(A) designating operationally critical contractors; and
(B) notifying a contractor that it has been designated as an operationally critical contractor.
(A) An assessment by the contractor of the effect of the cyber incident on the ability of the contractor to meet the contractual requirements of the Department.
(B) The technique or method used in such cyber incident.
(C) A sample of any malicious software, if discovered and isolated by the contractor, involved in such cyber incident.
(D) A summary of information compromised by such cyber incident.
(A) include mechanisms for Department personnel to, if requested, assist operationally critical contractors in detecting and mitigating penetrations; and
(B) provide that an operationally critical contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated.
(A) with missions that may be affected by such information;
(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(C) that conduct counterintelligence or law enforcement investigations; or
(D) for national security purposes, including cyber situational awareness and defense purposes.
(2)(A) Nothing in this section shall be construed—
(i) to require dismissal of a cause of action against an operationally critical contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (b); or
(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each operationally critical contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.
(C) In this subsection, the term "willful misconduct" means an act or omission that is taken—
(i) intentionally to achieve a wrongful purpose;
(ii) knowingly without legal or factual justification; and
(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.
(Added Pub. L. 113–291, div. A, title XVI, §1632(a), Dec. 19, 2014, 128 Stat. 3639; amended Pub. L. 114–92, div. A, title XVI, §1641(b), (c)(1), Nov. 25, 2015, 129 Stat. 1115, 1116.)
2015—Subsec. (a). Pub. L. 114–92, §1641(c)(1), substituted "and section 393 of this title" for "and with section 941 of the National Defense Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note)".
Subsecs. (d), (e). Pub. L. 114–92, §1641(b), added subsec. (d) and redesignated former subsec. (d) as (e).
Pub. L. 113–291, div. A, title XVI, §1632(b), Dec. 19, 2014, 128 Stat. 3640, provided that: "The Secretary shall establish the procedures required by subsection (b) of section 391 of title 10, United States Code, as added by subsection (a) of this section, not later than 90 days after the date of the enactment of this Act [Dec. 19, 2014]."
Pub. L. 113–291, div. A, title XVI, §1632(c), Dec. 19, 2014, 128 Stat. 3640, provided that:
"(A) requirements that were in effect on the day before the date of the enactment of this Act for contractors to share information with Department components regarding cyber incidents (as defined in subsection (d) of such section 391 [10 U.S.C. 391]) with respect to networks or information systems of contractors; and
"(B) Department policies and systems for sharing information on cyber incidents with respect to networks or information systems of Department contractors.
"(A) designate a Department component under subsection (a) of such section 391; and
"(B) issue or revise guidance applicable to Department components that ensures the rapid sharing by the component designated pursuant to such section 391 or section 941 of the National Defense Authorization Act for Fiscal Year 2013 [Pub. L. 112–239] (10 U.S.C. 2224 note) of information relating to cyber incidents with respect to networks or information systems of contractors with other appropriate Department components."