Susan Cassidy's commentary appeared in an article appearing in Inside Cybersecurity about the Defense Department's proposed rule that would allow more defense contractors who hold sensitive DOD information to become part of the Pentagon’s DIB Cybersecurity program. The Pentagon has required contractors to report cyber incidents within 72 hours since 2018 through the DOD Cyber Crime Center.
According to Susan, "The proposed rule seems like a logical progression of the Department's efforts to expand the Voluntary DIB Cybersecurity Program beyond classified information and cleared contractors to all contractors that have covered contractor information systems. This rule could be seen as a recognition that many companies beyond cleared contractors have CUI on their systems and DoD has an interest in helping to secure those systems."
However, Susan said it’s “unlikely” that the expansion of the program will meet DOD’s needs for increased information sharing between the Pentagon and contractors.
“To begin with,” Susan said, “the proposed rule says that DOD expects that only 10 percent of the DIB not currently eligible for the program will apply (over a period of ten years). Furthermore, contractors' reluctance to share information with DOD is based on factors that go beyond lack of access to the information sharing and other perceived benefits of the DIB Voluntary Program.”
Susan said, “However, DOD evidently hopes that by offering those benefits to more contractors, at least some additional contractors will be more willing to share information with DOD."
Susan stated the DIB program could “possibly serve as a precursor for the CIRCIA mandatory regime for the DIB critical infrastructure sector” depending on how CISA structures its effort.
Click here to read the full article.