While Congress is unable or unwilling to move forward on cybersecurity information sharing legislation, the Department of Defense published its final rule on cybersecurity information sharing with its Defense Industrial Base (DIB) partners in today’s Federal Register (78 FR 62430-62438). I discussed many of the details of this rule last year when DOD published its interim final rule on the topic.
Public Comments and DOD Responses
With the numerous controversies surrounding this topic (controversies that are responsible in large part for the congressional paralysis on the issue), it is not unexpected that the DOD received a large number of comments. The bulk of the preamble to this final rule deals with identifying and responding to the issues raised. In all but two cases the DOD response boiled down to: “No change is made to the rule”.
The first comment eliciting a change in the rule dealt with the definition of a “US Citizen” in the rule. DOD clarified that issue by removing the phrase ‘holding a U.S. passport’ from the definition of ‘U.S. citizen’ in §236.2(o).
The second comment dealt with a requirement in the program to conduct a legal review of the implementation of the program and the language in §236.6 that appeared to require a violation of attorney-client privilege. DOD responded by removing the second sentence in §236.6(c), noting that that sentence “was not intended to imply that there was a requirement to provide such information as a condition of the program”.
This program is currently running under the interim final rule. The limited changes made in this final rule become effective on November 21st, 2013.