U.S.C. Title 10 - ARMED FORCES

Sec.

391.

Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors.

392.

Executive agents for cyber test and training ranges.

393.

Reporting on penetrations of networks and information systems of certain contractors.

394.

Authorities concerning military cyber operations.

395.

Notification requirements for sensitive military cyber operations.

396.

Notification requirements for cyber weapons.

Amendments

2018—Pub. L. 115–232, div. A, title XVI, §1631(c)(2), Aug. 13, 2018, 132 Stat. 2123, added items 394 to 396.

2015—Pub. L. 114–92, div. A, title X, §1081(a)(4), title XVI, §1641(c)(2), Nov. 25, 2015, 129 Stat. 1001, 1116, substituted "Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors" for "Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors" in item 391 and added item 393.

2014—Pub. L. 113–291, div. A, title XVI, §1633(d), Dec. 19, 2014, 128 Stat. 3643, added item 392.

§391. Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors

(a) Designation of Department Component to Receive Reports.—The Secretary of Defense shall designate a component of the Department of Defense to receive reports of cyber incidents from contractors in accordance with this section and section 393 of this title or from other governmental entities.

(b) Procedures for Reporting Cyber Incidents.—The Secretary of Defense shall establish procedures that require an operationally critical contractor to report in a timely manner to component designated under subsection (a) each time a cyber incident occurs with respect to a network or information system of such operationally critical contractor.

(1) Designation and notification.—The procedures established pursuant to subsection (a) shall include a process for—

(B) notifying a contractor that it has been designated as an operationally critical contractor.

(2) Rapid reporting.—The procedures established pursuant to subsection (a) shall require each operationally critical contractor to rapidly report to the component of the Department designated pursuant to subsection (d)(2)(A) on each cyber incident with respect to any network or information systems of such contractor. Each such report shall include the following:

(A) An assessment by the contractor of the effect of the cyber incident on the ability of the contractor to meet the contractual requirements of the Department.

(3) Department assistance and access to equipment and information by department personnel.—The procedures established pursuant to subsection (a) shall—

(A) include mechanisms for Department personnel to, if requested, assist operationally critical contractors in detecting and mitigating penetrations; and

(B) provide that an operationally critical contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated.

(4) Protection of trade secrets and other information.—The procedures established pursuant to subsection (a) shall provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.

(5) Dissemination of information.—The procedures established pursuant to subsection (a) shall limit the dissemination of information obtained or derived through the procedures to entities—

(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;

(D) for national security purposes, including cyber situational awareness and defense purposes.

(d) Protection From Liability of Operationally Critical Contractors.—(1) No cause of action shall lie or be maintained in any court against any operationally critical contractor, and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with procedures established pursuant to subsection (b).

(i) to require dismissal of a cause of action against an operationally critical contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (b); or

(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.

(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each operationally critical contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.

(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.

(1) Cyber incident.—The term "cyber incident" means actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.

(2) Operationally critical contractor.—The term "operationally critical contractor" means a contractor designated by the Secretary for purposes of this section as a critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.

(Added Pub. L. 113–291, div. A, title XVI, §1632(a), Dec. 19, 2014, 128 Stat. 3639; amended Pub. L. 114–92, div. A, title XVI, §1641(b), (c)(1), Nov. 25, 2015, 129 Stat. 1115, 1116.)

Amendments

2015—Subsec. (a). Pub. L. 114–92, §1641(c)(1), substituted "and section 393 of this title" for "and with section 941 of the National Defense Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note)".

Subsecs. (d), (e). Pub. L. 114–92, §1641(b), added subsec. (d) and redesignated former subsec. (d) as (e).

Issuance of Procedures

Pub. L. 113–291, div. A, title XVI, §1632(b), Dec. 19, 2014, 128 Stat. 3640, provided that: "The Secretary shall establish the procedures required by subsection (b) of section 391 of title 10, United States Code, as added by subsection (a) of this section, not later than 90 days after the date of the enactment of this Act [Dec. 19, 2014]."

Assessment of Department Policies

Pub. L. 113–291, div. A, title XVI, §1632(c), Dec. 19, 2014, 128 Stat. 3640, provided that:

"(1) In general.—Not later than 90 days after the date of the enactment of the Act [Dec. 19, 2014], the Secretary of Defense shall complete an assessment of—

"(A) requirements that were in effect on the day before the date of the enactment of this Act for contractors to share information with Department components regarding cyber incidents (as defined in subsection (d) [now (e)] of such section 391 [10 U.S.C. 391(e)]) with respect to networks or information systems of contractors; and

"(B) Department policies and systems for sharing information on cyber incidents with respect to networks or information systems of Department contractors.

"(2) Actions following assessment.—Upon completion of the assessment required by paragraph (1), the Secretary shall—

"(A) designate a Department component under subsection (a) of such section 391; and

"(B) issue or revise guidance applicable to Department components that ensures the rapid sharing by the component designated pursuant to such section 391 or section 941 of the National Defense Authorization Act for Fiscal Year 2013 [Pub. L. 112–239] (10 U.S.C. 2224 note) of information relating to cyber incidents with respect to networks or information systems of contractors with other appropriate Department components."

§392. Executive agents for cyber test and training ranges

(a) Executive Agent.—The Secretary of Defense, in consultation with the Principal Cyber Advisor, shall—

(1) designate a senior official from among the personnel of the Department of Defense to act as the executive agent for cyber and information technology test ranges; and

(2) designate a senior official from among the personnel of the Department of Defense to act as the executive agent for cyber and information technology training ranges.

(1) Establishment.—The Secretary of Defense shall prescribe the roles, responsibilities, and authorities of the executive agents designated under subsection (a). Such roles, responsibilities, and authorities shall include the development of a biennial integrated plan for cyber and information technology test and training resources.

(2) Biennial integrated plan.—The biennial integrated plan required under paragraph (1) shall include plans for the following:

(A) Developing and maintaining a comprehensive list of cyber and information technology ranges, test facilities, test beds, and other means of testing, training, and developing software, personnel, and tools for accommodating the mission of the Department. Such list shall include resources from both governmental and nongovernmental entities.

(B) Organizing and managing designated cyber and information technology test ranges, including—

(i) establishing the priorities for cyber and information technology ranges to meet Department objectives;

(ii) enforcing standards to meet requirements specified by the United States Cyber Command, the training community, and the research, development, testing, and evaluation community;

(iii) identifying and offering guidance on the opportunities for integration amongst the designated cyber and information technology ranges regarding test, training, and development functions;

(iv) finding opportunities for cost reduction, integration, and coordination improvements for the appropriate cyber and information technology ranges;

(v) adding or consolidating cyber and information technology ranges in the future to better meet the evolving needs of the cyber strategy and resource requirements of the Department;

(vi) finding opportunities to continuously enhance the quality and technical expertise of the cyber and information technology test workforce through training and personnel policies; and

(vii) coordinating with interagency and industry partners on cyber and information technology range issues.

(i) may add or consolidate cyber and information technology ranges in the future to better meet the evolving needs of the cyber strategy and resource requirements of the Department;

(ii) coordinates with interagency and industry partners on cyber and information technology range issues;

(iii) allows for integrated closed loop testing in a secure environment of cyber and electronic warfare capabilities;

(iv) supports science and technology development, experimentation, testing and training; and

(v) provides for interconnection with other existing cyber ranges and other kinetic range facilities in a distributed manner.

(E) Performing such other assessments or analyses as the Secretary considers appropriate.

(3) Standard for cyber event data.—The executive agents designated under subsection (a), in consultation with the Chief Information Officer of the Department of Defense, shall jointly select a standard language from open-source candidates for representing and communicating cyber event and threat data. Such language shall be machine-readable for the Joint Information Environment and associated test and training ranges.

(c) Support Within Department of Defense.—The Secretary of Defense shall ensure that the military departments, Defense Agencies, and other components of the Department of Defense provide the executive agents designated under subsection (a) with the appropriate support and resources needed to perform the roles, responsibilities, and authorities of the executive agents.

(d) Compliance With Existing Directive.—The Secretary shall carry out this section in compliance with Directive 5101.1.

(1) The term "designated cyber and information technology range" includes the National Cyber Range, the Joint Information Operations Range, the Defense Information Assurance Range, and the C4 Assessments Division of J6 of the Joint Staff.

(2) The term "Directive 5101.1" means Department of Defense Directive 5101.1, or any successor directive relating to the responsibilities of an executive agent of the Department of Defense.

(3) The term "executive agent" has the meaning given the term "DoD Executive Agent" in Directive 5101.1.

(Added Pub. L. 113–291, div. A, title XVI, §1633(a), Dec. 19, 2014, 128 Stat. 3641.)

Designation and Roles and Responsibilities; Selection of Standard Language

Pub. L. 113–291, div. A, title XVI, §1633(b), (c), Dec. 19, 2014, 128 Stat. 3642, provided that:

"(b) Designation and Roles and Responsibilities.—The Secretary of Defense shall—

"(1) not later than 120 days after the date of the enactment of this Act [Dec. 19, 2014], designate the executive agents required under subsection (a) of section 392 of title 10, United States Code, as added by subsection (a) of this section; and

"(2) not later than one year after the date of the enactment of this Act, prescribe the roles, responsibilities, and authorities required under subsection (b) of such section 392.

"(c) Selection of Standard Language.—Not later than June 1, 2015, the executive agents designated under subsection (a) of section 392 of title 10, United States Code, as added by subsection (a) of this section, shall select the standard language under subsection (b)(3) of such section 392."

§393. Reporting on penetrations of networks and information systems of certain contractors

(a) Procedures for Reporting Penetrations.—The Secretary of Defense shall establish procedures that require each cleared defense contractor to report to a component of the Department of Defense designated by the Secretary for purposes of such procedures when a network or information system of such contractor that meets the criteria established pursuant to subsection (b) is successfully penetrated.

(1) Criteria.—The Secretary of Defense shall designate a senior official to, in consultation with the officials specified in paragraph (2), establish criteria for covered networks to be subject to the procedures for reporting system penetrations under subsection (a).

(1) Rapid reporting.—The procedures established pursuant to subsection (a) shall require each cleared defense contractor to rapidly report to a component of the Department of Defense designated pursuant to subsection (a) of each successful penetration of the network or information systems of such contractor that meet the criteria established pursuant to subsection (b). Each such report shall include the following:

(B) A sample of the malicious software, if discovered and isolated by the contractor, involved in such penetration.

(C) A summary of information created by or for the Department in connection with any Department program that has been potentially compromised due to such penetration.

(2) Access to equipment and information by department of defense personnel.—The procedures established pursuant to subsection (a) shall—

(A) include mechanisms for Department of Defense personnel to, upon request, obtain access to equipment or information of a cleared defense contractor necessary to conduct forensic analysis in addition to any analysis conducted by such contractor;

(B) provide that a cleared defense contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated; and

(C) provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.

(3) Dissemination of information.—The procedures established pursuant to subsection (a) shall limit the dissemination of information obtained or derived through such procedures to entities—

(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;

(D) for national security purposes, including cyber situational awareness and defense purposes.

(d) Protection From Liability of Cleared Defense Contractors.—(1) No cause of action shall lie or be maintained in any court against any cleared defense contractor, and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with the procedures established pursuant to subsection (a).

(i) to require dismissal of a cause of action against a cleared defense contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (a); or

(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.

(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each cleared defense contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.

(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.

(1) Cleared defense contractor.—The term "cleared defense contractor" means a private entity granted clearance by the Department of Defense to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any program of the Department of Defense.

(2) Covered network.—The term "covered network" means a network or information system of a cleared defense contractor that contains or processes information created by or for the Department of Defense with respect to which such contractor is required to apply enhanced protection.

(Added and amended Pub. L. 114–92, div. A, title XVI, §1641(a), Nov. 25, 2015, 129 Stat. 1114.)

Codification

Section, as added and amended by Pub. L. 114–92, is based on Pub. L. 112–239, div. A, title IX, §941, Jan. 2, 2013, 126 Stat. 1889, which was formerly set out as a note under section 2224 of this title before being transferred to this chapter and renumbered as this section.

Amendments

2015—Pub. L. 114–92, §1641(a)(1), substituted "Reporting on penetrations of networks and information systems of certain contractors" for "Reports to Department of Defense on penetrations of networks and information systems of certain contractors" in section catchline.

Pub. L. 114–92, §1641(a), transferred section 941 of Pub. L. 112–239 to this chapter and renumbered it as this section. See Codification note above.

Subsec. (c)(3). Pub. L. 114–92, §1641(a)(2), added par. (3) and struck out former par. (3). Prior to amendment, text read as follows: "The procedures established pursuant to subsection (a) shall prohibit the dissemination outside the Department of Defense of information obtained or derived through such procedures that is not created by or for the Department except with the approval of the contractor providing such information."

Subsec. (d). Pub. L. 114–92, §1641(a)(3), added subsec. (d) and struck out former subsec. (d). Prior to amendment, text read as follows:

"(1) In general.—Not later than 90 days after the date of the enactment of this Act—

"(A) the Secretary of Defense shall establish the procedures required under subsection (a); and

"(B) the senior official designated under subsection (b)(1) shall establish the criteria required under such subsection.

"(2) Applicability date.—The requirements of this section shall apply on the date on which the Secretary of Defense establishes the procedures required under this section."

§394. Authorities concerning military cyber operations

(a) In General.—The Secretary of Defense shall develop, prepare, and coordinate; make ready all armed forces for purposes of; and, when appropriately authorized to do so, conduct, military cyber activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to defend the United States and its allies, including in response to malicious cyber activity carried out against the United States or a United States person by a foreign power.

(b) Affirmation of Authority.—Congress affirms that the activities or operations referred to in subsection (a), when appropriately authorized, include the conduct of military activities or operations in cyberspace short of hostilities (as such term is used in the War Powers Resolution (Public Law 93–148; 50 U.S.C. 1541 et seq.)) or in areas in which hostilities are not occurring, including for the purpose of preparation of the environment, information operations, force protection, and deterrence of hostilities, or counterterrorism operations involving the Armed Forces of the United States.

(c) Clandestine Activities or Operations.—A clandestine military activity or operation in cyberspace shall be considered a traditional military activity for the purposes of section 503(e)(2) of the National Security Act of 1947 (50 U.S.C. 3093(e)(2)).

(d) Congressional Oversight.—The Secretary shall brief the congressional defense committees about any military activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, occurring during the previous quarter during the quarterly briefing required by section 484 of this title.

(e) Rule of Construction.—Nothing in this section may be construed to limit the authority of the Secretary to conduct military activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to authorize specific military activities or operations, or to alter or otherwise affect the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note), or reporting of sensitive military cyber activities or operations required by section 395 of this title.

(1) The term "clandestine military activity or operation in cyberspace" means a military activity or military operation carried out in cyberspace, or associated preparatory actions, authorized by the President or the Secretary that—

(A) is marked by, held in, or conducted with secrecy, where the intent is that the activity or operation will not be apparent or acknowledged publicly; and

(i) as part of a military operation plan approved by the President or the Secretary in anticipation of hostilities or as directed by the President or the Secretary;

(ii) to deter, safeguard, or defend against attacks or malicious cyber activities against the United States or Department of Defense information, networks, systems, installations, facilities, or other assets; or

(2) The term "foreign power" has the meaning given such term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

(3) The term "United States person" has the meaning given such term in such section.

(Added Pub. L. 114–92, div. A, title XVI, §1642(a), Nov. 25, 2015, 129 Stat. 1116, §130g; renumbered §394 and amended Pub. L. 115–232, div. A, title XVI, §§1631(a), 1632, Aug. 13, 2018, 132 Stat. 2123.)

References in Text

The War Powers Resolution, referred to in subsecs. (b) and (e), is Pub. L. 93–148, Nov. 7, 1973, 87 Stat. 555, which is classified generally to chapter 33 (§1541 et seq.) of Title 50, War and National Defense. For complete classification of this Resolution to the Code, see Short Title note set out under section 1541 of Title 50 and Tables.

The Authorization for Use of Military Force, referred to in subsec. (e), is Pub. L. 107–40, Sept. 18, 2001, 115 Stat. 224, which is set out as a note under section 1541 of Title 50, War and National Defense.

Amendments

2018—Pub. L. 115–232, §1632, designated existing provisions as subsec. (a), inserted heading, substituted "conduct, military cyber activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to defend the United States and its allies, including in response" for "conduct, a military cyber operation in response", struck out "(as such terms are defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801))" after "foreign power", and added subsecs. (b) to (f).

Pub. L. 115–232, §1631(a), renumbered section 130g of this title as this section.

Policy of the United States on Cyberspace, Cybersecurity, Cyber Warfare, and Cyber Deterrence

Pub. L. 115–232, div. A, title XVI, §1636, Aug. 13, 2018, 132 Stat. 2126, provided that:

"(a) In General.—It shall be the policy of the United States, with respect to matters pertaining to cyberspace, cybersecurity, and cyber warfare, that the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond to when necessary, all cyber attacks or other malicious cyber activities of foreign powers that target United States interests with the intent to—

"(1) cause casualties among United States persons or persons of United States allies;

"(2) significantly disrupt the normal functioning of United States democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government);

"(3) threaten the command and control of the Armed Forces, the freedom of maneuver of the Armed Forces, or the industrial base or other infrastructure on which the United States Armed Forces rely to defend United States interests and commitments; or

"(4) achieve an effect, whether individually or in aggregate, comparable to an armed attack or imperil a vital interest of the United States.

"(b) Response Options.—In carrying out the policy set forth in subsection (a), the United States shall plan, develop, and, when appropriate, demonstrate response options to address the full range of potential cyber attacks on United States interests that could be conducted by potential adversaries of the United States.

"(c) Denial Options.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall, to the greatest extent practicable, prioritize the defensibility and resiliency against cyber attacks and malicious cyber activities described in subsection (a) of infrastructure critical to the political integrity, economic security, and national security of the United States.

"(d) Cost-imposition Options.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall develop and, when appropriate, demonstrate, or otherwise make known to adversaries the existence of, cyber capabilities to impose costs on any foreign power targeting the United States or United States persons with a cyber attack or malicious cyber activity described in subsection (a).

"(e) Multi-prong Response.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall leverage all instruments of national power.

"(1) In general.—Not later than 180 days after the date of the enactment of this Act [Aug. 13, 2018], the President shall transmit, in unclassified and classified forms, as appropriate, to the appropriate congressional committees a report containing an update to the report provided to the Congress on the policy of the United States on cyberspace, cybersecurity, and cyber warfare pursuant to section 1633 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 10 U.S.C. 130g note) [now 10 U.S.C. 394 note].

"(2) Contents.—The report required under paragraph (1) shall include the following:

"(A) An assessment of the current posture in cyberspace, including assessments of—

"(i) whether past responses to major cyber attacks have had the desired deterrent effect; and

"(ii) varying levels of cyber incursion and steps taken to date to prepare for the imposition of the consequences referred to in clause (i); and

"(C) Information relating to the Administration's plans, including specific planned actions, regulations, and legislative action required, for—

"(i) advancing technologies in attribution, inherently secure technology, and artificial intelligence society-wide;

"(iv) implementing the policy referred to in paragraph (1), including any realignment of government or government responsibilities required, writ large.

"(f) [probably should be "(g)"] Rule of Construction.—Nothing in this subsection may be construed to limit the authority of the President or Congress to authorize the use of military force.

"(1) Appropriate congressional committees.—The term 'appropriate congressional committees' means—

"(A) the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives];

"(B) the Permanent Select Committee on Intelligence of the House of Representatives;

"(D) the Committee on Foreign Affairs, the Committee on Homeland Security, and the Committee on the Judiciary of the House of Representatives; and

"(E) the Committee on Foreign Relations, the Committee on Homeland Security and Governmental Affairs, and the Committee on the Judiciary of the Senate.

"(2) Foreign power.—The term 'foreign power' has the meaning given such term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801)."

Pub. L. 115–91, div. A, title XVI, §1633, Dec. 12, 2017, 131 Stat. 1738, provided that:

"(1) develop a national policy for the United States relating to cyberspace, cybersecurity, and cyber warfare; and

"(b) Elements.—The national policy required under subsection (a) shall include the following elements:

"(1) Delineation of the instruments of national power available to deter or respond to cyber attacks or other malicious cyber activities by a foreign power or actor that targets United States interests.

"(2) Available or planned response options to address the full range of potential cyber attacks on United States interests that could be conducted by potential adversaries of the United States.

"(3) Available or planned denial options that prioritize the defensibility and resiliency against cyber attacks and malicious cyber activities that are carried out against infrastructure critical to the political integrity, economic security, and national security of the United States.

"(4) Available or planned cyber capabilities that may be used to impose costs on any foreign power targeting the United States or United States persons with a cyber attack or malicious cyber activity.

"(A) boosting the cyber resilience of critical United States strike systems (including cyber, nuclear, and non-nuclear systems) in order to ensure the United States can credibly threaten to impose unacceptable costs in response to even the most sophisticated large-scale cyber attack;

"(B) developing offensive cyber capabilities and specific plans and strategies to put at risk targets most valued by adversaries of the United States and their key decision makers; and

"(C) enhancing attribution capabilities and developing intelligence and offensive cyber capabilities to detect, disrupt, and potentially expose malicious cyber activities.

"(1) In general.—Of the funds authorized to be appropriated by this Act [see Tables for classification] or otherwise made available for fiscal year 2018 for procurement, research, development, test and evaluation, and operations and maintenance, for the covered activities of the Defense Information Systems Agency, not more than 60 percent may be obligated or expended until the date on which the President submits to the appropriate congressional committees the report under subsection (a)(2).

"(2) Covered activities described.—The covered activities referred to in paragraph (1) are the activities of the Defense Information Systems Agency in support of—

"(1) The term 'foreign power' has the meaning given that term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

"(A) the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives];

"(B) the Committee on Foreign Affairs, the Committee on Homeland Security, and the Committee on the Judiciary of the House of Representatives; and

"(C) the Committee on Foreign Relations, the Committee on Homeland Security and Governmental Affairs, and the Committee on the Judiciary of the Senate."

Active Defense Against the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, and Islamic Republic of Iran Attacks in Cyberspace

Pub. L. 115–232, div. A, title XVI, §1642, Aug. 13, 2018, 132 Stat. 2132, provided that:

"(1) In general.—In the event that the National Command Authority determines that the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, or Islamic Republic of Iran is conducting an active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace, including attempting to influence American elections and democratic political processes, the National Command Authority may authorize the Secretary of Defense, acting through the Commander of the United States Cyber Command, to take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter such attacks under the authority and policy of the Secretary of Defense to conduct cyber operations and information operations as traditional military activities.

"(A) Notification of operations.—In exercising the authority provided in paragraph (1), the Secretary shall provide notices to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] in accordance with section 395 of title 10, United States Code (as transferred and redesignated pursuant to section 1631).

"(i) In general.—In any fiscal year in which the Commander of the United States Cyber Command carries out an action under paragraph (1), the Secretary of Defense shall, not less frequently than quarterly, submit to the congressional defense committees a report on the actions of the Commander under such paragraph in such fiscal year.

"(ii) Manner of reporting.—Reports submitted under clause (i) shall be submitted in a manner that is consistent with the recurring quarterly report required by section 484 of title 10, United States Code.

"(b) Private Sector Cooperation.—The Secretary may make arrangements with private sector entities, on a voluntary basis, to share threat information related to malicious cyber actors, and any associated false online personas or compromised infrastructure, associated with a determination under subsection (a)(1), consistent with the protection of sources and methods and classification guidelines, as necessary.

"(c) Annual Report.—Not less frequently than once each year, the Secretary shall submit to the congressional defense committees, the congressional intelligence committees (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)), the Committee on Foreign Affairs of the House of Representatives, and the Committee on Foreign Relations of the Senate a report on—

"(1) the scope and intensity of the information operations and attacks through cyberspace by the countries specified in subsection (a)(1) against the government or people of the United States observed by the cyber mission forces of the United States Cyber Command and the National Security Agency; and

"(2) adjustments of the Department of Defense in the response directed or recommended by the Secretary with respect to such operations and attacks.

"(1) limit the authority of the Secretary to conduct military activities or operations in cyberspace, including clandestine activities or operations in cyberspace; or

"(2) affect the War Powers Resolution (Public Law 93–148; 50 U.S.C. 1541 et seq.) or the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note)."

Pilot Program To Model Cyber Attacks on Critical Infrastructure

Pub. L. 115–232, div. A, title XVI, §1649, Aug. 13, 2018, 132 Stat. 2137, provided that:

"(1) In general.—The Assistant Secretary of Defense for Homeland Defense and Global Security shall carry out a pilot program to model cyber attacks on critical infrastructure in order to identify and develop means of improving Department of Defense responses to requests for defense support to civil authorities for such attacks.

"(2) Research exercises.—The pilot program shall source data from and include consideration of the 'Jack Voltaic' research exercises conducted by the Army Cyber Institute, industry partners of the Institute, and the cities of New York, New York, and Houston, Texas.

"(b) Purpose.—The purpose of the pilot program shall be to accomplish the following:

"(1) The development and demonstration of risk analysis methodologies, and the application of commercial simulation and modeling capabilities, based on artificial intelligence and hyperscale cloud computing technologies, as applicable—

"(A) to assess defense critical infrastructure vulnerabilities and interdependencies to improve military resiliency;

"(B) to determine the likely effectiveness of attacks described in subsection (a)(1), and countermeasures, tactics, and tools supporting responsive military homeland defense operations;

"(E) to foster collaboration and learning between and among departments and agencies of the Federal Government, State and local governments, and private entities responsible for critical infrastructure; and

"(F) improve intra-agency and inter-agency coordination for consideration and approval of requests for defense support to civil authorities.

"(2) The development and demonstration of the foundations for establishing and maintaining a program of record for a shared high-fidelity, interactive, affordable, cloud-based modeling and simulation of critical infrastructure systems and incident response capabilities that can simulate complex cyber and physical attacks and disruptions on individual and multiple sectors on national, regional, State, and local scales.

"(1) In general.—At the same time the budget of the President for fiscal year 2021 is submitted to Congress pursuant to section 1105(a) of title 31, United States Code, the Assistant Secretary shall, in consultation with the Secretary of Homeland Security, submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the pilot program.

"(2) Contents.—The report required by paragraph (1) shall include the following:

"(A) A description of the results of the pilot program as of the date of the report.

"(B) A description of the risk analysis methodologies and modeling and simulation capabilities developed and demonstrated pursuant to the pilot program, and an assessment of the potential for future growth of commercial technology in support of the homeland defense mission of the Department of Defense.

"(C) Such recommendations as the Secretary considers appropriate regarding the establishment of a program of record for the Department on further development and sustainment of risk analysis methodologies and advanced, large-scale modeling and simulation on critical infrastructure and cyber warfare.

"(D) Lessons learned from the use of novel risk analysis methodologies and large-scale modeling and simulation carried out under the pilot program regarding vulnerabilities, required capabilities, and reconfigured force structure, coordination practices, and policy.

Identification of Countries of Concern Regarding Cybersecurity

Pub. L. 115–232, div. A, title XVI, §1654, Aug. 13, 2018, 132 Stat. 2148, provided that:

"(a) Identification of Countries of Concern.—Not later than 180 days after the date of the enactment of this Act [Aug. 13, 2018], the Secretary of Defense shall create a list of countries that pose a risk to the cybersecurity of United States defense and national security systems and infrastructure. Such list shall reflect the level of threat posed by each country included on such list. In creating such list, the Secretary shall take in to account the following:

"(1) A foreign government's activities that pose force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.

"(2) A foreign government's willingness and record of providing financing, logistics, training or intelligence to other persons, countries or entities posing a force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.

"(3) A foreign government's engagement in foreign intelligence activities against the United States for the purpose of undermining United States national security.

"(4) A foreign government's knowing participation in transnational organized crime or criminal activity.

"(5) A foreign government's cyber activities and operations to affect the supply chain of the United States Government.

"(6) A foreign government's use of cyber means to unlawfully or inappropriately obtain intellectual property from the United States Government or United States persons.

"(b) Updates.—The Secretary shall continuously update and maintain the list under subsection (a) to preempt obsolescence.

"(c) Report to Congress.—Not later than one year after the date of the enactment of this Act, the Secretary shall submit to the appropriate committees of Congress the list created pursuant to subsection (a) and any accompanying analysis that contributed to the creation of the list."

§395. Notification requirements for sensitive military cyber operations

(a) In General.—Except as provided in subsection (d), the Secretary of Defense shall promptly submit to the congressional defense committees notice in writing of any sensitive military cyber operation conducted under this title no later than 48 hours following such operation.

(b) Procedures.—(1) The Secretary of Defense shall establish and submit to the congressional defense committees procedures for complying with the requirements of subsection (a) consistent with the national security of the United States and the protection of operational integrity. The Secretary shall promptly notify the congressional defense committees in writing of any changes to such procedures at least 14 days prior to the adoption of any such changes.

(2) The congressional defense committees shall ensure that committee procedures designed to protect from unauthorized disclosure classified information relating to national security of the United States are sufficient to protect the information that is submitted to the committees pursuant to this section.

(3) In the event of an unauthorized disclosure of a sensitive military cyber operation covered by this section, the Secretary shall ensure, to the maximum extent practicable, that the congressional defense committees are notified immediately of the sensitive military cyber operation concerned. The notification under this paragraph may be verbal or written, but in the event of a verbal notification a written notification shall be provided by not later than 48 hours after the provision of the verbal notification.

(c) Sensitive Military Cyber Operation Defined.—(1) In this section, the term "sensitive military cyber operation" means an action described in paragraph (2) that—

(i) where the armed forces of the United States are involved in hostilities (as that term is used in section 1543 of title 50, United States Code); or

(B) A defensive cyber operation outside the Department of Defense Information Networks to defeat an ongoing or imminent threat.

(d) Exceptions.—The notification requirement under subsection (a) does not apply—

(1) to a training exercise conducted with the consent of all nations where the intended effects of the exercise will occur; or

(2) to a covert action (as that term is defined in section 503 of the National Security Act of 1947 (50 U.S.C. 3093)).

(e) Rule of Construction.—Nothing in this section shall be construed to provide any new authority or to alter or otherwise affect the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note), or any requirement under the National Security Act of 1947 (50 U.S.C. 3001 et seq.).

(Added Pub. L. 115–91, div. A, title XVI, §1631(a), Dec. 12, 2017, 131 Stat. 1736, §130j; renumbered §395 and amended Pub. L. 115–232, div. A, title X, §1081(a)(1), title XVI, §1631(a), Aug. 13, 2018, 132 Stat. 1983, 2123.)

References in Text

The War Powers Resolution, referred to in subsec. (e), is Pub. L. 93–148, Nov. 7, 1973, 87 Stat. 555, which is classified generally to chapter 33 (§1541 et seq.) of Title 50, War and National Defense. For complete classification of this Resolution to the Code, see Short Title note set out under section 1541 of Title 50 and Tables.

The National Security Act of 1947, referred to in subsec. (e), is act July 26, 1947, ch. 343, 61 Stat. 495, which is classified principally to chapter 44 (§3001 et seq.) of Title 50, War and National Defense. For complete classification of this Act to the Code, see Tables.

Amendments

2018—Pub. L. 115–232, §1631(a), renumbered section 130j of this title as this section.

Subsec. (d)(2). Pub. L. 115–232, §1081(a)(1), substituted "section 503 of the National Security Act of 1947 (50 U.S.C. 3093)" for "section 3093 of title 50, United States Code".

§396. Notification requirements for cyber weapons

(a) In General.—Except as provided in subsection (c), the Secretary of Defense shall promptly submit to the congressional defense committees notice in writing of the following:

(1) With respect to a cyber capability that is intended for use as a weapon, on a quarterly basis, the aggregated results of all reviews of the capability for legality under international law pursuant to Department of Defense Directive 5000.01 carried out by any military department concerned.

(2) The use as a weapon of any cyber capability that has been approved for such use under international law by a military department no later than 48 hours following such use.

(3) In the event of an unauthorized disclosure of a cyber capability covered by this section, the Secretary shall ensure, to the maximum extent practicable, that the congressional defense committees are notified immediately of the cyber capability concerned. The notification under this paragraph may be verbal or written, but in the event of a verbal notification a written notification shall be provided by not later than 48 hours after the provision of the verbal notification.

(1) to a training exercise conducted with the consent of all nations where the intended effects of the exercise will occur; or

(2) to a covert action (as that term is defined in section 503 of the National Security Act of 1947 (50 U.S.C. 3093)).

(d) Rule of Construction.—Nothing in this section shall be construed to provide any new authority or to alter or otherwise affect the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note), or any requirement under the National Security Act of 1947 (50 U.S.C. 3001 et seq.).

(Added Pub. L. 115–91, div. A, title XVI, §1631(a), Dec. 12, 2017, 131 Stat. 1737, §130k; renumbered §396 and amended Pub. L. 115–232, div. A, title X, §1081(a)(1), title XVI, §1631(a), Aug. 13, 2018, 132 Stat. 1983, 2123.)

References in Text

The War Powers Resolution, referred to in subsec. (d), is Pub. L. 93–148, Nov. 7, 1973, 87 Stat. 555, which is classified generally to chapter 33 (§1541 et seq.) of Title 50, War and National Defense. For complete classification of this Resolution to the Code, see Short Title note set out under section 1541 of Title 50 and Tables.

The Authorization for Use of Military Force, referred to in subsec. (d), is Pub. L. 107–40, Sept. 18, 2001, 115 Stat. 224, which is set out as a note under section 1541 of Title 50, War and National Defense.

The National Security Act of 1947, referred to in subsec. (d), is act July 26, 1947, ch. 343, 61 Stat. 495, which is classified principally to chapter 44 (§3001 et seq.) of Title 50, War and National Defense. For complete classification of this Act to the Code, see Tables.

Amendments

2018—Pub. L. 115–232, §1631(a), renumbered section 130k of this title as this section.

Subsec. (c)(2). Pub. L. 115–232, §1081(a)(1), substituted "section 503 of the National Security Act of 1947 (50 U.S.C. 3093)" for "section 3093 of title 50, United States Code".

CHAPTER 19—CYBER MATTERS

Amendments

§391. Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors

Amendments

Issuance of Procedures

Assessment of Department Policies

§392. Executive agents for cyber test and training ranges

Designation and Roles and Responsibilities; Selection of Standard Language

§393. Reporting on penetrations of networks and information systems of certain contractors

Codification

Amendments

§394. Authorities concerning military cyber operations

References in Text

Amendments

Policy of the United States on Cyberspace, Cybersecurity, Cyber Warfare, and Cyber Deterrence

Active Defense Against the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, and Islamic Republic of Iran Attacks in Cyberspace

Pilot Program To Model Cyber Attacks on Critical Infrastructure

Identification of Countries of Concern Regarding Cybersecurity

§395. Notification requirements for sensitive military cyber operations

References in Text

Amendments

§396. Notification requirements for cyber weapons

References in Text

Amendments