US Department of Defense (DoD) expands access to DIB CS program
The US Department of Defense (DoD) has clearly decided to take the necessary steps to strengthen the cybersecurity of its supply chain. Following the CMMC proposed rule published on December 26, 2024, DoD has just published a new Defense Industrial Base Cybersecurity (DIB CS) program mount on March 12, 2024.
This new DIB CS law takes effect on April 11, 2024.
In this article, we will present the DIB CS program, its new changes and, above all, its benefits for DoD contractors and subcontractors.
What is the DIB CS program?
DIB CS is a voluntary information-sharing program between DoD and its suppliers. It aims to help suppliers strengthen their cybersecurity by, for example, giving them access to sensitive strategic information and intelligence on cyber threats. This information may be unclassified or classified.
For example, if DoD has access to information about an ongoing attack targeting some of its suppliers, the indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) of this attack could be shared with all suppliers, enabling them to strengthen their security and avoid the risk.
Information sharing is a two-way street. DoD providers can also share information about threats they observe or hold (e.g. identified malicious tools). They can also share information about attacks they have experienced, if they so wish.
It's a collaborative public-private partnership in cybersecurity around DoD, to reduce the security risks that can impact the global supply chain.
Why has the DIB CS program been revised?
When the DIB CS program was launched in 2012, it was limited solely to DoD suppliers who had an obligation to report cybersecurity incidents targeting them and who held clearance to access classified information (facility clearance or FCL).
The enrolment process was highly restrictive, which is why the program was not a success. In addition to being cleared, DoD suppliers interested in joining the program had to use a medium assurance certificate to interact with DoD systems.
The process was a little too rigid, which is not effective given the current evolution and complexity of cyber-attacks.
What is an average insurance certificate?
Medium assurance certificates are a category of digital certificates issued only by DoD-authorized suppliers. These certificates enable secure communication with DoD systems. For example, if your computer does not have a medium assurance certificate, you will not be able to connect to DoD's security incident reporting platform https://icf.dib.mil/.
There are currently only 2 suppliers authorized by DoD to issue Medium Assurance Certificates: WidePoint (formerly Operational Research Consultants, Inc. (ORC)) and IdenTrust Inc.
New law expands scope of DIB CS program
The new DIB CS Act extends eligibility for the program to all DoD suppliers who own or operate unclassified information systems that process, store or transmit Defense Covered Information (CDI).
The term DCI refers to CUI belonging specifically to DoD.
To put it more simply, if you are required to protect CUI under DFARS 252.204-7012, consider these CUI to be DCI.
What do DoD suppliers gain by joining DIB CS?
By registering with DIB CS, you benefit from sensitive information (classified or unclassified) that allows you to strengthen your protection and makes you immune to certain attacks that target DoD's supply chain. For example, you can
● You can inject the IOCs received from DoD into your intrusion detection system (IDS/IPS) to monitor specific attacks. This increases your detection and response capacity.
● You can anticipate and counter a targeted attack
● Reduce your risk of piracy
● You reduce the risk of unauthorized access to your DCI and CUI.
Summary of changes
● From April 11, 2023, eligibility for the DIB CS program will extend to all DoD suppliers who own or operate unclassified information systems that process, store or transmit CDI.
● The requirement for clearance to access classified information (facility clearance or FCL) has been removed.
● Average insurance certificates are no longer required to join DIB CS.
● Suppliers should register via Procurement Integrated Enterprise Environment (PIEE).
DoD expects around 68,000 new suppliers to join the DIB CS program with these new changes.