On Nov. 21, 2013, the Department of Defense (DoD) Final Rule establishing a program for promoting voluntary sharing of cyber threat information between the DoD and government contractors will go into effect. The rule is codified at 32 C.F.R. 236.
The program is designed to “enhance and supplement” a contractor's ability to safeguard DoD information. If a contractor chooses to participate, the government will provide it with cyber threat information and recommendations for countering those threats. In return, the contractor is obligated to report any cyber incident that has the potential to compromise DoD information within 72 hours of discovering it.
Applying to the Program
A contractor wishing to participate in the program must:
- Hold a DoD-approved medium assurance certificate to enable encrypted unclassified information sharing between the contractor and the government.
- Possess an existing Facility Security Clearance.
- Have a COMSEC account.
- Have access to the DoD’s secure voice and data transmission systems.
- Own/operate covered Defense Industrial Base systems.
Pursuant to 32 C.F.R. 236.6, a contractor must also conduct a legal review of the policies and practices that support its activities under the program, to confirm that they comply with the program's applicable legal requirements. Once a contractor has confirmed compliance, it can apply online for the Information Sharing Program via the DoD's website at dibnet.dod.mil/.
Advantages and Disadvantages of Participation
The principal advantage of participating in the program is that a contractor receives cyber threat information from the government that it might not otherwise obtain. In addition, even though the Final Rule states that the program is not designed to create any advantage or disadvantage in source selections, a company may be able to strengthen its overall information security by participating, which could lead to a more favorable evaluation when competing for contracts.
Participation in the program is not without risks or disadvantages. First, obtaining the requisite certificates, clearances and accounts can take a long time. In addition, the required legal review may reveal that a contractor must make substantial and costly changes to its policies and practices to comply with state and federal privacy laws. Furthermore, program participation may require a contractor to share information it would normally keep confidential. While the Final Rule provides that information shared through the program is exempt from disclosure under FOIA and will be kept confidential by the government, the risk of inadvertent disclosure remains.
Perhaps most importantly, a participating contractor could be exposed to liability by reporting information that demonstrates a violation of security provisions in an ongoing contract. Although most DoD contracts dealing with sensitive information already contain provisions imposing an affirmative reporting obligation for security policy violations, program participation could increase the burden on contractors to report violations.