only technical solution available to support identity proofing requirements. So, DoD is revising paragraph (e) in § 236.4, and separately in Department of Defense Instruction (DoDI) 8582.01, “Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information,” to require registration with Procurement Integrated Enterprise Environment (PIEE) when submitting mandatory cyber incident reports. This change will reduce the burden of having to procure a medium assurance certificate which costs approximately $175 annually. All DoD contracts contain Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.232–7003 (48 CFR 252.232–7003), which specifies requirements for electronic submission of payment requests. In order to access the electronic systems associated with electronic payments the contractor must also complete the required identity proofing and registration process with PIEE.

Multiple commenters provided input on the accuracy of the burden estimates. One commentor recommended allowing one report to cover multiple contracts to reduce the administrative reporting burden on all parties and enhance consistency across DoD data. Another commentor noted that many firms will lack in-depth familiarity with existing policy, compliance requirements, and other details of the DIB CS Program and, as such, the estimate of 30 minutes for new entrants to familiarize themselves with the rule is an underestimate.

As DoD is modifying the requirement for industry to obtain a medium assurance certificate with this final rule, the Department believes the burden to companies participating in the DIB CS Program is being reduced. In response to concerns about submitting a nearly identical report for multiple contracts, DoD would like to clarify that a contractor may submit one report for an event that impacts multiple contracts. Finally, DoD would like to clarify the estimate of 30 minutes to review changes to this final rule and choose whether to apply to the voluntary DIB CS Program does not include time for contractors to develop in-depth familiarity with existing policies and compliance requirements. It is expected DoD contractors will invest time to familiarize themselves with contractually mandated requirements in addition to this estimate.

A commenter highlighted the revision to the DIB CS Program omits a key component of the Critical Infrastructure Protection Act (CIPA) of 2001, and the revisions to the DIB CS Program will exclude operationally critical support (OCS) contractors from its provisions unless such contractors have covered defense information (CDI) resident in their information systems (IS). The commenter recommended including contractors performing under contracts that are designated as providing OCS, regardless of whether those IS contain CDI.

In accordance with 10 U.S.C. 391, the DoD must include mechanisms for Department personnel to, if requested, assist operationally critical contractors in detecting and mitigating penetrations. Pursuant to section 1642(b) of the National Defense Authorization Act for Fiscal Year 2019 DoD has authority to engage with the DIB that is complementary to, but distinct from, the DIB Cybersecurity Activities that implement the requirements levied upon the Department in 10 U.S.C. 391 and 393. To meet the requirements specified in 10 U.S.C. 391, the DIB CS program will refer ineligible applicants to other U.S. Government Departments and Agencies sharing cybersecurity equities to ensure Federal unity of effort.

A commenter posed several questions about the role of third-party service providers seeking to understand if a third-party service provider may submit reports on behalf of a client, and if a third-party service provider must own or operate covered contractor information systems.

Currently, a contractor may authorize a third-party service provider to report incidents on behalf of the contractor. If that contractor and the third-party service provider are interested in participating in the DIB CS Program, an amendment to the DIB CS Program Framework Agreement is available to authorize the third-party service provider access to DIB CS resources. This agreement details whether the third-party service provider will provide on-site or off-site support; clarifies the respective roles of the contractor and the third-party service provider regarding accessing the government-furnished information on the DIB CS web portal and voluntary reporting of cyber incidents and indicators to the Government. The Framework Agreement and all Program amendments are made available through https://dibnet.dod.mil to an eligible company after the company has been verified by the DoD. The third-party service provider does not need to own or operate a covered defense system.

Two commenters reiterated the need for training and best practices but did not indicate if they are familiar with DoD's current training programs or if they believe the programs are adequate.

DoD notes the DIB CS Program offers training and best practices through in-person and virtual meetings and provides information about digital resources on https://dibnet.dod.mil.

One commenter stated a link or a copy of the “standardized” Government Framework Agreement on the website will help contractors better understand their ability to meet the requirement before submitting an application—potentially saving all parties time and resources.

DoD notes factsheets and informational materials are publicly available on https://dibnet.dod.mil. The Framework Agreement between the Government and a DIB participant is made available after the company applies to the program and DoD verifies the company meets the eligibility requirements set forth in § 236.7.

A commenter suggested access and information for cleared companies should remain as it is today and recommended an “impact statement” to information released to uncleared firms to help contextualize the information and the reason for disseminating it.

The Privacy Impact Assessment (PIA) for DoD's DIB CS Activities provides procedures on how the Government handles personally identifiable information (PII), as well as other forms of sensitive contractor information ( e.g., contractor attributional/proprietary). The PIA is publicly available at https://dodcio.defense.gov/Portals/0/Documents/DIB_PIA.pdf and no changes to the PIA are being proposed. The Security Classification Guide (SCG) is the tool used by DoD Personnel to identify and safeguard national security information when derivatively classifying information. All information will be designated and handled in accordance with the DIB CS Activities SCG, the NISPOM Program as defined in 32 CFR part 117 and the Controlled Unclassified Information (CUI) Program as defined in 32 CFR part 2002.

A commenter asked about a future opportunity to map the level of access to DIB CS resources to a company's certification(s) level or assessment scoring.

DoD notes all companies currently participating in the DIB CS Program are eligible to receive Government Furnished Information (GFI) under the voluntary DIB CS Program and cybersecurity information is shared to the greatest extent possible in accordance with the Program's SCG. Information about a company's certification level or assessment score is controlled information and not available to the DIB CS Program at this time.

A commenter recommended providing consistent controls and data access channels to help companies synthesize and apply the threat information to their market.

The DIB CS Program marks all documents in accordance with the SCG ³ and DIBNet remains the primary channel for disseminating threat products. DoD has recently relaunched DIBNet to provide an API-based data access channel to complement the ability for a DIB CS Participant to download PDF, TXT, and CSV based products which should allow a participating company to analyze threat information unique to their market.

A commenter recommended adding headers to § 236.4 for paragraph (f), (g), (j), and (o) to increase uniformity.

DoD has added headers to § 236.4 for paragraphs (f), (g), and (o). Paragraph (j) has a header, and an administrative correction will be made to correct the format of paragraph (n).

A commenter asked if the rights and responsibilities for submittals under the DIB CS Program have changed with respect to Freedom of Information Act (FOIA).

The rights and responsibilities for submittals under the DIB CS Program have not changed with respect to Freedom of Information Act (FOIA). The Office of the Assistant to the Secretary of Defense for Privacy, Civil Liberties, and Transparency (OATSD(PCLT)) maintains a DoD FOIA Handbook available at https://open.defense.gov/Transparency/FOIA/FOIAHandbook.aspx.

Background and Authority

The DIB means the DoD, Government, and private sector worldwide industrial complex with capabilities to perform research and development, design, produce, and maintain military weapon systems, subsystems, components, or parts to satisfy military requirements. The DIB Cybersecurity Program is a voluntary program to enhance and supplement participants' capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems. The program encourages greater threat information sharing to complement mandatory aspects of DoD's DIB cybersecurity activities which are contractually mandated through DFARS 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This program supports and complements DoD-specific authorities at 10 U.S.C. 2224 and the Federal Information Security Management Act (FISMA 2002) as amended by the Federal Information Security Modernization Act, 2014. Cyber threat information sharing activities under this final rule also fulfill important elements of DoD's critical infrastructure protection responsibilities, as the sector risk management agency for the DIB (see Presidential Policy Directive 21 (PPD–21), “Critical Infrastructure Security and Resilience”). This program is aligned with the requirements of the Controlled Unclassified Information (CUI) program established in Executive Order 13556. Expanding eligibility requirements for the DIB CS Program will augment DoD's information sharing activities with the DIB.

Currently, the DIB CS Program has the following objectives:

• Establish a voluntary, mutually acceptable framework to protect information from unauthorized access.
• Protect the confidentiality of information exchanged to the maximum extent authorized by law.
• Create a trusted environment to maximize network defense and remediation efforts by:

1. Sharing cyber threat information and incident reports.

2. Providing mitigation/remediation strategies and malware analysis.

This program is part of DoD's larger portfolio of work to protect DoD information handled by the DIB by understanding and sharing information, building security partnerships, implementing long-term risk management programs, and maximizing efficient use of resources. It supports two-way information sharing and maintains meaningful relationships and frequent dialogue across the diverse array of eligible defense contractors. For eligible defense contractors, the program maintains a capability for companies to access classified government cyber threat information providing additional context to better understand the cyber threats targeting their networks and information systems.

In May 2012, DoD published an interim final rule establishing the voluntary DIB CS Program and the bilateral information sharing model still used today. The 2012 rule established a voluntary cyber threat information sharing program for cleared defense contractors (CDC) with the ability to safeguard classified information, estimated at 2,650 in 2012. Under the rule CDC is defined as a private entity granted clearance by DoD to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any program of DoD. The 2012 rule stated DoD would maintain a website to facilitate the following aspects of program participation: (1) sharing information regarding eligibility and participation in the program with potential participants, (2) applying to the program online, and 3) executing the necessary agreements with the Government. DoD has established this capability as an online portal referred to as “DIBNet,” located at https://dibnet.dod.mil. A final rule responding to public comments was published in October 2013. In October 2015, responding to new statutory requirements for cyber incident reporting for DoD contractors, subcontractors, and those providing operationally critical support, DoD published another interim final rule to expand eligibility to all cleared defense contractors (estimated at 8,500 in 2015 and 12,000 in 2022), subject to program eligibility requirements. The 2015 rule removed the requirement that CDCs be able to safeguard classified information to participate in the program. The rule also removed the mandatory program eligibility requirement to have or acquire a Communications Security (COMSEC) account and obtain access to DoD's secure voice and data transmission systems, although participants still have to fulfill these requirements to receive classified cyber threat information electronically. A final rule responding to public comments was published in October 2016.

Discussion of the Final Rule

With this rule, the Department is expanding eligibility requirements to allow greater program participation and increase the benefits of bilateral information sharing, which helps protect DoD controlled unclassified information from cyberattack, as well as to better align the voluntary DIB CS Program with DoD's mandatory cyber incident reporting requirements. The current eligibility requirements, based on the October 2016 rule, requires a company to be a cleared defense contractor who:

• Has DoD-approved medium assurance certificates;

• Has an existing facility clearance to at least the Secret level; and

• Can execute the standardized Framework Agreement provided to interested contractors after the Department has verified the DIB company is eligible.

The program has experienced steady growth, with the annual number of applications more than tripling since 2016 (80 total applications received in 2016, 266 total applications received in 2022). It has also seen a steady increase in the percentage of defense contractors who are interested in participating but do not meet current eligibility requirements. The percentage of applications received from ineligible defense contractors has risen at an average rate of 5% per year since 2016; 10% of applications received in 2016 were from ineligible defense contractors, while 45% of applicants in 2022 were ineligible. The steady increase in DIB applicants indicates an increasing desire amongst defense contractors to participate in a cyber threat information sharing program.

In addition, the Department has actively engaged defense associations, universities, and companies in the DIB, as well as participated in many public forums discussing cyber threats and the way forward. The overwhelming feedback was for the Department to facilitate engagement with the broader community of defense contractors beyond just the cleared defense community. In general, smaller defense contractors have fewer resources to devote to cybersecurity, which may provide a vector for adversaries to access information critical to national security. In addition, the Department is working on providing more tailored threat information to support the needs of a broader community of defense contractors with varying cybersecurity capabilities. The gap in eligibility in the current program, feedback from interested but ineligible contractors, a vulnerable DoD supply chain, and a pervasive cyber threat have prompted DoD to propose revising the eligibility requirements of the DIB CS Program to allow participation by non-cleared defense contractors.

The maximum number of defense contractors estimated to be subject to mandatory cyber incident reporting under DFARS clause 252.204–7012 is 80,000. The presence of the clause in a contract does not establish that covered defense information is shared. DoD is working on reporting mechanisms to better assess contractors managing covered defense information. The population of defense contractors in possession of covered defense information and subject to mandatory incident reporting requirements far exceeds the population of defense contractors currently eligible to participate in the voluntary DIB CS Program. With the changes to the eligibility criteria, an estimated additional 68,000 defense contractors will be eligible to participate in the voluntary DIB CS Program. Based on prior participation statistics, it is estimated that about 10% of the eligible contractors (12,000 + 68,000 = 80,000) will actually apply to join the voluntary DIB CS Program (80,000 × 0.10 = 8,000).

Currently, the DIB CS Program has approximately 1,000 cleared defense contractors participating in the program. Program participants have access to technical exchange meetings, a collaborative web platform (DIBNet-U), and threat information products and services through the DoD Cyber Crime Center (DC3). DC3 implements the program's operations by sharing cyber threat information and intelligence with the DIB, and offering a variety of products, tools, services, and events. DC3 serves as the single clearinghouse for unclassified Mandatory Incident Reports (MIRs) and voluntary threat information sharing reports.

Changes to Definitions

In addition to the program eligibility changes described above, DoD is also finalizing the following changes.

Section 236.2 Definitions

1. Access to media—This definition is being removed as it is no longer used in the rule text.

2. DIB CS Program participant—This definition has been revised to align with the revised eligibility requirements set forth in this final rule.

3. Government furnished information (GFI)—This definition was revised to adopt the convention of referring to the DIB CS Program with a capital `P'.

Other Finalized Changes

DoD is amending § 236.4 (Mandatory cyber incident reporting procedures), in response to public comments received about the burden associated with medium assurance certificates. The amendment will require contractors to obtain PIEE account in conjunction with mandatory cyber incident reporting. This change will align the identity proofing processes used by DoD for the majority of DIB companies and will eliminate the cost associated with procuring medium assurance certificates. DoD will continue to accept medium assurance certificates to fulfil identity proofing requirements.

DoD is amending § 236.5 (DoD's DIB CS program) in order to align the program description with the revised eligibility requirements. As a result, references to cleared defense contractors have been replaced with contractors that own or operate a covered contractor information system. Security clearance information is only collected, when applicable, if a company elects and is eligible to participate in classified information sharing. In addition, the language stating participation is typically three to ten company-designated points of contact (POC) has been removed, to avoid confusion regarding the number of POCs, as some larger companies may wish to nominate a larger number of POCs and smaller companies may wish to nominate fewer.

DoD is amending § 236.7 (DoD's DIB CS program requirements) to remove the requirement that a company have an existing active facility clearance (FCL) to at least the Secret level granted under 32 CFR part 117, National Industrial Security Program Operating Manual (NISPOM), to be eligible to participate in the DIB CS Program. In addition, references to cleared defense contractors have been replaced with contractors that own or operate a covered contractor information system.

A foundational element of the activities described in § 236.7 is the recognition that the information shared between DoD and DIB CS Program participants pursuant to the DIB CS Program includes CUI, which requires protection. For additional information regarding the Government's safeguarding of information received from contractors that requires protection, see the Privacy Impact Assessment (PIA) for the DIB Cybersecurity Activities located at: https://dodcio.defense.gov/Portals/0/Documents/DIB_PIA.pdf. The PIA provides detailed procedures for handling personally identifiable information (PII), attributional information about the strengths or vulnerabilities of specific covered contractor information systems, information providing a perceived or real competitive advantage on future procurement action, and contractor information marked as proprietary or commercial or financial information. In addition, personnel information is covered by Office of the Secretary of Defense (OSD) System of Records Notice (SORN) DCIO 01 ( https://dpcld.defense.gov/Portals/49/Documents/Privacy/SORNs/OSDJS/DCIO-01.pdf ). No changes to the PIA or SORN are being made in conjunction with this final rule.

Expected Impact of the Final Rule

Comments were received on the cost of a DoD-approved medium assurance certificates and the accuracy of estimates relating to familiarization costs and attending meetings. DoD is removing the requirement for the DIB to have a DoD-approved medium assurance certificate to report cyber incidents. The requirement is being replaced with the requirement to register in PIEE which has established procedures to perform digital identity proofing. The basis for the cost estimate for a company to familiarize themselves with changes to this rule and determine if they would like to apply to the DIB CS Program does not include time for a company to perform an in-depth review of preexisting contractually mandated requirements. The basis for the cost estimate to participate in meetings uses the assumption a company sends the equivalent of an Information Security Analyst with the mean wage estimate published by the Bureau of Labor Statistics. If the company elects to send more senior representatives the cost will be higher. The economic analysis is being finalized without changes.

Costs

DoD believes the cost impact of the changes to this final rule is not significant, as the changes primarily expand the availability of the established DIB CS Program to additional defense contractors. The newly eligible population of defense contractors may incur costs to familiarize itself with the rule and those who elect to participate in the program will incur costs related to program participation. The Government will continue to incur costs related to operating the program. The DIB CS Program conducts outreach activities to defense contractors through press releases, participation in defense-oriented conferences, speaking engagements, and through digital media. The program will leverage pre-established channels to message changes to the program and engage with the eligible population of defense contractors. Based on the program growth experienced that during the last phase of program expansion the program is forecasting annual growth at just over 1% of the eligible population. At a growth rate of 1% per year it will take the program approximately 10 years to achieve the estimated 10% participation rate of the eligible DIB.

Costs to DIB Participants

In order to join the DIB CS Program there is an initial labor burden for a defense contractor to familiarize themselves with the rule and subsequently apply to the program and provide POC information. In total, if it takes each contractor 30 minutes to read and familiarize him/herself with the rule, it will take contractors 4,000 hours to familiarize themselves with the rule (8,000 participants x .5 = 4,000 hours). At an hourly wage of $108.92, the total cost incurred by contractors for rule familiarization will amount to $217,840 ($108.92 × .5 hours = $54.46 × 4,000 hours = $217,840). The hourly labor cost is based on the mean wage estimate from the Bureau of Labor Statistics for an Information Security Analysts, Occupational Employment and Wages, May 2021 and is covered under information collection 0704–0490. This hourly wage is adjusted upward by 100% to account for overhead and benefits, which implies a value of $108.92 per hour.

The estimated annual burden for a company to apply to the program or for a participating company to update POC information is $36.31, with a total annual cost to all participants of $319,498.67 at peak program participation. This calculation is based on 8,000 participants submitting an average of one application per year and 10% of the population (800 participants) submitting an update each year, with 20 minutes of labor per submission, at a cost of $108.92 per hour ($108.92 × 1/3 hours = $36.31 × 8,800 events = $319,498.67).

There is an estimated annual burden projected at $1,089.20 for defense contractors voluntarily sharing cyber threat information. This is based on a defense contractor electing to submit an average of five informational reports per year with two hours of labor per voluntary submission, at a cost of $108.92 per hour ($108.92 × 2 hours = $217.84 × 5 reports = $1,089.20). It is estimated that 1% of the newly eligible population will elect to join the DIB CS Program annually, which currently has approximately 1,000 participants, with program growth plateauing at 10% of the population by Year 9. The table below shows the costs to industry to voluntarily sharing cyber threat information over a 9-year period. If, in the first year of the program expanding there are 980 participants and 800 new participants join the program, there will be a total of 1,780 participants. Assuming each participant responds five times, this totals 8,900 annual responses times $217.84 per response and will equal $1,938,776 in total annual cost to participants, which is covered in information collection 0704–0489.

In addition, DIB CS Program participants may choose to attend meetings in conjunction with the DIB CS Program. All new participants are invited to attend an orientation session and all existing participants are invited to attend meetings on a quarterly basis. If a defense contractor chooses to send an employee to a day-long meeting each quarter, the defense contractor would incur a cost of $3,485.44 ($108.92 × 8 hours = $871.36 × 4 meetings = $3,485.44).

Costs to the Government

The DoD has identified general areas of costs related to the operation of this program. First, DoD incurs costs to implement this program operationally by responding to inquiries, processing application submissions and collecting, sharing, and managing POC information for program administration and management purposes. Second, DoD incurs costs to collect, analyze, and disseminate threat information.

DoD responds to an average of 2,000 questions each year and these responses are estimated to take 20 minutes per response. If it takes 20 minutes to respond to each question, it will take 667 hours to respond to questions. At an hourly wage of $51.16, it will cost the DoD $34,107 dollars to respond to questions ($51.16 × (.333 × 2,000) = $34,107). Costs to the government are incurred when a company applies to the DIB CS Program to validate and store POC information and to perform follow-up activities with a company when the information is outdated. The processing time for these activities is estimated to be one hour per company.

If, by Year 9, 8,000 companies participate in the program and 10% of the companies update information with the program annually the labor cost to the government is expected to be $72,647.20 = (620 + 800 × $51.16).

In addition, there is a cost incurred by the DoD to receive cyber threat information submitted by defense contractors to have it analyzed by cyber threat experts at DC3. By year 9 of the expanded program, it is estimated DC3 will receive 40,000 responses per year, based on the estimate that each participating company elects to submit 5 informational reports (8,000 participants × 5 reports). Each product takes approximately two hours to create and incurs an hourly labor cost of $51.16 per hour. This equals $102.32 (2 hours × 51.16) per response. The labor cost to the government is forecasted to be $4,092,800 annually after 9 years of growth. In addition to processing cyber threat information, the DoD incurs operational and maintenance costs for the system receiving and storing cyber threat information. This system costs the DoD $5,100,000 annually to maintain (covered under information collection 0704–0489).

Benefits

This program benefits the Department by increasing the overall security of the DIB through increasing awareness and improving assessments of cyber incidents that may affect mission critical capabilities and services. It continues to be an important element of the Department's comprehensive effort to defend DoD information, protect U.S. national interests against cyber-attacks, and support military operations and contingency plans worldwide. Once a defense contractor joins the program, they are encouraged to share information, including cyber threat indicators, that they believe may be of value in alerting the Government and others, as appropriate, of adversary activity to enable the development of mitigation strategies and proactively counter threat actor activity. DC3 develops written products that include analysis of the threat, mitigations, and indicators of adversary activity. Even cyber incidents that are not compromises of covered defense information may be of interest to DoD for situational awareness purposes. This information is disseminated as anonymized threat products that are shared with authorized DoD personnel, other Federal agencies, and company-designated POCs participating in the DIB CS Program. With the revisions to the eligibility criteria, the Department will be able to reduce the impact of cyber threat activity on DIB networks and information systems and, in turn, preserve its technological advantage and protect DoD information and warfighting capabilities. The mitigation of the cyber threat targeting defense contractors reinforces the nation's national security and economic vitality.

For DIB participants, this program provides unique cyber threat information and technical assistance through analyst-to-analyst exchanges, mitigation and remediation strategies, and cybersecurity best practices in a collaborative environment. The shared unclassified and classified cyber threat information is used to bolster a company's cybersecurity posture and mitigate the growing cyber threat. The program's tailored support for small, mid-size, and large companies with varying cybersecurity maturity levels is an asset for participants. The program remains a key element of DoD's cybersecurity efforts by providing services to help protect DIB CS Program participants and the sensitive DoD information they handle.

Regulatory Compliance Analysis

A. Executive Order 12866, “Regulatory Planning and Review” and Executive Order 13563, “Improving Regulation and Regulatory Review”

Executive Order 12866 directs agencies to assess all costs, benefits, and available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health, safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This final rule has been designated “significant,” under Executive Order 12866.

B. Congressional Review Act (5 U.S.C. 801 et seq.)

Pursuant to the Congressional Review Act, this final rule has not been designated a major rule, as defined by 5 U.S.C. 804(2). This final rule will not have an economic effect above the $100 million threshold defined in 5 U.S.C. 804(2) or spur a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies, or geographic regions; or have significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based enterprises to compete with foreign-based enterprises in domestic and export markets.

C. Public Law 96–354, “Regulatory Flexibility Act” (5 U.S.C. 601)

The Office of the DoD Chief Information Officer certified that this final rule is not subject to the Regulatory Flexibility Act (5 U.S.C. 601) because it would not, if promulgated, have a significant economic impact on a substantial number of small entities. This final rule will have a significant positive impact on small entities that will become eligible to participate in and receive benefits through the DIB CS Program. For DIB participants, this program provides cyber threat information and technical assistance through analyst-to-analyst exchanges, mitigation and remediation strategies, and cybersecurity best practices in a collaborative environment. The shared threat information is used to bolster a company's cybersecurity posture and mitigate the growing cyber threat. The program's tailored support for small, mid-size, and large companies with varying cybersecurity maturity levels is an asset for participants, and in fact can avoid expending resources to obtain threat intelligence from private sources if the company elects to participate in services offered by the DoD that directly integrate threat intelligence.

Participation in the DIB CS Program is voluntary. Program application and participation costs are described in the cost analysis section of this final rule. These costs are voluntarily incurred and associated with the labor and resource costs to complete the required program paperwork, including execution of the Framework Agreement, to submit information to the Government, and to receive information from the Government. The costs associated with applying to the DIB CS Program are associated exclusively with labor costs and estimated to be $18.15 per company. None of the program's offering come at an additional fee to DIB participants and additional costs related to participation are estimated based on the time investment (labor hours) required to obtain the benefits as described in the cost analysis of this preamble. Therefore, the Regulatory Flexibility Act, as amended, does not require us to prepare a regulatory flexibility analysis.

D. Sec. 202, Public Law 104–4, “Unfunded Mandates Reform Act”

Section 202 of the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1532) requires agencies to assess anticipated costs and benefits before issuing any rule whose mandates require spending in any one year of $100 million in 1995 dollars, updated annually for inflation. When the Federal Government passes legislation requiring a State, local, or tribal government to perform certain actions or offer certain programs but does not include any funds for the actions or programs in the law, an unfunded mandate is the result. This final rule will not mandate any requirements for State, local, or tribal governments, and will not mandate private sector incurred costs above the $100 million threshold defined in 2 U.S.C. 1532.

E. Public Law 96–511, “Paperwork Reduction Act” (44 U.S.C. Chapter 35)

Section 236.2 of this rule contains information collection requirements. As required by the Paperwork Reduction Act (44 U.S.C. Chapter 35), DoD submitted information collection requests to the Office of Management and Budget for review and approval. In response to DoD's invitation in the proposed rule to comment on any potential paperwork burden associated with this rule, there were no comments from the public. This final rule contains the following information collection requirements under the Paperwork Reduction Act (PRA) of 1995.

• OMB Control Number 0704–0489, “DoD's Defense Industrial Base (DIB) Cybersecurity (CS) Activities Cyber Incident Reporting,”
• OMB Control Number 0704–0490, “DoD's Defense Industrial Base (DIB) Cybersecurity (CS) Points of Contact (POC) Information.”

The System of Records Notice associated with these information collections (DCIO 01, “Defense Industrial Base (DIB) Cybersecurity (CS) Activities Records”) published on May 17, 2019. The Federal Register citation for the SORN is 84 FR 22477.

The Privacy Impact Assessment for the Defense Industrial Base (DIB) Cybersecurity (CS) Activities is posted at: https://dodcio.defense.gov/Portals/0/Documents/DIB_PIA.pdf.

F. Executive Order 13132, “Federalism”

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a final rule that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has federalism implications. This final rule will not have a substantial effect on State and local governments.

G. Executive Order 13175, “Consultation and Coordination With Indian Tribal Governments”

Executive Order 13175 establishes certain requirements that an agency must meet when it promulgates a final rule that imposes substantial direct compliance costs on one or more Indian tribes, preempts tribal law, or effects the distribution of power and responsibilities between the Federal Government and Indian tribes. This final rule will not have a substantial effect on Indian tribal governments.

List of Subjects in 32 CFR Part 236

• Government contracts
• Security measures

Accordingly, DoD amends 32 CFR part 236 as follows:

PART 236—DEPARTMENT OF DEFENSE (DoD) DEFENSE INDUSTRIAL BASE (DIB) CYBERSECURITY (CS) ACTIVITIES

1. The authority citation for 32 CFR part 236 is revised to read as follows:

Authority: 10 U.S.C. 391, 393, and 2224; 44 U.S.C. 3506 and 3554; 50 U.S.C. 3330.

2. Revise the heading of 32 CFR part 236 to read as set forth above.

3. Revise and republish § 236.1 to read as follows:

4. Amend § 236.2 by:

a. Removing the definition of “Access to media”.

b. Removing the definition of “DIB participant” and adding the definition “DIB CS Program participant” in its place.

c. Removing the words “DIB CS program” in the definition of “Government furnished information (GFI)” and adding in their place the words “DIB CS Program”.

The addition reads as follows:

5. Amend § 236.3 by:

a. Removing the word “program” and adding in its place the words “Program participants” in paragraph (b)(1).

b. Removing the words “DIB CS program” and adding in their place the words “DIB CS Program” in paragraph (c).

6. Amend § 236.4 by:

a. Removing the text “ http ” and adding in its place the text “ https ” in paragraphs (b)(2), (c), and (d).

b. Revising paragraphs (e) through (g).

c. Removing the words “paragraph (e)” and adding in their place the words “paragraph (i)” in paragraph (k).

d. Revising paragraph (m)(4).

e. Adding a heading for paragraph (o).

f. Revising paragraph (p).

The revisions and additions read as follows:

7. Revise and republish § 236.5 to read as follows:

8. Revise and republish § 236.6 to read as follows:

9. Revise § 236.7 to read as follows: