(a)
(b)
(c)
(1) A vulnerability and threat assessment of elements of the defense and supporting nondefense information infrastructures that are essential to the operations of the Department and the armed forces.
(2) Development of essential information assurances technologies and programs.
(3) Organization of the Department, the armed forces, and supporting activities to defend against information warfare.
(4) Joint activities of the Department with other departments and agencies of the Government, State and local agencies, and elements of the national information infrastructure.
(5) The conduct of exercises, war games, simulations, experiments, and other activities designed to prepare the Department to respond to information warfare threats.
(6) Development of proposed legislation that the Secretary considers necessary for implementing the program or for otherwise responding to the information warfare threat.
(d)
[(e) Repealed. Pub. L. 108–136, div. A, title X, §1031(a)(12), Nov. 24, 2003, 117 Stat. 1597.]
(f)
(1) an integrated organization structure to plan and facilitate the conduct of simulations, war games, exercises, experiments, and other activities to prepare and inform the Department regarding information warfare threats; and
(2) organization and planning means for the conduct by the Department of the integrated or joint exercises and experiments with elements of the national information systems infrastructure and other non-Department of Defense organizations that are responsible for the oversight and management of critical information systems and infrastructures on which the Department, the armed forces, and supporting activities depend for the conduct of daily operations and operations during crisis.
(Added Pub. L. 106–65, div. A, title X, §1043(a), Oct. 5, 1999, 113 Stat. 760; amended Pub. L. 106–398, §1 [[div. A], title X, §1063], Oct. 30, 2000, 114 Stat. 1654, 1654A–274; Pub. L. 107–296, title X, §1001(c)(1)(B), Nov. 25, 2002, 116 Stat. 2267; Pub. L. 107–347, title III, §301(c)(1)(B), Dec. 17, 2002, 116 Stat. 2955; Pub. L. 108–136, div. A, title X, §1031(a)(12), Nov. 24, 2003, 117 Stat. 1597; Pub. L. 108–375, div. A, title X, §1084(d)(17), Oct. 28, 2004, 118 Stat. 2062.)
2004—Subsec. (c). Pub. L. 108–375 substituted "subchapter II" for "subtitle II" in introductory provisions.
2003—Subsec. (e). Pub. L. 108–136 struck out subsec. (e) which directed the Secretary of Defense to annually submit to Congress a report on the Defense Information Assurance Program.
2002—Subsec. (b). Pub. L. 107–296, §1001(c)(1)(B)(i), and Pub. L. 107–347, §301(c)(1)(B)(i), amended subsec. (b) identically, substituting "Objectives of the Program" for "Objectives and Minimum Requirements" in heading and striking out par. (1) designation before "The objectives".
Subsec. (b)(2). Pub. L. 107–347, §301(c)(1)(B)(ii), struck out par. (2) which read as follows: "The program shall at a minimum meet the requirements of sections 3534 and 3535 of title 44."
Pub. L. 107–296, §1001(c)(1)(B)(ii), which directed the striking out of "(2) the program shall at a minimum meet the requirements of section 3534 and 3535 of title 44, United States Code." could not be executed. See above par.
Subsec. (c). Pub. L. 107–347, §301(c)(1)(B)(iii), inserted ", including through compliance with subchapter III of chapter 35 of title 44" after "infrastructure" in introductory provisions.
Pub. L. 107–296, §1001(c)(1)(B)(iii), inserted ", including through compliance with subtitle II of chapter 35 of title 44" after "infrastructure" in introductory provisions.
2000—Subsec. (b). Pub. L. 106–398, §1 [[div. A], title X, §1063(a)], substituted "
Subsec. (e)(7). Pub. L. 106–398, §1 [[div. A], title X, §1063(b)], added par. (7).
Amendment by Pub. L. 107–296 effective 60 days after Nov. 25, 2002, see section 4 of Pub. L. 107–296, set out as an Effective Date note under section 101 of Title 6, Domestic Security.
Amendment by Pub. L. 106–398 effective 30 days after Oct. 30, 2000, see section 1 [[div. A], title X, §1065] of Pub. L. 106–398, Oct. 30, 2000, 114 Stat. 1654, formerly set out as an Effective Date note under former section 3531 of Title 44, Public Printing and Documents.
Pub. L. 118–31, div. A, title XV, §1507, Dec. 22, 2023, 137 Stat. 540, provided that:
"(a)
"(1)
"(2)
"(A) the timelines associated with each such recommendation, regardless of whether the recommendation is fully implemented or yet to be fully implemented; and
"(B) a description of any impediments to the implementation of such recommendations encountered.
"(b)
"(1)
"(A) a description of the funding necessary for such cyber red teams to achieve such capacity and capability;
"(B) a description of any other resources, personnel, infrastructure, or authorities for access to information necessary for such cyber red teams to achieve such capacity and capability (including with respect to the emulation of threats from foreign countries with advanced cyber capabilities, automation, artificial intelligence or machine learning, and data collection and correlation); and
"(C) updated joint service standards and metrics to ensure the training, staffing, and equipping of such cyber red teams at levels necessary to achieve such capacity and capability.
"(2)
"(c)
"(d)
"(1) The results of test and evaluation events, including any resource or capability shortfalls limiting the capacity or capability of cyber red teams of the Department of Defense to meet operational requirements.
"(2) The extent to which operations of such cyber red teams have expanded across the competition continuum, including during cooperation and competition phases, to match adversary positioning and cyber activities.
"(3) A summary of identified categories of common gaps and shortfalls across cyber red teams of the military departments and Defense Agencies (as such terms are defined in section 101 of title 10, United States Code).
"(4) Any identified lessons learned that would affect training or operational employment decisions relating to the cyber red teams of the Department of Defense."
Pub. L. 118–31, div. A, title XV, §1514, Dec. 22, 2023, 137 Stat. 545, provided that:
"(a)
"(b)
"(1) enter into cooperative research and development agreements under section 4026 of title 10, United States Code; and
"(2) use such other mechanisms for the transfer of technology and data as are authorized by law.
"(c) [sic; there are two subsecs. (c)]
"(1) An identification of the data or technology to be transferred.
"(2) An identification of the eligible private sector entity, including an identification of the specific individual employed by or otherwise associated with such entity responsible for the security and integrity of the data or technology to be received.
"(3) A detailed description of any special security handling instructions required pursuant to an agreement entered into between the Secretary and the eligible private sector entity for such transfer.
"(4) Timelines associated with such transfer.
"(c) [sic]
"(1) The term 'eligible private sector entity' means a private sector entity that—
"(A) has functions relevant to the civil electricity sector; and
"(B) is determined by the Secretary of Defense to be eligible to receive data and technology transferred under subsection (a).
"(2) The term 'MOSAICS program' means the program of the Department of Defense known as the 'More Situational Awareness for Industrial Control Systems Joint Capabilities Technology Demonstration program', or successor program."
Pub. L. 118–31, div. A, title XV, §1515, Dec. 22, 2023, 137 Stat. 546, provided that:
"(a)
"(b)
"(1)
"(2)
"(A) By September 30, 2026, completion of—
"(i) the pilot program specified in subsection (a) and the deployment of modernized network boundary defense capabilities to the Internet access points managed by the Director of the Defense Information Systems Agency; and
"(ii) the extension of modernized network boundary defense capabilities to all additional Internet access points of the information network of the Department of Defense.
"(B) By September 30, 2027, the conduct of a survey, completion of a pilot program, and deployment of modernized network boundary defense capabilities to the access points and cross-domain capabilities of the Secret Internet Protocol Router Network.
"(C) By September 30, 2028, the conduct of a survey, completion of a pilot program, and deployment of modernized network boundary defense capabilities to any remaining classified network or enclave of the information network of the Department.
"(c)
"(1) a summary of findings from the pilot program specified in subsection (a); and
"(2) an identification of the resources necessary for such implementation, including for implementing the phase of the modernization program specified in subsection (b)(2)(C)."
Pub. L. 118–31, div. A, title XV, §1516, Dec. 22, 2023, 137 Stat. 546, provided that:
"(a)
"(1)
"(2)
"(A) Correcting weaknesses in authentication and credentialing security, including with respect to the program of the Department of Defense known as the 'Public Key Infrastructure' program (or any successor program), identified by the Director of Operational Test and Evaluation in a report submitted to Congress in April, 2023, titled 'FY14–21 Observations of the Compromise of Cyber Credentials'.
"(B) Implementing improved authentication technologies, such as biometric and behavioral authentication techniques and other non-password-based solutions.
"(3)
"(b)
"(1)
"(2)
"(A) an explanation of why the establishment of a program of record is not the preferred approach to achieve the objectives listed in subsection (a)(2);
"(B) details relating to the management approach proposed to be implemented in lieu of the establishment of a program of record;
"(C) an implementation plan for such proposed alternative approach; and
"(D) such other information as the Secretary of Defense determines appropriate.
"(c)
"(d)
"(e)
"(1) The term 'covered activity' means any activity of the Office of the Secretary of Defense or a Defense Agency relating to the identity, credential, and access management initiative of the Department of Defense.
"(2) The term 'Defense Agency' has the meaning given that term in section 101 of title 10, United States Code."
Pub. L. 118–31, div. A, title XV, §1517, Dec. 22, 2023, 137 Stat. 548, provided that:
"(a)
"(b)
"(1)
"(2)
"(A)
"(B)
"(i) connected to national-level infrastructure;
"(ii) located near a commercial port; or
"(iii) located near a national financial hub.
"(c)
"(1) without duplicating or disrupting existing cyber exercise activities under the National Cyber Exercise Program under section 2220B of the Homeland Security Act of 2002 (6 U.S.C. 665h), conduct cyber resiliency and reconstitution stress test scenarios through tabletop exercises and, if possible, live exercises—
"(A) to assess how to prioritize restoration of power, water, and telecommunications for a military installation in the event of a significant cyberattack on regional critical infrastructure that has similar impacts on State and local infrastructure; and
"(B) to determine the recovery process needed to ensure the military installation has the capability to function and support an overseas contingency operation or a homeland defense mission, as appropriate;
"(2) map dependencies on power, water, and telecommunications at the military installation and the connections to distribution and generation outside the military installation;
"(3) recommend priorities for the order of recovery for the military installation in the event of a significant cyberattack, considering both the requirements needed for operations of the military installation and the potential participation of personnel at the military installation in an overseas contingency operation or a homeland defense mission; and
"(4) develop a lessons-learned database from the exercises conducted under paragraph (1) across all military installations participating in the pilot program, to be shared with the Committees on Armed Services of the House of Representatives and the Senate.
"(d)
"(1) private entities that operate power, water, and telecommunications for a military installation participating in the pilot program under subsection (a);
"(2) relevant military and civilian personnel; and
"(3) any other entity that the Assistant Secretary of Defense for Homeland Defense and Hemispheric Affairs determines is relevant to the execution of activities under subsection (c).
"(e)
"(f)
"(1) The term 'critical infrastructure' has the meaning given that term in the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c).
"(2) The term 'Sector Risk Management Agency' has the meaning given that term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650)."
Pub. L. 118–31, div. A, title XV, §1537, Dec. 22, 2023, 137 Stat. 570, provided that:
"(a)
"(1) The Committee on National Security Systems Directive 504, issued on February 4, 2014, relating to the protection of national security systems from insider threats (including any annex to such directive).
"(2) Department of Defense Directive 5205.16, issued on September 30, 2014, relating to the insider threat program of the Department of Defense.
"(b)
"(c)
"(1) conducts insider threat testing using threat-realistic tactics, techniques, and procedures; and
"(2) submits to the Under Secretary of Defense for Intelligence and Security, the Chief Information Officer of the Department of Defense, and the Director of Operational Test and Evaluation of the Department of Defense a report on the findings of the head with respect to the testing conducted pursuant to paragraph (1).
"(d)
"(e)
"(1) the Committee on Armed Services and the Permanent Select Committee on Intelligence of the House of Representatives; and
"(2) the Committee on Armed Services and the Select Committee on Intelligence of the Senate."
Pub. L. 118–31, div. A, title XV, §1552, Dec. 22, 2023, 137 Stat. 579, provided that:
"(a)
"(1)
"(2)
"(b)
"(1)
"(A) the installation and use of covered applications on Federal Government devices; and
"(B) the use of covered applications on the Department of Defense Information Network on personal devices.
"(2)
Pub. L. 118–31, div. A, title XVI, §1686, Dec. 22, 2023, 137 Stat. 620, provided that:
"(a)
"(1) establish requirements for and assign sufficient priority to ensuring electronic protection of military sensor, navigation, and communications systems and subsystems against jamming, spoofing, and unintended interference from military systems of the United States and foreign adversaries; and
"(2) provide management oversight and supervision of the military departments to ensure military systems that emit and receive radio frequencies are protected against threats and interference from United States and foreign adversary military systems operating in the same or adjacent radio frequencies.
"(b)
"(1) Not later than 270 days after the date of the enactment of this Act [Dec. 22, 2023], develop and approve requirements, through the Joint Requirements Oversight Council as appropriate, for every radar, signals intelligence, navigation, and communications system and subsystem subject to the Global Force Management process to ensure such systems and subsystems are able to withstand threat-realistic levels of jamming, spoofing, and unintended interference, including self-generated interference.
"(2) Not less frequently than once every 4 years, test each system and subsystem described in paragraph (1) at a test range that permits threat-realistic electronic warfare attacks against the system or subsystem by a red team or simulated opposition force, with the first set of highest priority systems to be initially tested by not later than the end of fiscal year 2025.
"(3) With respect to each system and subsystem described in paragraph (1) that fails to meet electronic protection requirements during testing conducted under paragraph (2)—
"(A) not later than 3 years after the initial failed test, retrofit the system or subsystem with electronic protection measures that can withstand threat-realistic jamming, spoofing, and unintended interference; and
"(B) not later than 4 years after the initial failed test, retest such systems and subsystems.
"(4) Survey, identify, and test available technology that can be practically and affordably retrofitted on the systems and subsystems described in paragraph (1) and which provides robust protection against threat-realistic jamming, spoofing, and unintended interference.
"(5) Design and build electronic protection into ongoing and future development programs to withstand expected jamming and spoofing threats and unintended interference.
"(c)
"(d)
"(1) aggregates and summarizes information received from the military departments and combat support agencies for purposes of the preparation of the report; and
"(2) includes a description of—
"(A) the activities carried out to implement the requirements of this section;
"(B) the systems and subsystems subject to testing in the previous year and the results of such tests, including a description of the requirements for electronic protection established for the tested systems and subsystems; and
"(C) each waiver issued in the previous year with respect to such requirements, together with a detailed rationale for the waiver and a plan for addressing any issues that formed the basis of the waiver request."
Pub. L. 117–263, div. A, title XV, §1514, Dec. 23, 2022, 136 Stat. 2895, provided that:
"(a)
"(b)
"(1) ensure covered cybersecurity capabilities are appropriately tested, evaluated, and proven operationally effective, suitable, and survivable prior to operation on a Department of Defense network; and
"(2) specify how test results will be expeditiously provided to the Director of Operational Test and Evaluation.
"(c)
"(1) Threat-realistic operational testing, including representative environments, variation of operational conditions, and inclusion of a realistic opposing force.
"(2) The use of Department of Defense cyber red teams, as well as any enabling contract language required to permit threat-representative red team assessments.
"(3) Collaboration with the personnel using the commercial cybersecurity capability regarding the results of the testing to improve operators' ability to recognize and defend against cyberattacks.
"(4) The extent to which additional resources may be needed to remediate any shortfalls in capability to make the commercial cybersecurity capability effective, suitable, and cyber survivable in an operational environment of the Department.
"(5) Identification of training requirements, and changes to training, sustainment practices, or concepts of operation or employment that may be needed to ensure the effectiveness, suitability, and cyber survivability of the commercial cybersecurity capability.
"(d)
"(e)
"(1) The status of the plans developed under subsection (a).
"(2) The number and type of test and evaluation events completed in the past year for such plans, disaggregated by component of the Department, and including resources devoted to each event.
"(3) The results from such test and evaluation events, including any resource shortfalls affecting the number of commercial cybersecurity capabilities that could be assessed.
"(4) A summary of identified categories of common gaps and shortfalls found during testing.
"(5) The extent to which entities responsible for developing and testing commercial cybersecurity capabilities have responded to recommendations made by the Director in an effort to gain favorable determinations.
"(6) Any identified lessons learned that would impact training, sustainment, or concepts of operation or employment decisions relating to the assessed commercial cybersecurity capabilities.
"(f)
"(1) Commercial products (as defined in section 103 of title 41, United States Code) acquired and deployed by the Department of Defense to satisfy the cybersecurity requirements of one or more Department components.
"(2) Commercially available off-the-shelf items (as defined in section 104 of title 41, United States Code) acquired and deployed by the Department of Defense to satisfy the cybersecurity requirements of one or more Department components.
"(3) Noncommercial items acquired through the Adaptive Acquisition Framework and deployed by the Department of Defense to satisfy the cybersecurity requirements of one or more Department components."
Pub. L. 117–263, div. A, title XV, §1553, Dec. 23, 2022, 136 Stat. 2920, provided that:
"(a)
"(b)
"(1) A requirement that, beginning on the date of the enactment of this Act, future contracts with cloud service providers for storage or computing of classified data of the Department include provisions that permit the Secretary to conduct independent, threat-realistic assessments of the commercial cloud infrastructure, including with respect to—
"(A) the storage, compute, and enabling elements, including the control plane and virtualization hypervisor for mission elements of the Department supported by the cloud provider; and
"(B) the supporting systems used in the fulfillment, facilitation, or operations relating to the mission of the Department under the contract, including the interfaces with these systems.
"(2) An explanation as to how the Secretary intends to proceed on amending existing contracts with cloud service providers to permit the same level of assessments required for future contracts under paragraph (1).
"(3) Identification and description of any proposed tiered test and evaluation requirements aligned with different impact and classification levels.
"(c)
"(d)
"(e)
"(1) are designed to accurately emulate cyber threats from advanced nation state adversaries, such as Russia and China; and
"(2) include cooperative penetration testing and no-notice threat-emulation activities where personnel of the Department of Defense attempt to penetrate and gain control of the cloud-provider facilities, networks, systems, and defenses associated with, or which enable, the supported missions of the Department."
Pub. L. 117–263, div. A, title XV, §1559, Dec. 23, 2022, 136 Stat. 2926, as amended by Pub. L. 118–31, div. A, title XV, §1502(a)(2)(F), Dec. 22, 2023, 137 Stat. 538, provided that:
"(a)
"(b)
"(1) identification of such vulnerabilities and risks;
"(2) ranking of vulnerability, severity, and priority;
"(3) development and selection of options, with associated costs and schedule, to correct such vulnerabilities, including installation of intrusion detection capabilities;
"(4) an evaluation of the cybersecurity sufficiency for Military Standard 1553; and
"(5) development of integrated risk-based plans to implement the corrective actions selected.
"(c)
"(1) consider the missions supported by the assessed weapons systems, aircraft, ships, ground vehicles, space systems, sensors, or datalink networks, as the case may be, to ensure that the corrective actions focus on the vulnerabilities that create the greatest risks to the missions;
"(2) be shared and coordinated with the principal staff assistant with primary responsibility for the strategic cybersecurity program; and
"(3) address requirements for deployed and nondeployed members of the Armed Forces to analyze data collected on the weapons systems and respond to attacks.
"(d)
"(e)
"(1)
"(2)
Pub. L. 117–81, div. A, title XV, §1508, Dec. 27, 2021, 135 Stat. 2032, provided that:
"(a)
"(1) private sector entities operating inside the United States to defend against foreign malicious cyber actors could assist, or be coordinated with, the actions of United States Cyber Command operating outside the United States against such foreign malicious cyber actors; and
"(2) United States Cyber Command operating outside the United States against foreign malicious cyber actors could assist, or be coordinated with, the actions of private sector entities operating inside the United States against such foreign malicious cyber actors.
"(b)
"(1)
"(2)
"(A) Such recommendations for legislative or administrative action as the Commander of United States Cyber Command considers appropriate to improve and facilitate the exploration and development of methods and plans under subsection (a).
"(B) Such recommendations as the Commander may have for increasing private sector participation in such exploration and development.
"(C) A description of the challenges encountered in carrying out subsection (a), including any concerns expressed to the Commander by private sector partners regarding participation in such exploration and development.
"(D) Information relating to how such exploration and development with the private sector could assist military planning by United States Cyber Command.
"(E) Such other matters as the Commander considers appropriate.
"(c)
"(d)
"(1) The Joint Cyber Defense Collaborative of the Cybersecurity and Infrastructure Security Agency.
"(2) The Cybersecurity Collaboration Center and Enduring Security Framework of the National Security Agency.
"(3) The office for joint cyber planning of the Department of Homeland Security.
"(e)
"(f)
Pub. L. 117–81, div. A, title XV, §1521, Dec. 27, 2021, 135 Stat. 2040, as amended by Pub. L. 118–31, div. A, title XV, §1522, Dec. 22, 2023, 137 Stat. 553, provided that:
"(a)
"(1) Surveying components of the Department for the cyber data products and services needs of such components.
"(2) Conducting market research of cyber data products and services.
"(3) Developing or facilitating development of requirements, both independently and through consultation with components, for the acquisition of cyber data products and services.
"(4) Developing and instituting model contract language for the acquisition of cyber data products and services, including contract language that facilitates components' requirements for ingesting, sharing, using and reusing, structuring, and analyzing data derived from such products and services.
"(5) Conducting procurement of cyber data products and services on behalf of the Department of Defense, including negotiating contracts with a fixed number of licenses based on aggregate component demand and negotiation of extensible contracts.
"(6) Evaluating emerging cyber technologies, such as artificial intelligence-enabled security tools, for efficacy and applicability to the requirements of the Department of Defense.
"(7) Carrying out the responsibilities specified in paragraphs (1) through (6) with respect to the cyber data products and services needs of the Cyberspace Operations Forces, such as cyber data products and services germane to cyberspace topology and identification of adversary threat activity and infrastructure, including—
"(A) facilitating the development of cyber data products and services requirements for the Cyberspace Operations Forces, conducting market research regarding the future cyber data products and services needs of the Cyberspace Operations Forces, and conducting acquisitions pursuant to such requirements and market research;
"(B) coordinating cyber data products and services acquisition and management activities with Joint Cyber Warfighting Architecture acquisition and management activities, including activities germane to data storage, data management, and development of analytics;
"(C) implementing relevant Department of Defense and United States Cyber Command policy germane to acquisition of cyber data products and services;
"(D) leading or informing the integration of relevant datasets and services, including Government-produced threat data, commercial cyber threat information, collateral telemetry data, topology-relevant data, sensor data, and partner-provided data; and
"(E) facilitating the development of tradecraft and operational workflows based on relevant cyber data products and services.
"(b)
"(c)
"(1) such component is able to procure such product or service at a lower per-unit price than that available through such office; or
"(2) such office has approved such independent purchase.
"(d)
"(e)
Pub. L. 117–81, div. A, title XV, §1524, Dec. 27, 2021, 135 Stat. 2042, provided that:
"(a)
"(b)
"(c)
"(1) each component of the Department of Defense that uses a PDNS instantiation offered by the Department;
"(2) each component exempt from using a PDNS instantiation pursuant to subsection (b); and
"(3) efforts to ensure that each PDNS instantiation offered by the Department connects and shares relevant and timely data."
Pub. L. 117–81, div. A, title XV, §1527, Dec. 27, 2021, 135 Stat. 2043, provided that:
"(a)
"(1) access, acquire, and use mission-relevant data to support offensive cyber, defensive cyber, and DODIN operations from the intelligence community, other elements of the Department of Defense, and the private sector;
"(2) develop policy, processes, and operating procedures governing the access, ingest, structure, storage, analysis, and combination of mission-relevant data, including—
"(A) intelligence data;
"(B) internet traffic, topology, and activity data;
"(C) cyber threat information;
"(D) Department of Defense Information Network sensor, tool, routing infrastructure, and endpoint data; and
"(E) other data management and analytic platforms pertinent to United States Cyber Command missions that align with the principles of Joint All Domain Command and Control;
"(3) pilot efforts to develop operational workflows and tactics, techniques, and procedures for the operational use of mission-relevant data by the Cyberspace Operations Forces; and
"(4) evaluate data management platforms used to carry out paragraphs (1), (2), and (3) to ensure such platforms operate consistently with the Deputy Secretary of Defense's Data Decrees signed on May 5, 2021.
"(b)
"(1)
"(A) United States Cyber Command.
"(B) Program offices responsible for the components of the Joint Cyber Warfighting Architecture.
"(C) The military services.
"(D) Entities in the Office of the Secretary of Defense.
"(E) Any other program office, headquarters element, or operational component newly instantiated or determined relevant by the Secretary.
"(2)
Pub. L. 117–81, div. A, title XV, §1528, Dec. 27, 2021, 135 Stat. 2044, as amended by Pub. L. 117–263, div. A, title XV, §1501(c)(2), Dec. 23, 2022, 136 Stat. 2879, provided that:
"(a)
"(b)
"(1) Prioritized policies and procedures for establishing implementations of mature zero trust enabling capabilities within on-premises, hybrid, and pure cloud environments, including access control policies that determine which persona or device shall have access to which resources and the following:
"(A) Identity, credential, and access management.
"(B) Macro and micro network segmentation, whether in virtual, logical, or physical environments.
"(C) Traffic inspection.
"(D) Application security and containment.
"(E) Transmission, ingest, storage, and real-time analysis of cybersecurity metadata endpoints, networks, and storage devices.
"(F) Data management, data rights management, and access controls.
"(G) End-to-end encryption.
"(H) User access and behavioral monitoring, logging, and analysis.
"(I) Data loss detection and prevention methodologies.
"(J) Least privilege, including system or network administrator privileges.
"(K) Endpoint cybersecurity, including secure host, endpoint detection and response, and comply-to-connect requirements.
"(L) Automation and orchestration.
"(M) Configuration management of virtual machines, devices, servers, routers, and similar to be maintained on a single virtual device approved list (VDL).
"(2) Policies specific to operational technology, critical data, infrastructures, weapon systems, and classified networks.
"(3) Specification of enterprise-wide acquisitions of capabilities conducted or to be conducted pursuant to the policies referred to in paragraph (2).
"(4) Specification of standard zero trust principles supporting reference architectures and metrics-based assessment plan.
"(5) Roles, responsibilities, functions, and operational workflows of zero trust cybersecurity architecture and information technology personnel—
"(A) at combatant commands, military services, and defense agencies; and
"(B) Joint Forces Headquarters-Department of Defense Information Network.
"(c)
"(1) coordinate with—
"(A) the Principal Cyber Advisor to the Secretary of Defense;
"(B) the Director of the National Security Agency Cybersecurity Directorate;
"(C) the Director of the Defense Advanced Research Projects Agency;
"(D) the Chief Information Officer of each military service;
"(E) the Commanders of the cyber components of the military services;
"(F) the Principal Cyber Advisor of each military service;
"(G) the Chairman of the Joint Chiefs of Staff; and
"(H) any other component of the Department of Defense as determined by the Chief Information Officer and the Commander;
"(2) assess the utility of the Joint Regional Security Stacks, automated continuous endpoint monitoring program, assured compliance assessment solution, and each of the defenses at the Internet Access Points for their relevance and applicability to the zero trust architecture and opportunities for integration or divestment;
"(3) employ all available resources, including online training, leveraging commercially available zero trust training material, and other Federal agency training, where feasible, to implement cybersecurity training on zero trust at the—
"(A) executive level;
"(B) cybersecurity professional or implementer level; and
"(C) general knowledge levels for Department of Defense users;
"(4) facilitate cyber protection team and cybersecurity service provider threat hunting and discovery of novel adversary activity;
"(5) assess and implement means to effect Joint Force Headquarters-Department of Defense Information Network's automated command and control of the entire Department of Defense Information Network;
"(6) assess the potential of and, as appropriate, encourage, use of third-party cybersecurity-as-a-service models;
"(7) engage with and conduct outreach to industry, academia, international partners, and other departments and agencies of the Federal Government on issues relating to deployment of zero trust architectures;
"(8) assess the current Comply-to-Connect Plan; and
"(9) review past and conduct additional pilots to guide development, including—
"(A) utilization of networks designated for testing and accreditation under section 1658 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116–92; 10 U.S.C. 2224 note) [set out below];
"(B) use of automated red team products for assessment of pilot architectures; and
"(C) accreditation of piloted cybersecurity products for enterprise use in accordance with the findings on enterprise accreditation standards conducted pursuant to section 1654 of such Act (Public Law 116–92) [133 Stat. 1764].
"(d)
"(1)
"(2)
"(A) Specific acquisitions, implementations, instrumentations, and operational workflows to be implemented across unclassified and classified networks, operational technology, and weapon systems.
"(B) A detailed schedule with target milestones and required expenditures.
"(C) Interim and final metrics, including a phase migration plan.
"(D) Identification of additional funding, authorities, and policies, as may be required.
"(E) Requested waivers, exceptions to Department of Defense policy, and expected delays.
"(e)
"(1)
"(A) assess the implementation plans transmitted pursuant to subsection (d)(1) for—
"(i) adequacy and responsiveness to the zero trust strategy, principles, and model architecture required under subsection (a); and
"(ii) appropriate use of enterprise-wide acquisitions;
"(B) ensure, at a high level, the interoperability and compatibility of individual components' Solutions Architectures, including the leveraging of enterprise capabilities where appropriate through standards derivation, policy, and reviews;
"(C) use the annual investment guidance of the Chief to ensure appropriate implementation of such plans, including appropriate use of enterprise-wide acquisitions;
"(D) track use of waivers and exceptions to policy;
"(E) use the Cybersecurity Scorecard to track and drive implementation of Department components; and
"(F) leverage the authorities of the Commander of Joint Forces Headquarters-Department of Defense Information Network and the Director of the Defense Information Systems Agency to begin implementation of such zero trust strategy, principles, and model architecture.
"(2)
"(f)
"(1)
"(2)
"(g)
Pub. L. 117–81, div. A, title XV, §1529, Dec. 27, 2021, 135 Stat. 2048, provided that:
"(a)
"(1) mitigating cyber hygiene challenges;
"(2) supporting ongoing efforts of the Department to assess weapon systems resiliency;
"(3) quantifying enterprise security effectiveness of enterprise security controls, to inform future acquisition decisions of the Department;
"(4) assisting portfolio managers with balancing capability costs and capability coverage of the threat landscape; and
"(5) supporting the Department's Cybersecurity Analysis and Review threat framework.
"(b)
"(1) integration into automated security validation tools of advanced commercially available threat intelligence;
"(2) metrics and scoring of security controls;
"(3) cyber analysis, cyber campaign tracking, and cybersecurity information sharing;
"(4) integration into cybersecurity enclaves and existing cybersecurity controls of security instrumentation and testing capability;
"(5) endpoint sandboxing; and
"(6) use of actual adversary attack methodologies.
"(c)
"(d)
"(e)
"(1)
"(2)
Pub. L. 116–283, div. A, title X, §1058, Jan. 1, 2021, 134 Stat. 3856, provided that:
"(a)
"(1) any steps being taken by the host country to mitigate any potential risks to the weapon systems, military units, or personnel, and the Department of Defense's assessment of those efforts;
"(2) any steps being taken by the United States Government, separately or in collaboration with the host country, to mitigate any potential risks to the weapon systems, permanently deployed forces, or personnel;
"(3) any defense mutual agreements between the host country and the United States intended to allay the costs of risk mitigation posed by the at-risk infrastructure; and
"(4) any other matters the Secretary determines to be relevant.
"(b)
"(1) apply with respect to the permanent long-term stationing of equipment and permanently assigned forces; and
"(2) do not apply with respect to the short-term deployment or rotational presence of equipment or forces to a military installation outside the United States in connection with any exercise, dynamic force employment, contingency operation, or combat operation.
"(c)
"(1)
"(A) the risk to personnel, equipment, and operations of the Department of Defense in host countries posed by the current or intended use by such countries of 5G or 6G telecommunications architecture provided by at-risk vendors, including Huawei and ZTE; and
"(B) measures required to mitigate the risk described in paragraph (1).
"(2)
"(d)
Pub. L. 116–283, div. A, title XVII, §1724, Jan. 1, 2021, 134 Stat. 4111, as amended by Pub. L. 118–31, div. A, title XV, §1511, Dec. 22, 2023, 137 Stat. 541, provided that:
"(a)
"(b)
"(c)
"(1) The Sector Risk Management Agency functions under Presidential Policy Directive-21 the Department of Defense has assigned to the Under Secretary of Defense for Policy for implementation.
"(2) The Under Secretary of Defense for Acquisition and Sustainment's policies and programs germane to contracting and contractual enforcement as such relate to cybersecurity assessment and assistance, and industrial base health and security.
"(3) The Under Secretary of Defense for Intelligence and Security's policies and programs germane to physical security, information security, industrial security, acquisition security and cybersecurity, all source intelligence, classified threat intelligence sharing related to defense industrial base cybersecurity activities, counterintelligence, and foreign ownership control or influence, including the Defense Intelligence Agency and National Security Agency support provided to the Department of Defense – Defense Industrial Base Collaborative Information Sharing Environment and cyber intrusion damage assessment analysis as part of defense industrial base cybersecurity activities.
"(4) The Department of Defense Chief Information Officer's policies and programs for cybersecurity standards and integrating cybersecurity threat intelligence-sharing activities and enhancing Department of Defense and defense industrial base cyber situational awareness.
"(5) The Under Secretary of Defense for Research and Engineering's policies and programs germane to protection planning requirements of emerging technologies as such relate to cybersecurity assessment and assistance, and industrial base health and security.
"(6) Other Department of Defense components' policies and programs germane to the cybersecurity of the defense industrial base, including the policies and programs of the military services and the combatant commands.
"(d)
"(1) coordinate or facilitate coordination with relevant Federal departments and agencies, defense industrial base entities, independent regulatory agencies, and with State, local, territorial, and Tribal entities, as appropriate;
"(2) facilitate or coordinate the provision of incident management support to defense industrial base entities, as appropriate;
"(3) facilitate or coordinate the provision of technical assistance to and consultations with defense industrial base entities to identify cyber or cyber-physical vulnerabilities and minimize the damage of potential incidents, as appropriate; and
"(4) support or facilitate the supporting of the statutorily required reporting requirements of such relevant Federal departments and agencies by providing or facilitating the provision to such departments and agencies on an annual basis relevant critical infrastructure information, as appropriate.
"(e)
"(1) A plan for implementation of this section, including an assessment of the roles and responsibilities of entities across the Department of Defense and mechanisms and processes for coordination of policy and programs germane to defense industrial base cybersecurity.
"(2) An analysis of the feasibility and advisability of separating cybersecurity functions of a Sector Risk Management Agency pursuant to section 9002 of the National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 652a) from non-cybersecurity functions of a Sector Risk Management Agency."
Pub. L. 116–283, div. A, title XVII, §1726(b), Jan. 1, 2021, 134 Stat. 4116, provided that:
"(1)
"(A) Recommendations regarding how to improve and better utilize such programs, including regarding individuals who have completed such programs.
"(B) An implementation plan to carry out such recommendations.
"(2)
Pub. L. 116–283, div. A, title XVII, §1727, Jan. 1, 2021, 134 Stat. 4117, provided that:
"(a)
"(1)
"(2)
"(3)
"(b)
"(1) Risk categorization.
"(2) Duration.
"(3) Estimated time remaining."
Pub. L. 116–283, div. A, title XVII, §1733, Jan. 1, 2021, 134 Stat. 4123, provided that:
"(a)
"(b)
"(1)
"(B) The Chief Information Officer and the Commander shall ensure that the metrics developed under subparagraph (A) are commensurate with the representative timelines of nation-state and non-nation-state actors when gaining access to, and compromising, Department networks.
"(2)
"(B) In carrying out the pilot program under subsection (a), the Secretary shall evaluate the effectiveness of operators, capabilities available to operators, and operators' tactics, techniques, and procedures.
"(c)
"(1) assess select security operations centers and cyber security service providers—
"(A) over the course of their mission performance; or
"(B) in the testing and accreditation of cybersecurity products and services on test networks designated pursuant to section 1658 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116–92) [set out as a note below]; and
"(2) assess select elements' use of security orchestration and response technologies, modern endpoint security technologies, Big Data Platform instantiations, and technologies relevant to zero trust architectures.
"(d)
"(1)
"(2)
"(A) The pilot metrics developed under subsection (b)(1).
"(B) The findings of the Secretary with respect to the assessments carried out under subsection (b)(2).
"(C) An analysis of the utility of speed-based metrics in assessing security operations centers and cyber security service providers.
"(D) An analysis of the utility of the extension of the pilot metrics to or speed-based assessment of the Cyber Mission Forces.
"(E) An assessment of the technical and procedural measures that would be necessary to meet the speed-based metrics developed and applied in the pilot program."
Pub. L. 116–283, div. A, title XVII, §1735, Jan. 1, 2021, 134 Stat. 4125, provided that:
"(a)
"(b)
"(1) consider using the Big Data Platform instances that host cybersecurity metadata for storage and analysis of all user activity monitoring data collected across the Department of Defense Information Network at all security classification levels;
"(2) develop policies and procedures governing access to user activity monitoring data or data derived from user activity monitoring by cybersecurity operators; and
"(3) develop processes and capabilities for using metadata on host and network activity for user activity monitoring in support of the insider threat mission.
"(c)
Pub. L. 116–283, div. A, title XVII, §1737, Jan. 1, 2021, 134 Stat. 4127, provided that:
"(a)
"(b)
"(1) The feasibility and suitability of, and requirements for, the establishment of a defense industrial base threat information sharing program, including cybersecurity incident reporting requirements applicable to the defense industrial base that—
"(A) extend beyond mandatory cybersecurity incident reporting requirements as in effect on the day before the date of the enactment of this Act;
"(B) set specific, consistent timeframes for all categories of cybersecurity incident reporting;
"(C) establish a single clearinghouse for all mandatory cybersecurity incident reporting to the Department of Defense, including incidents involving covered unclassified information, and classified information; and
"(D) provide that, unless authorized or required by another provision of law or the element of the defense industrial base making the report consents, nonpublic information of which the Department becomes aware only because of a report provided pursuant to the program shall be disseminated and used only for a cybersecurity purpose (as such term is defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)) and in support of national defense activities.
"(2) A mechanism for developing a shared and real-time picture of the threat environment.
"(3) Options for joint, collaborative, and co-located analytics.
"(4) Possible investments in technology and capabilities to support automated detection and analysis across the defense industrial base.
"(5) Coordinated information tipping, sharing, and deconfliction, as necessary, with relevant Federal Government agencies with similar information sharing programs.
"(6) Processes for direct sharing of threat information related to a specific defense industrial base entity with such entity.
"(7) Mechanisms for providing defense industrial base entities with clearances for national security information access, as appropriate.
"(8) Requirements to consent to queries of foreign intelligence collection databases related to a specific defense industrial base entity as a condition of participation in the threat information sharing program.
"(9) Recommendations with respect to threat information sharing program participation, including the following:
"(A) Incentives for defense industrial base entities to participate in the threat information sharing program.
"(B) Mandating minimum levels of threat information sharing program participation for any entity that is part of the defense industrial base.
"(C) Procurement prohibitions on any defense industrial base entity that is not in compliance with the requirements of the threat information sharing program.
"(D) Waiver authority and criteria.
"(E) Adopting tiers of requirements for participation within the threat information sharing program based on—
"(i) the role of and relative threats related to defense industrial base entities; and
"(ii) Cybersecurity Maturity Model Certification level.
"(10) Options to utilize an existing federally recognized information sharing program to satisfy the requirement for a threat information sharing program if—
"(A) the existing program includes, or is modified to include, two-way sharing of threat information that is specifically relevant to the defense industrial base; and
"(B) such a program is coordinated with other Federal Government agencies with existing information sharing programs where overlap occurs.
"(11) Methods to encourage participation of defense industrial base entities in appropriate private sector information sharing and analysis centers (ISACs).
"(12) Methods to coordinate collectively with defense industrial base entities to consider methods for mitigating compliance costs.
"(13) The resources needed, governance roles and structures required, and changes in regulation or law needed for execution of a threat information sharing program, as well as any other considerations determined relevant by the Secretary.
"(14) Identification of any barriers that would prevent the establishment of a defense industrial base threat information sharing program.
"(c)
"(d)
"(1) the findings of the Secretary with respect to such assessment and such determination; and
"(2) such implementation plans as the Secretary may have arising from such findings.
"(e)
Pub. L. 116–283, div. A, title XVII, §1738, Jan. 1, 2021, 134 Stat. 4129, provided that:
"(a)
"(b)
"(c)
"(1) shall be used by a Center to provide small manufacturers with cybersecurity services, including—
"(A) compliance with the cybersecurity requirements of the Department of Defense Supplement to the Federal Acquisition Regulation, including awareness, assessment, evaluation, preparation, and implementation of cybersecurity services; and
"(B) achieving compliance with the Cybersecurity Maturity Model Certification framework of the Department of Defense; and
"(2) may be used by a Center to employ trained personnel to deliver cybersecurity services to small manufacturers.
"(d)
"(1)
"(2)
"(A) The number of small manufacturers assisted.
"(B) A description of the cybersecurity services provided.
"(C) A description of the cybersecurity matters addressed.
"(D) An analysis of the operational effectiveness and cost-effectiveness of such cybersecurity services.
"(e)
"(f)
"(1)
"(2)
Pub. L. 116–283, div. A, title XVII, §1739, Jan. 1, 2021, 134 Stat. 4130, provided that:
"(a)
"(b)
"(1) Existing defense industrial base cybersecurity threat hunting policies and programs, including the threat hunting elements at each level of the compliance-based Cybersecurity Maturity Model Certification program of the Department of Defense, including requirements germane to continuous monitoring, discovery, and investigation of anomalous activity indicative of a cybersecurity incident.
"(2) The suitability of a continuous cybersecurity threat hunting program, as a supplement to the cyber hygiene requirements of the Cybersecurity Maturity Model Certification, including consideration of the following:
"(A) Collection and analysis of metadata on network activity to detect possible intrusions.
"(B) Rapid investigation and remediation of possible intrusions.
"(C) Requirements for mitigating any vulnerabilities identified pursuant to the cybersecurity threat hunting program.
"(D) Mechanisms for the Department of Defense to share with entities in the defense industrial base malicious code, indicators of compromise, and insights on the evolving threat landscape.
"(3) Recommendations with respect to cybersecurity threat hunting program participation of prime contractors and subcontractors, including relating to the following:
"(A) Incentives for defense industrial base entities to share with the Department of Defense threat and vulnerability information collected pursuant to threat monitoring and hunting activities.
"(B) Mandating minimum levels of program participation for any defense industrial base entity.
"(C) Procurement prohibitions on any defense industrial base entity that is not in compliance with the requirements of the cybersecurity threat hunting program.
"(D) Waiver authority and criteria.
"(E) Consideration of a tiered cybersecurity threat hunting program that takes into account the following:
"(i) The cybersecurity maturity of defense industrial base entities.
"(ii) The roles of such entities.
"(iii) Whether each such entity possesses classified information or controlled unclassified information and covered defense networks.
"(iv) The covered defense information to which each such entity has access as a result of contracts with the Department of Defense.
"(4) Whether the continuous cybersecurity threat-hunting program described in paragraph (2) should be conducted by—
"(A) qualified prime contractors or subcontractors;
"(B) accredited third-party cybersecurity vendors;
"(C) with contractor consent—
"(i) United States Cyber Command; or
"(ii) a component of the Department of Defense other than United States Cyber Command;
"(D) the deployment of network sensing technologies capable of identifying and filtering malicious network traffic; or
"(E) a combination of the entities specified in subparagraphs (A) through (D).
"(5) The resources necessary, governance structures or changes in regulation or law needed, and responsibility for execution of a defense industrial base cybersecurity threat hunting program, as well as any other considerations determined relevant by the Secretary.
"(6) A timelime [sic] for establishing the defense industrial base cybersecurity threat hunting program not later than two years after the date of the enactment of this Act [Jan. 1, 2021].
"(7) Identification of any barriers that would prevent such establishment.
"(c)
"(d)
"(1) the findings of the Secretary with respect to such assessment and such determination; and
"(2) such implementation plans as the Secretary may have arising from such findings.
"(e)
Pub. L. 116–92, div. A, title XVI, §1641, Dec. 20, 2019, 133 Stat. 1750, provided that:
"(a)
"(1) fit into an enterprise-wide cybersecurity architecture;
"(2) are maximally interoperable with each other, including those programs and capabilities deployed by the components of the Department;
"(3) enhance enterprise-level visibility and responsiveness to threats; and
"(4) are developed, procured, instituted, and managed in a cost-efficient manner, exploiting economies of scale and enterprise-wide services and discouraging unnecessary customization and piecemeal acquisition.
"(b)
"(1) manage and modernize the cybersecurity architecture of the Department, including—
"(A) ensuring the cybersecurity architecture of the Department maximizes cybersecurity capability, network, and endpoint activity data sharing across Department components;
"(B) ensuring the cybersecurity architecture of the Department supports improved automaticity of cybersecurity detection and response; and
"(C) modernizing and configuring the Department's standardized deployed perimeter, network-level, and endpoint capabilities to improve interoperability, meet pressing capability needs, and negate common adversary tactics, techniques, and procedures;
"(2) establish mechanisms to enable and mandate, as necessary, cybersecurity capability and network and endpoint activity data-sharing across Department components;
"(3) make mission data, through data tagging, automatic transmission, and other means, accessible and discoverable by Department components other than owners of such mission data;
"(4) incorporate into the cybersecurity architecture of the Department emerging cybersecurity technologies from the Defense Advanced Research Projects Agency, the Strategic Capabilities Office, the Defense Innovation Unit, the laboratories of the military departments, and the commercial sector;
"(5) ensure that the Department possesses the necessary computing infrastructure, through technology refresh, installation or acquisition of bandwidth, and the use of cloud computing power, to host and enable necessary cybersecurity capabilities; and
"(6) utilize the Department's cybersecurity expertise to improve cybersecurity performance, operations, and acquisition, including—
"(A) the cybersecurity testing, architecting, and engineering expertise of the National Security Agency; and
"(B) the technology policy, workforce, and engineering expertise of the Defense Digital Service."
Pub. L. 116–92, div. A, title XVI, §1646, Dec. 20, 2019, 133 Stat. 1753, provided that:
"(a)
"(1) is in the possession of a component of the Department, the Secretary shall—
"(A) either transfer or replicate and transfer such Department data in a prompt and secure manner to a secure repository with access by Department personnel appropriately limited on a need-to-know basis or otherwise ensure such consistent access to the relevant data by other means;
"(B) ensure the Department applies such automated analytic tools and capabilities to the repository of potentially compromised data as are necessary to rapidly understand the scope and effect of the potential compromise;
"(C) for high priority and mission critical Department systems, develop analytic products that characterize the scope of data compromised;
"(D) ensure that relevant mission-affected entities in the Department are made aware of the theft or possible theft and, as damage assessment and mitigation proceeds, are kept apprised of the extent of the data stolen; and
"(E) ensure that Department counterintelligence organizations are—
"(i) fully integrated with any damage assessment team assigned to the breach;
"(ii) fully informed of the data that have or potentially have been stolen and the effect of such theft; and
"(iii) provided resources and tasked, in conjunction with subject matter experts and responsible authorities, to immediately and appropriately respond, including through the development and execution of relevant countermeasures, to any breach involving espionage and data theft; or
"(2) is in the possession of or under controls or restrictions imposed by the Federal Bureau of Investigation, or a national counterintelligence or intelligence organization, the Secretary shall determine, jointly with the Director of the Federal Bureau of Investigation or the Director of National Intelligence, as appropriate, the most expeditious process, means, and conditions for carrying out the activities otherwise required by paragraph (1).
"(b)
Pub. L. 116–92, div. A, title XVI, §1647, Dec. 20, 2019, 133 Stat. 1754, as amended by Pub. L. 116–283, div. A, title X, §1081(c)(7), Jan. 1, 2021, 134 Stat. 3873, provided that:
"(a)
"(b)
"(1)
"(2)
"(A) test and evaluate commercially available cybersecurity products and services using—
"(i) generally known cyber operations techniques; and
"(ii) tools and cyber operations techniques and advanced tools and techniques available to the National Security Agency;
"(B) develop and establish standard procedures, techniques, and threat-informed metrics to perform the testing and evaluation required by subparagraph (A); and
"(C) advise the Chief Information Officer and the components of the Department of Defense on the merits and disadvantages of evaluated cybersecurity products, including with respect to—
"(i) any synergies between products;
"(ii) value;
"(iii) matters relating to operation and maintenance; and
"(iv) matters relating to customization requirements.
"(3)
"(A) be used to accredit cybersecurity products and services for use by the Department;
"(B) create approved products lists; or
"(C) be used for the procurement and fielding of cybersecurity products on behalf of the Department."
[Pub. L. 116–283, div. A, title X, §1081(c), Jan. 1, 2021, 134 Stat. 3873, provided that the amendment made by section 1081(c)(7) of Pub. L. 116–283 to section 1647 of Pub. L. 116–92, set out above, is effective as of Dec. 20, 2020 (probably should be Dec. 20, 2019) and as if included in Pub. L. 116–92.]
Pub. L. 116–92, div. A, title XVI, §1648, Dec. 20, 2019, 133 Stat. 1755, as amended by Pub. L. 117–81, div. A, title XV, §1526, Dec. 27, 2021, 135 Stat. 2043, provided that:
"(a)
"(b)
"(1) Identification of unified cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements to be imposed on the defense industrial base for the purpose of assessing the cybersecurity of individual contractors.
"(2) Roles and responsibilities of the Under Secretary of Defense for Acquisition and Sustainment, the Under Secretary of Defense for Intelligence and Security, the Chief Information Officer, the Director of the Protecting Critical Technologies Task Force, and the Secretaries of the military departments relating to the following:
"(A) Establishing and ensuring compliance with cybersecurity standards, regulations, and policies.
"(B) Deconflicting existing cybersecurity standards, regulations, and policies.
"(C) Coordinating with and providing assistance to the defense industrial base for cybersecurity matters, particularly as relates to the programs and processes described in paragraphs (8) and (9).
"(D) Management and oversight of the acquisition process, including responsibility determination, solicitation, award, and contractor management, relating to cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements.
"(3) The responsibilities of the prime contractors, and all subcontractors in the supply chain, for implementing the required cybersecurity standards, regulations, metrics, ratings, third-party certifications, and requirements identified under paragraph (1).
"(4) Definitions for 'Controlled Unclassified Information' (CUI) and 'For Official Use Only' (FOUO), policies regarding protecting information designated as either of such, and an explanation of the 'DoD CUI Program' and Department of Defense compliance with the responsibilities specified in Department of Defense Instruction (DoDI) 5200.48, 'Controlled Unclassified Information (CUI),' including the following:
"(A) The extent to which the Department of Defense is identifying whether information is CUI via a contracting vehicle and marking documents, material, and media containing such information in a clear and consistent manner.
"(B) Recommended regulatory or policy changes to ensure consistency and clarity in CUI identification and marking requirements.
"(C) Circumstances under which commercial information is considered CUI, and any impacts to the commercial supply chain associated with security and marking requirements pursuant to this paragraph.
"(D) Benefits and drawbacks of requiring all CUI to be marked with a unique CUI legend, versus requiring that all data marked with an appropriate restricted legend be handled as CUI.
"(E) The extent to which the Department of Defense clearly delineates Federal Contract Information (FCI) from CUI.
"(F) Examples or scenarios to illustrate information that is and is not CUI.
"(5) Methods and programs for managing controlled unclassified information, and for limiting the presence of unnecessary sensitive information on contractor networks.
"(6) A plan to provide implementation guidance, education, manuals, and, as necessary, direct technical support or assistance, to contractors on matters relating to cybersecurity.
"(7) Quantitative metrics for assessing the effectiveness of the overall framework over time, with respect to the exfiltration of controlled unclassified information from the defense industrial base.
"(8) A comprehensive list of current and planned Department of Defense programs to assist the defense industrial base with cybersecurity compliance requirements of the Department, including those programs that provide training, expertise, and funding, and maintain approved security products lists and approved providers lists.
"(9) Processes for enhanced threat information sharing between the Department of Defense and the defense industrial base.
"(c)
"(1) Designating an official to be responsible for the cybersecurity of the defense industrial base.
"(2) Risk-based methodologies, standards, metrics, and tiered cybersecurity requirements for the defense industrial base, including third-party certifications such as the Cybersecurity Maturity Model Certification pilot program, as the basis for a mandatory Department standard.
"(3) Tailoring cybersecurity requirements for small- and medium-sized contractors based on a risk-based approach.
"(4) Ensuring a consistent approach across the Department to cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements of the defense industrial base.
"(5) Ensuring the Department's traceability and visibility of cybersecurity compliance of suppliers to all levels of the supply chain.
"(6) Evaluating incentives and penalties for cybersecurity performance of suppliers.
"(7) Integrating cybersecurity and traditional counterintelligence measures, requirements, and programs.
"(8) Establishing a secure software development environment (DevSecOps) in a cloud environment inside the perimeter of the Department for contractors to perform their development work.
"(9) Establishing a secure cloud environment through which contractors may access the data of the Department needed for their contract work.
"(10) An evaluation of the resources and utilization of Department programs to assist the defense industrial base in complying with cybersecurity compliance requirements referred to in subsection (b)(1).
"(11) Technological means, operational concepts, reference architectures, offensive counterintelligence operation concepts, and plans for operationalization to complicate adversary espionage, including honeypotting and data obfuscation.
"(12) Implementing enhanced security vulnerability assessments for contractors working on critical acquisition programs, technologies, manufacturing capabilities, and research areas.
"(13) Identifying ways to better leverage technology and employ machine learning or artificial intelligence capabilities, such as Internet Protocol monitoring and data integrity capabilities, to be applied to contractor information systems that host, receive, or transmit controlled unclassified information.
"(14) Developing tools to easily segregate program data to only allow subcontractors access to their specific information.
"(15) Appropriate communications of threat assessments of the defense industrial base to the acquisition workforce at all classification levels.
"(16) A single Sector Coordinating Council for the defense industrial base.
"(17) Appropriate communications with the defense industrial base on the impact of cybersecurity requirements in contracting and procurement decisions.
"(d)
"(1) Industry groups representing the defense industrial base.
"(2) Contractors in the defense industrial base.
"(3) The Director of the National Institute of Standards and Technology.
"(4) The Secretary of Energy.
"(5) The Director of National Intelligence.
"(6) Relevant Federal regulatory agencies.
"(e)
"(1)
"(2)
"(A) An overview of the framework developed pursuant to subsection (a).
"(B) Identification of such pilot programs as the Secretary considers may be required to improve the cybersecurity of the defense industrial base.
"(C) Implementation timelines and identification of costs.
"(D) Such recommendations as the Secretary may have for legislative action to improve the cybersecurity of the defense industrial base.
"(f)
"(1)
"(2)
"(3)
"(A) The current status of the development and implementation of the framework developed pursuant to subsection (a).
"(B) A description of the efforts undertaken by the Secretary to evaluate the matters for consideration set forth in subsection (c).
"(C) The current status of any pilot programs the Secretary is carrying out to develop the framework."
Pub. L. 116–92, div. A, title XVI, §1658, Dec. 20, 2019, 133 Stat. 1769, provided that:
"(a)
"(b)
"(1) be of sufficient scale to realistically test cybersecurity products and services;
"(2) feature substantially different architectures and configurations;
"(3) be live, operational networks; and
"(4) feature cybersecurity processes, tools, and technologies that are appropriate for test purposes and representative of the processes, tools, and technologies that are widely used throughout the Department.
"(c)
Pub. L. 115–232, div. A, title XVI, §1639, Aug. 13, 2018, 132 Stat. 2129, provided that:
"(a)
"(b)
"(c)
"(1)
"(2)
Pub. L. 115–232, div. A, title XVI, §1641, Aug. 13, 2018, 132 Stat. 2131, provided that:
"(a)
"(b)
"(c)
"(d)
"(1)
"(2)
"(e)
"(f)
Pub. L. 115–232, div. A, title XVI, §1643, Aug. 13, 2018, 132 Stat. 2133, provided that:
"(a)
"(b)
Pub. L. 115–232, div. A, title XVI, §1644, Aug. 13, 2018, 132 Stat. 2133, as amended by Pub. L. 116–283, div. A, title XVIII, §§1844(e)(2), 1869(e), Jan. 1, 2021, 134 Stat. 4246, 4284; Pub. L. 117–81, div. A, title XVII, §1701(u)(5)(B), Dec. 27, 2021, 135 Stat. 2154, provided that:
"(a)
"(1)
"(2)
"(3)
"(4)
"(5)
"(b)
"(c)
"(1)
"(2)
"(3)
"(d)
"(e)
"(1)
"(2)
"(3)
"(f)
"(1) The Manufacturing Technology Program established under section 4841 of title 10, United States Code.
"(2) The Centers for Science, Technology, and Engineering Partnership program under section 2368 of title 10, United States Code [now 10 U.S.C. 4124].
"(3) The Manufacturing Engineering Education Program established under section 2196 of title 10, United States Code [now 10 U.S.C. 4843].
"(4) The Small Business Innovation Research program.
"(5) The mentor-protégé program.
"(6) Other legal authorities as the Secretary determines necessary to effectively and efficiently carry out this section.
"(g)
"(1)
"(2)
"(3)
"(4)
Pub. L. 115–232, div. A, title XVI, §1645, Aug. 13, 2018, 132 Stat. 2135, provided that:
"(a)
"(b)
"(c)
Pub. L. 115–232, div. A, title XVI, §1647(c), Aug. 13, 2018, 132 Stat. 2136, provided that: "The Chief Information Officer of the Department of Defense, in coordination with the Principal Cyber Advisor, the Director of Operations of the Joint Staff, and the Commander of United States Cyber Command, shall establish risk thresholds for systems and network operations that, when exceeded, would trigger heightened security measures, such as enhanced monitoring and access policy changes."
Pub. L. 115–232, div. A, title XVI, §1655, Aug. 13, 2018, 132 Stat. 2149, provided that:
"(a)
"(1) Whether, and if so, when, within five years before or at any time after the date of the enactment of this Act, the person has allowed a foreign government to review the code of a non-commercial product, system, or service developed for the Department, or whether the person is under any obligation to allow a foreign person or government to review the code of a non-commercial product, system, or service developed for the Department as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.
"(2) Whether, and if so, when, within five years before or at any time after the date of the enactment of this Act, the person has allowed a foreign government listed in section 1654 [of Pub. L. 115–232, 10 U.S.C. 394 note] to review the source code of a product, system, or service that the Department is using or intends to use, or is under any obligation to allow a foreign person or government to review the source code of a product, system, or service that the Department is using or intends to use as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.
"(3) Whether or not the person holds or has sought a license pursuant to the Export Administration Regulations under subchapter C of chapter VII of title 15, Code of Federal Regulations, the International Traffic in Arms Regulations under subchapter M of chapter I of title 22, Code of Federal Regulations, or successor regulations, for information technology products, components, software, or services that contain code custom-developed for the non-commercial product, system, or service the Department is using or intends to use.
"(b)
"(1)
"(2)
"(c)
"(d)
"(1)
"(2)
"(e)
"(f)
"(1) establish within the operational capabilities of the Committee for National Security Systems (CNSS) or within such other agency as the Secretary considers appropriate a registry containing the information disclosed under subsection (a); and
"(2) upon request, make such information available to any agency conducting a procurement pursuant to the Federal Acquisition Regulations or the Defense Federal Acquisition Regulations.
"(g)
"(h)
"(1)
"(A) the Committee on Armed Services, the Select Committee on Intelligence, and the Committee on Homeland Security and Governmental Affairs of the Senate; and
"(B) the Committee on Armed Services, the Permanent Select Committee on Intelligence, the Committee on Homeland Security, and the Committee on Oversight and Government Reform [now Committee on Oversight and Accountability] of the House of Representatives.
"(2)
"(3)
"(4)
"(5)
"(6)
Pub. L. 115–91, div. A, title XVI, §1637, Dec. 12, 2017, 131 Stat. 1742, provided that:
"(a)
"(1)
"(A) establish processes and procedures to integrate strategic information operations and cyber-enabled information operations across the elements of the Department of Defense responsible for such operations, including the elements of the Department responsible for military deception, public affairs, electronic warfare, and cyber operations; and
"(B) ensure that such processes and procedures provide for integrated Defense-wide strategy, planning, and budgeting with respect to the conduct of such operations by the Department, including activities conducted to counter and deter such operations by malign actors.
"(2)
"(3)
"(A) Oversight of strategic policy and guidance.
"(B) Overall resource management for the integration of information operations and cyber-enabled information operations of the Department.
"(C) Coordination with the head of the Global Engagement Center to support the purpose of the Center (as described [in] section 1287(a)(2) of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328; 22 U.S.C. 2656 note)) and liaison with the Center and other relevant Federal Government entities to support such purpose.
"(D) Development of a strategic framework for the conduct of information operations by the Department of Defense, including cyber-enabled information operations, coordinated across all relevant elements of the Department of Defense, including both near-term and long-term guidance for the conduct of such coordinated operations.
"(E) Development and dissemination of a common operating paradigm across the elements of the Department of Defense specified in paragraph (1) to counter the influence, deception, and propaganda activities of key malign actors, including in cyberspace.
"(F) Development of guidance for, and promotion of, the capability of the Department of Defense to liaison with the private sector, including social media, on matters relating to the influence activities of malign actors.
"(b)
"(1)
"(B) The Secretary shall require each commander of a combatant command to develop such requirements and specific plans as may be necessary for the conduct of information operations in support of the strategy required under subparagraph (A), including plans for deterring information operations, including deterrence in the cyber domain, by malign actors against the United States, allies of the United States, and interests of the United States.
"(2)
"(A)
"(i) review the strategy of the Department of Defense titled 'Department of Defense Strategy for Operations in the Information Environment' and dated June 2016; and
"(ii) submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a plan for implementation of such strategy.
"(B)
"(i) An accounting of the efforts undertaken in support of the strategy described in subparagraph (A)(i) in the period since it was issued in June 2016.
"(ii) A description of any updates or changes to such strategy that have been made since it was first issued, as well as any expected updates or changes resulting from the designation of the designated senior official.
"(iii) A description of the role of the Department of Defense as part of a broader whole-of-Government strategy for strategic communications, including a description of any assumptions about the roles and contributions of other departments and agencies of the Federal Government with respect to such a strategy.
"(iv) Defined actions, performance metrics, and projected timelines for achieving each of the 15 tasks specified in the strategy described in subparagraph (A)(i).
"(v) An analysis of any personnel, resourcing, capability, authority, or other gaps that will need to be addressed to ensure effective implementation of the strategy described in subparagraph (A)(i) across all relevant elements of the Department of Defense.
"(vi) An investment framework and projected timeline for addressing any gaps identified under clause (v).
"(vii) Such other matters as the Secretary of Defense considers relevant.
"(C)
"(c)
Pub. L. 115–91, div. A, title XVI, §1638, Dec. 12, 2017, 131 Stat. 1744, provided that:
"(a)
"(b)
"(1) agrees to participate in such exercise; and
"(2) agrees to allow vulnerability testing of the components of the State's election system.
"(c)
Pub. L. 115–91, div. A, title XVI, §1639, Dec. 12, 2017, 131 Stat. 1744, provided that:
"(a)
"(b)
Pub. L. 115–91, div. A, title XVI, §1640, Dec. 12, 2017, 131 Stat. 1745, as amended by Pub. L. 116–283, div. A, title XVII, §1712(b), Jan. 1, 2021, 134 Stat. 4087; Pub. L. 117–81, div. A, title XV, §1525, Dec. 27, 2021, 135 Stat. 2043; Pub. L. 117–263, div. A, title XV, §1503, Dec. 23, 2022, 136 Stat. 2880, which provided for the establishment of the Strategic Cybersecurity Program to ensure the Department of Defense's ability to conduct the most important military missions of the Department, was repealed by Pub. L. 118–31, div. A, title XV, §1502(a)(2)(C), Dec. 22, 2023, 137 Stat. 537. See section 391b of this title.
Pub. L. 114–328, div. A, title XVI, §1644, Dec. 23, 2016, 130 Stat. 2602, provided that:
"(a)
"(1) to support a high state of mission readiness in the command through the use of one or more cyber opposition forces in continuous exercises and other training activities as considered appropriate by the commander of the command; and
"(2) in conducting such exercises and training activities, [to] meet the standard required under subsection (b).
"(b)
"(c)
"(1) provide for applied training and exercise capabilities; and
"(2) use expertise and capabilities from other departments and agencies of the Federal Government, as appropriate.
"(d)
"(1) a list of each combatant command that has established an agreement under subsection (a);
"(2) with respect to each such agreement—
"(A) special conditions in the agreement placed on any cyber opposition force used by the command;
"(B) the process for making decisions about deconfliction and risk mitigation of cyber opposition force activities in continuous exercises and training;
"(C) identification of cyber opposition forces trained and certified to operate at the joint standard, as issued under subsection (b);
"(D) identification of the annual exercises that will include participation of the cyber opposition forces; and
"(E) identification of any shortfalls in resources that may prevent annual exercises using cyber opposition forces; and
"(3) any other matters the Secretary of Defense considers appropriate."
Pub. L. 114–328, div. A, title XVI, §1645, Dec. 23, 2016, 130 Stat. 2603, provided that:
"(a)
"(1)
"(2)
"(A) who the Secretary determines to be highly vulnerable to cyber attacks and hostile information collection activities because of the positions occupied by such personnel in the Department; and
"(B) whose personal technology devices are highly vulnerable to cyber attacks and hostile information collection activities.
"(b)
"(c)
"(1) to encourage personnel of the Department of Defense to use personal technology devices for official business; or
"(2) to authorize cyber protection support for senior Department personnel using personal devices and networks in an official capacity.
"(d)
"(1) a description of the methodology used to make the determination under subsection (a)(2); and
"(2) guidance for the use of cyber protection support and tracking of support requests for personnel receiving cyber protection support under subsection (a).
"(e)
Pub. L. 114–328, div. A, title XVI, §1646, Dec. 23, 2016, 130 Stat. 2604, provided that:
"(a)
"(1) the department or Defense Agency concerned completes operational test and evaluation activities to determine the effectiveness, suitability, and survivability of the joint regional security stacks system of such department or Defense Agency; and
"(2) written certification that such testing and evaluation activities have been completed is provided to the Secretary of such department or the head of such Defense Agency by the appropriate operational test and evaluation organization of such department or Defense Agency.
"(b)
"(1)
"(A) the Secretary of the military department or the head of the Defense Agency concerned;
"(B) the Director of Operational Test and Evaluation for the Department of Defense; and
"(C) the Chief Information Officer of the Department of Defense.
"(2)
"(A) the testing and evaluation activities required under subsection (a) are unnecessary, accompanied by an explanation of the reasons such activities are unnecessary;
"(B) the effectiveness, suitability, and survivability of the joint regional security stacks system of the military department or Defense Agency concerned has been demonstrated by methods other than the testing and evaluation activities required under subsection (a), accompanied by supporting data; or
"(C) national security needs justify full deployment of the joint regional security stacks system of the military department or Defense Agency concerned before the test and evaluation activities required under subsection (a) can be completed, accompanied by an explanation of such justification and a risk management plan."
Pub. L. 114–328, div. A, title XVI, §1650, Dec. 23, 2016, 130 Stat. 2607, as amended by Pub. L. 115–91, div. A, title XVI, §1643, Dec. 12, 2017, 131 Stat. 1748; Pub. L. 115–232, div. A, title XVI, §1634, Aug. 13, 2018, 132 Stat. 2125; Pub. L. 118–31, div. A, title XV, §1502(a)(2)(B), Dec. 22, 2023, 137 Stat. 537, provided that:
"(a)
"(1)
"(2)
"(A) an identification of each of the military installations to be evaluated; and
"(B) an estimate of the cost of the evaluation.
"(3)
"(A) the Armed Forces stationed at such military installations; and
"(B) threats to such military installations.
"(4)
"(b)
"(1)
"(A) to improve the defense of control systems against cyber attacks;
"(B) to increase the resilience of military installations against cybersecurity threats;
"(C) to prevent or mitigate the potential for high-consequence cyber attacks;
"(D) to inform future requirements for the development of such control systems; and
"(E) to assess the strategic benefits derived from, and the challenges associated with, isolating military infrastructure from the national electric grid and the use of microgrids.
"(2)
"(3)
"(4)
"(A) a description of the activities carried out under the pilot program at each military installation concerned;
"(B) an assessment of the value of the methodologies or tools applied during the pilot program in increasing the resilience of military installations against cybersecurity threats;
"(C) recommendations for administrative or legislative actions to improve the ability of the Department to employ methodologies and tools for reducing cyber vulnerabilities in other activities of the Department of Defense; and
"(D) recommendations for including such methodologies or tools as requirements for relevant activities, including technical requirements for systems or military construction projects.
"(5)
"(c)
"(1)
"(2)
"(d)
"(1) develop tools that improve assessments of cyber vulnerabilities of Department of Defense critical infrastructure;
"(2) conduct non-recurring engineering for the design of mitigation solutions for such vulnerabilities; and
"(3) establish Department-wide information repositories to share findings relating to such assessments and to share such mitigation solutions.
"(e)
"(1)
"(2)
"(A) a research laboratory of the Department of Defense; or
"(B) a research laboratory of the Department of Energy approved by the Secretary of Energy to carry out the pilot program under subsection (b)."
Pub. L. 114–328, div. A, title XVI, §1653, Dec. 23, 2016, 130 Stat. 2610, provided that:
"(a)
"(1)
"(A) a plan for a modernized, Department-wide automated information security continuous monitoring capability that includes—
"(i) a proposed information security architecture for the capability;
"(ii) a concept of operations for the capability; and
"(iii) requirements with respect to the functionality and interoperability of the tools, sensors, systems, processes, and other components of the continuous monitoring capability; and
"(B) a comply-to-connect policy that requires systems to automatically comply with the configurations of the networks of the Department as a condition of connecting to such networks.
"(2)
"(3)
"(4)
"(5)
"(6)
"(b)
"(1)
"(A) to count the number of such licenses in use; and
"(B) to determine the security status of each instance of use of the software licensed.
"(2)
"(A) beginning on January 1, 2018, with respect to any contract entered into by the Secretary of Defense on or after such date for the licensing of software; and
"(B) beginning on January 1, 2020, with respect to any contract entered into by the Secretary for the licensing of software that was in effect on December 31, 2017."
Pub. L. 114–92, div. A, title VIII, §807, Nov. 25, 2015, 129 Stat. 886, as amended by Pub. L. 115–232, div. A, title XVI, §1635, Aug. 13, 2018, 132 Stat. 2125; Pub. L. 116–92, div. A, title VIII, §821, Dec. 20, 2019, 133 Stat. 1490; Pub. L. 116–283, div. A, title XVII, §1711, Jan. 1, 2021, 134 Stat. 4086, provided that:
"(a)
"(1)
"(A) Development and acquisition of cyber operations-peculiar equipment and capabilities.
"(B) Acquisition and sustainment of cyber capability-peculiar equipment, capabilities, and services.
"(2)
"(b)
"(1)
"(A) to negotiate memoranda of agreement with the military departments and Department of Defense components to carry out the acquisition of equipment, capabilities, and services described in subsection (a)(1) on behalf of the Command;
"(B) to supervise the acquisition of equipment, capabilities, and services described in subsection (a)(1);
"(C) to represent the Command in discussions with the military departments regarding acquisition programs for which the Command is a customer; and
"(D) to work with the military departments to ensure that the Command is appropriately represented in any joint working group or integrated product team regarding acquisition programs for which the Command is a customer.
"(2)
"(A) responsible to the Commander for rapidly delivering acquisition solutions to meet validated cyber operations-peculiar requirements;
"(B) subordinate to the defense acquisition executive in matters of acquisition;
"(C) subject to the same oversight as the service acquisition executives; and
"(D) included on the distribution list for acquisition directives and instructions of the Department of Defense.
"(c)
"(1)
"(A) program acquisition;
"(B) the Joint Capabilities Integration and Development System Process;
"(C) program management;
"(D) system engineering; and
"(E) costing.
"(2)
"(d)
"(1) development and acquisition of cyber operations-peculiar equipment; and
"(2) acquisition and sustainment of other capabilities or services that are peculiar to cyber operations activities.
"(e)
"(f)
"(1) A Department of Defense definition of—
"(A) cyber operations-peculiar equipment and capabilities; and
"(B) cyber capability-peculiar equipment, capabilities, and services.
"(2) Summaries of the components to be negotiated in the memorandum of agreements with the military departments and other Department of Defense components to carry out the development, acquisition, and sustainment of equipment, capabilities, and services described in subparagraphs (A) and (B) of subsection (a)(1).
"(3) Memorandum of agreement negotiation and approval timelines.
"(4) Plan for oversight of the command acquisition executive established in subsection (b).
"(5) Assessment of the acquisition workforce needs of the United States Cyber Command to support the authority in subsection (a) until 2021.
"(6) Other matters as appropriate.
"(g)
Pub. L. 114–92, div. A, title XVI, §1647, Nov. 25, 2015, 129 Stat. 1118, as amended by Pub. L. 114–328, div. A, title XVI, §1649(b), Dec. 23, 2016, 130 Stat. 2606; Pub. L. 116–92, div. A, title XVI, §1633, Dec. 20, 2019, 133 Stat. 1746; Pub. L. 116–283, div. A, title XVII, §1712(a), Jan. 1, 2021, 134 Stat. 4087; Pub. L. 118–31, div. A, title XV, §1502(a)(2)(A), Dec. 22, 2023, 137 Stat. 537, provided that:
"(a)
"(1)
"(2)
"(b)
"(1)
"(2)
"(3)
"(c)
"(1) develop tools to improve the detection and evaluation of cyber vulnerabilities;
"(2) conduct non-recurring engineering for the design of solutions to mitigate cyber vulnerabilities; and
"(3) establish Department-wide information repositories to share findings relating to the evaluation and mitigation of cyber vulnerabilities.
"(d)
"(e)
"(f)
"(1) An identification of each major weapon system for which an evaluation will not be complete by the date specified in subsection (a)(1), the anticipated date of completion of the evaluation of each such weapon system, and a description of the remaining work to be done for the evaluation of each such weapon system.
"(2) A justification for the inability to complete such an evaluation by the date specified in subsection (a)(1).
"(g)
"(1) An identification of cyber vulnerabilities of each major weapon system requiring mitigation.
"(2) An identification of current and planned efforts to address the cyber vulnerabilities of each major weapon system requiring mitigation, including efforts across the doctrine, organization, training, materiel, leadership and education, personnel, and facilities of the Department.
"(3) A description of joint and common cyber vulnerability mitigation solutions and efforts, including solutions and efforts across the doctrine, organization, training, materiel, leadership and education, personnel, and facilities of the Department.
"(4) A description of lessons learned and best practices regarding evaluations of the cyber vulnerabilities and cyber vulnerability mitigation efforts relating to major weapon systems, including an identification of useful tools and technologies for discovering and mitigating vulnerabilities, such as those specified in section 1657 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115–232) [132 Stat. 2151], and steps taken to institutionalize the use of these tools and technologies.
"(5) A description of efforts to share lessons learned and best practices regarding evaluations of the cyber vulnerabilities and cyber vulnerability mitigation efforts of major weapon systems across the Department.
"(6) An identification of measures taken to institutionalize evaluations of cyber vulnerabilities of major weapon systems, including an identification of which major weapon systems evaluated under this section will be reevaluated in the future, when these evaluations will occur, and how evaluations will occur for future major weapon systems.
"(7) Information relating to guidance, processes, procedures, or other activities established to mitigate or address the likelihood of cyber vulnerabilities of major weapon systems by incorporation of lessons learned in the research, development, test, evaluation, and acquisition cycle, including promotion of cyber education of the acquisition workforce.
"(8) An identification of systems to be incorporated into or that have been incorporated into the National Security Agency's Strategic Cybersecurity Program and the status of these systems in the Program.
"(9) Any other matters the Secretary determines relevant.
"(h)
"(i)
Pub. L. 113–291, div. A, title X, §1078, Dec. 19, 2014, 128 Stat. 3520, provided that:
"(a)
"(1)
"(2)
"(3)
"(b)
"(c)
Pub. L. 113–66, div. A, title IX, §932, Dec. 26, 2013, 127 Stat. 829, as amended by Pub. L. 116–283, div. A, title XVII, §1713(a), Jan. 1, 2021, 134 Stat. 4089; Pub. L. 117–81, div. A, title XV, §1503(a), Dec. 27, 2021, 135 Stat. 2021; Pub. L. 117–263, div. A, title X, §1081(d), title XV, §1501(a), (b)(2)(A), (B), Dec. 23, 2022, 136 Stat. 2797, 2877, 2878, provided that:
"(a)
"(b)
"(1)
"(2)
"(A) have not been previously identified and prepared for attack; and
"(B) must be compromised or neutralized immediately without regard to whether the adversary can detect or attribute the attack.
"[(c) Transferred to section 392a(a) of this title.]
"(d)
Pub. L. 114–328, div. A, title XVI, §1643(b), Dec. 23, 2016, 130 Stat. 2602, as amended by Pub. L. 117–263, div. A, title XV, §1501(c)(3), Dec. 23, 2022, 136 Stat. 2879, provided that: "The Principal Cyber Advisor to the Secretary of Defense, acting through the cross-functional team under section 392a(a)(3) of title 10, United States Code, and in consultation with the Commander of the United States Cyber Command, shall supervise—
"(1) the development of training standards for computer network operations tool developers for military, civilian, and contractor personnel supporting the cyber mission forces;
"(2) the rapid enhancement of capacity to train personnel to those standards to meet the needs of the cyber mission forces for tool development; and
"(3) actions necessary to ensure timely completion of personnel security investigations and adjudications of security clearances for tool development personnel."
Pub. L. 113–66, div. A, title IX, §937, Dec. 26, 2013, 127 Stat. 834, as amended by Pub. L. 114–92, div. A, title II, §231, Nov. 25, 2015, 129 Stat. 778, provided that:
"(a)
"(1)
"(2)
"(b)
"(c)
"(1) be established pursuant to the trusted defense systems strategy of the Department and supporting policies related to software assurance and supply chain risk management; and
"(2) set forth—
"(A) the role of the federation in supporting program offices in implementing the trusted defense systems strategy of the Department;
"(B) the software and hardware assurance expertise and capabilities of the federation, including policies, standards, requirements, best practices, contracting, training, and testing;
"(C) the requirements for the discharge by the federation of a program of research and development to improve automated software code vulnerability analysis and testing tools;
"(D) the requirements for the federation to procure, manage, and distribute enterprise licenses for automated software vulnerability analysis tools; and
"(E) the requirements for the discharge by the federation of a program of research and development to improve hardware vulnerability, testing, and protection tools.
"(d)
Pub. L. 112–239, div. A, title IX, §933, Jan. 2, 2013, 126 Stat. 1884, as amended by Pub. L. 116–283, div. A, title XVIII, §1806(e)(2)(A), Jan. 1, 2021, 134 Stat. 4155, provided that:
"(a)
"(b)
"(1) require use of appropriate automated vulnerability analysis tools in computer software code during the entire lifecycle of a covered system, including during development, operational testing, operations and sustainment phases, and retirement;
"(2) require covered systems to identify and prioritize security vulnerabilities and, based on risk, determine appropriate remediation strategies for such security vulnerabilities;
"(3) ensure such remediation strategies are translated into contract requirements and evaluated during source selection;
"(4) promote best practices and standards to achieve software security, assurance, and quality; and
"(5) support competition and allow flexibility and compatibility with current or emerging software methodologies.
"(c)
"(1) collect data on implementation of the policy developed under subsection (a) and measure the effectiveness of such policy, including the particular elements required under subsection (b); and
"(2) identify and promote best practices, tools, and standards for developing and validating assured software for the Department of Defense.
"(d)
"(1) A research and development strategy to advance capabilities in software assurance and vulnerability detection.
"(2) The state-of-the-art of software assurance analysis and test.
"(3) How the Department might hold contractors liable for software defects or vulnerabilities.
"(e)
"(1)
"(A) a major system, as that term is defined in section 3041 of title 10, United States Code;
"(B) a national security system, as that term is defined in [former] section 3542(b)(2) of title 44, United States Code [see now 44 U.S.C. 3552(b)(6)]; or
"(C) a Department of Defense information system categorized as Mission Assurance Category I in Department of Defense Directive 8500.01E that is funded by the Department of Defense.
"(2)
Pub. L. 112–239, div. A, title IX, §941, Jan. 2, 2013, 126 Stat. 1889, which authorized the Secretary of Defense to establish criteria and reporting procedures applicable to penetration of cleared defense contractors' networks or information systems, was transferred to chapter 19 of this title, redesignated as section 393, and amended by Pub. L. 114–92, div. A, title XVI, §1641(a), Nov. 25, 2015, 129 Stat. 1114.
Pub. L. 112–81, div. A, title IX, §922, Dec. 31, 2011, 125 Stat. 1537, as amended by Pub. L. 114–92, div. A, title X, §1073(e), Nov. 25, 2015, 129 Stat. 996, provided that:
"(a)
"(b)
"(1) Technology solutions for deployment within the Department of Defense that allow for centralized monitoring and detection of unauthorized activities, including—
"(A) monitoring the use of external ports and read and write capability controls;
"(B) disabling the removable media ports of computers physically or electronically;
"(C) electronic auditing and reporting of unusual and unauthorized user activities;
"(D) using data-loss prevention and data-rights management technology to prevent the unauthorized export of information from a network or to render such information unusable in the event of the unauthorized export of such information;
"(E) a roles-based access certification system;
"(F) cross-domain guards for transfers of information between different networks; and
"(G) patch management for software and security updates.
"(2) Policies and procedures to support such program, including special consideration for policies and procedures related to international and interagency partners and activities in support of ongoing operations in areas of hostilities.
"(3) A governance structure and process that integrates information security and sharing technologies with the policies and procedures referred to in paragraph (2). Such structure and process shall include—
"(A) coordination with the existing security clearance and suitability review process;
"(B) coordination of existing anomaly detection techniques, including those used in counterintelligence investigation or personnel screening activities; and
"(C) updating and expediting of the classification review and marking process.
"(4) A continuing analysis of—
"(A) gaps in security measures under the program; and
"(B) technology, policies, and processes needed to increase the capability of the program beyond the initially established full operating capability to address such gaps.
"(5) A baseline analysis framework that includes measures of performance and effectiveness.
"(6) A plan for how to ensure related security measures are put in place for other departments or agencies with access to Department of Defense networks.
"(7) A plan for enforcement to ensure that the program is being applied and implemented on a uniform and consistent basis.
"(c)
"(1) achieves initial operating capability not later than October 1, 2012; and
"(2) achieves full operating capability not later than October 1, 2013.
"(d)
"(1) the implementation plan for the program established under subsection (a);
"(2) the resources required to implement the program;
"(3) specific efforts to ensure that implementation does not negatively impact activities in support of ongoing operations in areas of hostilities;
"(4) a definition of the capabilities that will be achieved at initial operating capability and full operating capability, respectively; and
"(5) a description of any other issues related to such implementation that the Secretary considers appropriate.
"(e)
"(1) Not later than 90 days after the date of the enactment of this Act [Dec. 31, 2011], a briefing describing the governance structure referred to in subsection (b)(3).
"(2) Not later than 120 days after the date of the enactment of this Act, a briefing detailing the inventory and status of technology solutions deployment referred to in subsection (b)(1), including an identification of the total number of host platforms planned for such deployment, the current number of host platforms that provide appropriate security, and the funding and timeline for remaining deployment.
"(3) Not later than 180 days after the date of the enactment of this Act, a briefing detailing the policies and procedures referred to in subsection (b)(2), including an assessment of the effectiveness of such policies and procedures and an assessment of the potential impact of such policies and procedures on information sharing within the Department of Defense and with interagency and international partners."
Pub. L. 112–81, div. A, title IX, §953, Dec. 31, 2011, 125 Stat. 1550, provided that:
"(a)
"(b)
"(1)
"(A) be adequate to enable well-trained analysts to discover the sophisticated attacks conducted by nation-state adversaries that are categorized as 'advanced persistent threats';
"(B) be appropriate for—
"(i) endpoints or hosts;
"(ii) network-level gateways operated by the Defense Information Systems Agency where the Department of Defense network connects to the public Internet; and
"(iii) global networks owned and operated by private sector Tier 1 Internet Service Providers;
"(C) at the endpoints or hosts, add new discovery capabilities to the Host-Based Security System of the Department, including capabilities such as—
"(i) automatic blocking of unauthorized software programs and accepting approved and vetted programs;
"(ii) constant monitoring of all key computer attributes, settings, and operations (such as registry keys, operations running in memory, security settings, memory tables, event logs, and files); and
"(iii) automatic baselining and remediation of altered computer settings and files;
"(D) at the network-level gateways and internal network peering points, include the sustainment and enhancement of a system that is based on full-packet capture, session reconstruction, extended storage, and advanced analytic tools, by—
"(i) increasing the number and skill level of the analysts assigned to query stored data, whether by contracting for security services, hiring and training Government personnel, or both; and
"(ii) increasing the capacity of the system to handle the rates for data flow through the gateways and the storage requirements specified by the United States Cyber Command; and
"(E) include the behavior-based threat detection capabilities of Tier 1 Internet Service Providers and other companies that operate on the global Internet.
"(2)
"(c)
"(d)
"(e)
Pub. L. 111–383, div. A, title IX, §932, Jan. 7, 2011, 124 Stat. 4335, as amended by Pub. L. 116–283, div. A, title XVIII, §1806(e)(2)(B), Jan. 1, 2021, 134 Stat. 4155, provided that:
"(a)
"(b)
"(1) A major system, as that term is defined in section 3041 of title 10, United States Code.
"(2) A national security system, as that term is defined in [former] section 3542(b)(2) of title 44, United States Code [see now 44 U.S.C. 3552(b)(6)].
"(3) Any Department of Defense information system categorized as Mission Assurance Category I.
"(4) Any Department of Defense information system categorized as Mission Assurance Category II in accordance with Department of Defense Directive 8500.01E.
"(c)
"(1) Policy and regulations on the following:
"(A) Software assurance generally.
"(B) Contract requirements for software assurance for covered systems in development and production.
"(C) Inclusion of software assurance in milestone reviews and milestone approvals.
"(D) Rigorous test and evaluation of software assurance in development, acceptance, and operational tests.
"(E) Certification and accreditation requirements for software assurance for new systems and for updates for legacy systems, including mechanisms to monitor and enforce reciprocity of certification and accreditation processes among the military departments and Defense Agencies.
"(F) Remediation in legacy systems of critical software assurance deficiencies that are defined as critical in accordance with the Application Security Technical Implementation Guide of the Defense Information Systems Agency.
"(2) Allocation of adequate facilities and other resources for test and evaluation and certification and accreditation of software to meet applicable requirements for research and development, systems acquisition, and operations.
"(3) Mechanisms for protection against compromise of information systems through the supply chain or cyber attack by acquiring and improving automated tools for—
"(A) assuring the security of software and software applications during software development;
"(B) detecting vulnerabilities during testing of software; and
"(C) detecting intrusions during real-time monitoring of software applications.
"(4) Mechanisms providing the Department of Defense with the capabilities—
"(A) to monitor systems and applications in order to detect and defeat attempts to penetrate or disable such systems and applications; and
"(B) to ensure that such monitoring capabilities are integrated into the Department of Defense system of cyber defense-in-depth capabilities.
"(5) An update to Committee for National Security Systems Instruction No. 4009, entitled 'National Information Assurance Glossary', to include a standard definition for software security assurance.
"(6) Either—
"(A) mechanisms to ensure that vulnerable Mission Assurance Category III information systems, if penetrated, cannot be used as a foundation for penetration of protected covered systems, and means for assessing the effectiveness of such mechanisms; or
"(B) plans to address critical vulnerabilities in Mission Assurance Category III information systems to prevent their use for intrusions of Mission Assurance Category I systems and Mission Assurance Category II systems.
"(7) A funding mechanism for remediation of critical software assurance vulnerabilities in legacy systems.
"(d)
"(1) A description of the current status of the strategy required by subsection (a) and of the implementation of the strategy, including a description of the role of the strategy in the risk management by the Department regarding the supply chain and in operational planning for cyber security.
"(2) A description of the risks, if any, that the Department will accept in the strategy due to limitations on funds or other applicable constraints."
Pub. L. 106–398, §1 [[div. A], title IX, §921], Oct. 30, 2000, 114 Stat. 1654, 1654A–233, provided that:
"(a)
"(b)
"(1) to conduct research and technology development that is relevant to foreseeable computer and network security requirements and information assurance requirements of the Department of Defense with a principal focus on areas not being carried out by other organizations in the private or public sector; and
"(2) to facilitate the exchange of information regarding cyberthreats, technology, tools, and other relevant issues.
"(c)
"(d)
"(e)