Cybersecurity Maturity Model Certification (CMMC) Archives | DefenseScoop
https://defensescoop.com/tag/cmmc/
Feed last updated Tue, 04 Mar 2025 20:26:57 +0000

Katie Arrington returns to DOD as CISO
https://defensescoop.com/2025/02/20/katie-arrington-returns-to-dod-as-ciso/
Thu, 20 Feb 2025 13:55:16 +0000
Arrington comes back to the Pentagon where she was the chief information security officer for the department's acquisition and sustainment organization during the first Trump administration.

Katie Arrington has been named the deputy chief information officer for cybersecurity and chief information security officer at the Department of Defense, a department spokesperson confirmed.

She assumed the role effective Feb. 18.

A familiar face, Arrington comes back to the Pentagon where she was the chief information security officer for the department’s acquisition and sustainment organization during the first Trump administration.

She was best known for starting the Pentagon’s Cybersecurity Maturity Model Certification program over six years ago, which aims to improve the cybersecurity posture of the defense industrial base and contractors by requiring minimum cyber standards to win contracts.

Arrington previously ran for Congress in South Carolina. Prior to exiting government, she was embroiled in a scandal that saw her security clearance revoked before eventually reaching a settlement.

In the role, Arrington will be expected to provide policy and technical expertise and DOD-wide oversight on all matters related to cybersecurity, including protecting critical infrastructure from cyber threats, coordinating cybersecurity standards and delivering information dominance to defeat adversaries.

Arrington posted on LinkedIn announcing her role.

Report finds large gap in CMMC readiness among defense industrial base
https://defensescoop.com/2025/01/28/redspin-report-cmmc-readiness-gap-2025-defense-industrial-base/
Tue, 28 Jan 2025 13:00:00 +0000
A survey conducted by Redspin found that over half of respondents did not feel prepared for CMMC's requirements, which will go into effect by mid-2025.

Despite having years to get ready, a majority of defense contractors still feel unprepared to implement necessary protocols required by the Pentagon’s Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) initiative, according to a new report.

The final rule for the revamped CMMC 2.0 program went into effect in December, meaning defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) must meet one of three levels of CMMC compliance depending on the sensitivity of the information they handle. After nearly five years of high-profile and oftentimes controversial scoping and rulemaking efforts, the Pentagon plans to implement the new cybersecurity requirements for contractors by mid-2025.

However, a report published Tuesday by Redspin — an authorized CMMC third-party assessment organization (C3PAO) — found there is a significant gap in readiness for CMMC 2.0 requirements across the defense industrial base. The assessment is based on a survey conducted in September 2024 that received 107 responses from a range of military contractors.

“The largest share (42%) of respondents feel Moderately Prepared, and 16% still have a long way to go by being Slightly Prepared or Not at All Prepared. This means that 58% of respondents are not ready for a rule that is now final and effective,” according to the report, titled “Aware but Not Prepared: The State of Defense Industrial Base CMMC Readiness.”

Furthermore, 13 percent of participants indicated they haven’t taken any preparatory action to meet CMMC compliance. The report highlighted that as a “critical concern” given companies have been mandated to maintain a Supplier Performance Risk System self-assessment score since 2020, “meaning those companies are significantly behind and at risk of non-compliance and not properly safeguarding their CUI.”

While the statistic is alarming, Redspin Vice President and Chief Information Security Officer Thomas Graham told DefenseScoop that the lack of action isn’t surprising considering the CMMC program’s contentious history, and that companies should not feel like they’re alone if they are unprepared.

“Since CMMC started, you’ve had a lot of misnomers, you’ve had a lot of rumors, you’ve even had a lot of naysayers. And they are even now saying this is never going to happen,” Graham said Monday during an interview. “The reality is, it is a formal program. It’s not your implementation — your implementation has been in place for a number of years now. All CMMC is doing is just verifying that implementation.”

Graham also noted that so many contractors could be feeling unprepared because they’ve just been waiting to see if the program would actually happen.

CMMC was first conceived in 2019 as a way to protect contractor-held information from exploitation by adversaries by writing cybersecurity requirements for the defense industrial base into federal regulation. Pentagon leadership argued that companies should already have those protections in place simply because they work with the department.

However, the program received pushback from others who argued CMMC would be too difficult to follow. The Defense Department later pared down the program’s scope and contractor expectations in 2021, unveiling a three-tiered framework now known as CMMC 2.0.

The new model allows contractors working with less sensitive information to conduct self-assessments of their cybersecurity compliance. More sensitive information requires companies to have their posture validated by either third-party assessors or the Defense Industrial Base Cybersecurity Assessment Center.

A key criticism of CMMC has been that the requirements would penalize small businesses that can’t afford to comply with them, but Redspin’s survey found that concern isn’t exclusive to smaller companies and subcontractors. According to the report, 52 percent of respondents who indicated cost as a top preparation challenge were prime contractors and dual-role companies.

Graham said the concern was likely caused by inaccurate information released about CMMC over the years, as well as misunderstandings about what the program is trying to accomplish.

“Larger organizations that I’ve talked with, a lot of times there’s a separation between the decision makers and the folks that are actually implementing this stuff,” he said. “And when you break it down to them, then the light bulbs start coming on and they’re like, ‘Oh my god, I never realized we were supposed to be doing this stuff for years.’ Then it becomes a different conversation.”

Despite the readiness gap, Redspin’s survey did show that three-fourths of respondents have already or are in the process of establishing a required system security plan (SSP), which outlines the cyber defenses needed to protect sensitive information.

Over half of the respondents also indicated that they were working with an external service provider (ESP) to reach CMMC certification, underscoring the importance third-party organizations have and will continue to play in maintaining compliance, according to the report.

That means moving forward, ESPs must also ensure their own cybersecurity protocols meet requirements, Graham emphasized.

“ESPs have got to understand they’re going to be part of this, that they are being given access to information that is not theirs — much like the contractors are being given access to information that is not theirs, either,” he said. “With working with these organizations, there’s going to be certain requirements that they are going to have to provide to the [organizations seeking assessment] so now they can get through their own assessment.”

DOD taps McKeown to serve as new special assistant for cybersecurity innovation
https://defensescoop.com/2024/12/20/david-mckeown-special-assistant-cybersecurity-innovation/
Fri, 20 Dec 2024 19:29:15 +0000
As part of the new role, McKeown will stand up and helm the DOD CIO's new Cybersecurity Center of Excellence.

David McKeown has been chosen as the inaugural special assistant for cybersecurity innovation in the office of the Defense Department Chief Information Officer, according to a Friday announcement.

As part of the new role, McKeown will stand up and lead the CIO’s Cybersecurity Center of Excellence, which will focus on tackling long-range and complex innovation challenges for cybersecurity modernization. He will be responsible for a range of programs and operations that will ensure the Pentagon is prepared to meet emerging cybersecurity threats, the DOD CIO noted in a statement posted on LinkedIn.

“Establishing this new office divorces the day-to-day activities such as zero trust implementation, defense industrial base cybersecurity programs and policy development from the requirement to look over the horizon and take on the following cybersecurity threat,” the statement said. “With the Special Advisor for Cybersecurity Innovation, we are building an office to create transformational breakthroughs and drive strategic invention in cybersecurity.”

McKeown most recently served as both the deputy CIO for cybersecurity and chief information security officer since 2020 — a dual-hatted position where he led the department’s wide-ranging cybersecurity modernization efforts and associated policies. His tenure has seen the introduction of cutting-edge technologies and robust protocols to fortify the Pentagon’s cyber defenses.

He has been at the forefront of implementing the DOD’s zero trust strategy while overseeing adoption of the new cybersecurity standards at organizations across the Pentagon. McKeown has also worked to strengthen cybersecurity within the defense industrial base and helped the department revamp the Cybersecurity Maturity Model Certification (CMMC) standards. 

McKeown has over three decades of experience working in the Defense Department, including 27 years serving in the Air Force and eight years as a government civilian employee. His prior roles include working as an Air Force cyberspace operations officer; the director of enterprise information and mission assurance for the Army’s Information Technology Agency; and the cybersecurity center chief and enterprise services center chief for the Defense Information Systems Agency’s Joint Service Provider.

Before joining the DOD CIO, McKeown led the Department of Justice’s Service Delivery Staff, and before that he ran enterprise services and cybersecurity for the DOD’s Joint Service Provider.

Gurpreet Bhatia will assume the duties of acting deputy CIO for cybersecurity and CISO. He previously served as the DOD’s principal director for cybersecurity and deputy chief information security officer.

Final rule for CMMC cybersecurity program goes into effect for defense contractors
https://defensescoop.com/2024/12/16/final-rule-cmmc-cybersecurity-requirements-go-into-effect-defense-contractors/
Mon, 16 Dec 2024 19:59:48 +0000
The framework will require defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) to meet one of three levels of CMMC compliance, depending on the sensitivity of the information.

The final rule for the Pentagon’s Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) initiative went into effect Monday, and the clock is ticking for companies to meet the requirements to be eligible to win Defense Department contracts.

The CMMC program is intended to protect DOD data on contractor systems from being exploited by U.S. adversaries by ensuring those firms comply with National Institute of Standards and Technology security controls.

The final rule will require defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) to meet one of three levels of CMMC compliance, depending on the sensitivity of the info they’re handling.

The journey toward CMMC implementation — a controversial initiative that has raised concerns among some contractors about the costs involved and other regulatory burdens — has been a long one. After receiving feedback from companies, the department moved away from its original CMMC framework toward a more streamlined version that officials have dubbed CMMC 2.0, which has also entailed a lengthy rulemaking process.

The final rule was released for public inspection in the Federal Register in October and was scheduled to go into effect Dec. 16. A follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule change to contractually implement the CMMC program was slated for publication in early to mid-2025.

“Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award,” the Pentagon said in a press release in October.

“With the publication of this updated … rule, DoD will allow businesses to self-assess their compliance when appropriate. Basic protection of FCI will require self-assessment at CMMC Level 1. General protection of CUI will require either third-party assessment or self-assessment at CMMC Level 2. A higher level of protection against risk from advanced persistent threats will be required for some CUI. This enhanced protection will require a Defense Industrial Base Cybersecurity Assessment Center led assessment at CMMC Level 3,” per the release.

According to a notice in the Federal Register, the Pentagon estimates that 8,350 medium and large entities will be required to meet Level 2 CMMC third-party assessment organization (C3PAO) assessment requirements as a condition of contract award.

Far fewer companies are expected to be required to meet the more stringent Level 3 requirements.

“It’s Official! #CMMC 2.0 completed its 60-day Congressional Review period without any changes. Rulemaking is now complete and the new program is in effect. Companies should now begin working towards their CMMC certifications and C3PAOs can begin assessments in accordance with the guidance in the rule,” the Office of the DOD Chief Information Officer wrote in a LinkedIn post on Monday, noting that CMMC requirements won’t be included in DOD contracts until the 48 CFR rule change revising the DFARS is complete and effective. “At that time we will begin a 3-year phased implementation.”

The rollout of CMMC comes as the Pentagon is taking a variety of other measures to try to improve the digital defenses of contractors.

For example, earlier this year the department released a new Defense Industrial Base Cybersecurity Strategy.

Officials plan to routinely evaluate contractor compliance with the CMMC program, the document noted.

The “increasing number of threats resulting from the evolution and expansion of the digital ecosystem drives the need for enhanced requirements for a subset of critical programs or high value assets. Future rulemaking efforts will expand existing information safeguarding requirements for these companies by implementing supplemental guidelines defined in NIST SP 800-172,” the strategy states. “While DFARS specifies the minimum DIB cybersecurity requirements for companies that process, transmit, and store CUI, the Department must also support efforts by the DIB to make risk-informed decisions to exceed these requirements.”

The department also launched a new official program that allows for independent white-hat hackers to find and analyze vulnerabilities in contractors’ systems.

The Defense Department’s Cyber Crime Center (DC3) is partnering with the Defense Counterintelligence and Security Agency on the Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP), and participation is free and voluntary for companies.

“Most of the DIB, some 200,000 companies, are small and medium-sized businesses. They are not equipped to defend themselves against advanced adversaries. And so the question becomes, how can we help them defend themselves? What can we provide to them? … And the answer is some form of cybersecurity as a service, usually focused on small to medium-sized companies, again, to provide capabilities that they would not be able to work with themselves,” Terry Kalka, director of the defense industrial base collaborative information sharing environment at DC3, said at CyberTalks in October.

Officials are working to counter a variety of malicious cyber activities.

“Phishing is always a constant threat, but I think we’re seeing phishing more as an interrupter to operations, like part of ransomware. The more prevalent threats in the last year have to do with actual exploitation and exfiltration of data. And what that indicates to me is that phishing is still effective but it’s not necessarily the most effective attack vector anymore. And so we really need to work on closing vulnerabilities, patching systems and through CISA’s leadership, secure by design, because that’s how we’re going to block adversarial attacks,” Kalka told DefenseScoop.

DOD releases final rule for CMMC, setting the stage for implementation next year
https://defensescoop.com/2024/10/11/dod-cmmc-final-rule-cybersecurity-standards-contractors/
Fri, 11 Oct 2024 12:45:00 +0000
The publication of the final rule moves to establish the CMMC 2.0 program in federal law.

The Pentagon has posted the final rule for the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0), cementing the department’s plans to implement new cybersecurity standards for contractors by mid-2025.

The rule was released for public inspection in the Federal Register on Friday, and the Defense Department anticipates officially publishing the new guidelines Oct. 15, according to a Pentagon press release.

The CMMC program is based on a tiered cybersecurity framework that requires defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) to meet one of three levels of CMMC compliance, depending on the sensitivity of the information. The effort was conceptualized as a way to protect DOD data on contractor systems from being exploited by U.S. adversaries by ensuring those firms comply with widely accepted National Institute of Standards and Technology security controls.

The publication of the final rule comes after several years of work to revamp the original CMMC assessment framework initially developed during the Trump administration. Under CMMC 2.0, the Pentagon has reduced the number of assessment levels from five to three to streamline the compliance process for small and medium-sized contractors.

The Defense Department published its proposed rule for CMMC 2.0 in December 2023 to kickstart the federal rulemaking process. Another proposal to amend the Defense Federal Acquisition Regulation Supplement (DFARS) and implement cybersecurity compliance requirements in Pentagon contracts was later released in August of this year.

Moving forward, the Pentagon intends to publish the follow-on DFARS rule change by mid-2025, according to the department.

“Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award,” the Pentagon press release stated.

The new model will allow contractors working with less sensitive information to conduct self-assessments of their cybersecurity compliance. More sensitive information will require companies to undergo either a third-party assessment or one conducted by the Defense Industrial Base Cybersecurity Assessment Center, which verifies implementation of the standards.

The CMMC program has received criticism in the past, as some defense contractor advocates have argued that it will be expensive, difficult and confusing for companies to comply with — especially small businesses and non-traditional contractors. In response, the Pentagon has worked to provide industry with resources to assist in their efforts to meet the cybersecurity standards.

In addition, the revised CMMC program will introduce “Plans of Action and Milestones” (POA&Ms), which allow contractors that do not yet meet every cybersecurity standard to receive a conditional certification for 180 days while they work to achieve full compliance, according to the Pentagon.

“The Department understands the significant time and resources required for industry to comply with DoD’s cybersecurity requirements for safeguarding CUI and is intent upon implementing CMMC requirements to assess the degree to which they have done so,” the press release stated. “Businesses in the defense industrial base should take action to gauge their compliance with existing security requirements and preparedness to comply with CMMC assessments.”

Pentagon a step closer to CMMC starting line with new contract rule proposal
https://defensescoop.com/2024/08/15/pentagon-step-closer-cmmc-starting-line-new-contract-rule-proposal/
Thu, 15 Aug 2024 19:28:10 +0000
The newly proposed rule would incorporate new cyber requirements into all contracts for vendors who want to do business with the U.S. military that involves controlled unclassified information.

The Pentagon cleared a major milestone Thursday on the path to instituting its cybersecurity standards program for contractors known as the Cybersecurity Maturity Model Certification 2.0.

The Department of Defense submitted a proposed rule that, once approved, would incorporate new cyber requirements into all contracts for vendors who want to do business with the U.S. military that involves sensitive but unclassified information.

Under the CMMC 2.0 program, any contractor or subcontractor that does work with the DOD involving what’s referred to as controlled unclassified information or federal contract information must obtain — or in some cases self-attest to — one of three levels of CMMC compliance, depending on the sensitivity of the information involved in the work.

Specifically, the new proposal, published in the Federal Register, aims to amend the Defense Federal Acquisition Regulation Supplement to implement those cybersecurity requirements in contracts as part of the larger CMMC 2.0 program. That program is itself in the middle of the federal rulemaking process, kickstarted with a separate rule proposal last December after a previous iteration of CMMC with more stringent requirements failed.

That previous proposed rule, put forth in December 2023, would codify the CMMC program in federal regulation, laying out “requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have … implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs.”

This latest proposed rule looks to complement that by spelling out how that program will be implemented in DOD contracts.

“These amendments require at the time of award the results of a current CMMC certificate or CMMC self-assessment, at the level required, for all information systems that process, store, or transmit FCI or CUI during contract performance, when a CMMC level is included in the solicitation,” the proposed rule reads.

It also includes a few other key clarifications for the administration of CMMC in defense contracts once these two rules are final. Notably, Thursday’s proposal spells out a phased rollout of requirements into contracts over the subsequent three years.

“In order to implement the phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period will be determined by the program office or requiring activity after consulting the CMMC 2.0 requirements” laid out in the December 2023 proposed rule, the latest proposal says. “During the phase-in period, when there is a requirement in the contract for CMMC, CMMC certification requirements must be flowed down to subcontractors at all tiers, when the subcontractor will process, store, or transmit Federal contract information (FCI) or CUI, based on the sensitivity of the unclassified information flowed down to each of the subcontractors in accordance with the proposed CMMC 2.0 requirements.”

Once that period ends, CMMC will be in effect for all DOD contract solicitations.

More granularly, the newly proposed rule sets requirements for contracting officers to ensure bidding contractors are CMMC compliant, issues an updated definition for controlled unclassified information — the distinguishing element for contracts that require CMMC compliance — and introduces a provision to notify contractors when there are CMMC requirements in a contract, among other things.

Now, the clock starts on the comment period for the proposed rule, which will run through Oct. 15. At that point, the DOD will sort through any comments and make tweaks as necessary before submitting the rule for final approval to the Office of Information and Regulatory Affairs to be issued as a final rule.

Given the current timing, if things go smoothly during the next steps of the rulemaking process, the phased rollout of CMMC could begin sometime in mid-to-late 2025.

With CMMC looming, military services explore ways to extend secure environments to small businesses
https://defensescoop.com/2024/01/26/cmmc-military-secure-environments/
Fri, 26 Jan 2024 14:32:42 +0000
The military services increasingly see small businesses as extensions of their enterprises and are looking at ways to support their security.

The U.S. Army and Navy are exploring arrangements to extend secure environments to their smaller defense industrial base partners who can’t afford to earn a cybersecurity accreditation with the Pentagon but provide innovative services the branches still want to leverage.

Top cybersecurity officials with the military components speaking on a panel Thursday at the Google Defense Forum, presented by DefenseScoop, said they are working on initiatives to provide those small contractors with secured virtual desktops that would ensure any transaction of sensitive Department of Defense data meets the DOD’s security requirements.

These initiatives come as the Pentagon’s Cybersecurity Maturity Model Certification nears becoming an official rule. The certification program is currently a proposed rule and the department is accepting comments on it until Feb. 26.

Under CMMC, most defense industrial base companies that handle controlled unclassified information under contract with the DOD would need to meet security requirements laid out in National Institute of Standards and Technology Special Publication 800-171 and attest — either through a self-assessment or a third-party assessment, depending on the sensitivity of information shared — to meeting those requirements.

Many small businesses are worried that the assessment process is too burdensome and could keep them from doing business with the DOD.

But the military services don’t want to miss out on the innovation generated by those smaller contractors. That’s why they’re engineering solutions that could keep that partnership alive if a company itself can’t afford to enhance its cybersecurity in the near term.

“We’re exploring virtual desktops … how we may have been able to extend virtual desktops out to our partners, how our department primes and large companies can extend virtual desktops out to medium- and small-sized businesses, affording them additional protections for their data,” Tony Plater, chief information security officer of the Department of the Navy, said on the panel.

While many of the primes the Navy works with already have the measures required by CMMC in place with robust security operations centers, Plater said the Navy has “learned that the medium- and small-sized companies struggle to meet those requirements.” So the Navy is continuing to look strategically at ways to uplift those partners.

“We have to keep in mind how they can meet those requirements,” he said.

The Army similarly is working on an initiative partnering with Google and others to “extend a secure work environment to small businesses,” said Matthew Picerno, chief cyber acquisition officer for the Army. The service is currently “thinking through the challenges of that, legalities, if we build it will they come?” Picerno said.

Both Plater and Picerno also emphasized that, outside of the technical requirements that will be enforced by CMMC, it’s important to treat those small companies as an extension of the services by supporting the development of the personnel across those organizations and ensuring that threat intelligence is shared openly.

“It’s not just about IT. I think about anything that we talked about today, a lot of it’s going to be about the people,” Picerno said. “So the training, understanding what the data is, what we’re trying to present, understanding, you know, what the crown jewels are, and ensuring that we take a holistic organizational phased approach, not just thinking that, you know, some basic IT is going to solve everything.”

For the Navy, as it looks to automate its own assessments of threats and adversaries, Plater said the service is looking for ways to push that intelligence to its defense industrial base partners.

“We need to know what our security posture looks like to the adversary,” he said. “So as we continue to learn and have to have agility and protection internally, we recognize … the importance of the information and technological advantage and innovation that our partners are holding is extremely important. So in order to be a win-win, you got to work together to share that information.”

The post With CMMC looming, military services explore ways to extend secure environments to small businesses appeared first on DefenseScoop.

Pentagon releases proposed rule on cybersecurity standards for contractors
https://defensescoop.com/2023/12/22/pentagon-releases-proposed-rule-on-cybersecurity-standards-for-contractors/
Fri, 22 Dec 2023 21:31:50 +0000

The DOD released the proposed rule for the highly anticipated CMMC program.

At long last, the Department of Defense has released its proposed rule on cybersecurity standards for contractors.

Following several years of development, the DOD in late 2021 shifted gears and unveiled the Cybersecurity Maturity Model Certification 2.0, which includes enhancements to the initial program first developed during the Trump administration. After reforming the program, the Pentagon has been working on a final rule that will mandate contractors that work with the department’s controlled unclassified information be CMMC certified, or risk losing their business.

The CMMC program is based upon a tiered cybersecurity framework that sets requirements for companies based on the level of security necessary for their work. The initiative was conceived to protect contractor information from being exploited by adversaries. Officials in years past have attributed $600 billion in annual losses to cyber thefts from adversaries.

An unpublished version of the proposed rule appeared on the Federal Register Dec. 22 — a few days before its official publication on Dec. 26.

The public comment period is 60 days from publication date.

The program is not without controversy, as some contractor advocates in the past have argued the program will be expensive, onerous — particularly for small businesses and non-traditional contractors — and confusing to keep up with.

CMMC 2.0 sought to simplify things with three key features:

  • The first is a tiered model that requires contractors to implement cybersecurity standards on a three-level scale based on the sensitivity of the information.
  • The second is an assessment requirement that allows DOD to verify implementation of the standards.
  • And the third is implementation through contracts. Once CMMC contracts are fully implemented, DOD contractors that handle sensitive information must achieve a particular CMMC level in order to win the prospective contract.

Updated on Dec. 28, 2023: This story has been updated to include a link to the proposed rule that was officially published Dec. 26.

The post Pentagon releases proposed rule on cybersecurity standards for contractors appeared first on DefenseScoop.

CMMC final rulemaking process kicks off with submission to OMB for review
https://defensescoop.com/2023/07/25/cmmc-final-rulemaking-process-kicks-off-with-submission-to-omb-for-review/
Tue, 25 Jul 2023 18:31:50 +0000

The submission solidifies the fact that DOD has come to a consensus on a final rule and that CMMC is coming in the not-so-distant future.

The Department of Defense on Monday submitted its plan to certify the cybersecurity compliance of defense industrial base contractors that hold the Pentagon’s sensitive information to the Office of Management and Budget for review, officially kicking off the rulemaking process for the program known as the Cybersecurity Maturity Model Certification (CMMC).

DOD sent its CMMC framework to OMB’s Office of Information and Regulatory Affairs, which will take the next 90 days or less to review the rule.

At that point, OIRA will publish the rule in the Federal Register under one of two classifications. The typical rulemaking process entails publishing a new rule or regulation as a proposed rule, which can be a lengthy endeavor, in many cases taking the better part of a year to get across the finish line. Or, the office could agree to publish CMMC as an interim final rule, a scenario in which the rule, under “good cause,” would bypass certain requirements and take effect as a final rule over the following 60 days, allowing CMMC to hit DOD contracts soon after.

Both processes include a period of taking open public comments on the rule, even if it’s published as an interim final rule.

While the submission signifies yet another period of uncertain waiting for the DOD contracting community to see what happens in what’s already been a yearslong journey, it does solidify the fact that DOD has come to a consensus on a final rule and that CMMC is coming in the not-so-distant future.

CMMC is the Pentagon’s ambitious framework to more thoroughly assess and accredit any contractors that handle its controlled unclassified information (CUI) on their systems, ensuring they meet certain National Institute of Standards and Technology cybersecurity requirements included in NIST SP 800-171 and 800-172. After reforming the program in 2021, the Pentagon has been working on a final rule that will mandate those contractors that work with the department’s CUI be CMMC certified, or risk losing their business.

The post CMMC final rulemaking process kicks off with submission to OMB for review appeared first on DefenseScoop.

Pentagon looks to expand voluntary cyber information-sharing with contractors
https://defensescoop.com/2023/05/16/pentagon-looks-to-expand-voluntary-cyber-information-sharing-with-contractors/
Tue, 16 May 2023 20:14:03 +0000

Roughly 12,000 contractors are eligible to participate today. With the new rule, that number would expand to 80,000.

The Department of Defense earlier this month published a proposed rule change that would expand its voluntary Defense Industrial Base Cybersecurity Program — a key mechanism for the Pentagon and its industry partners to bidirectionally share cyber threat information and report incidents.

With the proposed rule change, the DOD’s Office of the Chief Information Officer hopes to expand eligibility beyond “cleared contractors” to allow thousands more vendors from the defense industrial base to participate in the voluntary program, which supplements the department’s mandatory cyber incident reporting requirements.

The Pentagon believes this is incredibly important as more threats are targeting weak points in the defense industrial base as vectors for larger cyberattacks on the DOD. Similarly, the department is also looking to shore up cybersecurity across the DIB through its Cybersecurity Maturity Model Certification (CMMC) program.

Currently, about 1,000 cleared contractors participate in the voluntary Defense Industrial Base Cybersecurity Program and share classified information bidirectionally with the Pentagon. Their participation also grants them “access to technical exchange meetings, a collaborative web platform (DIBNet-U), and threat products and services through the DoD Cyber Crime Center (DC3).”

Through ongoing engagement with private sector and academic partners, “the overwhelming feedback was for the Department to facilitate engagement with the broader community of defense contractors beyond just the cleared defense community,” the DOD wrote in its proposed rule, posted to the Federal Register on May 3.

“In general, smaller defense contractors have fewer resources to devote to cybersecurity, which may provide a vector for adversaries to access information critical to national security. In addition, the Department is working on providing more tailored threat information to support the needs of a broader community of defense contractors with varying cybersecurity capabilities. The gap in eligibility in the current program, feedback from interested but ineligible contractors, a vulnerable DoD supply chain, and a pervasive cyber threat have prompted DoD to propose revising the eligibility requirements of the DIB CS Program to allow participation by non-cleared defense contractors,” it added.

The DOD estimates that roughly 80,000 contractors are subject to its mandatory cyber incident reporting requirement under Defense Federal Acquisition Regulation Supplement clause 252.204-7012. Under the existing rule that allows only cleared contractors to participate, just 12,000 of that larger 80,000 are eligible.

With the rule change, all 80,000 would be eligible to participate and share controlled unclassified information; though based on past experience with cleared contractors, the DOD expects only about 10% of those to do so.

The Pentagon also has evidence to show there’s a demand for the expansion, claiming the “percentage of applications received from ineligible defense contractors has risen at an average rate of 5% per year since 2016,” up to 45% last year.

The costs for the rule change, the DOD says, would be minimal, while the benefits could be huge.

“This program benefits the Department by increasing awareness and improving assessments of cyber incidents that may affect mission critical capabilities and services,” the rule reads.

And for the expanded pool of industry participants, “this program provides valuable cyber threat information they cannot obtain from anywhere else and technical assistance through analyst-to-analyst exchanges, mitigation and remediation strategies, and cybersecurity best practices in a collaborative environment. The shared unclassified and classified cyber threat information is used to bolster a company’s cybersecurity posture and mitigate the growing cyber threat. The program’s tailored support for small, mid-size, and large companies with varying cybersecurity maturity levels is an asset for participants.”

The Pentagon will accept comments on the proposed change through June 20.

The post Pentagon looks to expand voluntary cyber information-sharing with contractors appeared first on DefenseScoop.
