Govconlaw Blog
Department of Defense Expands Voluntary Cybersecurity Information Sharing Program
Published Date: June 10, 2024
On March 12, 2024, the Department of Defense issued a final rule revising the eligibility criteria for its voluntary Defense Industrial Base Cybersecurity (“DIB”) Program. The Final Rule “expands eligibility for the DIB CS Program from only contractors that possess an active Facility Clearance to all defense contractors who own or operate an unclassified information system that processes, stores, or transmits Controlled Unclassified Information (CUI).”[1]
The DIB Program, established in 2013, is a voluntary program seeking to enhance and supplement participants’ capabilities to safeguard covered defense information that is processed, stored, or transmitted on unclassified information systems. The rule created a DoD website for cleared defense contractors (“CDC”) to facilitate: (1) sharing information regarding eligibility and participation in the program with potential participants, (2) applying to the program online, and (3) executing the necessary agreements with the Government. The 2013 rule defined CDC as any “private entity granted clearance by DoD to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any program of DoD.”
The DIB Program gives participants access to: “technical exchange meetings, a collaborative web platform (DIBNet-U), and threat information products and services through the DoD Cyber Crime Center (DC3). DC3 implements the program’s operations by sharing cyber threat information and intelligence with the DIB, and offering a variety of products, tools, services, and events. DC3 serves as the single clearinghouse for unclassified Mandatory Incident Reports (MIRs) and voluntary threat information sharing reports.”
Until the rule change on March 12, 2024, to be eligible to participate in the DIB Program, a contractor had to be a CDC who: (1) has a DoD-approved medium assurance certificate; (2) has an existing facility clearance (“FCL”) to at least the Secret level; and (3) can execute the DIB Framework Agreement (provided only to eligible contractors after verification). With these requirements, 45% of the 266 applicants to the DIB Program in 2022 were ineligible for the Program. The Program currently has approximately 1,000 contractor participants.[2]
The final rule (1) removes the requirement for a DoD-approved medium assurance certificate, replacing it with the requirement to register in the DoD’s Procurement Integrated Enterprise Environment (“PIEE”); and (2) removes the requirement for an existing Secret FCL.
Additionally, the final rule replaces references to CDC with “contractors that own or operate covered contractor information system” (an information system that is owned or operated by a contractor and that processes, stores, or transmits Federal contract information; see FAR 52.204-21).
These changes to the eligibility criteria are expected to increase the number of eligible defense contractors by approximately 68,000.[3]
Contractors will need to meet the following criteria to receive classified cyber threat information electronically: (1) have an existing FCL to at least the Secret level; (2) have or acquire a Communication Security (COMSEC) account; (3) have or acquire approved safeguarding for at least Secret information; and (4) obtain access to DoD’s secure voice and data transmission systems supporting the DIB Program.
The final rule became effective on April 11, 2024. Stay tuned for additional information on the rule's impact and on applications, to be provided after the program has been in effect for a longer period of time.
For guidance on the DIB Program and/or cybersecurity under government contracts, please contact Abby Bello Salinas.
____________________________________________________________________________________________________
[1] https://dibnet.dod.mil/dibnet/.
[2] 89 FR 17741.
[3] 89 FR 17741.