Department of Defense (DoD)-Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance (CS/IA) Activities

Federal Register, Volume 77 Issue 92 (Friday, May 11, 2012)

Federal Register Volume 77, Number 92 (Friday, May 11, 2012)

Rules and Regulations

Pages 27615-27621

From the Federal Register Online via the Government Printing Office www.gpo.gov

FR Doc No: 2012-10651

=======================================================================

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 236

DOD-2009-OS-0183/RIN 0790-AI60

Department of Defense (DoD)-Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance (CS/IA) Activities

AGENCY: Office of the DoD Chief Information Officer, DoD.

ACTION: Interim final rule.

-----------------------------------------------------------------------

SUMMARY: DoD is publishing an interim final rule to establish a voluntary cyber security information sharing program between DoD and eligible DIB companies. The program enhances and supplements DIB participants' capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.

DATES: This rule is effective May 11, 2012. Comments must be received by July 10, 2012.

ADDRESSES: You may submit comments, identified by docket number and/or RIN number and title, by any of the following methods:

Federal Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

Mail: Federal Docket Management System Office, 4800 Mark Center Drive, East Tower, Suite 02G09, Alexandria, VA 22350-3100.

Instructions: All submissions received must include the agency name and docket number or Regulatory Information Number (RIN) for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the Internet at http://www.regulations.gov as they are received without change, including any personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: DIB Cyber Security and Information Assurance Program Office: (703) 604-3167, toll free (855) 363-4227, email DIB.CS/IA.Reg@osd.mil.

SUPPLEMENTARY INFORMATION:

Background

Cyber threats to DIB unclassified information systems represent an unacceptable risk of compromise of DoD information and pose an imminent threat to U.S. national security and economic security interests. DoD's voluntary DIB CS/IA program enhances and supplements DIB participants' capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.

This rule is being published as an interim final rule to:

(a) Allow eligible DIB companies to receive USG threat information and share information about network intrusions that could compromise critical DOD programs and missions.

(b) Permit DIB companies and DOD to assess and reduce damage to critical DOD programs and missions when DOD information is compromised.

(c) Fulfill statutory requirements to ensure the protection of DOD information.

(d) Address vigorous congressional and public interest in increasing cyber security and information assurance activities through government-industry cooperation.

(e) Immediately provide a voluntary framework for DOD and DIB companies to share information to address sophisticated cyber threats that represent an imminent threat to U.S. national security and economic security interests.

Until this rule is published as an interim final rule, eligible DIB companies cannot receive USG information about cyber threats and mitigation strategies or share information about cyber incidents that may compromise critical DOD programs and missions. Without this information, eligible DIB companies' ability to protect USG information cannot be fully effective. While this vulnerability remains open, the USG faces an elevated risk that critical program information

Page 27616

could be compromised, resulting in potential economic losses or damage to U.S. national security. For example, the compromise of such information can significantly diminish return on DIB company and U.S. Government research and development investment and represents a loss of intellectual property that compromises the security and technical advantages of DoD weapons systems.

DIB CS/IA activities, including the collection, management and sharing of information for cyber security purposes, support and implement the following national and DoD-specific guidance and authority: information assurance (IA) requirements to establish programs and activities to protect DoD information and DoD information systems, including information and information systems operated and maintained by contractors or others in support of DoD activities (see 10 U.S.C. 2224; and the Federal Information Security Management Act (FISMA), codified at 44 U.S.C. 3541 et seq.); critical infrastructure protection responsibilities, in which DoD is the sector specific agency for the DIB sector, (see Homeland Security Presidential Directive 7 (HSPD-7), ``Critical Infrastructure Identification, Prioritization, and Protection'').

The DoD established the voluntary DIB CS/IA program to enhance and supplement DIB participants' capabilities to safeguard DoD unclassified information that resides on, or transits, DIB unclassified information systems. At the core of the program is a bilateral cyber security information sharing activity, in which DoD provides cyber threat information and information assurance (IA) best practices to DIB companies to enhance and supplement DIB companies' capabilities to safeguard DoD unclassified information; and in return, DIB companies report certain types of cyber intrusion incidents to the Defense Cyber Crime Center's DoD-DIB Collaborative Information Sharing Environment (DCISE), DoD's operational focal point for cyber threat information sharing and incident response under this program. The DoD analyzes the information reported by the DIB company regarding any such cyber incident, to glean information regarding cyber threats, vulnerabilities, and the development of effective response measures. In addition to this initial reporting and analysis, the DoD and DIB company may pursue, on a voluntary basis, follow-on, more detailed, digital forensics analysis or damage assessments of individual incidents, including sharing of additional electronic media/files or information regarding the incident or the affected systems, networks, or information. The information sharing arrangements between the DoD and each participating DIB company are memorialized in a standardized bilateral Framework Agreement (FA), signed by the participating DIB company and the Government, that implements the requirements of this part and is signed by the participating DIB company and the Government. The FA is available to eligible DIB companies during the application process. As provided by the FA, participation in the program is entirely voluntary and does not obligate any DIB participant to change its information systems or otherwise alter its normal conduct of cyber security activities. In keeping with the voluntary, collaborative nature of the activity described in the FA, each Party bears responsibility for its own actions under this FA. The FA emphasizes sharing to the greatest extent possible information to provide the clearest understanding of the cyber threat. This will allow the Company to improve defense and remediation efforts and allow the Government to assess the damage or impact to defense information and programs entrusted to the Company.

A foundational element of this bilateral information sharing model is the recognition that the information being shared between the parties includes extremely sensitive nonpublic information, which must be protected against unauthorized uses and disclosures in order to preserve the integrity of the program. For example, the cyber threat information shared by the Government must be protected against compromise by the cyber threat, which may already have a presence on the DIB participant's system; and thus the DIB participants must utilize security measures and limited sharing within the company, to ensure that the cyber threat information retains its operational value--for the benefit of all of the DIB participants. Similarly, the DIB participants typically treat information regarding potential cyber intrusion incidents on their networks as extremely sensitive proprietary, commercial, or operational information and tightly control that information within the company, let alone sharing outside the company. The DIB participants share this type of information with the Government only on the condition that the Government safeguards that information against any unauthorized use or release (both within the Government and outside the Government), which could cause substantial competitive harm to the DIB participant that reported that information. In addition, during any follow-on forensics or damage assessment activities, the Government and DIB companies may share additional types of sensitive information, which may include information regarding the types of DoD information or DIB company information that may have been compromised during the reported incident--potentially including the most sensitive types of unclassified information (e.g., critical program information relating to DoD weapons systems, DIB company trade secrets related to DoD programs, personally identifiable information (PII) regarding individuals). For additional information regarding the Government's safeguarding of information received from the DIB companies, with specific focus on PII, see the Privacy Impact Assessment for the DIB CS/IA Program (http://dodcio.defense.gov/Portals/0/Documents/DIB%20CS-IA%20PIA_FINAL_signed_30jun2011_VMSS_GGMR_RC.pdf).

As part of DoD's instantiation of the voluntary DIB CS/IA program, DoD developed new policies and procedures, developed a dedicated threat sharing and collaboration system, and validated on-line application procedures in order to support participation by a large number of companies. The on-line application procedures provide the administrative and security requirements for DIB participants, including the standardized bilateral FA that implements the requirements of the DIB CS/IA program. The FA will typically be executed by a senior DoD official, such as the DoD Chief Information Officer (CIO), and by a DIB company corporate senior official (e.g., Company CIO or equivalent).

This interim-final rule establishes a new part 236 in title 32 of the Code of Federal Regulations, with the following new sections: Section 236.2 establishes the definitions of terms used in the new part, leveraging established definitions to the maximum extent possible (e.g., those provided in the Committee on National Security Systems Instruction No. 4009, ``National Information Assurance Glossary'') (http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf); Section 236.4 sets forth the basic requirements and procedures of the voluntary program, including information collection requirements; Section 236.5 characterizes cyber security information sharing and collection procedures; Section 236.6 establishes the general provisions of the voluntary DIB CS/IA program; and Section 236.7 sets forth the eligibility

Page 27617

requirements to participate in the voluntary program.

Nothing in this rule or program is intended to be inconsistent with any other related or similar federal agency or private sector activity or requirement. For example, nothing in this rule or program abrogates the Government's or the DIB participants' rights or obligations regarding the handling, safeguarding, sharing, or reporting of information, or regarding any physical, personnel, or other security requirements, as required by law, regulation, policy, or a valid legal contractual obligation.

Similarly, this rule and program are intended to be consistent and coordinated with, and updated as necessary to ensure consistency with and support for, other federal activities related to the handling and safeguarding of controlled unclassified information, such as those that are being led by the National Archives and Records Administration pursuant to Executive Order 13556 ``Controlled Unclassified Information'' (November 4, 2010) (see http://www.archives.gov/cui/).

Executive Orders 12866, ``Regulatory Planning and Review'' and 13563, ``Improving Regulation and Regulatory Review''

It has been certified that 32 CFR part 236 does not:

(a) Have an annual effect on the economy of $100 million or more, or adversely affect in a material way, the economy; a section of the economy; productivity; competition; jobs; the environment; public health or safety; or State, local, or tribal governments or communities;

(b) Create a serious inconsistency, or otherwise interfere with, an action taken or planned by another Agency;

(c) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs, or the rights and obligations of recipients thereof; or

(d) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles as set forth in these Executive Orders.

Public Law 104-121, ``Congressional Review Act'' (5 U.S.C. 801)

It has been determined that 32 CFR part 236 is not a ``major'' rule under 5 U.S.C. 801, enacted by Public Law 104-121, because it will not result in an annual effect on the economy of $100 million or more; a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies, or geographic regions; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based enterprises to compete with foreign-based enterprises in domestic and export markets.

Sec. 202, Public Law 104-4, ``Unfunded Mandates Reform Act''

It has been certified that 32 CFR part 236 does not contain a Federal mandate that may result in expenditure by State, local and tribal governments, in aggregate, or by the private sector, of $100 million or more in any one year.

Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. 601)

It has been certified that 32 CFR part 236 is not subject to the Regulatory Flexibility Act (5 U.S.C. 601) because it would not, if promulgated, have a significant economic impact on a substantial number of small entities. DIB participation in the DIB CS/IA Program is voluntary.

Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)

Sections 236.4 and 236.5 and 236.7 of this interim final rule contain information collection requirements. DoD has submitted the following proposal to Office of Management and Budget (OMB) under the provisions of the Paperwork Reduction Act (44 U.S.C. Chapter 35). Comments are invited on: (a) Whether the proposed collection of information is necessary for the proper performance of the functions of DoD, including whether the information will have practical utility; (b) the accuracy of the estimate of the burden of the proposed information collection; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the information collection on respondents, including the use of automated collection techniques or other forms of information technology.

(a) Title: Defense Industrial Base Cyber Security/Information Assurance (DIB CS/IA) Points of Contact Information.

Type of Request: New.

Projected Responses per Respondent: One response is required initially and thereafter only on an ``as needed/required'' basis, as changes to the points of contact occur.

Annual Responses: 275, which includes the additional responses required on an ``as needed/required'' basis.

Average Burden per Response: 20 minutes.

Annual Burden Hours: Total annual burden for respondents 92 hours.

Total Annualized Cost to Respondents: One-time cost of ~$12 per respondent. Total cumulative annual cost for 250 respondents (275 responses) is $3,337.

Needs and Uses: The DIB CS/IA program collects Point of Contact (POC) information from DIB participants. POC information is needed to facilitate communication between DoD and DIB participants, as well as prospective participants. The POC information includes the names, security clearance information, citizenship, work addresses, including division/group, work email addresses and work telephone numbers of company-identified representatives. DIB POCs include the Chief Executive Officer (CEO), Chief Information Officer (CIO), Chief Information Security Officer (CISO), General Counsel, the Chief Privacy Officer, and the Corporate Security Officer (CSO) or Facility Security Officer (FSO), or their equivalents. DIB participants also provide POC information for personnel responsible for the implementation and execution of the DIB CS/IA program within their company including designated personnel authorized to report incidents and any policy, administrative, or technical personnel identified to interact with DOD in the operational implementation of the program.

Affected Public: Business or other for-profit and not-for-profit institutions participating in the voluntary DIB CS/IA program.

Frequency: On occasion.

Respondent's Obligation: Voluntary.

(b) Title: DIB Cyber Security/Information Assurance Cyber Incident Reporting.

Type of Request: New.

Phased expansion of DIB CS/IA Number of Participants increases to 750 over three years.

Projected Responses per Participant: 5.

Annual Responses: Year 1 responses are 1,250. Year 2 responses are 2,500. Year 3 responses are 3,750.

Average Burden per Response: 7 hours (this includes searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information).

Annual Burden Hours: Year 1 burden hours are 8,750 hours. Year 2 burden hours are 17,500 hours. Year 3 burden hours are 26,250 hours.

Needs and Uses: The collection of this information is necessary to enhance and supplement DIB participants' information security capabilities to safeguard DoD information that resides on, or transits, DIB unclassified

Page 27618

information systems. The requested information supports the information assurance objectives, cyber threat information sharing, and incident reporting between DoD and the DIB participants. In most cases, DIB participants report incidents using a DIB CS/IA standardized Incident Collection Form (ICF). In some cases, a company may elect to report the incident without using the ICF; and companies may report incidents through a variety of communications channels, including email, fax, or by phone, if necessary.

Affected Public: Business or other for-profit and not-for-profit institutions participating in the DIB CS/IA program.

Frequency: On occasion.

Respondent's Obligation: Voluntary.

OMB Desk Officer: Written comments and recommendations on the information collection should be sent to Ms. Jasmeet Seehra at the Office of Management and Budget, DoD Desk Officer, Room 10102, New Executive Office Building, Washington, DC 20503, with a copy to the Director, DIB CS/IA Program Office, at the Office of the DoD Chief Information Officer, 6000 Defense Pentagon, Attn: DIB CS/IA Program Office, Washington, DC 20301, or email at DIB.CS/IA.Reg@osd.mil. Comments can be received from 30 to 60 days after the date of this notice, but comments to OMB will be most useful if received by OMB within 30 days after the date of this notice.

You may also submit comments, identified by docket number and title, by the following method: Federal Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

Instructions: All submissions received must include the agency name, docket number and title for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the Internet at http://www.regulations.gov as they are received without change, including any personal identifiers or contact information.

To request more information on this information collection or to obtain a copy of the proposal and associated collection instruments, please write to Director, DIB CS/IA Program Office, at Office of the DoD Chief Information Officer, Attn: DIB CS/IA Program Office, 6000 Defense Pentagon, Washington, DC 20301.

Executive Order 13132, ``Federalism''

It has been certified that 32 CFR part 236 does not have federalism implications, as set forth in Executive Order 13132. This rule does not have substantial direct effects on:

(a) The States;

(b) The relationship between the National Government and the States; or

(c) The distribution of power and responsibilities among the various levels of Government.

List of Subjects in 32 CFR Part 236

Contracts, Security measures.

Accordingly 32 CFR part 236 is added to read as follows:

PART 236--DEPARTMENT OF DEFENSE (DOD)-DEFENSE INDUSTRIAL BASE (DIB) VOLUNTARY CYBER SECURITY AND INFORMATION ASSURANCE (CS/IA) ACTIVITIES

Sec.

236.1 Purpose.

236.2 Definitions.

236.3 Policy.

236.4 Procedures.

236.5 Cyber security information sharing.

236.6 General provisions.

236.7 DIB participant eligibility requirements.

Authority: 10 U.S.C. 2224; 44 U.S.C. 3506; 44 U.S.C. 3544.

Sec. 236.1 Purpose.

Cyber threats to DIB unclassified information systems represent an unacceptable risk of compromise of DoD information and pose an imminent threat to U.S. national security and economic security interests. DoD's voluntary DIB CS/IA program enhances and supplements DIB participants' capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.

Sec. 236.2 Definitions.

As used in this part:

(a) Attribution information means information that identifies the DIB participant, whether directly or indirectly, by the grouping of information that can be traced back to the DIB participant (e.g., program description, facility locations).

(b) Compromise means disclosure of information to unauthorized persons or a violation of the security policy of a system in which unauthorized intentional, or unintentional, disclosure, modification, destruction, loss of an object, or the copying of information to unauthorized media may have occurred.

(c) Covered defense information means unclassified information that:

(1) Is:

(i) Provided by or on behalf of the DoD to the DIB participant in connection with an official DoD activity; or

(ii) Collected, developed, received, transmitted, used, or stored by the DIB participant in support of an official DoD activity; and

(2) Is:

(i) Technical information marked for restricted distribution in accordance with DoD Directive 5230.25, ``Withholding of Unclassified Technical Data From Public Disclosure,'' or DoD Directive 5230.24, ``Distribution Statements on Technical Documents'';

(ii) Information subject to export control under the International Traffic in Arms Regulations (ITAR) (http://pmddtc.state.gov/regulations_laws/itar_official.html), or the Export Administration Regulations (EAR) (http://ecfr.gpoaccess.gov, Title 15, part 730);

(iii) Information designated as Critical Program Information (CPI) in accordance with DoD Instruction 5200.39, ``Critical Program Information (CPI) Protection within the Department of Defense'';

(iv) Information that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical intelligence in time to be useful to adversaries as described in 5205.02-M, ``DoD Operations Security (OPSEC Program Manual'';

(v) Personally Identifiable Information (PII) that can be used to distinguish or trace an individual's identity in accordance with DoD Directive 5400.11, ``DoD Privacy Program'';

(vi) Information bearing current and prior designations indicating unclassified controlled information (e.g., For Official Use Only, Sensitive But Unclassified, and Limited Official Use, DoD Unclassfied Controlled Nuclear Information, Sensitive Information) that has not been cleared for public release in accordance with DoD Directive 5230.29, ``Clearance of DoD Information for Public Release'' (see also Appendix 3 of DoD 5200.1-R, ``Information Security Program Regulation''); or

(vii) Any other information that is exempt from mandatory public disclosure under DoD Directive 5400.07, ``DoD Freedom of Information Act (FOIA) Program'', and DoD Regulation 5400.7-R, ``DoD Freedom of Information Program''.

(d) Covered DIB systems means an information system that is owned or operated by or for a DIB participant and that processes, stores, or transmits covered defense information.

(e) Cyber incident means actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.

Page 27619

(f) Cyber intrusion damage assessment means a managed, coordinated process to determine the effect on defense programs, defense scientific and research projects, or defense warfighting capabilities resulting from compromise of a DIB participant's unclassified computer system or network.

(g) Defense Industrial Base (DIB) means the Department of Defense, government, and private sector worldwide industrial complex with capabilities to perform research and development, design, produce, and maintain military weapon systems, subsystems, components, or parts to satisfy military requirements.

(h) DIB participant means a DIB company that has met all of the eligibility requirements to participate in the voluntary DIB CS/IA information sharing program as set forth in this part (see Sec. 236.7).

(i) Government means the United States Government.

(j) Government Furnished Information (GFI) means information provided by the Government under the voluntary DIB CS/IA program, including but not limited to cyber threat information and information assurance practices.

(k) Information means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.

(l) Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

(m) Threat means any circumstance or event with the potential to adversely impact organization operations (including mission, functions, image, or reputation), organization assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.

Sec. 236.3 Policy.

It is DoD policy to:

(a) Establish a comprehensive approach for enhancing and supplementing DIB information assurance capabilities to safeguard covered defense information on covered DIB systems.

(b) Increase the Government and DIB situational awareness of the extent and severity of cyber threats to DOD information.

Sec. 236.4 Procedures.

(a) The Government and each DIB participant will execute a voluntary standardized agreement, referred to as a Framework Agreement (FA), to share, in a timely and secure manner, on a recurring basis, and to the greatest extent possible, cyber security information relating to information assurance for covered defense information on covered DIB systems.

(b) Each such FA between the Government and a DIB participant must comply with and implement the requirements of this part, and will include additional terms and conditions as necessary to effectively implement the voluntary information sharing activities described in this part with individual DIB participants.

(c) DoD's DIB CS/IA Program Office is the overall point of contact for the program. The DoD Cyber Crime Center's DoD-DIB Collaborative Information Sharing Environment (DC3/DCISE) is the operational focal point for cyber threat information sharing and incident reporting under the DIB CS/IA program.

(d) The Government will maintain a Web site or other Internet-based capability to provide potential DIB participants with information about eligibility and participation in the program, to enable the online application or registration for participation, and to support the execution of necessary agreements with the Government. (http://dibnet.dod.mil/)

(e) Prior to receiving GFI from the Government, each DIB participant shall provide the requisite points of contact information, to include security clearance and citizenship information, for the designated personnel within their company (e.g., typically 3-10 company designated points of contact) in order to facilitate the DoD-DIB interaction in the DIB CS/IA program. The Government will confirm the accuracy of the information provided as a condition of that point of contact being authorized to act on behalf of the DIB participant for this program.

(f) GFI will be issued via both unclassified and classified means. DIB participant handling and safeguarding of classified information shall be in compliance with the National Industrial Security Program Operating Manual (NISPOM) (DoD 5220.22-M). The Government shall specify transmission and distribution procedures for all GFI, and shall inform DIB participants of any revisions to previously specified transmission or procedures.

(g) Except as authorized in this part or in writing by the Government, DIB participants may use GFI to safeguard covered defense information only on covered DIB systems that are U.S. based (i.e., provisioned, maintained, or operated within the physical boundaries of the United States); and share GFI only within their company or organization, on a need to know basis, with distribution restricted to U.S. citizens (i.e., a person born in the United States, or naturalized, holding a U.S. passport). However, in individual cases, upon request of a DIB participant that has determined that it requires the ability to share the information with a non-U.S. citizen, or to use the GFI on a non-U.S. based covered DIB system, and can demonstrate that appropriate information handling and protection mechanisms are in place, the Government may authorize such disclosure or use under appropriate terms and conditions.

(h) DIB participants shall maintain the capability to electronically disseminate GFI within the Company in an encrypted fashion (e.g., using Secure/Multipurpose Internet Mail Extensions (S/

MIME), secure socket layer (SSL), Transport Layer Security (TLS) protocol version 1.2, DoD-approved medium assurance certificates).

(i) The DIB participants shall not share GFI outside of their company or organization, regardless of personnel clearance level, except as authorized in this part or otherwise authorized in writing by the Government.

(j) If the DIB participant utilizes a third-party service provider (SP) for information system security services, the DIB participant may share GFI with that SP under the following conditions and as authorized in writing by the Government:

(1) The DIB participant must identify the SP to the Government and request permission to share or disclose any GFI with that SP (which may include a request that the Government share information directly with the SP on behalf of the DIB participant) solely for the authorized purposes of this program;

(2) The SP must provide the Government with sufficient information to enable the Government to determine whether the SP is eligible to receive such information, and possesses the capability to provide appropriate protections for the GFI;

(3) Upon approval by the Government, the SP must enter into a legally binding agreement with the DIB participant (and also an appropriate agreement with the Government in any case in which the SP will receive or share information directly with the Government on behalf of the DIB participant) under which the SP is subject to all applicable requirements of

Page 27620

this part and of any supplemental terms and conditions in the DIB participant's FA with the Government, and which authorizes the SP to use the GFI only as authorized by the Government.

(k) The DIB participant may not sell, lease, license, or otherwise incorporate the GFI into its products or services, except that this does not prohibit a DIB participant from being appropriately designated an SP in accordance with paragraph (j) of this section.

Sec. 236.5 Cyber security information sharing.

(a) GFI. The Government shall share GFI with DIB participants or designated SPs in accordance with this part.

(b) Initial incident reporting. The DIB participant shall report to DC3/DCISE cyber incidents involving covered defense information on a covered DIB system. These initial reports will be provided within 72 hours of discovery. DIB participants also may report other cyber incidents to the Government if the DIB participant determines the incident may be relevant to information assurance for covered defense information or covered DIB systems or other information assurance activities of the Government.

(c) Follow-up reporting. After an initial incident report, the Government and the DIB participant may voluntarily share additional information that is determined to be relevant to a reported incident, including information regarding forensic analyses, mitigation and remediation, and cyber intrusion damage assessments.

(d) Cyber intrusion damage assessment. Following analysis of a cyber incident, DC3/DCISE may provide information relevant to the potential or known compromise of DoD acquisition program information to the Office of the Secretary of Defense's Damage Assessment Management Office (OSD DAMO) for a cyber intrusion damage assessment. The Government may provide DIB participants with information regarding the damage assessment.

(e) DIB participant attribution information. The Government acknowledges that information shared by the DIB participants under this program may include extremely sensitive proprietary, commercial, or operational information that is not customarily shared outside of the company, and that the unauthorized use or disclosure of such information could cause substantial competitive harm to the DIB participant that reported that information. The Government shall take reasonable steps to protect against the unauthorized use or release of such information (e.g., attribution information and other nonpublic information) received from a DIB participant or derived from such information provided by a DIB participant, including applicable procedures pursuant to paragraph (h) of this section. The Government will restrict its internal use and disclosure of attribution information to only Government personnel and Government support contractors that are bound by appropriate confidentiality obligations and restrictions relating to the handling of this sensitive information and are engaged in lawfully authorized activities.

(f) Non-attribution information. The Government may share non-

attribution information that was provided by a DIB participant (or derived from information provided by a DIB participant) with other DIB participants in the DIB CS/IA program, and may share such information throughout the Government (including with Government support contractors that are bound by appropriate confidentiality obligations) for cyber security and information assurance purposes for the protection of Government information or information systems.

(g) Electronic media. Electronic media/files provided by DIB participants to DC3 under paragraphs (b), (c) and (d) of this section are maintained by the digital and multimedia forensics laboratory at DC3, which implements specialized handling procedures to maintain its accreditation as a digital and multimedia forensics laboratory. DC3 will maintain, control, and dispose of all electronic media/files provided by DIB participants to DC3 in accordance with established DoD policies and procedures.

(h) Freedom of Information Act (FOIA). Agency records, which may include qualifying information received from non-federal entities, are subject to request under the Freedom of Information Act (5 U.S.C. 552) (FOIA), which is implemented in the Department of Defense by DoD Directive 5400.07 and DoD Regulation 5400.7-R (see 32 CFR parts 285 and 286, respectively). Pursuant to established procedures and applicable regulations, the Government will protect sensitive nonpublic information under this Program against unauthorized public disclosure by asserting applicable FOIA exemptions, and will inform the non-

Government source or submitter (e.g., DIB participants) of any such information that may be subject to release in response to a FOIA request, to permit the source or submitter to support the withholding of such information or pursue any other available legal remedies.

Sec. 236.6 General provisions.

(a) Confidentiality of information that is exchanged under this program will be protected to the maximum extent authorized by law, regulation, and policy.

(b) The Government and DIB participants will conduct their respective activities under this program in accordance with applicable laws and regulations, including restrictions on the interception, monitoring, access, use, and disclosure of electronic communications or data. The Government and the DIB participant each bear responsibility for their own actions under this program.

(c) Prior to sharing any information with the Government under this program pursuant to the FA, the DIB participant shall perform a legal review of its policies and practices that support its activities under this program, and shall make a determination that such policies, practices, and activities comply with applicable legal requirements. The Government may request from any DIB participant additional information or assurances regarding such DIB participant's policies or practices, or the determination by the DIB participant that such policies or practices comply with applicable legal requirements.

(d) This voluntary DIB CS/IA program is intended to safeguard covered defense information. None of the restrictions on the Government's use or sharing of information under the DIB CS/IA program shall limit the Government's ability to conduct law enforcement, counterintelligence activities, or other activities in the interest of national security; and participation does not supersede other regulatory or statutory requirements.

(e) Participation in the DIB CS/IA program is voluntary and does not obligate the DIB participant to utilize the GFI in, or otherwise to implement any changes to, its information systems. Any action taken by the DIB participant based on the GFI or other participation in this program is taken on the DIB participant's own volition and at its own risk and expense.

(f) A DIB participant's voluntary participation in this program is not intended to create any unfair competitive advantage or disadvantage in DoD source selections or competitions, or to provide any other form of unfair preferential treatment, and shall not in any way be represented or interpreted as a Government endorsement or approval of the DIB

Page 27621

participant, its information systems, or its products or services.

(g) The DIB participant and the Government may each unilaterally limit or discontinue participation in this program at any time. Termination shall not relieve the DIB participant or the Government from obligations to continue to protect against the unauthorized use or disclosure of GFI, attribution information, contractor proprietary information, third-party proprietary information, or any other information exchanged under this program, as required by law, regulation, contract, or the FA.

(h) Upon termination of the FA, and/or change of Facility Security Clearance status below Secret, GFI must be returned to the Government or destroyed pursuant to direction of, and at the discretion of, the Government.

(i) Participation in this program does not abrogate the Government's or the DIB participants' rights or obligations regarding the handling, safeguarding, sharing, or reporting of information, or regarding any physical, personnel, or other security requirements, as required by law, regulation, policy, or a valid legal contractual obligation.

Sec. 236.7 DIB participant eligibility requirements.

To be eligible to participate in this program, a DIB company must:

(a) Have or acquire DoD-approved medium assurance certificates to enable encrypted unclassified information sharing between the Government and DIB participants;

(b) Have an existing active Facility Security Clearance (FCL) granted under the National Industrial Security Program Operating Manual (NISPOM) (DoD 5220.22-M) with approved safeguarding for at least Secret information, and continue to qualify under the NISPOM for retention of its FCL and approved safeguarding (http://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf);

(c) Have or acquire a Communication Security (COMSEC) account in accordance with the NISPOM Chapter 9, Section 4 (DoD 5220.22-M), which provides procedures and requirements for COMSEC activities;

(d) Obtain access to DoD's secure voice and data transmission systems supporting the DIB CS/IA program,

(e) Own or operate covered DIB system(s), and

(f) Execute the standardized FA with the Government (available during the application process), which implements the requirements set forth in sections 236.4 through 236.6 of this part.

Dated: April 30, 2012.

Patricia L. Toppings,

OSD Federal Register Liaison Officer, Department of Defense.

FR Doc. 2012-10651 Filed 5-2-12; 8:45 am

BILLING CODE 5001-06-P