Amid strong demand and the need to bolster supply chain security, the Pentagon is proposing to expand the number of contractors eligible to participate in a voluntary cybersecurity program that involves sharing of information about cyber threats and incident reports, analysis of malware and strategies to reduce threats.
Eligibility would expand from the roughly 12,000 contractors with security clearances to all contractors that are subject to mandatory cybersecurity reporting requirements under current acquisition regulations, which the Department of Defense estimates to be around 80,000. Based on existing enrollment statistics, DoD estimates 10 percent of eligible contractors—amounting to 8,000—will join the Defense Industrial Base Cybersecurity (DIB CS) program, according to the proposal to change the requirements to join the program, which appears in the May 3 Federal Register.
The DIB CS program began in Oct. 2013 with cleared defense contractors that have the ability to safeguard classified information. In Oct. 2016, eligibility was expanded to just cleared contractors, removing the requirement to be able to safeguard classified information.
Since then, demand to participate in the voluntary program has grown. DoD says that 80 applications were received in 2016 and 266 in 2022, and that the number of applications from ineligible contractors has risen from 10 percent to 45 percent over that same period.
“This steady increase in ineligible applicants indicates an increasing desire amongst defense contractors to participate in a cyber threat information sharing program,” DoD says.
Expanding eligibility for the DIB CS program would allow participation by more small defense contractors that lack the resources to devote to cybersecurity, and would allow the department to provide “more tailored threat information to support the needs of a broader community of defense contractors with varying cybersecurity capabilities,” DoD says.
“The gap in eligibility in the current program, feedback from interested but ineligible contractors, a vulnerable DoD supply chain, and a pervasive cyber threat have prompted DoD to propose revising the eligibility requirements of the DIB CS program to allow participation by non-cleared defense contractors,” DoD says.
Comments on the proposal are due by June 20.