Earlier this month, the Department of Defense (DoD) announced that, after consideration, it is modifying the requirement for industry to obtain a medium assurance certificate – as part of its final rule that solidifies revisions to the eligibility criteria for the voluntary Defense Industrial Base (DIB) Cybersecurity (CS) Program.
According to the Federal Register notice, the medium assurance certificates can be used to validate digital identity and facilitate the exchange of encrypted information. However, it is not the only technical solution available to support identity proofing requirements.
DoD has revised paragraph (e) in § 236.4, and separately in Department of Defense Instruction (DoDI) 8582.01, “Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information,” to require registration with Procurement Integrated Enterprise Environment (PIEE) when submitting mandatory cyber incident reports.
That particular change was meant to reduce the burden of having to procure a medium assurance certificate, which costs approximately $175 annually. However, all DoD contracts still contain the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.232–7003 (48 CFR 252.232–7003), which specifies requirements for electronic submission of payment requests. The department noted that, in order to access the electronic systems associated with electronic payments, the contractor must also complete the required identity proofing and registration process with PIEE.
The new rule is set to take effect on April 11.
What is the DIB CS Program?
The DIB CS Program was established in 2012 to enhance participants’ capabilities to safeguard DoD information that may reside on, or transit through, DIB unclassified information systems. It was initially introduced as a voluntary cyber threat information sharing program for cleared defense contractors that possessed the ability to safeguard such information.
The new rule could effectively expand eligibility for the program to all contractors subject to the department’s mandatory cybersecurity incident reporting requirement – while also removing the requirement for participants to be a cleared contractor with a facility security clearance at the “Secret” level or above.
When it was first established, the Pentagon estimated the number of defense contractors that qualified for the program was under 2,700. That number has greatly expanded in the years that followed, growing to 8,500 participants in 2015, and then to 12,000 in 2022. It could now be open to close to 68,000 additional contractors.
“The expansion of eligibility will allow all defense contractors to participate in bilateral information sharing regarding cybersecurity threats via the DIB CS Program, as opposed to only cleared defense contractors with a facility security clearance,” wrote the legal team of Liza Craig, L. Judson Welle, Alexander Vivona, and Joshuah Turner of the Goodwin Law Practice, calling it a “win/win” for both the DIB and the DoD.
“In addition, the removal of the requirement to obtain a medium assurance certificate will reduce the cost of participation, which will likely be appealing to small business entities now eligible to participate in the Program but looking to minimize the cost burden associated with this volunteer effort,” the Goodwin team continued. “Defense contractors and those seeking to become defense contractors should give thought to the ways that participating in the Program could reduce the risk of cybersecurity incidents by increasing knowledge of potential cyber threats, mitigation strategies, and industry best practices.”
The New CMMC Program Rules
The final DIB CS Program rule announcement follows another from last December – when the DoD opened a 60-day comment period on a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program, which revises certain aspects of the program to address public concerns raised in response to DoD’s initial vision for the CMMC 1.0 program, as originally published in September 2020. The program was developed to be semi-automated and, more importantly, cost-effective, so that small businesses could still achieve at least a level-one certification within the program.
As previously reported, the DoD suggested that, with its streamlined requirements, the CMMC program now provides for simplified compliance by allowing self-assessment for some requirements, while maintaining priorities for protecting DoD information. In addition, the requirements are meant to reinforce cooperation between the DoD and industry in addressing evolving cyber threats.
The new rules further build on the CMMC framework 2.0, which was meant to reduce the security certification tiers from five to three; it also removed the third-party assessment requirement for level one and part of level two, which in turn allowed contractors to return to self-attestation.