The Department of Defense has issued a final rule that seeks to firm up revisions to the eligibility criteria for the Defense Industrial Base Cybersecurity Program as part of efforts to improve program participation and enable defense contractors to benefit from bilateral information sharing.

The rule will take effect on April 11, according to a notice published Tuesday in the Federal Register.

The department solicited comments on the proposed rule in May 2023 and received four submissions.

One of the commenters suggested that DOD should launch a targeted marketing campaign to help small businesses explain the purpose of a medium assurance certificate, which is used to validate digital identity and facilitate the exchange of encrypted data.

DOD considered and moved to modify the requirement for industry to secure the certificate.

According to the rule, the department has proposed a revision that would require registration with the Procurement Integrated Enterprise Environment when filing mandatory cyber incident reports.

“This change will align the identity proofing processes used by DoD for the majority of DIB companies and will eliminate the cost associated with procuring medium assurance certificates,” the rule states.

The department will continue to accept medium assurance certificates to meet identity proofing requirements, according to the document.

For readability, DOD said it has finalized proposed changes to some definitions, including that of government-furnished information and DIB CS Program participants.

“With the revisions to the eligibility criteria, the Department will be able to reduce the impact of cyber threat activity on DIB networks and information systems and, in turn, preserve its technological advantage and protect DoD information and warfighting capabilities,” the rule reads.

Join the Potomac Officers Club’s 2024 Cyber Summit on June 6 and hear cyber experts, government and industry leaders discuss the latest trends and the dynamic role of cyber in the public sector. Register here.

The Cybersecurity and Infrastructure Security Agency’s Secure Cloud Business Applications project, a.k.a. SCuBA, has released new guidance to assist federal agencies in implementing cybersecurity capabilities as they migrate identity authentication from traditional on-premises enterprise networks  to the cloud.

The SCuBA Hybrid Identity Solutions Guidance aims to help agencies better understand identity management in a hybrid environment in which on-premises and cloud-based identity services are deployed as an agency’s primary identity system, CISA said Tuesday.

CISA outlined different approaches for incorporating cloud-based identity services for authentication and defined associated implementation and security considerations.

According to the document, agencies must plan to migrate to cloud-based, password-less authentication via their existing investments in public key infrastructure and personal identity verification or common access cards.

Agencies may also use the second version of the Fast Identity Online standardized authentication protocol or the Web Authentication standard.

CISA also recommends that agencies use modern authenticators and open standards-based protocols when transitioning to a cloud-primary authentication approach.