(A) designating operationally critical contractors; and
(B) notifying a contractor that it has been designated as an operationally critical contractor.
(A) An assessment by the contractor of the effect of the cyber incident on the ability of the contractor to meet the contractual requirements of the Department.
(B) The technique or method used in such cyber incident.
(C) A sample of any malicious software, if discovered and isolated by the contractor, involved in such cyber incident.
(D) A summary of information compromised by such cyber incident.
(A) include mechanisms for Department personnel to, if requested, assist operationally critical contractors in detecting and mitigating penetrations; and
(B) provide that an operationally critical contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated.
(A) with missions that may be affected by such information;
(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(C) that conduct counterintelligence or law enforcement investigations; or
(D) for national security purposes, including cyber situational awareness and defense purposes.
(2)(A) Nothing in this section shall be construed—
(i) to require dismissal of a cause of action against an operationally critical contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (b); or
(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each operationally critical contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.
(C) In this subsection, the term "willful misconduct" means an act or omission that is taken—
(i) intentionally to achieve a wrongful purpose;
(ii) knowingly without legal or factual justification; and
(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.
(Added Pub. L. 113–291, div. A, title XVI, §1632(a), Dec. 19, 2014, 128 Stat. 3639; amended Pub. L. 114–92, div. A, title XVI, §1641(b), (c)(1), Nov. 25, 2015, 129 Stat. 1115, 1116.)
2015—Subsec. (a). Pub. L. 114–92, §1641(c)(1), substituted "and section 393 of this title" for "and with section 941 of the National Defense Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note)".
Subsecs. (d), (e). Pub. L. 114–92, §1641(b), added subsec. (d) and redesignated former subsec. (d) as (e).
Pub. L. 116–92, div. A, title IX, §905, Dec. 20, 2019, 133 Stat. 1557, provided that:
"(A) The Senior Military Advisor for Cyber Policy to the Under Secretary of Defense for Policy.
"(B) The Deputy Principal Cyber Advisor to the Secretary of Defense.
"(A) The Under Secretary with respect to Senior Military Advisor for Cyber Policy duties.
"(B) The Principal Cyber Advisor with respect to Deputy Principal Cyber Advisor duties.
"(A) To serve as the principal uniformed military advisor on military cyber forces and activities to the Under Secretary of Defense for Policy.
"(B) To assess and advise the Under Secretary on aspects of policy relating to military cyberspace operations, resources, personnel, cyber force readiness, cyber workforce development, and defense of Department of Defense networks.
"(C) To advocate, in consultation with the Joint Staff, and senior officers of the Armed Forces and the combatant commands, for consideration of military issues within the Office of the Under Secretary of Defense for Policy, including coordination and synchronization of Department cyber forces and activities.
"(D) To maintain open lines of communication between the Chief Information Officer of the Department of Defense, senior civilian leaders within the Office of the Under Secretary, and senior officers on the Joint Staff, the Armed Forces, and the combatant commands on cyber matters, and to ensure that military leaders are informed on cyber policy decisions.
"(A) To synchronize, coordinate, and oversee implementation of the Cyber Strategy of the Department of Defense and other relevant policy and planning.
"(B) To advise the Secretary of Defense on cyber programs, projects, and activities of the Department, including with respect to policy, training, resources, personnel, manpower, and acquisitions and technology.
"(C) To oversee implementation of Department policy and operational directives on cyber programs, projects, and activities, including with respect to resources, personnel, manpower, and acquisitions and technology.
"(D) To assist in the overall supervision of Department cyber activities relating to offensive missions.
"(E) To assist in the overall supervision of Department defensive cyber operations, including activities of component-level cybersecurity service providers and the integration of such activities with activities of the Cyber Mission Force.
"(F) To advise senior leadership of the Department on, and advocate for, investment in capabilities to execute Department missions in and through cyberspace.
"(G) To identify shortfalls in capabilities to conduct Department missions in and through cyberspace, and make recommendations on addressing such shortfalls in the Program Budget Review process.
"(H) To coordinate and consult with stakeholders in the cyberspace domain across the Department in order to identify other issues on cyberspace for the attention of senior leadership of the Department.
"(I) On behalf of the Principal Cyber Advisor, to lead the cross-functional team established pursuant to 932(c)(3) of the National Defense Authorization Act for Fiscal Year 2014 [Pub. L. 113–66] (10 U.S.C. 2224 note) in order to synchronize and coordinate military and civilian cyber forces and activities of the Department."
Pub. L. 116–92, div. A, title XVI, §1657, Dec. 20, 2019, 133 Stat. 1767, provided that:
"(A) be a senior civilian leadership position, filled by a senior member of the Senior Executive Service, not lower than the equivalent of a 3-star general officer, or by exception a comparable military officer with extensive cyber experience;
"(B) exclusively occupy the Principal Cyber Advisor position and not assume any other position or responsibility in the relevant military department;
"(C) be independent of the relevant service's chief information officer; and
"(D) report directly to and advise the secretary of the relevant military department and advise the relevant service's senior uniformed officer.
"(1) The recruitment, resourcing, and training of military cyberspace operations forces, assessment of these forces against standardized readiness metrics, and maintenance of these forces at standardized readiness levels.
"(2) Acquisition of offensive, defensive, and Department of Defense Information Networks cyber capabilities for military cyberspace operations.
"(3) Cybersecurity management and operations.
"(4) Acquisition of cybersecurity tools and capabilities, including those used by cybersecurity service providers.
"(5) Evaluating, improving, and enforcing a culture of cybersecurity warfighting and accountability for cybersecurity and cyberspace operations.
"(6) Cybersecurity and related supply chain risk management of the industrial base.
"(7) Cybersecurity of Department of Defense information systems, information technology services, and weapon systems, including the incorporation of cybersecurity threat information as part of secure development processes, cybersecurity testing, and the mitigation of cybersecurity risks.
"(1) Service chief information officers.
"(2) Service cyber component commanders.
"(3) Principal Cyber Advisor to the Secretary of Defense.
"(4) Department of Defense Chief Information Officer.
"(5) Defense Digital Service.
"(A) An assessment of whether additional changes beyond the appointment of a Principal Cyber Advisor pursuant to subsection (a) are required.
"(B) Consideration of whether the current governance structure and assignment of authorities—
"(i) enable effective governance;
"(ii) enable effective Chief Information Officer and Chief Information Security Officer action;
"(iii) are adequately consolidated so that the authority and responsibility for cybersecurity risk management are clear and at an appropriate level of seniority;
"(iv) provide authority to a single individual to certify compliance of Department of Defense information systems and information technology services with all current cybersecurity standards; and
"(v) support efficient coordination across the military services, the Office of the Secretary of Defense, the Defense Information Systems Agency, and United States Cyber Command.
Pub. L. 116–92, div. A, title XVI, §1659, Dec. 20, 2019, 133 Stat. 1770, provided that:
"(1) To provide the Secretary a formal mechanism to communicate with consortium or consortia members regarding the Department of Defense's cybersecurity strategic plans, cybersecurity requirements, and priorities for basic and applied cybersecurity research.
"(2) To advise the Secretary on the needs of academic institutions related to cybersecurity and research conducted on behalf of the Department and provide feedback to the Secretary from members of the consortium or consortia.
"(3) To serve as a focal point or focal points for the Secretary and the Department for the academic community on matters related to cybersecurity, cybersecurity research, conceptual and academic developments in cybersecurity, and opportunities for closer collaboration between academia and the Department.
"(4) To provide to the Secretary access to the expertise of the institutions of the consortium or consortia on matters relating to cybersecurity.
"(5) To align the efforts of such members in support of the Department.
"(A) act as the leader of the consortium for the term specified by the Secretary under paragraph (1);
"(B) be the liaison between the consortium and the Secretary;
"(C) distribute requests from the Secretary for advice and assistance to appropriate members of the consortium and coordinate responses back to the Secretary; and
"(D) act as a clearinghouse for Department of Defense requests relating to assistance on matters relating to cybersecurity and to provide feedback to the Secretary from members of the consortium.
Pub. L. 113–291, div. A, title XVI, §1632(b), Dec. 19, 2014, 128 Stat. 3640, provided that: "The Secretary shall establish the procedures required by subsection (b) of section 391 of title 10, United States Code, as added by subsection (a) of this section, not later than 90 days after the date of the enactment of this Act [Dec. 19, 2014]."
Pub. L. 113–291, div. A, title XVI, §1632(c), Dec. 19, 2014, 128 Stat. 3640, provided that:
"(A) requirements that were in effect on the day before the date of the enactment of this Act for contractors to share information with Department components regarding cyber incidents (as defined in subsection (d) [now (e)] of such section 391 [10 U.S.C. 391(e)]) with respect to networks or information systems of contractors; and
"(B) Department policies and systems for sharing information on cyber incidents with respect to networks or information systems of Department contractors.
"(A) designate a Department component under subsection (a) of such section 391; and
"(B) issue or revise guidance applicable to Department components that ensures the rapid sharing by the component designated pursuant to such section 391 or section 941 of the National Defense Authorization Act for Fiscal Year 2013 [Pub. L. 112–239] (10 U.S.C. 2224 note) of information relating to cyber incidents with respect to networks or information systems of contractors with other appropriate Department components."