A proposed revision to 32 Code of Federal Regulations (CFR) Part 236, "Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity (CS) Activities," has been posted for public comment as of May 3. It is available for public review and comment here: https://www.regulations.gov/document/DOD-2019-OS-0112-0001. Comments on the proposed rule must be received by June 20, 2023.
This means that the primary contractor would like you to join the DIB CS Program, which is a voluntary public-private cybersecurity partnership in which Program participants share cyber threat information, mitigation, and remediation strategies. To learn more about the requirements to join the DIB CS Program, click here.
If the primary contractor simply has a contract requirement to rapidly report cyber incidents, you can learn more about Reporting Cyber Incidents here.
A DoD-approved Medium Assurance Certificate is required to access these capabilities. To learn more about Medium Assurance Certificates, and to obtain one, please visit http://public.cyber.mil/eca. You can also read more below.
If you do not yet have a DoD-approved Medium Assurance Certificate, please email the DoD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE) DC3.DCISE@us.af.mil or call the DCISE hotline at (410) 981-0104 for further assistance.
Please DO NOT send any malicious files to the email address.
The DoD has established the External Certification Authority (ECA) Program to support the issuance of DoD-approved identification certificates to industry partners and other external entities and organizations. DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting requires contractors and subcontractors to obtain a DoD-Approved Medium Assurance Certificate in order to report cyber incidents. The ECA Program is designed to provide the mechanism for these entities to securely communicate with the DoD and authenticate to DoD Information Systems. To learn more about Medium Assurance Certificates and to obtain one, please visit http://public.cyber.mil/eca.
You can complete an Incident Collection Format (ICF) by using https://icf.dib.mil or by calling the DoD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE) hotline at (410) 981-0104.
The DCISE hotline (410) 981-0104 operates 24/7. Normal, in-office operating hours for DoD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE) are from 6:00 a.m. to 6:00 p.m. ET.
Mandatory incident reporting under DFARS 252.204-7012 Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting is required by most DoD contracts and in subcontracts that involve CDI and/or operationally critical support programs involving CDI. Contractors must report the discovery of cyber incidents that affect CDI information systems, or the CDI information residing therein, to https://dibnet.dod.mil within 72 hours of discovery. Malicious software, affected system images, packet capture, and other data relevant to the reported cyber incident must be preserved for 90 days to allow time for DoD to request the data in order to conduct a damage assessment or decline interest.
DFARS 252.204-7012 defines CDI as:
Any unclassified controlled technical information (CTI) OR other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:
Voluntary reporting is the primary channel for DIB Participants to share cyber threat information and indicators of compromise (IoCs) that may help the cybersecurity posture of other DIB Participants. Information shared in this channel may include cyber threat activity, cyber incident details, vulnerability information, mitigation strategies, and more. Cyber threat activity recommended to be submitted as a voluntary report includes but is not limited to:
For more information, please click here.
No. The DIB CS Program is a voluntary information sharing initiative between private industry cleared defense contractors and the U.S. Government. All that is needed to report a cyber incident is possession of a DoD-approved Medium Assurance Certificate. To learn more about Medium Assurance Certificates, and to obtain one, please click here. To learn more about reporting a cyber incident, click here.
No. DFARS 252.204-7012 requires the impacted company to submit a report on the specific cyber incident. Additionally, if a sub-contractor experiences a reportable cyber incident, the sub-contractor is required to provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as possible.
A self-assessment that allows you to get a baseline of your cybersecurity resiliency is a valuable opportunity. The CRA will allow you to see where there are areas to improve and where you are already doing well. The practice areas and security domains in the CRA also map to the NIST 800-171 requirements for protection of CUI and the NIST Cybersecurity Framework.
We recommend maintaining your relationships with other agencies that you share information with and maintaining any other contractual requirements you may have to share with other agencies. On the Incident Collection Format (ICF), there is also an area to let us know who else you've shared the information with. Per the DFARS 252.204-7012 clause, you do need to report any incidents involving Controlled Unclassified Information (CUI) to DCISE via the Mandatory Report ICF.
The U.S. Government and law enforcement agencies have access to mandatory reporting. When it comes to the DIB CS Program, however, voluntary reporting can only be shared with law enforcement with consent from the Partner.
A DoD-Approved Medium Assurance Certificate is required to report a cyber incident. However, if you do not yet have a DoD-approved Medium Assurance Certificate, please email DC3.DCISE@us.af.mil or call the DoD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE) hotline at (410) 981-0104 for further assistance.
DoD contractors shall report as much of the following information as can be obtained to DoD within 72 hours of discovery of any cyber incident involving covered defense information (CDI) systems or CDI information contained therein. Also, if any additional information is obtained after the initial Incident Collection Format (ICF) is submitted, you can select the initial ICF in your submission history and report any new or updated information via a follow-on ICF.
See DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting for more information.
DoD Contractors shall report as much of the following information as can be obtained to the DoD within one business day of identifying or being notified by a subcontractor that a covered article was provided to the Government during contract performance.
See FAR 52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities for more information.
See FAR 52.204-25 Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment for more information.
See DFARS 252.239-7010 Cloud Computing Services for more information.
DIB participants are encouraged to VOLUNTARILY report information to promote sharing of cyber threat information and indicators that they believe are valuable in alerting the U.S. Government and others, as appropriate, in order to better counter threat actor activity. Cyber activity other than compromises of covered defense information (CDI), or activity that does not adversely affect the contractor's ability to perform operationally critical support, may be of interest to the DIB and DoD for situational awareness purposes. Cyber threat activity recommended to be submitted as a voluntary report includes but is not limited to:
DFARS 252.204-7012 requires contractors to isolate and submit malicious files, if available, to DoD Cyber Crime Center (DC3) as part of the mandatory reporting requirements for cyber incidents. If you have a PKI certificate, you can get an Electronic Malware Submission (EMS) portal account where you will be able to submit malicious files and download the associated report once complete. Submit malicious files to EMS at https://ems.dc3on.gov. You may also request a DoD Safe link drop via emailing DC3.DCISE@us.af.mil and including your ICF number in the subject line, or by calling (410) 981-0104. DO NOT email malicious files to this email address.
The DoD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE), through the DoD Defense Cyber Crime Center (DC3), serves as the operational focal point for the DIB Cybersecurity Program under 32 Code of Federal Regulations, Part 236. DCISE fosters a cyber threat information sharing partnership with DIB participants by performing cyber analysis, offering mitigation and remediation strategies, providing best practices, and conducting analyst-to-analyst exchanges with DIB participants. Learn more at: https://www.dc3.mil/
Contact the DoD Cyber Crime Center (DC3): DC3.DCISE@us.af.mil, Hotline: (410) 981-0104, or Toll Free: (877) 838-2174
DoD established the Defense Industrial Base (DIB) Cybersecurity (CS) Program to enhance and supplement DIB participants' capabilities to safeguard DoD information that resides on or transits DIB unclassified networks or information systems. This public-private cybersecurity partnership is designed to improve DIB network defenses, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness. Under the DIB CS Program, DoD and DIB participants share unclassified and classified cyber threat information.
DIB CS Program Fact Sheet (.pdf)
See 32 Code of Federal Regulations (CFR) Part 236, DoD's DIB Cybersecurity Activities for more information.
Learn more about the DoD's DIB Cybersecurity efforts here
Contact the DIB Cybersecurity Program: OSD.DIBCSIA@mail.mil, Hotline: (703) 604-3167, or Toll Free: (855) DoD-IACS
Learn about DoD DIB Cybersecurity-as-a-Service (CSaaS) Services and Support by clicking here.
Cleared DoD contractors may submit an application by clicking here. Access to DoD's DIB Cybersecurity Program application requires a DoD-approved medium assurance certificate. For information on obtaining a DoD-approved medium assurance certificate, please visit http://public.cyber.mil/eca. Also note that the online application process will only permit one application account per company. The company applicant must be a U.S. citizen and authorized to act on behalf of the company during the application process.
To be eligible to participate in this Program DoD contractors must be a cleared defense contractor (CDC) and shall:
The DIB CS Program Framework Agreement has several Amendments available to qualifying participating companies. Learn more about the Subsidiary Amendment, International Business Unit Amendment, Third-Party Service Provider Amendment, and the Supply Chain Amendment in the Amendment Fact Sheet (PDF).
The Manufacturing Overlay was created to help secure information systems supporting manufacturing processes and was developed through a partnership with cybersecurity experts from the Defense Industrial Base (DIB) Cybersecurity (CS) Program and USG. The Manufacturing Overlay is intended to complement (and further refine) existing security control baselines; further tailoring of controls may be required for systems with additional security or operational considerations.
The DIB Guide to Implementing the Cybersecurity Framework supports DoD's critical infrastructure responsibilities for the DIB. This Guide was developed working with our private sector partners to implement the Framework, while also incorporating the security requirements of NIST SP 800-171.
32 Code of Federal Regulations, Part 236: "Department of Defense (DoD) Defense Industrial Base (DIB) Cyber Security (CS) Activities"
DFARS 252.204-7012: "Safeguarding Covered Defense Information and Cyber Incident Reporting"
DFARS 252.239-7010: "Cloud Computing Services"
DFARS 252.204-7018: "Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services"
DFARS 252.204-7019: "Notice of NIST SP 800-171 DoD Assessment Requirements"
FAR 52.204-23: "Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities"
FAR 52.204-25: "Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment"
NIST SP 800-171 Rev. 3 (Draft) represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of Controlled Unclassified Information (CUI). Read more about it here: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft
NIST SP 800-171 Rev. 2: "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations"
NIST SP 800-172: "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171"
The DoD recognizes the need to help DIB organizations improve their cybersecurity posture and operational resilience and to help the DIB protect DoD information that resides on and transits DIB information systems. A variety of services are available based on your specific needs. Visit the websites below for information about cybersecurity training, services, and products. You may also contact the DIB CS PMO at OSD.DIBCSIA@mail.mil to request additional details about these services.
Download the DoD DIB Cybersecurity-as-a-Service (CSaaS) Services and Support slicksheet here.
DCISE3: DCISE has partnered with a service provider to offer real-time monitoring of your organization’s network traffic, threat detection, and alerts as well as the option to block malicious traffic.
This service includes real-time network traffic monitoring for malicious sources and destinations and shares data anonymously at no cost. Malicious traffic is alerted on and, if desired, blocked. The service protects against DDOS and DNS attacks.
Cyber Resilience Analysis (CRA): This program offers a structured review of an organization’s cybersecurity posture with the goal of understanding cybersecurity capabilities and operational resilience and improving the ability to manage risk to critical services and assets.
A structured survey conducted either in a DC3-facilitated session or as a self-assessment produces a report with suggested actions aligned with the 10 security domains that map to the NIST SP 800-171 requirements to protect CUI and the NIST Cybersecurity Framework.
Adversary Emulation (AE): This program analyzes an organization’s vulnerability to threat actors based on network architecture, software, and processes. It includes technical, process, and policy evaluations in a single, actionable framework.
AE may include penetration testing, network mapping, vulnerability scanning, phishing assessments, and web application testing.
Visit: https://www.dc3.mil or email DC3.Information@us.af.mil
Protective Domain Name System (PDNS): The NSA’s PDNS service combines commercial cyber threat feeds with the NSA’s unique insights to filter external DNS queries and block known malicious or suspicious website traffic, mitigating nation-state malware, spearphishing, botnets, and more.
Attack Surface Management: This service helps DIB customers find and fix issues before they become compromises by identifying DIB internet-facing assets, then leveraging commercial scanning services to find vulnerabilities or misconfigurations on these networks. Each customer receives a tailored report with issues to remediate, prioritized based on both severity of the vulnerability and whether or not it is being exploited.
Visit: https://www.nsa.gov/CCC or email DIB_Defense@cyber.nsa.gov
Sponsored by the DoD Office of Small Business Programs (OSBP), Project Spectrum offers a wide variety of services, including cybersecurity information, resources, tools, and training. Their mission is to improve cybersecurity readiness, resiliency, and compliance for small and medium-sized businesses and the federal manufacturing supply chain.
Project Spectrum includes information about security, risk, and compliance assessments, readiness checks, training, reviews of tools, current research, and policy. Project Spectrum provides information about U.S. Government and commercial services and tools, both free and fee based.
Visit: https://www.projectspectrum.io/#/
The U.S. Air Force’s Blue Cyber Education Series for Small Businesses provides free and open-to-the-public cybersecurity information and support.
Participate in daily, weekly, and monthly cybersecurity online help sessions and webinars. Learn about state and federal resources and collaborate across the federal, academic, and national small business ecosystem. Explore links to other DoD-sponsored Small Business Innovation Research cybersecurity programs.
Visit: https://www.safcn.af.mil/CISO/Small-Business-Cybersecurity-Information/
CISA Cybersecurity Evaluation Tool (CSET)
National Security Agency Cybersecurity Collaboration Center (NSA CCC)
Department of Defense Procurement Toolbox: Related Regulations, Policy, Frequently Asked Questions, and Resources
Defense Pricing and Contracting (DPC): DFARS, Procedures, Guidance and Information (PGI), and Frequently Asked Questions
NIST Manufacturing Extension Partnership (MEP)
APEX Accelerators: Entrepreneurship for Small Businesses (Formerly Procurement Technical Assistance Program (PTAP))