(a) All defense contractors that meet the requirements set forth in § 236.7 are eligible to join the DIB CS Program as a DIB CS Program participant. Defense contractors meeting the additional eligibility requirements in § 236.7 can elect to access and receive classified information electronically.
(b) Under the voluntary activities of the DIB CS Program, the Government and each DIB CS Program participant will execute a standardized agreement, referred to as a Framework Agreement (FA), to share, in a timely and secure manner, on a recurring basis, and to the greatest extent possible, cybersecurity information.
(c) Each such FA between the Government and a DIB CS Program participant must comply with and implement the requirements of this part, and will include additional terms and conditions as necessary to effectively implement the voluntary information sharing activities described in this part with individual DIB CS Program participants.
(d) DoD's DIB CS Program Management Office is the overall point of contact for the program. The DC3-managed DoD-DIB Collaborative Information Sharing Environment (DCISE) is the operational focal point for cyber threat information sharing and incident reporting under the DIB CS Program.
(e) The Government will maintain a website or other internet-based capability to provide potential DIB CS Program participants with information about eligibility and participation in the program, to enable online application or registration for participation, and to support the execution of necessary agreements with the Government.
(f) As participants of the DIB CS Program, defense contractors are encouraged to share cyber threat indicators and information that they believe are valuable in alerting the Government and other DIB CS Program participants to better counter threat actor activity. Cyber activity that is not covered under § 236.4 may be of interest to DIB CS Program participants and DoD.
(g) The Government shall share GFI with the DIB CS Program participant or designated SP in accordance with this part.
(h) Prior to receiving GFI, each DIB CS Program participant shall provide the requisite points of contact information, to include U.S. citizenship and security clearance information, as applicable, for the designated personnel within their company in order to facilitate the DoD-DIB interaction in the DIB CS Program. The Government will confirm the accuracy of the information provided as a condition of that point of contact being authorized to act on behalf of the DIB CS Program participant for this program.
(i) GFI will be issued via both unclassified and classified means. DIB CS Program participants' handling and safeguarding of classified information shall be in compliance with 32 CFR part 117. The Government shall specify transmission and distribution procedures for all GFI, and shall inform DIB CS Program participants of any revisions to previously specified transmission or procedures.
(j) Except as authorized in this part or in writing by the Government, DIB CS Program participants may:
(1) Use GFI only on U.S. based covered contractor information systems, or U.S. based networks or information systems used to provide operationally critical support; and
(2) Share GFI only within their company or organization, on a need-to-know basis, with distribution restricted to U.S. citizens.
(k) In individual cases DIB CS Program participants may request, and the Government may authorize, disclosure and use of GFI under applicable terms and conditions when the DIB CS Program participant can demonstrate that appropriate information handling and protection mechanisms are in place and has determined that it requires the ability:
(1) To share the GFI with a non-U.S. citizen; or
(2) To use the GFI on a non-U.S. based covered contractor information system; or
(3) To use the GFI on a non-U.S. based network or information system in order to better protect a contractor's ability to provide operationally critical support.
(l) DIB CS Program participants shall maintain the capability to electronically disseminate GFI within the Company in an encrypted fashion (e.g., using Secure/Multipurpose Internet Mail Extensions (S/MIME), secure socket layer (SSL), Transport Layer Security (TLS) protocol version 1.2, DoD-approved medium assurance certificates).
(m) DIB CS Program participants shall not share GFI outside of their company or organization, regardless of personnel clearance level, except as authorized in this part or otherwise authorized in writing by the Government.
(n) If the DIB CS Program participant utilizes a SP for information system security services, the DIB CS Program participant may share GFI with that SP under the following conditions and as authorized in writing by the Government:
(1) The DIB CS Program participant must identify the SP to the Government and request permission to share or disclose any GFI with that SP (which may include a request that the Government share information directly with the SP on behalf of the DIB CS Program participant) solely for the authorized purposes of this program.
(2) The SP must provide the Government with sufficient information to enable the Government to determine whether the SP is eligible to receive such information, and possesses the capability to provide appropriate protections for the GFI.
(3) Upon approval by the Government, the SP must enter into a legally binding agreement with the DIB CS Program participant (and also an appropriate agreement with the Government in any case in which the SP will receive or share information directly with the Government on behalf of the DIB CS Program participant) under which the SP is subject to all applicable requirements of this part and of any supplemental terms and conditions in the DIB CS Program participant's FA with the Government, and which authorizes the SP to use the GFI only as authorized by the Government.
(o) The DIB CS Program participant may not sell, lease, license, or otherwise incorporate the GFI into its products or services, except that this does not prohibit a DIB CS Program participant from being appropriately designated an SP in accordance with paragraph (n) of this section.
[80 FR 59584, Oct. 2, 2015, as amended at 81 FR 68317, Oct. 4, 2016; 89 FR 17747, Mar. 12, 2024]