U.S.C. Title 10 - ARMED FORCES

Sec.

391.

Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors.

392.

Executive agents for cyber test and training ranges.

393.

Reporting on penetrations of networks and information systems of certain contractors.

394.

Authorities concerning military cyber operations.

395.

Notification requirements for sensitive military cyber operations.

396.

Notification requirements for cyber weapons.

397.

Principal Information Operations Advisor.

Amendments

2019—Pub. L. 116–92, div. A, title XVI, §1631(a)(2)(A), Dec. 20, 2019, 133 Stat. 1742, substituted "CYBER AND INFORMATION OPERATIONS MATTERS" for "CYBER MATTERS" in chapter heading and added item 397.

2018—Pub. L. 115–232, div. A, title XVI, §1631(c)(2), Aug. 13, 2018, 132 Stat. 2123, added items 394 to 396.

2015—Pub. L. 114–92, div. A, title X, §1081(a)(4), title XVI, §1641(c)(2), Nov. 25, 2015, 129 Stat. 1001, 1116, substituted "Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors" for "Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors" in item 391 and added item 393.

2014—Pub. L. 113–291, div. A, title XVI, §1633(d), Dec. 19, 2014, 128 Stat. 3643, added item 392.

§391. Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors

(a) Designation of Department Component to Receive Reports.—The Secretary of Defense shall designate a component of the Department of Defense to receive reports of cyber incidents from contractors in accordance with this section and section 393 of this title or from other governmental entities.

(b) Procedures for Reporting Cyber Incidents.—The Secretary of Defense shall establish procedures that require an operationally critical contractor to report in a timely manner to component designated under subsection (a) each time a cyber incident occurs with respect to a network or information system of such operationally critical contractor.

(1) Designation and notification.—The procedures established pursuant to subsection (a) shall include a process for—

(B) notifying a contractor that it has been designated as an operationally critical contractor.

(2) Rapid reporting.—The procedures established pursuant to subsection (a) shall require each operationally critical contractor to rapidly report to the component of the Department designated pursuant to subsection (d)(2)(A) on each cyber incident with respect to any network or information systems of such contractor. Each such report shall include the following:

(A) An assessment by the contractor of the effect of the cyber incident on the ability of the contractor to meet the contractual requirements of the Department.

(3) Department assistance and access to equipment and information by department personnel.—The procedures established pursuant to subsection (a) shall—

(A) include mechanisms for Department personnel to, if requested, assist operationally critical contractors in detecting and mitigating penetrations; and

(B) provide that an operationally critical contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated.

(4) Protection of trade secrets and other information.—The procedures established pursuant to subsection (a) shall provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.

(5) Dissemination of information.—The procedures established pursuant to subsection (a) shall limit the dissemination of information obtained or derived through the procedures to entities—

(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;

(D) for national security purposes, including cyber situational awareness and defense purposes.

(d) Protection From Liability of Operationally Critical Contractors.—(1) No cause of action shall lie or be maintained in any court against any operationally critical contractor, and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with procedures established pursuant to subsection (b).

(i) to require dismissal of a cause of action against an operationally critical contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (b); or

(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.

(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each operationally critical contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.

(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.

(1) Cyber incident.—The term "cyber incident" means actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.

(2) Operationally critical contractor.—The term "operationally critical contractor" means a contractor designated by the Secretary for purposes of this section as a critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.

(Added Pub. L. 113–291, div. A, title XVI, §1632(a), Dec. 19, 2014, 128 Stat. 3639; amended Pub. L. 114–92, div. A, title XVI, §1641(b), (c)(1), Nov. 25, 2015, 129 Stat. 1115, 1116.)

Amendments

2015—Subsec. (a). Pub. L. 114–92, §1641(c)(1), substituted "and section 393 of this title" for "and with section 941 of the National Defense Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note)".

Subsecs. (d), (e). Pub. L. 114–92, §1641(b), added subsec. (d) and redesignated former subsec. (d) as (e).

Senior Military Advisor for Cyber Policy and Deputy Principal Cyber Advisor

Pub. L. 116–92, div. A, title IX, §905, Dec. 20, 2019, 133 Stat. 1557, provided that:

"(1) In general.—The Under Secretary of Defense for Policy shall, acting through the Joint Staff, designate an officer within the Office of the Under Secretary of Defense for Policy to serve within that Office as the Senior Military Advisor for Cyber Policy, and concurrently, as the Deputy Principal Cyber Advisor.

"(2) Officers eligible for designation.—The officer designated pursuant to this subsection shall be designated from among commissioned regular officers of the Armed Forces in a general or flag officer grade who are qualified for designation[.]

"(3) Grade.—The officer designated pursuant to this subsection shall have the grade of major general or rear admiral (upper half) while serving in that position, without vacating the officer's permanent grade.

"(1) In general.—The officer designated pursuant to subsection (a) is each of the following:

"(A) The Senior Military Advisor for Cyber Policy to the Under Secretary of Defense for Policy.

"(2) Direction and control and reporting.—In carrying out duties under this section, the officer designed [sic, probably should be "designated"] pursuant to subsection (a) shall be subject to the authority, direction, and control of, and shall report directly to, the following:

"(A) The Under Secretary with respect to Senior Military Advisor for Cyber Policy duties.

"(B) The Principal Cyber Advisor with respect to Deputy Principal Cyber Advisor duties.

"(1) Duties as senior military advisor for cyber policy.—The duties of the officer designated pursuant to subsection (a) as Senior Military Advisor for Cyber Policy are as follows:

"(A) To serve as the principal uniformed military advisor on military cyber forces and activities to the Under Secretary of Defense for Policy.

"(B) To assess and advise the Under Secretary on aspects of policy relating to military cyberspace operations, resources, personnel, cyber force readiness, cyber workforce development, and defense of Department of Defense networks.

"(C) To advocate, in consultation with the Joint Staff, and senior officers of the Armed Forces and the combatant commands, for consideration of military issues within the Office of the Under Secretary of Defense for Policy, including coordination and synchronization of Department cyber forces and activities.

"(D) To maintain open lines of communication between the Chief Information Officer of the Department of Defense, senior civilian leaders within the Office of the Under Secretary, and senior officers on the Joint Staff, the Armed Forces, and the combatant commands on cyber matters, and to ensure that military leaders are informed on cyber policy decisions.

"(2) Duties as deputy principal cyber advisor.—The duties of the officer designated pursuant to subsection (a) as Deputy Principal Cyber Advisor are as follows:

"(A) To synchronize, coordinate, and oversee implementation of the Cyber Strategy of the Department of Defense and other relevant policy and planning.

"(B) To advise the Secretary of Defense on cyber programs, projects, and activities of the Department, including with respect to policy, training, resources, personnel, manpower, and acquisitions and technology.

"(C) To oversee implementation of Department policy and operational directives on cyber programs, projects, and activities, including with respect to resources, personnel, manpower, and acquisitions and technology.

"(D) To assist in the overall supervision of Department cyber activities relating to offensive missions.

"(E) To assist in the overall supervision of Department defensive cyber operations, including activities of component-level cybersecurity service providers and the integration of such activities with activities of the Cyber Mission Force.

"(F) To advise senior leadership of the Department on, and advocate for, investment in capabilities to execute Department missions in and through cyberspace.

"(G) To identify shortfalls in capabilities to conduct Department missions in and through cyberspace, and make recommendations on addressing such shortfalls in the Program Budget Review process.

"(H) To coordinate and consult with stakeholders in the cyberspace domain across the Department in order to identify other issues on cyberspace for the attention of senior leadership of the Department.

"(I) On behalf of the Principal Cyber Advisor, to lead the cross-functional team established pursuant to 932(c)(3) of the National Defense Authorization Act for Fiscal Year 2014 [Pub. L. 113–66] (10 U.S.C. 2224 note) in order to synchronize and coordinate military and civilian cyber forces and activities of the Department."

Cyber Governance Structures and Principal Cyber Advisors on Military Cyber Force Matters

Pub. L. 116–92, div. A, title XVI, §1657, Dec. 20, 2019, 133 Stat. 1767, provided that:

"(1) In general.—Not later than 270 days after the date of the enactment of this Act [Dec. 20, 2019], each of the secretaries of the military departments, in consultation with the service chiefs, shall appoint an independent Principal Cyber Advisor for each service to act as the principal advisor to the relevant secretary on all cyber matters affecting that military service.

"(2) Nature of position.—Each Principal Cyber Advisor position under paragraph (1) shall—

"(A) be a senior civilian leadership position, filled by a senior member of the Senior Executive Service, not lower than the equivalent of a 3-star general officer, or by exception a comparable military officer with extensive cyber experience;

"(B) exclusively occupy the Principal Cyber Advisor position and not assume any other position or responsibility in the relevant military department;

"(D) report directly to and advise the secretary of the relevant military department and advise the relevant service's senior uniformed officer.

"(3) Notification.—Each of the secretaries of the military departments shall notify the Committees on Armed Services of the Senate and House of Representatives of his or her Principal Cyber Advisor appointment. In the case that the appointee is a military officer, the notification shall include a justification for the selection and an explanation of the appointee's ability to execute the responsibilities of the Principal Cyber Advisor.

"(b) Responsibilities of Principal Cyber Advisors.—Each Principal Cyber Advisor under subsection (a) shall be responsible for advising both the secretary of the relevant military department and the senior uniformed military officer of the relevant military service and implementing the Department of Defense Cyber Strategy within the service by coordinating and overseeing the execution of the service's policies and programs relevant to the following:

"(1) The recruitment, resourcing, and training of military cyberspace operations forces, assessment of these forces against standardized readiness metrics, and maintenance of these forces at standardized readiness levels.

"(2) Acquisition of offensive, defensive, and Department of Defense Information Networks cyber capabilities for military cyberspace operations.

"(4) Acquisition of cybersecurity tools and capabilities, including those used by cybersecurity service providers.

"(5) Evaluating, improving, and enforcing a culture of cybersecurity warfighting and accountability for cybersecurity and cyberspace operations.

"(6) Cybersecurity and related supply chain risk management of the industrial base.

"(7) Cybersecurity of Department of Defense information systems, information technology services, and weapon systems, including the incorporation of cybersecurity threat information as part of secure development processes, cybersecurity testing, and the mitigation of cybersecurity risks.

"(c) Coordination.—To ensure service compliance with the Department of Defense Cyber Strategy, each Principal Cyber Advisor under subsection (a) shall work in close coordination with the following:

"(1) In general.—Each of the secretaries of the military departments shall require service components with responsibilities associated with cyberspace operations forces, offensive or defensive cyberspace operations and capabilities, and cyberspace issues relevant to the duties specified in subsection (b) to transmit the proposed budget for such responsibilities for a fiscal year and for the period covered by the future-years defense program submitted to Congress under section 221 of title 10, United States Code, for that fiscal year to the relevant service's Principal Cyber Advisor for review under subparagraph (B) before submitting the proposed budget to the department's comptroller.

"(2) Review.—Each Principal Cyber Advisor under subsection (a)(1) shall review each proposed budget transmitted under paragraph (1) and submit to the secretary of the relevant military department a report containing the comments of the Principal Cyber Advisor with respect to all such proposed budgets, together with the certification of the Principal Cyber Advisor regarding whether each proposed budget is adequate.

"(3) Report.—Not later than March 31 of each year, each of the secretaries of the military departments shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report specifying each proposed budget for the subsequent fiscal year contained in the most-recent report submitted under paragraph (2) that the Principal Cyber Advisor did not certify to be adequate. The report of the secretary shall include a discussion of the actions that the secretary took or proposes to take, together with any additional comments that the Secretary considers appropriate regarding the adequacy or inadequacy of the proposed budgets.

"(e) Principal Cyber Advisors' Briefing to Congress.—Not later than February 1, 2021, and biannually thereafter, each Principal Cyber Advisor under subsection (a) shall brief the Committees on Armed Services of the Senate and House of Representatives on that Advisor's activities and ability to perform the functions specified in subsection (b).

"(1) In general.—Not later than January 1, 2021, each of the secretaries of the military departments shall review the relevant military department's current governance model for cybersecurity with respect to current authorities and responsibilities.

"(A) An assessment of whether additional changes beyond the appointment of a Principal Cyber Advisor pursuant to subsection (a) are required.

"(B) Consideration of whether the current governance structure and assignment of authorities—

"(ii) enable effective Chief Information Officer and Chief Information Security Officer action;

"(iii) are adequately consolidated so that the authority and responsibility for cybersecurity risk management are clear and at an appropriate level of seniority;

"(iv) provide authority to a single individual to certify compliance of Department of Defense information systems and information technology services with all current cybersecurity standards; and

"(v) support efficient coordination across the military services, the Office of the Secretary of Defense, the Defense Information Systems Agency, and United States Cyber Command.

"(3) Briefing.—Not later than October 1, 2020, each of the secretaries of the military departments shall brief the Committees on Armed Services of the Senate and House of Representatives on the findings of the Secretary with respect to the review conducted by the Secretary pursuant to paragraph (1)."

Consortia of Universities To Advise Secretary of Defense on Cybersecurity Matters

Pub. L. 116–92, div. A, title XVI, §1659, Dec. 20, 2019, 133 Stat. 1770, provided that:

"(a) Establishment and Function.—The Secretary of Defense shall establish one or more consortia of universities to assist the Secretary on cybersecurity matters relating to the following:

"(1) To provide the Secretary a formal mechanism to communicate with consortium or consortia members regarding the Department of Defense's cybersecurity strategic plans, cybersecurity requirements, and priorities for basic and applied cybersecurity research.

"(2) To advise the Secretary on the needs of academic institutions related to cybersecurity and research conducted on behalf of the Department and provide feedback to the Secretary from members of the consortium or consortia.

"(3) To serve as a focal point or focal points for the Secretary and the Department for the academic community on matters related to cybersecurity, cybersecurity research, conceptual and academic developments in cybersecurity, and opportunities for closer collaboration between academia and the Department.

"(4) To provide to the Secretary access to the expertise of the institutions of the consortium or consortia on matters relating to cybersecurity.

"(b) Membership.—The consortium or consortia established under subsection (a) shall be open to all universities that have been designated as centers of academic excellence by the Director of the National Security Agency or the Secretary of Homeland Security.

"(1) Designation of administrative chair and terms.—For each consortium established under subsection (a), the Secretary of Defense, based on recommendations from the members of the consortium, shall designate one member of the consortium to function as an administrative chair of the consortium for a term with a specific duration specified by the Secretary.

"(2) Subsequent terms.—No member of a consortium designated under paragraph (1) may serve as the administrative chair of that consortium for two consecutive terms.

"(3) Duties of administrative chair.—Each administrative chair designated under paragraph (1) for a consortium shall—

"(A) act as the leader of the consortium for the term specified by the Secretary under paragraph (1);

"(C) distribute requests from the Secretary for advice and assistance to appropriate members of the consortium and coordinate responses back to the Secretary; and

"(D) act as a clearinghouse for Department of Defense requests relating to assistance on matters relating to cybersecurity and to provide feedback to the Secretary from members of the consortium.

"(4) Executive committee.—For each consortium, the Secretary, in consultation with the administrative chair, may form an executive committee comprised of university representatives to assist the chair with the management and functions of the consortia. Executive committee institutions may not serve consecutive terms before all other consortium institutions have been afforded the opportunity to hold the position.

"(d) Consultation.—The Secretary, or a senior level designee, shall meet with each consortium not less frequently than twice per year, or at a periodicity agreed to between the Department and each such consortium.

"(e) Procedures.—The Secretary shall establish procedures for organizations within the Department to access the work product produced by and the research, capabilities, and expertise of a consortium established under subsection (a) and the universities that constitute such consortium."

Issuance of Procedures

Pub. L. 113–291, div. A, title XVI, §1632(b), Dec. 19, 2014, 128 Stat. 3640, provided that: "The Secretary shall establish the procedures required by subsection (b) of section 391 of title 10, United States Code, as added by subsection (a) of this section, not later than 90 days after the date of the enactment of this Act [Dec. 19, 2014]."

Assessment of Department Policies

Pub. L. 113–291, div. A, title XVI, §1632(c), Dec. 19, 2014, 128 Stat. 3640, provided that:

"(1) In general.—Not later than 90 days after the date of the enactment of the Act [Dec. 19, 2014], the Secretary of Defense shall complete an assessment of—

"(A) requirements that were in effect on the day before the date of the enactment of this Act for contractors to share information with Department components regarding cyber incidents (as defined in subsection (d) [now (e)] of such section 391 [10 U.S.C. 391(e)]) with respect to networks or information systems of contractors; and

"(B) Department policies and systems for sharing information on cyber incidents with respect to networks or information systems of Department contractors.

"(2) Actions following assessment.—Upon completion of the assessment required by paragraph (1), the Secretary shall—

"(A) designate a Department component under subsection (a) of such section 391; and

"(B) issue or revise guidance applicable to Department components that ensures the rapid sharing by the component designated pursuant to such section 391 or section 941 of the National Defense Authorization Act for Fiscal Year 2013 [Pub. L. 112–239] (10 U.S.C. 2224 note) of information relating to cyber incidents with respect to networks or information systems of contractors with other appropriate Department components."

§392. Executive agents for cyber test and training ranges

(a) Executive Agent.—The Secretary of Defense, in consultation with the Principal Cyber Advisor, shall—

(1) designate a senior official from among the personnel of the Department of Defense to act as the executive agent for cyber and information technology test ranges; and

(2) designate a senior official from among the personnel of the Department of Defense to act as the executive agent for cyber and information technology training ranges.

(1) Establishment.—The Secretary of Defense shall prescribe the roles, responsibilities, and authorities of the executive agents designated under subsection (a). Such roles, responsibilities, and authorities shall include the development of a biennial integrated plan for cyber and information technology test and training resources.

(2) Biennial integrated plan.—The biennial integrated plan required under paragraph (1) shall include plans for the following:

(A) Developing and maintaining a comprehensive list of cyber and information technology ranges, test facilities, test beds, and other means of testing, training, and developing software, personnel, and tools for accommodating the mission of the Department. Such list shall include resources from both governmental and nongovernmental entities.

(B) Organizing and managing designated cyber and information technology test ranges, including—

(i) establishing the priorities for cyber and information technology ranges to meet Department objectives;

(ii) enforcing standards to meet requirements specified by the United States Cyber Command, the training community, and the research, development, testing, and evaluation community;

(iii) identifying and offering guidance on the opportunities for integration amongst the designated cyber and information technology ranges regarding test, training, and development functions;

(iv) finding opportunities for cost reduction, integration, and coordination improvements for the appropriate cyber and information technology ranges;

(v) adding or consolidating cyber and information technology ranges in the future to better meet the evolving needs of the cyber strategy and resource requirements of the Department;

(vi) finding opportunities to continuously enhance the quality and technical expertise of the cyber and information technology test workforce through training and personnel policies; and

(vii) coordinating with interagency and industry partners on cyber and information technology range issues.

(i) may add or consolidate cyber and information technology ranges in the future to better meet the evolving needs of the cyber strategy and resource requirements of the Department;

(ii) coordinates with interagency and industry partners on cyber and information technology range issues;

(iii) allows for integrated closed loop testing in a secure environment of cyber and electronic warfare capabilities;

(iv) supports science and technology development, experimentation, testing and training; and

(v) provides for interconnection with other existing cyber ranges and other kinetic range facilities in a distributed manner.

(E) Performing such other assessments or analyses as the Secretary considers appropriate.

(3) Standard for cyber event data.—The executive agents designated under subsection (a), in consultation with the Chief Information Officer of the Department of Defense, shall jointly select a standard language from open-source candidates for representing and communicating cyber event and threat data. Such language shall be machine-readable for the Joint Information Environment and associated test and training ranges.

(c) Support Within Department of Defense.—The Secretary of Defense shall ensure that the military departments, Defense Agencies, and other components of the Department of Defense provide the executive agents designated under subsection (a) with the appropriate support and resources needed to perform the roles, responsibilities, and authorities of the executive agents.

(d) Compliance With Existing Directive.—The Secretary shall carry out this section in compliance with Directive 5101.1.

(1) The term "designated cyber and information technology range" includes the National Cyber Range, the Joint Information Operations Range, the Defense Information Assurance Range, and the C4 Assessments Division of J6 of the Joint Staff.

(2) The term "Directive 5101.1" means Department of Defense Directive 5101.1, or any successor directive relating to the responsibilities of an executive agent of the Department of Defense.

(3) The term "executive agent" has the meaning given the term "DoD Executive Agent" in Directive 5101.1.

(Added Pub. L. 113–291, div. A, title XVI, §1633(a), Dec. 19, 2014, 128 Stat. 3641.)

Designation and Roles and Responsibilities; Selection of Standard Language

Pub. L. 113–291, div. A, title XVI, §1633(b), (c), Dec. 19, 2014, 128 Stat. 3642, provided that:

"(b) Designation and Roles and Responsibilities.—The Secretary of Defense shall—

"(1) not later than 120 days after the date of the enactment of this Act [Dec. 19, 2014], designate the executive agents required under subsection (a) of section 392 of title 10, United States Code, as added by subsection (a) of this section; and

"(2) not later than one year after the date of the enactment of this Act, prescribe the roles, responsibilities, and authorities required under subsection (b) of such section 392.

"(c) Selection of Standard Language.—Not later than June 1, 2015, the executive agents designated under subsection (a) of section 392 of title 10, United States Code, as added by subsection (a) of this section, shall select the standard language under subsection (b)(3) of such section 392."

§393. Reporting on penetrations of networks and information systems of certain contractors

(a) Procedures for Reporting Penetrations.—The Secretary of Defense shall establish procedures that require each cleared defense contractor to report to a component of the Department of Defense designated by the Secretary for purposes of such procedures when a network or information system of such contractor that meets the criteria established pursuant to subsection (b) is successfully penetrated.

(1) Criteria.—The Secretary of Defense shall designate a senior official to, in consultation with the officials specified in paragraph (2), establish criteria for covered networks to be subject to the procedures for reporting system penetrations under subsection (a).

(1) Rapid reporting.—The procedures established pursuant to subsection (a) shall require each cleared defense contractor to rapidly report to a component of the Department of Defense designated pursuant to subsection (a) of each successful penetration of the network or information systems of such contractor that meet the criteria established pursuant to subsection (b). Each such report shall include the following:

(B) A sample of the malicious software, if discovered and isolated by the contractor, involved in such penetration.

(C) A summary of information created by or for the Department in connection with any Department program that has been potentially compromised due to such penetration.

(2) Access to equipment and information by department of defense personnel.—The procedures established pursuant to subsection (a) shall—

(A) include mechanisms for Department of Defense personnel to, upon request, obtain access to equipment or information of a cleared defense contractor necessary to conduct forensic analysis in addition to any analysis conducted by such contractor;

(B) provide that a cleared defense contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated; and

(C) provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.

(3) Dissemination of information.—The procedures established pursuant to subsection (a) shall limit the dissemination of information obtained or derived through such procedures to entities—

(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;

(D) for national security purposes, including cyber situational awareness and defense purposes.

(d) Protection From Liability of Cleared Defense Contractors.—(1) No cause of action shall lie or be maintained in any court against any cleared defense contractor, and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with the procedures established pursuant to subsection (a).

(i) to require dismissal of a cause of action against a cleared defense contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (a); or

(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.

(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each cleared defense contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.

(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.

(1) Cleared defense contractor.—The term "cleared defense contractor" means a private entity granted clearance by the Department of Defense to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any program of the Department of Defense.

(2) Covered network.—The term "covered network" means a network or information system of a cleared defense contractor that contains or processes information created by or for the Department of Defense with respect to which such contractor is required to apply enhanced protection.

(Added and amended Pub. L. 114–92, div. A, title XVI, §1641(a), Nov. 25, 2015, 129 Stat. 1114; Pub. L. 116–92, div. A, title IX, §902(8), title XVI, §1621(e)(1)(A)(vi), Dec. 20, 2019, 133 Stat. 1543, 1733.)

Codification

Section, as added and amended by Pub. L. 114–92, is based on Pub. L. 112–239, div. A, title IX, §941, Jan. 2, 2013, 126 Stat. 1889, which was formerly set out as a note under section 2224 of this title before being transferred to this chapter and renumbered as this section.

Amendments

2019—Subsec. (b)(2)(B). Pub. L. 116–92, §902(8)(A), substituted "Under Secretary of Defense for Acquisition and Sustainment" for "Under Secretary of Defense for Acquisition, Technology, and Logistics".

Subsec. (b)(2)(C). Pub. L. 116–92, §902(8)(B), added subpar. (C). Former subpar. (C) redesignated (D).

Subsec. (b)(2)(D). Pub. L. 116–92, §1621(e)(1)(A)(vi), which directed amendment of subpar. (C) by substituting "Under Secretary of Defense for Intelligence and Security" for "Under Secretary of Defense for Intelligence", was executed by making the substitution in subpar. (D) to reflect the probable intent of Congress and the amendment by Pub. L. 116–92, §902(8)(C). See note below.

Pub. L. 116–92, §902(8)(C), redesignated subpar. (C) as (D). Former subpar. (D) redesignated (E).

Subsec. (b)(2)(E), (F). Pub. L. 116–92, §902(8)(C), redesignated subpars. (D) and (E) as (E) and (F), respectively.

2015—Pub. L. 114–92, §1641(a)(1), substituted "Reporting on penetrations of networks and information systems of certain contractors" for "Reports to Department of Defense on penetrations of networks and information systems of certain contractors" in section catchline.

Pub. L. 114–92, §1641(a), transferred section 941 of Pub. L. 112–239 to this chapter and renumbered it as this section. See Codification note above.

Subsec. (c)(3). Pub. L. 114–92, §1641(a)(2), added par. (3) and struck out former par. (3). Prior to amendment, text read as follows: "The procedures established pursuant to subsection (a) shall prohibit the dissemination outside the Department of Defense of information obtained or derived through such procedures that is not created by or for the Department except with the approval of the contractor providing such information."

Subsec. (d). Pub. L. 114–92, §1641(a)(3), added subsec. (d) and struck out former subsec. (d). Prior to amendment, text read as follows:

"(1) In general.—Not later than 90 days after the date of the enactment of this Act—

"(A) the Secretary of Defense shall establish the procedures required under subsection (a); and

"(B) the senior official designated under subsection (b)(1) shall establish the criteria required under such subsection.

"(2) Applicability date.—The requirements of this section shall apply on the date on which the Secretary of Defense establishes the procedures required under this section."

§394. Authorities concerning military cyber operations

(a) In General.—The Secretary of Defense shall develop, prepare, and coordinate; make ready all armed forces for purposes of; and, when appropriately authorized to do so, conduct, military cyber activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to defend the United States and its allies, including in response to malicious cyber activity carried out against the United States or a United States person by a foreign power.

(b) Affirmation of Authority.—Congress affirms that the activities or operations referred to in subsection (a), when appropriately authorized, include the conduct of military activities or operations in cyberspace short of hostilities (as such term is used in the War Powers Resolution (Public Law 93–148; 50 U.S.C. 1541 et seq.)) or in areas in which hostilities are not occurring, including for the purpose of preparation of the environment, information operations, force protection, and deterrence of hostilities, or counterterrorism operations involving the Armed Forces of the United States.

(c) Clandestine Activities or Operations.—A clandestine military activity or operation in cyberspace shall be considered a traditional military activity for the purposes of section 503(e)(2) of the National Security Act of 1947 (50 U.S.C. 3093(e)(2)).

(d) Congressional Oversight.—The Secretary shall brief the congressional defense committees about any military activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, occurring during the previous quarter during the quarterly briefing required by section 484 of this title.

(e) Rule of Construction.—Nothing in this section may be construed to limit the authority of the Secretary to conduct military activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to authorize specific military activities or operations, or to alter or otherwise affect the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note), or reporting of sensitive military cyber activities or operations required by section 395 of this title.

(1) The term "clandestine military activity or operation in cyberspace" means a military activity or military operation carried out in cyberspace, or associated preparatory actions, authorized by the President or the Secretary that—

(A) is marked by, held in, or conducted with secrecy, where the intent is that the activity or operation will not be apparent or acknowledged publicly; and

(i) as part of a military operation plan approved by the President or the Secretary in anticipation of hostilities or as directed by the President or the Secretary;

(ii) to deter, safeguard, or defend against attacks or malicious cyber activities against the United States or Department of Defense information, networks, systems, installations, facilities, or other assets; or

(2) The term "foreign power" has the meaning given such term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

(3) The term "United States person" has the meaning given such term in such section.

(Added Pub. L. 114–92, div. A, title XVI, §1642(a), Nov. 25, 2015, 129 Stat. 1116, §130g; renumbered §394 and amended Pub. L. 115–232, div. A, title XVI, §§1631(a), 1632, Aug. 13, 2018, 132 Stat. 2123.)

References in Text

The War Powers Resolution, referred to in subsecs. (b) and (e), is Pub. L. 93–148, Nov. 7, 1973, 87 Stat. 555, which is classified generally to chapter 33 (§1541 et seq.) of Title 50, War and National Defense. For complete classification of this Resolution to the Code, see Short Title note set out under section 1541 of Title 50 and Tables.

The Authorization for Use of Military Force, referred to in subsec. (e), is Pub. L. 107–40, Sept. 18, 2001, 115 Stat. 224, which is set out as a note under section 1541 of Title 50, War and National Defense.

Amendments

2018—Pub. L. 115–232, §1632, designated existing provisions as subsec. (a), inserted heading, substituted "conduct, military cyber activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to defend the United States and its allies, including in response" for "conduct, a military cyber operation in response", struck out "(as such terms are defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801))" after "foreign power", and added subsecs. (b) to (f).

Pub. L. 115–232, §1631(a), renumbered section 130g of this title as this section.

Notification of Delegation of Authorities to the Secretary of Defense for Military Operations in Cyberspace

Pub. L. 116–92, div. A, title XVI, §1642, Dec. 20, 2019, 133 Stat. 1751, provided that:

"(a) In General.—The Secretary of Defense shall provide written notification to the Committee on Armed Services of the House of Representatives and the Committee on Armed Services of the Senate of the following:

"(1) Authorities delegated to the Secretary by the President for military operations in cyberspace that are otherwise held by the National Command Authority, not later than 15 days after any such delegation. A notification under this paragraph shall include a description of the authorities delegated to the Secretary.

"(2) Concepts of operations approved by the Secretary pursuant to delegated authorities described in paragraph (1), not later than 15 days after any such approval. A notification under this paragraph shall include the following:

"(A) A description of authorized activities to be conducted or planned to be conducted pursuant to such authorities.

"(D) A description of relevant orders issued by the Secretary in accordance with such authorities.

"(1) In general.—The Secretary of Defense shall establish and submit to the Committee on Armed Services of the House of Representatives and the Committee on Armed Services of the Senate procedures for complying with the requirements of subsection (a), consistent with the national security of the United States and the protection of operational integrity. The Secretary shall promptly notify such committees in writing of any changes to such procedures at least 14 days prior to the adoption of any such changes.

"(2) Sufficiency.—The Committee on Armed Services of the House of Representatives and the Committee on Armed Services of the Senate shall ensure that committee procedures designed to protect from unauthorized disclosure classified information relating to national security of the United States are sufficient to protect the information that is submitted to such committees pursuant to this section.

"(3) Notification in event of unauthorized disclosure.—In the event of an unauthorized disclosure of authorities covered by this section, the Secretary of Defense shall ensure, to the maximum extent practicable, that the Committee on Armed Services of the House of Representatives and the Committee on Armed Services of the Senate are notified immediately. Notification under this paragraph may be verbal or written, but in the event of a verbal notification, a written notification signed by the Secretary shall be provided by not later than 48 hours after the provision of such verbal notification."

Annual Military Cyberspace Operations Report

Pub. L. 116–92, div. A, title XVI, §1644, Dec. 20, 2019, 133 Stat. 1752, provided that:

"(a) In General.—Not later than March 1 of each year, the Secretary of Defense shall provide to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a written report summarizing all named military cyberspace operations conducted in the previous calendar year, including cyber effects, operations, cyber effects enabling operations, and cyber operations conducted as defensive operations. Each such summary should be organized by adversarial country and should include the following for each named operation:

"(2) Descriptions of the impacted countries, organizations, or forces, and nature of the impact.

"(3) A description of methodologies used for the cyber effects operation or cyber effects enabling operation.

"(4) An identification of the Cyber Mission Force teams, or other Department of Defense entity or units, that conducted such operation, and supporting teams, entities, or units.

"(5) An identification of the infrastructures on which such operations occurred.

"(7) Additional costs beyond baseline operations and maintenance and personnel costs directly associated with the conduct of the cyber effects operation or cyber effects enabling operation.

"(b) Classification.—The Secretary of Defense shall provide each report required under subsection (a) at a classification level the Secretary determines appropriate.

"(c) Limitation.—This section does not apply to cyber-enabled military information support operations or military deception operations."

Policy of the United States on Cyberspace, Cybersecurity, Cyber Warfare, and Cyber Deterrence

Pub. L. 115–232, div. A, title XVI, §1636, Aug. 13, 2018, 132 Stat. 2126, provided that:

"(a) In General.—It shall be the policy of the United States, with respect to matters pertaining to cyberspace, cybersecurity, and cyber warfare, that the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond to when necessary, all cyber attacks or other malicious cyber activities of foreign powers that target United States interests with the intent to—

"(1) cause casualties among United States persons or persons of United States allies;

"(2) significantly disrupt the normal functioning of United States democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government);

"(3) threaten the command and control of the Armed Forces, the freedom of maneuver of the Armed Forces, or the industrial base or other infrastructure on which the United States Armed Forces rely to defend United States interests and commitments; or

"(4) achieve an effect, whether individually or in aggregate, comparable to an armed attack or imperil a vital interest of the United States.

"(b) Response Options.—In carrying out the policy set forth in subsection (a), the United States shall plan, develop, and, when appropriate, demonstrate response options to address the full range of potential cyber attacks on United States interests that could be conducted by potential adversaries of the United States.

"(c) Denial Options.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall, to the greatest extent practicable, prioritize the defensibility and resiliency against cyber attacks and malicious cyber activities described in subsection (a) of infrastructure critical to the political integrity, economic security, and national security of the United States.

"(d) Cost-imposition Options.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall develop and, when appropriate, demonstrate, or otherwise make known to adversaries the existence of, cyber capabilities to impose costs on any foreign power targeting the United States or United States persons with a cyber attack or malicious cyber activity described in subsection (a).

"(e) Multi-prong Response.—In carrying out the policy set forth in subsection (a) through response options developed pursuant to subsection (b), the United States shall leverage all instruments of national power.

"(1) In general.—Not later than 180 days after the date of the enactment of this Act [Aug. 13, 2018], the President shall transmit, in unclassified and classified forms, as appropriate, to the appropriate congressional committees a report containing an update to the report provided to the Congress on the policy of the United States on cyberspace, cybersecurity, and cyber warfare pursuant to section 1633 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 10 U.S.C. 130g note) [now 10 U.S.C. 394 note].

"(2) Contents.—The report required under paragraph (1) shall include the following:

"(A) An assessment of the current posture in cyberspace, including assessments of—

"(i) whether past responses to major cyber attacks have had the desired deterrent effect; and

"(ii) varying levels of cyber incursion and steps taken to date to prepare for the imposition of the consequences referred to in clause (i); and

"(C) Information relating to the Administration's plans, including specific planned actions, regulations, and legislative action required, for—

"(i) advancing technologies in attribution, inherently secure technology, and artificial intelligence society-wide;

"(iv) implementing the policy referred to in paragraph (1), including any realignment of government or government responsibilities required, writ large.

"(f) [probably should be "(g)"] Rule of Construction.—Nothing in this subsection may be construed to limit the authority of the President or Congress to authorize the use of military force.

"(1) Appropriate congressional committees.—The term 'appropriate congressional committees' means—

"(A) the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives];

"(B) the Permanent Select Committee on Intelligence of the House of Representatives;

"(D) the Committee on Foreign Affairs, the Committee on Homeland Security, and the Committee on the Judiciary of the House of Representatives; and

"(E) the Committee on Foreign Relations, the Committee on Homeland Security and Governmental Affairs, and the Committee on the Judiciary of the Senate.

"(2) Foreign power.—The term 'foreign power' has the meaning given such term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801)."

Pub. L. 115–91, div. A, title XVI, §1633, Dec. 12, 2017, 131 Stat. 1738, provided that:

"(1) develop a national policy for the United States relating to cyberspace, cybersecurity, and cyber warfare; and

"(b) Elements.—The national policy required under subsection (a) shall include the following elements:

"(1) Delineation of the instruments of national power available to deter or respond to cyber attacks or other malicious cyber activities by a foreign power or actor that targets United States interests.

"(2) Available or planned response options to address the full range of potential cyber attacks on United States interests that could be conducted by potential adversaries of the United States.

"(3) Available or planned denial options that prioritize the defensibility and resiliency against cyber attacks and malicious cyber activities that are carried out against infrastructure critical to the political integrity, economic security, and national security of the United States.

"(4) Available or planned cyber capabilities that may be used to impose costs on any foreign power targeting the United States or United States persons with a cyber attack or malicious cyber activity.

"(A) boosting the cyber resilience of critical United States strike systems (including cyber, nuclear, and non-nuclear systems) in order to ensure the United States can credibly threaten to impose unacceptable costs in response to even the most sophisticated large-scale cyber attack;

"(B) developing offensive cyber capabilities and specific plans and strategies to put at risk targets most valued by adversaries of the United States and their key decision makers; and

"(C) enhancing attribution capabilities and developing intelligence and offensive cyber capabilities to detect, disrupt, and potentially expose malicious cyber activities.

"(1) In general.—Of the funds authorized to be appropriated by this Act [see Tables for classification] or otherwise made available for fiscal year 2018 for procurement, research, development, test and evaluation, and operations and maintenance, for the covered activities of the Defense Information Systems Agency, not more than 60 percent may be obligated or expended until the date on which the President submits to the appropriate congressional committees the report under subsection (a)(2).

"(2) Covered activities described.—The covered activities referred to in paragraph (1) are the activities of the Defense Information Systems Agency in support of—

"(1) The term 'foreign power' has the meaning given that term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

"(A) the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives];

"(B) the Committee on Foreign Affairs, the Committee on Homeland Security, and the Committee on the Judiciary of the House of Representatives; and

"(C) the Committee on Foreign Relations, the Committee on Homeland Security and Governmental Affairs, and the Committee on the Judiciary of the Senate."

Active Defense Against the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, and Islamic Republic of Iran Attacks in Cyberspace

Pub. L. 115–232, div. A, title XVI, §1642, Aug. 13, 2018, 132 Stat. 2132, provided that:

"(1) In general.—In the event that the National Command Authority determines that the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, or Islamic Republic of Iran is conducting an active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace, including attempting to influence American elections and democratic political processes, the National Command Authority may authorize the Secretary of Defense, acting through the Commander of the United States Cyber Command, to take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter such attacks under the authority and policy of the Secretary of Defense to conduct cyber operations and information operations as traditional military activities.

"(A) Notification of operations.—In exercising the authority provided in paragraph (1), the Secretary shall provide notices to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] in accordance with section 395 of title 10, United States Code (as transferred and redesignated pursuant to section 1631).

"(i) In general.—In any fiscal year in which the Commander of the United States Cyber Command carries out an action under paragraph (1), the Secretary of Defense shall, not less frequently than quarterly, submit to the congressional defense committees a report on the actions of the Commander under such paragraph in such fiscal year.

"(ii) Manner of reporting.—Reports submitted under clause (i) shall be submitted in a manner that is consistent with the recurring quarterly report required by section 484 of title 10, United States Code.

"(b) Private Sector Cooperation.—The Secretary may make arrangements with private sector entities, on a voluntary basis, to share threat information related to malicious cyber actors, and any associated false online personas or compromised infrastructure, associated with a determination under subsection (a)(1), consistent with the protection of sources and methods and classification guidelines, as necessary.

"(c) Annual Report.—Not less frequently than once each year, the Secretary shall submit to the congressional defense committees, the congressional intelligence committees (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)), the Committee on Foreign Affairs of the House of Representatives, and the Committee on Foreign Relations of the Senate a report on—

"(1) the scope and intensity of the information operations and attacks through cyberspace by the countries specified in subsection (a)(1) against the government or people of the United States observed by the cyber mission forces of the United States Cyber Command and the National Security Agency; and

"(2) adjustments of the Department of Defense in the response directed or recommended by the Secretary with respect to such operations and attacks.

"(1) limit the authority of the Secretary to conduct military activities or operations in cyberspace, including clandestine activities or operations in cyberspace; or

"(2) affect the War Powers Resolution (Public Law 93–148; 50 U.S.C. 1541 et seq.) or the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note)."

Pilot Program To Model Cyber Attacks on Critical Infrastructure

Pub. L. 115–232, div. A, title XVI, §1649, Aug. 13, 2018, 132 Stat. 2137, provided that:

"(1) In general.—The Assistant Secretary of Defense for Homeland Defense and Global Security shall carry out a pilot program to model cyber attacks on critical infrastructure in order to identify and develop means of improving Department of Defense responses to requests for defense support to civil authorities for such attacks.

"(2) Research exercises.—The pilot program shall source data from and include consideration of the 'Jack Voltaic' research exercises conducted by the Army Cyber Institute, industry partners of the Institute, and the cities of New York, New York, and Houston, Texas.

"(b) Purpose.—The purpose of the pilot program shall be to accomplish the following:

"(1) The development and demonstration of risk analysis methodologies, and the application of commercial simulation and modeling capabilities, based on artificial intelligence and hyperscale cloud computing technologies, as applicable—

"(A) to assess defense critical infrastructure vulnerabilities and interdependencies to improve military resiliency;

"(B) to determine the likely effectiveness of attacks described in subsection (a)(1), and countermeasures, tactics, and tools supporting responsive military homeland defense operations;

"(E) to foster collaboration and learning between and among departments and agencies of the Federal Government, State and local governments, and private entities responsible for critical infrastructure; and

"(F) improve intra-agency and inter-agency coordination for consideration and approval of requests for defense support to civil authorities.

"(2) The development and demonstration of the foundations for establishing and maintaining a program of record for a shared high-fidelity, interactive, affordable, cloud-based modeling and simulation of critical infrastructure systems and incident response capabilities that can simulate complex cyber and physical attacks and disruptions on individual and multiple sectors on national, regional, State, and local scales.

"(1) In general.—At the same time the budget of the President for fiscal year 2021 is submitted to Congress pursuant to section 1105(a) of title 31, United States Code, the Assistant Secretary shall, in consultation with the Secretary of Homeland Security, submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the pilot program.

"(2) Contents.—The report required by paragraph (1) shall include the following:

"(A) A description of the results of the pilot program as of the date of the report.

"(B) A description of the risk analysis methodologies and modeling and simulation capabilities developed and demonstrated pursuant to the pilot program, and an assessment of the potential for future growth of commercial technology in support of the homeland defense mission of the Department of Defense.

"(C) Such recommendations as the Secretary considers appropriate regarding the establishment of a program of record for the Department on further development and sustainment of risk analysis methodologies and advanced, large-scale modeling and simulation on critical infrastructure and cyber warfare.

"(D) Lessons learned from the use of novel risk analysis methodologies and large-scale modeling and simulation carried out under the pilot program regarding vulnerabilities, required capabilities, and reconfigured force structure, coordination practices, and policy.

Identification of Countries of Concern Regarding Cybersecurity

Pub. L. 115–232, div. A, title XVI, §1654, Aug. 13, 2018, 132 Stat. 2148, provided that:

"(a) Identification of Countries of Concern.—Not later than 180 days after the date of the enactment of this Act [Aug. 13, 2018], the Secretary of Defense shall create a list of countries that pose a risk to the cybersecurity of United States defense and national security systems and infrastructure. Such list shall reflect the level of threat posed by each country included on such list. In creating such list, the Secretary shall take in to account the following:

"(1) A foreign government's activities that pose force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.

"(2) A foreign government's willingness and record of providing financing, logistics, training or intelligence to other persons, countries or entities posing a force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.

"(3) A foreign government's engagement in foreign intelligence activities against the United States for the purpose of undermining United States national security.

"(4) A foreign government's knowing participation in transnational organized crime or criminal activity.

"(5) A foreign government's cyber activities and operations to affect the supply chain of the United States Government.

"(6) A foreign government's use of cyber means to unlawfully or inappropriately obtain intellectual property from the United States Government or United States persons.

"(b) Updates.—The Secretary shall continuously update and maintain the list under subsection (a) to preempt obsolescence.

"(c) Report to Congress.—Not later than one year after the date of the enactment of this Act, the Secretary shall submit to the appropriate committees of Congress the list created pursuant to subsection (a) and any accompanying analysis that contributed to the creation of the list."

Quadrennial Comprehensive Cyber Posture Review

Pub. L. 115–91, div. A, title XVI, §1644, Dec. 12, 2017, 131 Stat. 1748, as amended by Pub. L. 116–92, div. A, title XVI, §1635, Dec. 20, 2019, 133 Stat. 1748, provided that:

"(a) Requirement for Comprehensive Review.—In order to clarify the near-term policy and strategy of the United States with respect to cyber deterrence, the Secretary of Defense shall, not later than December 31, 2022, and quadrennially thereafter, conduct a comprehensive review of the cyber posture of the United States over the posture review period.

"(b) Consultation.—The Secretary of Defense shall conduct each review under subsection (a) in consultation with the Director of National Intelligence, the Attorney General, the Secretary of Homeland Security, and the Secretary of State, as appropriate.

"(c) Elements of Review.—Each review conducted under subsection (a) shall include, for the posture review period, the following elements:

"(1) The role of cyber forces in the military strategy, planning, and programming of the United States.

"(2) Review of the role of cyber operations in combatant commander operational planning, the ability of combatant commanders to respond to hostile acts by adversaries, and the ability of combatant commanders to engage and build capacity with allies.

"(3) A review of the law, policies, and authorities relating to, and necessary for the United States to maintain, a safe, reliable, and credible cyber posture for responding to cyber attacks and for deterrence in cyberspace.

"(4) A declaratory policy relating to the responses of the United States to cyber attacks of significant consequence.

"(5) Proposed norms for the conduct of offensive cyber operations for deterrence and in crisis and conflict.

"(6) Guidance for the development of a cyber deterrence strategy (which may include activities, capability efforts, and operations other than cyber activities, cyber capability efforts, and cyber operations), including—

"(A) a review and assessment of various approaches to cyber deterrence, determined in consultation with experts from Government, academia, and industry;

"(B) a comparison of the strengths and weaknesses of the approaches identified under subparagraph (A) relative to the threat and to each other; and

"(C) an explanation of how the cyber deterrence strategy will inform country-specific deterrence campaign plans focused on key leadership of Russia, China, Iran, North Korea, and any other country the Secretary considers appropriate.

"(7) Identification of the steps that should be taken to bolster stability in cyberspace and, more broadly, stability between major powers, taking into account—

"(B) consideration of the spiral escalatory effects of countries developing increasingly potent offensive cyber capabilities.

"(8) A determination of whether sufficient personnel are trained and equipped to meet validated cyber requirements.

"(9) An assessment of the potential costs, benefits, and value, if any, of establishing a cyber force as a separate uniformed service.

"(10) Any recurrent problems or capability gaps that remain unaddressed since the previous posture review.

"(1) In general.—The Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the results of each cyber posture review conducted under subsection (a).

"(2) Form of report.—Each report under paragraph (1) may be submitted in unclassified form or classified form, as necessary.

"(e) Posture Review Period Defined.—In this section, the term 'posture review period' means the eight-year period that begins on the date of each review conducted under subsection (a)."

§395. Notification requirements for sensitive military cyber operations

(a) In General.—Except as provided in subsection (d), the Secretary of Defense shall promptly submit to the congressional defense committees notice in writing of any sensitive military cyber operation conducted under this title no later than 48 hours following such operation.

(b) Procedures.—(1) The Secretary of Defense shall establish and submit to the congressional defense committees procedures for complying with the requirements of subsection (a) consistent with the national security of the United States and the protection of operational integrity. The Secretary shall promptly notify the congressional defense committees in writing of any changes to such procedures at least 14 days prior to the adoption of any such changes.

(2) The congressional defense committees shall ensure that committee procedures designed to protect from unauthorized disclosure classified information relating to national security of the United States are sufficient to protect the information that is submitted to the committees pursuant to this section.

(3) In the event of an unauthorized disclosure of a sensitive military cyber operation covered by this section, the Secretary shall ensure, to the maximum extent practicable, that the congressional defense committees are notified immediately of the sensitive military cyber operation concerned. The notification under this paragraph may be verbal or written, but in the event of a verbal notification a written notification, signed by the Secretary, or the Secretary's designee, shall be provided by not later than 48 hours after the provision of the verbal notification.

(c) Sensitive Military Cyber Operation Defined.—(1) In this section, the term "sensitive military cyber operation" means an action described in paragraph (2) that—

(iii) have a medium or high probability of political retaliation, as determined by the political military assessment contained within the associated concept of operations;

(iv) have a medium or high probability of detection when detection is not intended; or

(i) where the armed forces of the United States are involved in hostilities (as that term is used in section 1543 of title 50, United States Code); or

(d) Exceptions.—The notification requirement under subsection (a) does not apply—

(1) to a training exercise conducted with the consent of all nations where the intended effects of the exercise will occur; or

(2) to a covert action (as that term is defined in section 503 of the National Security Act of 1947 (50 U.S.C. 3093)).

(e) Rule of Construction.—Nothing in this section shall be construed to provide any new authority or to alter or otherwise affect the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note), or any requirement under the National Security Act of 1947 (50 U.S.C. 3001 et seq.).

(Added Pub. L. 115–91, div. A, title XVI, §1631(a), Dec. 12, 2017, 131 Stat. 1736, §130j; renumbered §395 and amended Pub. L. 115–232, div. A, title X, §1081(a)(1), title XVI, §1631(a), Aug. 13, 2018, 132 Stat. 1983, 2123; Pub. L. 116–92, div. A, title XVI, §1632, Dec. 20, 2019, 133 Stat. 1745.)

References in Text

The War Powers Resolution, referred to in subsec. (e), is Pub. L. 93–148, Nov. 7, 1973, 87 Stat. 555, which is classified generally to chapter 33 (§1541 et seq.) of Title 50, War and National Defense. For complete classification of this Resolution to the Code, see Short Title note set out under section 1541 of Title 50 and Tables.

The National Security Act of 1947, referred to in subsec. (e), is act July 26, 1947, ch. 343, 61 Stat. 495, which is classified principally to chapter 44 (§3001 et seq.) of Title 50, War and National Defense. For complete classification of this Act to the Code, see Tables.

Amendments

2019—Subsec. (b)(3). Pub. L. 116–92, §1632(1), inserted ", signed by the Secretary, or the Secretary's designee," after "written notification".

Subsec. (c)(1)(B), (C). Pub. L. 116–92, §1632(2)(A), added subpar. (B) and redesignated former subpar. (B) as (C).

Subsec. (c)(2)(B). Pub. L. 116–92, §1632(2)(B), struck out "outside the Department of Defense Information Networks to defeat an ongoing or imminent threat" after "A defensive cyber operation".

2018—Pub. L. 115–232, §1631(a), renumbered section 130j of this title as this section.

Subsec. (d)(2). Pub. L. 115–232, §1081(a)(1), substituted "section 503 of the National Security Act of 1947 (50 U.S.C. 3093)" for "section 3093 of title 50, United States Code".

§396. Notification requirements for cyber weapons

(a) In General.—Except as provided in subsection (c), the Secretary of Defense shall promptly submit to the congressional defense committees notice in writing of the following:

(1) With respect to a cyber capability that is intended for use as a weapon, on a quarterly basis, the aggregated results of all reviews of the capability for legality under international law pursuant to Department of Defense Directive 5000.01 carried out by any military department concerned.

(2) The use as a weapon of any cyber capability that has been approved for such use under international law by a military department no later than 48 hours following such use.

(3) In the event of an unauthorized disclosure of a cyber capability covered by this section, the Secretary shall ensure, to the maximum extent practicable, that the congressional defense committees are notified immediately of the cyber capability concerned. The notification under this paragraph may be verbal or written, but in the event of a verbal notification a written notification shall be provided by not later than 48 hours after the provision of the verbal notification.

(1) to a training exercise conducted with the consent of all nations where the intended effects of the exercise will occur; or

(2) to a covert action (as that term is defined in section 503 of the National Security Act of 1947 (50 U.S.C. 3093)).

(d) Rule of Construction.—Nothing in this section shall be construed to provide any new authority or to alter or otherwise affect the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note), or any requirement under the National Security Act of 1947 (50 U.S.C. 3001 et seq.).

(Added Pub. L. 115–91, div. A, title XVI, §1631(a), Dec. 12, 2017, 131 Stat. 1737, §130k; renumbered §396 and amended Pub. L. 115–232, div. A, title X, §1081(a)(1), title XVI, §1631(a), Aug. 13, 2018, 132 Stat. 1983, 2123.)

References in Text

The War Powers Resolution, referred to in subsec. (d), is Pub. L. 93–148, Nov. 7, 1973, 87 Stat. 555, which is classified generally to chapter 33 (§1541 et seq.) of Title 50, War and National Defense. For complete classification of this Resolution to the Code, see Short Title note set out under section 1541 of Title 50 and Tables.

The Authorization for Use of Military Force, referred to in subsec. (d), is Pub. L. 107–40, Sept. 18, 2001, 115 Stat. 224, which is set out as a note under section 1541 of Title 50, War and National Defense.

The National Security Act of 1947, referred to in subsec. (d), is act July 26, 1947, ch. 343, 61 Stat. 495, which is classified principally to chapter 44 (§3001 et seq.) of Title 50, War and National Defense. For complete classification of this Act to the Code, see Tables.

Amendments

2018—Pub. L. 115–232, §1631(a), renumbered section 130k of this title as this section.

Subsec. (c)(2). Pub. L. 115–232, §1081(a)(1), substituted "section 503 of the National Security Act of 1947 (50 U.S.C. 3093)" for "section 3093 of title 50, United States Code".

§397. Principal Information Operations Advisor

(a) Designation.—Not later than 30 days after the enactment of this Act, the Secretary of Defense shall designate, from among officials appointed to a position in the Department of Defense by and with the advice and consent of the Senate, a Principal Information Operations Advisor to act as the principal advisor to the Secretary on all aspects of information operations conducted by the Department.

(b) Responsibilities.—The Principal Information Operations Advisor shall have the following responsibilities:

(1) Oversight of policy, strategy, planning, resource management, operational considerations, personnel, and technology development across all the elements of information operations of the Department.

(2) Overall integration and supervision of the deterrence of, conduct of, and defense against information operations.

(3) Promulgation of policies to ensure adequate coordination and deconfliction with the Department of State, the intelligence community (as such term is defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)), and other relevant agencies and departments of the Federal Government.

(4) Coordination with the head of the Global Engagement Center to support the purpose of the Center (as set forth by section 1287(a)(2) of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328; 22 U.S.C. 2656 note)) and liaison with the Center and other relevant Federal Government entities to support such purpose.

(5) Establishing and supervising a rigorous risk management process to mitigate the risk of potential exposure of United States Persons ¹ to information intended exclusively for foreign audiences.

(6) Promulgation of standards for the attribution or public acknowledgment, if any, of operations in the information environment.

(7) Development of guidance for, and promotion of, the capability of the Department to liaison with the private sector and academia on matters relating to the influence activities of malign actors.

(8) Such other matters relating to information operations as the Secretary shall specify for purposes of this subsection.

(Added Pub. L. 116–92, div. A, title XVI, §1631(a)(1), Dec. 20, 2019, 133 Stat. 1741.)

References in Text

The enactment of this Act, referred to in subsec. (a), probably means the date of enactment of Pub. L. 116–92, which added this section and was approved Dec. 20, 2019.

Conducting of Military Operations in the Information Environment

Pub. L. 116–92, div. A, title XVI, §1631(b)–(i), Dec. 20, 2019, 133 Stat. 1742–1745, provided that:

"(b) Affirming the Authority of the Secretary of Defense to Conduct Military Operations in the Information Environment.—(1) Congress affirms that the Secretary of Defense is authorized to conduct military operations, including clandestine operations, in the information environment to defend the United States, allies of the United States, and interests of the United States, including in response to malicious influence activities carried out against the United States or a United States person by a foreign power.

"(2) The military operations referred to in paragraph (1), when appropriately authorized include the conduct of military operations short of hostilities and in areas outside of areas of active hostilities for the purpose of preparation of the environment, influence, force protection, and deterrence of hostilities.

"(c) Treatment of Clandestine Military Operations in the Information Environment as Traditional Military Activities.—A clandestine military operation in the information environment shall be considered a traditional military activity for the purposes of section 503(e)(2) of the National Security Act of 1947 (50 U.S.C. 3093(e)(2)).

"(d) Quarterly Information Operations Briefings.—(1) Not less frequently than once each quarter, the Secretary of Defense shall provide the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a briefing on significant military operations, including all clandestine operations in the information environment, carried out by the Department of Defense during the immediately preceding quarter.

"(2) Each briefing under paragraph (1) shall include, with respect to the military operations in the information environment described in such paragraph, the following:

"(A) An update, disaggregated by geographic and functional command, that describes the operations carried out by the commands.

"(B) An overview of authorities and legal issues applicable to the operations, including any relevant legal limitations.

"(C) An outline of any interagency activities and initiatives relating to the operations.

"(e) Rule of Construction.—Nothing in this section may be construed to limit, expand, or otherwise alter the authority of the Secretary to conduct military operations, including clandestine operations, in the information environment, to authorize specific military operations, or to limit, expand, or otherwise alter or otherwise affect the War Powers Resolution (50 U.S.C. 1541 et seq.) or an authorization for use of military force that was in effect on the day before the date of the enactment of this Act [Dec. 20, 2019].

"(1) Establishment.—The Principal Information Operations Advisor shall integrate the expertise in all elements of information operations and perspectives of appropriate organizations within the Office of the Secretary of Defense, Joint Staff, military departments, Defense Agencies, and combatant commands by establishing and maintaining a full-time cross-functional team composed of subject-matter experts selected from those organizations.

"(2) Selection and organization.—The cross-functional team established under paragraph (1) shall be selected, organized, and managed in a manner consistent with section 911 of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328; 10 U.S.C. 111 note).

"(1) Strategy and posture review required.—Not later than 270 days after the date of the enactment of this Act [Dec. 20, 2019], the Secretary of Defense, acting through the Principal Information Operations Advisor under section 397 of title 10, United States Code (as added by subsection (a)) and the cross-functional team established under subsection (f)(1), shall—

"(A) develop or update, as appropriate, a strategy for operations in the information environment, including how such operations will be synchronized across the Department of Defense and the global, regional, and functional interests of the combatant commands;

"(B) conduct an information operations posture review, including an analysis of capability gaps that inhibit the Department's ability to successfully execute the strategy developed or updated pursuant to subparagraph (A);

"(C) designate Information Operations Force Providers and Information Operations Joint Force Trainers for the Department of Defense;

"(D) develop and persistently manage a joint lexicon for terms related to information operations, including 'information operations', 'information environment', 'operations in the information environment', and 'information related capabilities'; and

"(E) determine the collective set of combat capabilities that will be treated as part of operations in the information environment, including cyber warfare, space warfare, military information support operations, electronic warfare, public affairs, and civil affairs.

"(2) Coordination on certain cyber matters.—For any matters in the strategy and posture review under paragraph (1) that involve or relate to Department of Defense cyber capabilities, the Principal Information Operations Advisor shall fully collaborate with the Principal Cyber Advisor to the Secretary of Defense.

"(3) Elements.—At a minimum, the strategy developed or updated pursuant to paragraph (1)(A) shall include the following:

"(A) The establishment of lines of effort, objectives, and tasks that are necessary to implement such strategy and eliminate the capability gaps identified under paragraph (1)(B).

"(B) In partnership with the Principal Cyber Advisor to the Secretary of Defense and in coordination with any other component or Department of Defense entity as selected by the Secretary of Defense, an evaluation of any organizational changes that may be required within the Office of the Secretary of Defense, including potential changes to Under Secretary or Assistant Secretary-level positions to comprehensively conduct oversight of policy development, capabilities, and other aspects of operations in the information environment as determined pursuant to the information operations posture review under paragraph (1)(B).

"(C) An assessment of various models for operationalizing information operations, including the feasibility and advisability of establishing an Army Information Warfare Command.

"(D) A review of the role of information operations in combatant commander operational planning, the ability of combatant commanders to respond to hostile acts by adversaries, and the ability of combatant commanders to engage and build capacity with allies.

"(E) A review of the law, policies, and authorities relating to, and necessary for, the United States to conduct military operations, including clandestine military operations, in the information environment.

"(4) Submission to congress.—Upon completion, the Secretary of Defense shall present the strategy for operations in the information environment and the information operations posture review under subparagraphs (A) and (B), respectively, of paragraph (1) to the Committees on Armed Services of the House of Representatives and the Senate.

"(1) In general.—Not later than 90 days after the date of the enactment of this Act [Dec. 20, 2019], the Secretary of Defense shall provide the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives a report for the structuring and manning of information operations capabilities and forces across the Department of Defense. The Secretary shall provide such Committees with quarterly updates on such plan.

"(2) Elements.—The plan required under paragraph (1) shall address the following:

"(A) How the Department of Defense will organize to develop a combined information operations strategy and posture review under subsection (g).

"(B) How the Department will fulfill the roles and responsibilities of the Principal Information Operations Advisor under section 397 of title 10, United States Code (as added by subsection (a)).

"(C) How the Department will establish the information operations cross-functional team under subsection (f)(1).

"(D) How the Department will utilize boards and working groups involving senior-level Department representatives on information operations.

"(1) The terms 'foreign person' [probably should be "foreign power"] and 'United States person' have the meanings given such terms in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

"(2) The term 'hostilities' has the same meaning as such term is used in the War Powers Resolution (50 U.S.C. 1541 et seq.).

"(3) The term 'clandestine military operation in the information environment' means an operation or activity, or associated preparatory actions, authorized by the President or the Secretary of Defense, that—

"(A) is marked by, held in, or conducted with secrecy, where the intent is that the operation or activity will not be apparent or acknowledged publicly; and

"(i) as part of a military operation plan approved by the President or the Secretary of Defense;

"(ii) to deter, safeguard, or defend against attacks or malicious influence activities against the United States, allies of the United States, and interests of the United States;

"(iii) in support of hostilities or military operations involving the United States armed forces; or

"(iv) in support of military operations short of hostilities and in areas where hostilities are not occurring for the purpose of preparation of the environment, influence, force protection, and deterrence."

CHAPTER 19—CYBER AND INFORMATION OPERATIONS MATTERS

Amendments

§391. Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors

Amendments

Senior Military Advisor for Cyber Policy and Deputy Principal Cyber Advisor

Cyber Governance Structures and Principal Cyber Advisors on Military Cyber Force Matters

Consortia of Universities To Advise Secretary of Defense on Cybersecurity Matters

Issuance of Procedures

Assessment of Department Policies

§392. Executive agents for cyber test and training ranges

Designation and Roles and Responsibilities; Selection of Standard Language

§393. Reporting on penetrations of networks and information systems of certain contractors

Codification

Amendments

§394. Authorities concerning military cyber operations

References in Text

Amendments

Notification of Delegation of Authorities to the Secretary of Defense for Military Operations in Cyberspace

Annual Military Cyberspace Operations Report

Policy of the United States on Cyberspace, Cybersecurity, Cyber Warfare, and Cyber Deterrence

Active Defense Against the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, and Islamic Republic of Iran Attacks in Cyberspace

Pilot Program To Model Cyber Attacks on Critical Infrastructure

Identification of Countries of Concern Regarding Cybersecurity

Quadrennial Comprehensive Cyber Posture Review

§395. Notification requirements for sensitive military cyber operations

References in Text

Amendments

§396. Notification requirements for cyber weapons

References in Text

Amendments

§397. Principal Information Operations Advisor

References in Text

Conducting of Military Operations in the Information Environment