Yesterday the Office of Management and Budget (OMB) announced that the Department of Defense submitted its final rule for the Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Activities. The interim final rule on this program was published last year, and apparently DOD takes seriously its responsibility for actually finishing the rulemaking process.
Last year I described the proposed program this way:
This program is based upon the realization that both sides have unique sorts of cybersecurity information that will have value for the other side if the information were to be shared. Because of its extensive intelligence collection and analysis capabilities, DOD is likely to have information about cybersecurity threats (capabilities, techniques, intentions and other actual attacks) that could be used by DIB entities to protect their cybersecurity systems. DIB entities would have details about intrusions and attempted intrusions on their systems (attack vectors, methodologies, information targeted and information compromised) that DOD could use to assess the extent that DOD unclassified information has been compromised and to extend the analysis of cybersecurity threats to DOD/DIB systems.
Of course, the same could be said about DHS and critical infrastructure organizations. Maybe this will be one of the things that comes out of the development of the Cybersecurity Framework.
There are no details available on how the submitted final rule will change the interim rule. We will just have to wait and see. It could take months for OMB to approve this for publication.