§ 391. Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors
(a)Designation of Department Component to Receive Reports.—The Secretary of Defense shall designate a component of the Department of Defense to receive reports of cyber incidents from contractors in accordance with this section and section 393 of this title or from other governmental entities.
(b)Procedures for Reporting Cyber Incidents.—The Secretary of Defense shall establish procedures that require an operationally critical contractor to report in a timely manner to component designated under subsection (a) each time a cyber incident occurs with respect to a network or information system of such operationally critical contractor.
(c)Procedure Requirements.—
(1)Designation and notification.—The procedures established pursuant to subsection (a) shall include a process for—
(A) designating operationally critical contractors; and
(B) notifying a contractor that it has been designated as an operationally critical contractor.
(2)Rapid reporting.—The procedures established pursuant to subsection (a) shall require each operationally critical contractor to rapidly report to the component of the Department designated pursuant to subsection (d)(2)(A) on each cyber incident with respect to any network or information systems of such contractor. Each such report shall include the following:
(A) An assessment by the contractor of the effect of the cyber incident on the ability of the contractor to meet the contractual requirements of the Department.
(B) The technique or method used in such cyber incident.
(C) A sample of any malicious software, if discovered and isolated by the contractor, involved in such cyber incident.
(D) A summary of information compromised by such cyber incident.
(3)Department assistance and access to equipment and information by department personnel.—The procedures established pursuant to subsection (a) shall—
(A) include mechanisms for Department personnel to, if requested, assist operationally critical contractors in detecting and mitigating penetrations; and
(B) provide that an operationally critical contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated.
(4)Protection of trade secrets and other information.—The procedures established pursuant to subsection (a) shall provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
(5)Dissemination of information.—The procedures established pursuant to subsection (a) shall limit the dissemination of information obtained or derived through the procedures to entities—
(A) with missions that may be affected by such information;
(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(C) that conduct counterintelligence or law enforcement investigations; or
(D) for national security purposes, including cyber situational awareness and defense purposes.
(d)Protection From Liability of Operationally Critical Contractors.—
(1) No cause of action shall lie or be maintained in any court against any operationally critical contractor, and such action shall be promptly dismissed, for compliance with this section and contract requirements established pursuant to Defense Federal Acquisition Regulation Supplement clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, that is conducted in accordance with procedures established pursuant to subsection (b) and such contract requirements.
(2)
(A) Nothing in this section shall be construed—
(i) to require dismissal of a cause of action against an operationally critical contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (b); or
(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each operationally critical contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.
(C) In this subsection, the term “willful misconduct” means an act or omission that is taken—
(i) intentionally to achieve a wrongful purpose;
(ii) knowingly without legal or factual justification; and
(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.
(e)Definitions.—In this section:
(1)Cyber incident.—The term “cyber incident” means actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.
(2)Operationally critical contractor.—The term “operationally critical contractor” means a contractor designated by the Secretary for purposes of this section as a critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.
(Added Pub. L. 113–291, div. A, title XVI, § 1632(a), Dec. 19, 2014, 128 Stat. 3639; amended Pub. L. 114–92, div. A, title XVI, § 1641(b), (c)(1), Nov. 25, 2015, 129 Stat. 1115, 1116; Pub. L. 116–283, div. A, title XVII, § 1704, Jan. 1, 2021, 134 Stat. 4082.)
§ 391a. Annual reports on support by military departments for United States Cyber Command
(a)Reports.—Not later than 15 days after the date on which the Secretary of Defense submits to Congress the defense budget materials (as defined in section 239 of this title) for a fiscal year, the Commander of the United States Cyber Command shall submit to the congressional defense committees a report containing the following:
(1) An evaluation of whether each military department is meeting the requirements established by the Commander and validated by the Office of the Secretary of Defense, and is effectively implementing the plan required by section 1534 of the National Defense Authorization Act for Fiscal Year 2023, and the requirements established pursuant to section 1533 of such Act.
(2) For each military department evaluated under paragraph (1)—
(A) a certification that the military department is meeting such requirements; or
(B) a detailed explanation regarding how the military department is not meeting such requirements.
(b)Elements of Evaluation.—Each evaluation under subsection (a)(1) shall include, with respect to the military department being evaluated, the following:
(1) The adequacy of the policies, procedures, and execution of manning, training, and equipping personnel for employment within the Cyber Mission Force.
(2) The sufficiency and robustness of training curricula for personnel to be assigned to either the Cyber Mission Force or units within the cyberspace operations forces, and the compliance by the military department with training standards.
(3) The adequacy of the policies and procedures relating to the assignment and assignment length of members of the Army, Navy, Air Force, Marine Corps, or Space Force to the Cyber Mission Force.
(4) The efficacy of the military department in filling key work roles within the Cyber Mission Force, including the proper force mix of civilian, military, and contractor personnel, and the means necessary to meet requirements established by the Commander and validated by the Secretary of Defense.
(5) The adequacy of the investment to advance cyber-peculiar science and technology, particularly with respect to capability development for the Cyber Mission Force.
(6) The sufficiency of the policies, procedures, and investments relating to the establishment and management of military occupational specialty, designator, rating, or Air Force specialty code for personnel responsible for cyberspace operations, including an assessment of the effectiveness of the combination of policies determining availability and retention of sufficient numbers of proficient personnel in key work roles, including length of service commitment, the use of bonuses and special pays, alternative compensation mechanisms, and consecutive tours in preferred assignments.
(7) In coordination with the Principal Cyber Advisor of the Department of Defense, an evaluation of the use by the military department of the shared lexicon of the Department of Defense specific to cyberspace activities.
(8) The readiness of personnel serving in the Cyber Mission Force and the cyberspace operations forces to accomplish assigned missions.
(9) The adequacy of actions taken during the period of evaluation by the military department to respond to findings from any previous years’ evaluations.
(10) Any other element determined relevant by the Commander.
(Added Pub. L. 117–263, div. A, title XV, § 1502(a), Dec. 23, 2022, 136 Stat. 2879.)
§ 391b. Strategic cybersecurity program
(a)In General.—
(1) There is a program to be known as the “Strategic Cybersecurity Program” (in this section referred to as the “Program”) to ensure the ability of the Department of Defense to conduct the most critical military missions of the Department.
(2) The Secretary of Defense shall designate a principal staff assistant from within the Office of the Secretary of Defense whose office shall serve as the office of primary responsibility for the Program, and provide policy, direction, and oversight regarding the execution of the responsibilities of the program manager selected pursuant to subsection (c)(1).
(b)Membership.—In addition to the office of primary responsibility for the Program under subsection (a)(2) and the program manager selected pursuant to subsection (c)(1), membership in the Program shall include the following:
(1) The Vice Chairman of the Joint Chiefs of Staff.
(2) The Commanders of the United States Cyber Command, United States European Command, United States Indo-Pacific Command, United States Northern Command, United States Strategic Command, United States Space Command, United States Transportation Command.
(3) The Under Secretary of Defense for Acquisition and Sustainment.
(4) The Under Secretary of Defense for Policy.
(5) The Chief Information Officer of the Department of Defense.
(6) The Chief Digital and Artificial Intelligence Officer of the Department of Defense.
(7) The chief information officers of the military departments.
(8) The Principal Cyber Advisor of the Department of Defense.
(9) The Principal Cyber Advisors of the military departments.
(10) Each senior official identified pursuant to subsection (i) of section 1647 of the National Defense Authorization Act for Fiscal Year 2016 (Public Law 114–92; 129 Stat. 1118).
(11) Such other officials as may be determined necessary by the Secretary of Defense.
(c)Program Office.—
(1) There is in the Cybersecurity Directorate of the National Security Agency a program office to support the Program by identifying threats to, vulnerabilities in, and remediations for, the missions and mission elements specified in subsection (d)(1). Such program office shall be headed by a program manager selected by the Director of the National Security Agency.
(2) The Chief Information Officer of the Department of Defense, in exercising authority, direction, and control over the Cybersecurity Directorate of the National Security Agency, shall ensure that the program office under paragraph (1) is responsive to the requirements and direction of the program manager selected pursuant to such paragraph.
(3) The Secretary may augment the personnel assigned to the program office under paragraph (1) by assigning personnel as appropriate from among members of any covered armed force (including the reserve components thereof), civilian employees of the Department of Defense (including the Defense Intelligence Agency), and personnel of the research laboratories of the Department of Defense, who have particular expertise in the areas of responsibility referred to in subsection (d).
(d)Designation of Mission Elements of Program.—
(1) The Under Secretary of Defense for Policy, the Under Secretary of Defense for Acquisition and Sustainment, and the Vice Chairman of the Joint Chiefs of Staff shall identify and designate for inclusion in the Program all of the systems, critical infrastructure, kill chains, and processes, including systems and components in development, that comprise the following military missions of the Department of Defense:
(A) Nuclear deterrence and strike.
(B) Select long-range conventional strike missions germane to the warfighting plans of the United States European Command and the United States Indo-Pacific Command.
(C) Offensive cyber operations.
(D) Homeland missile defense.
(2) The Vice Chairman of the Joint Chiefs of Staff shall coordinate the identification and prioritization of the missions and mission components, and the development and approval of requirements relating to the cybersecurity of the missions and mission components, of the Program.
(e)Additional Responsibilities of Head of Office of Primary Responsibility.—In addition to providing policy, direction, and oversight as specified in subsection (a)(2), the head of the office of primary responsibility for the Program designated under such subsection shall be responsible—
(1) for overseeing and providing direction on any covered statutory requirement that is ongoing, recurrent (including on an annual basis), or unfulfilled, including by—
(A) reviewing any materials required to be submitted to Congress under the covered statutory requirement prior to such submission; and
(B) ensuring such submissions occur by the applicable deadline under the covered statutory requirement: [1] and
[1] So in original. The colon probably should be a semicolon.
(2) recording and monitoring the remediation of identified vulnerabilities in constituent systems, infrastructure, kill chains, and processes of the missions specified in subsection (d)(1).
(f)Responsibilities of Program Manager.—The program manager selected pursuant to subsection (c)(1) shall be responsible for the following:
(1) Conducting end-to-end vulnerability assessments of the constituent systems, infrastructure, kill chains, and processes of the missions specified in subsection (d)(1).
(2) Prioritizing and facilitating the remediation of identified vulnerabilities in such constituent systems, infrastructure, kill chains, and processes.
(3) Conducting, prior to the Milestone B approval for any proposed such system or infrastructure germane to the missions of the Program, appropriate reviews of the acquisition and system engineering plans for that proposed system or infrastructure, in accordance with the policy and guidance of the Under Secretary of Defense for Acquisition and Sustainment regarding the components of such reviews and the range of systems and infrastructure to be reviewed.
(4) Advising the Secretaries of the military departments, the commanders of the combatant commands, and the Joint Staff on the vulnerabilities and cyberattack vectors that pose substantial risk to the missions of the Program and their constituent systems, critical infrastructure, kill chains, or processes.
(5) Ensuring that the Program builds upon (including through the provision of oversight and direction by the head of the office of primary responsibility for the Program pursuant to subsection (e), as applicable), and does not duplicate, other efforts of the Department of Defense relating to cybersecurity, including the following:
(A) The evaluation of cyber vulnerabilities of major weapon systems of the Department of Defense required under section 1647 of the National Defense Authorization Act for Fiscal Year 2016 (Public Law 114–92; 129 Stat. 1118).
(B) The evaluation of cyber vulnerabilities of critical infrastructure of the Department of Defense required under section 1650 of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328; 10 U.S.C. 2224 note).
(C) The activities of the cyber protection teams of the Department of Defense.
(g)Responsibilities of Secretary of Defense.—The Secretary of Defense shall define and issue guidance on the roles and responsibilities for components of the Department of Defense other than those specified in this section with respect to the Program, including—
(1) the roles and responsibilities of the acquisition and sustainment organizations of the military departments in supporting and implementing remedial actions;
(2) the alignment of Cyber Protection Teams with the prioritized missions of the Program;
(3) the role of the Director of Operational Test and Evaluation in conducting periodic assessments, including through cyber red teams, of the cybersecurity of missions in the Program; and
(4) the role of the Principal Cyber Adviser in coordinating and monitoring the execution of the Program.
(h)Annual Reporting.—Not later than December 31 of each year, the head of the office of primary responsibility for the Program, in coordination with the appropriate members of the Program under subsection (b), shall submit to the congressional defense committees an annual report on the efforts carried out pursuant to this section or any covered provision of law, including with respect to such efforts concerning—
(1) the evaluation of cyber vulnerabilities of each major weapon system of the Department of Defense and related mitigation activities under section 1647 of the National Defense Authorization Act for Fiscal Year 2016 (Public Law 114–92; 129 Stat. 1118);
(2) the evaluation of cyber vulnerabilities of the critical infrastructure of the Department of Defense under section 1650 of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328; 10 U.S.C. 2224 note);
(3) operational technology and the mapping of mission-relevant terrain in cyberspace under section 1505 of the National Defense Authorization Act for Fiscal Year 2022 (Public Law 117–81; 10 U.S.C. 394 note);
(4) the assessments of the vulnerabilities to and mission risks presented by radio-frequency enabled cyber attacks with respect to the operational technology embedded in weapons systems, aircraft, ships, ground vehicles, space systems, sensors, and datalink networks of the Department of Defense under section 1559 of the National Defense Authorization Act for Fiscal Year 2023; and
(5) the work of the Program in general, including information relating to staffing and accomplishments.
(i)Annual Budget Display.—
(1) On an annual basis for each fiscal year, concurrently with the submission of the budget of the President for that fiscal year under section 1105(a) of title 31, United States Code, the head of the office of primary responsibility for the Program, in coordination with the appropriate members of the Program under subsection (b), shall submit to the congressional defense committees a consolidated budget justification display that covers all programs and activities associated with this section and any covered provision of law, including with respect to the matters listed in subsection (h).
(2) Each display under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.
(3) For the purpose of facilitating the annual budget display requirement under paragraph (1), the Chief Information Officer of the Department of Defense shall provide to the head of the office of primary responsibility for the Program and the appropriate members of the Program under subsection (b) fiscal guidance on the programming of funds in support of the Program.
(j)Definitions.—In this section:
(1) The term “covered armed force” means the Army, Navy, Air Force, Marine Corps, or Space Force.
(2) The term “covered statutory requirement” means a requirement under any covered provision of law.
(3) The term “covered provision of law” means the following:
(A) Section 1647 of the National Defense Authorization Act for Fiscal Year 2016 (Public Law 114–92; 129 Stat. 1118).
(B) Section 1650 of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328; 10 U.S.C. 2224 note).
(C) Section 1505 of the National Defense Authorization Act for Fiscal Year 2022 (Public Law 117–81; 10 U.S.C. 394 note).
(D) Section 1559 of the National Defense Authorization Act for Fiscal Year 2023.
(Added Pub. L. 118–31, div. A, title XV, § 1502(a)(1), Dec. 22, 2023, 137 Stat. 533.)
§ 392. Executive agents for cyber test and training ranges
(a)Executive Agent.—The Secretary of Defense, in consultation with the Principal Cyber Advisor, shall—
(1) designate a senior official from among the personnel of the Department of Defense to act as the executive agent for cyber and information technology test ranges; and
(2) designate a senior official from among the personnel of the Department of Defense to act as the executive agent for cyber and information technology training ranges.
(b)Roles, Responsibilities, and Authorities.—
(1)Establishment.—The Secretary of Defense shall prescribe the roles, responsibilities, and authorities of the executive agents designated under subsection (a). Such roles, responsibilities, and authorities shall include the development of a biennial integrated plan for cyber and information technology test and training resources.
(2)Biennial integrated plan.—The biennial integrated plan required under paragraph (1) shall include plans for the following:
(A) Developing and maintaining a comprehensive list of cyber and information technology ranges, test facilities, test beds, and other means of testing, training, and developing software, personnel, and tools for accommodating the mission of the Department. Such list shall include resources from both governmental and nongovernmental entities.
(B) Organizing and managing designated cyber and information technology test ranges, including—
(i) establishing the priorities for cyber and information technology ranges to meet Department objectives;
(ii) enforcing standards to meet requirements specified by the United States Cyber Command, the training community, and the research, development, testing, and evaluation community;
(iii) identifying and offering guidance on the opportunities for integration amongst the designated cyber and information technology ranges regarding test, training, and development functions;
(iv) finding opportunities for cost reduction, integration, and coordination improvements for the appropriate cyber and information technology ranges;
(v) adding or consolidating cyber and information technology ranges in the future to better meet the evolving needs of the cyber strategy and resource requirements of the Department;
(vi) finding opportunities to continuously enhance the quality and technical expertise of the cyber and information technology test workforce through training and personnel policies; and
(vii) coordinating with interagency and industry partners on cyber and information technology range issues.
(C) Defining a cyber range architecture that—
(i) may add or consolidate cyber and information technology ranges in the future to better meet the evolving needs of the cyber strategy and resource requirements of the Department;
(ii) coordinates with interagency and industry partners on cyber and information technology range issues;
(iii) allows for integrated closed loop testing in a secure environment of cyber and electronic warfare capabilities;
(iv) supports science and technology development, experimentation, testing and training; and
(v) provides for interconnection with other existing cyber ranges and other kinetic range facilities in a distributed manner.
(D) Certifying all cyber range investments of the Department of Defense.
(E) Performing such other assessments or analyses as the Secretary considers appropriate.
(3)Standard for cyber event data.—The executive agents designated under subsection (a), in consultation with the Chief Information Officer of the Department of Defense, shall jointly select a standard language from open-source candidates for representing and communicating cyber event and threat data. Such language shall be machine-readable for the Joint Information Environment and associated test and training ranges.
(c)Support Within Department of Defense.—The Secretary of Defense shall ensure that the military departments, Defense Agencies, and other components of the Department of Defense provide the executive agents designated under subsection (a) with the appropriate support and resources needed to perform the roles, responsibilities, and authorities of the executive agents.
(d)Compliance With Existing Directive.—The Secretary shall carry out this section in compliance with Directive 5101.1.
(e)Definitions.—In this section:
(1) The term “designated cyber and information technology range” includes the National Cyber Range, the Joint Information Operations Range, the Defense Information Assurance Range, and the C4 Assessments Division of J6 of the Joint Staff.
(2) The term “Directive 5101.1” means Department of Defense Directive 5101.1, or any successor directive relating to the responsibilities of an executive agent of the Department of Defense.
(3) The term “executive agent” has the meaning given the term “DoD Executive Agent” in Directive 5101.1.
(Added Pub. L. 113–291, div. A, title XVI, § 1633(a), Dec. 19, 2014, 128 Stat. 3641.)
§ 392a. Principal Cyber Advisors
(a)Principal Cyber Advisor to Secretary of Defense.—
(1)Establishment.—There is a Principal Cyber Advisor in the Department of Defense.
(2)Responsibilities.—The Principal Cyber Advisor shall be responsible for the following:
(A) Acting as the principal advisor to the Secretary on military cyber forces and activities.
(B) Overall integration of Cyber Operations Forces activities relating to cyberspace operations, including associated policy and operational considerations, resources, personnel, technology development and transition, and acquisition.
(C) Assessing and overseeing the implementation of the cyber strategy of the Department and execution of the cyber posture review of the Department on behalf of the Secretary.
(D) Coordinating activities pursuant to subparagraphs (A) and (B) of paragraph (3) with the Principal Information Operations Advisor, the Chief Information Officer of the Department, and other officials as determined by the Secretary of Defense, to ensure the integration of activities in support of cyber, information, and electromagnetic spectrum operations.
(E) Such other matters relating to the offensive military cyber forces of the Department as the Secretary shall specify for the purposes of this subsection.
(3)Cross-functional team.—Consistent with section 911 of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328; 10 U.S.C. 111 note), the Principal Cyber Advisor shall—
(A) integrate the cyber expertise and perspectives of appropriate organizations within the Office of the Secretary of Defense, Joint Staff, military departments, the Defense Agencies and Field Activities, and combatant commands, by establishing and maintaining a full-time cross-functional team of subject matter experts from those organizations; and
(B) select team members, and designate a team leader, from among those personnel nominated by the heads of such organizations.
(4)Budget review.—
(A) The Secretary of Defense, acting through the Under Secretary of Defense (Comptroller), shall require the Secretaries of the military departments and the heads of the Defense agencies with responsibilities associated with any activity specified in paragraph (2) to transmit the proposed budget for such activities for a fiscal year and for the period covered by the future-years defense program submitted to Congress under section 221 of this title for that fiscal year to the Principal Cyber Advisor for review under subparagraph (B) before submitting the proposed budget to the Under Secretary of Defense (Comptroller).
(B) The Principal Cyber Advisor shall review each proposed budget transmitted under subparagraph (A) and, not later than January 31 of the year preceding the fiscal year for which the budget is proposed, shall submit to the Secretary of Defense a report containing the comments of the Principal Cyber Advisor with respect to all such proposed budgets, together with the certification of the Principal Cyber Advisor regarding whether each proposed budget is adequate.
(C) Not later than March 31 of each year, the Secretary of Defense shall submit to Congress a report specifying each proposed budget that the Principal Cyber Advisor did not certify to be adequate. The report of the Secretary shall include the following matters:
(i) A discussion of the actions that the Secretary proposes to take, together with any recommended legislation that the Secretary considers appropriate, to address the inadequacy of the proposed budgets specified in the report.
(ii) Any additional comments that the Secretary considers appropriate regarding the inadequacy of the proposed budgets.
(b)Senior Military Advisor for Cyber Policy and Deputy Principal Cyber Advisor.—
(1)Advisor.—
(A)In general.—The Secretary of Defense shall, acting through the Joint Staff, designate an officer within the Office of the Under Secretary of Defense for Policy to serve within that Office as the Senior Military Advisor for Cyber Policy, and concurrently, as the Deputy Principal Cyber Advisor.
(B)Officers eligible for designation.—The officer designated pursuant to this paragraph shall be designated from among commissioned regular officers of the Armed Forces in a general or flag officer grade who are qualified for designation.
(C)Grade.—The officer designated pursuant to this paragraph shall have the grade of major general or rear admiral (upper half) while serving in that position, without vacating the officer’s permanent grade.
(2)Scope of Positions.—
(A)In general.—The officer designated pursuant to paragraph (1) is each of the following:
(i) The Senior Military Advisor for Cyber Policy to the Under Secretary of Defense for Policy.
(ii) The Deputy Principal Cyber Advisor to the Secretary of Defense.
(B)Direction and control and reporting.—In carrying out duties under this section, the officer designated pursuant to paragraph (1) shall be subject to the authority, direction, and control of, and shall report directly to, the following:
(i) The Under Secretary with respect to Senior Military Advisor for Cyber Policy duties.
(ii) The Principal Cyber Advisor with respect to Deputy Principal Cyber Advisor duties.
(3)Duties.—
(A)Duties as senior military advisor for cyber policy.—The duties of the officer designated pursuant to paragraph (1) as Senior Military Advisor for Cyber Policy are as follows:
(i) To serve as the principal uniformed military advisor on military cyber forces and activities to the Under Secretary of Defense for Policy.
(ii) To assess and advise the Under Secretary on aspects of policy relating to military cyberspace operations, resources, personnel, cyber force readiness, cyber workforce development, and defense of Department of Defense networks.
(iii) To advocate, in consultation with the Joint Staff, and senior officers of the Armed Forces and the combatant commands, for consideration of military issues within the Office of the Under Secretary of Defense for Policy, including coordination and synchronization of Department cyber forces and activities.
(iv) To maintain open lines of communication between the Chief Information Officer of the Department of Defense, senior civilian leaders within the Office of the Under Secretary, and senior officers on the Joint Staff, the Armed Forces, and the combatant commands on cyber matters, and to ensure that military leaders are informed on cyber policy decisions.
(B)Duties as deputy principal cyber advisor.—The duties of the officer designated pursuant to paragraph (1) as Deputy Principal Cyber Advisor are as follows:
(i) To synchronize, coordinate, and oversee implementation of the Cyber Strategy of the Department of Defense and other relevant policy and planning.
(ii) To advise the Secretary of Defense on cyber programs, projects, and activities of the Department, including with respect to policy, training, resources, personnel, manpower, and acquisitions and technology.
(iii) To oversee implementation of Department policy and operational directives on cyber programs, projects, and activities, including with respect to resources, personnel, manpower, and acquisitions and technology.
(iv) To assist in the overall supervision of Department cyber activities relating to offensive missions.
(v) To assist in the overall supervision of Department defensive cyber operations, including activities of component-level cybersecurity service providers and the integration of such activities with activities of the Cyber Mission Force.
(vi) To advise senior leadership of the Department on, and advocate for, investment in capabilities to execute Department missions in and through cyberspace.
(vii) To identify shortfalls in capabilities to conduct Department missions in and through cyberspace, and make recommendations on addressing such shortfalls in the Program Budget Review process.
(viii) To coordinate and consult with stakeholders in the cyberspace domain across the Department in order to identify other issues on cyberspace for the attention of senior leadership of the Department.
(ix) On behalf of the Principal Cyber Advisor, to lead the cross-functional team established pursuant to 932(c)(3) [1] of the National Defense Authorization Act for Fiscal Year 2014 (10 U.S.C. 2224 note) [2] in order to synchronize and coordinate military and civilian cyber forces and activities of the Department.
[1] So in original. Probably should be preceded by “section”.
[2] See References in Text note below.
(c)Cyber Governance Structures and Principal Cyber Advisors on Military Cyber Force Matters.—
(1)Designation.—
(A)In general.—Not later than 270 days after the date of the enactment of this Act, each of the secretaries of the military departments, in consultation with the service chiefs, shall appoint an independent Principal Cyber Advisor for each service to act as the principal advisor to the relevant secretary on all cyber matters affecting that military service.
(B)Nature of position.—Each Principal Cyber Advisor position under subparagraph (A) shall—
(i) be a senior civilian leadership position, filled by a senior member of the Senior Executive Service, not lower than the equivalent of a 3-star general officer, or by exception a comparable military officer with extensive cyber experience;
(ii) exclusively occupy the Principal Cyber Advisor position and not assume any other position or responsibility in the relevant military department;
(iii) be independent of the relevant service’s chief information officer; and
(iv) report directly to and advise the secretary of the relevant military department and advise the relevant service’s senior uniformed officer.
(C)Notification.—Each of the secretaries of the military departments shall notify the Committees on Armed Services of the Senate and House of Representatives of his or her Principal Cyber Advisor appointment. In the case that the appointee is a military officer, the notification shall include a justification for the selection and an explanation of the appointee’s ability to execute the responsibilities of the Principal Cyber Advisor.
(2)Responsibilities of Principal Cyber Advisors.—Each Principal Cyber Advisor under paragraph (1) shall be responsible for advising both the secretary of the relevant military department and the senior uniformed military officer of the relevant military service and implementing the Department of Defense Cyber Strategy within the service by coordinating and overseeing the execution of the service’s policies and programs relevant to the following:
(A) The recruitment, resourcing, and training of military cyberspace operations forces, assessment of these forces against standardized readiness metrics, and maintenance of these forces at standardized readiness levels.
(B) Acquisition of offensive, defensive, and Department of Defense Information Networks cyber capabilities for military cyberspace operations.
(C) Cybersecurity management and operations.
(D) Acquisition of cybersecurity tools and capabilities, including those used by cybersecurity service providers.
(E) Evaluating, improving, and enforcing a culture of cybersecurity warfighting and accountability for cybersecurity and cyberspace operations.
(F) Cybersecurity and related supply chain risk management of the industrial base.
(G) Cybersecurity of Department of Defense information systems, information technology services, and weapon systems, including the incorporation of cybersecurity threat information as part of secure development processes, cybersecurity testing, and the mitigation of cybersecurity risks.
(3)Coordination.—To ensure service compliance with the Department of Defense Cyber Strategy, each Principal Cyber Advisor under paragraph (1) shall work in close coordination with the following:
(A) Service chief information officers.
(B) Service cyber component commanders.
(C) Principal Cyber Advisor to the Secretary of Defense.
(D) Department of Defense Chief Information Officer.
(E) Defense Digital Service.
(4)Budget Certification Authority.—
(A)In general.—Each of the secretaries of the military departments shall require service components with responsibilities associated with cyberspace operations forces, offensive or defensive cyberspace operations and capabilities, and cyberspace issues relevant to the duties specified in paragraph (2) to transmit the proposed budget for such responsibilities for a fiscal year and for the period covered by the future-years defense program submitted to Congress under section 221 of title 10, United States Code, for that fiscal year to the relevant service’s Principal Cyber Advisor for review under subparagraph (B) before submitting the proposed budget to the department’s comptroller.
(B)Review.—Each Principal Cyber Advisor under paragraph (1)(A) shall review each proposed budget transmitted under subparagraph (A) and submit to the secretary of the relevant military department a report containing the comments of the Principal Cyber Advisor with respect to all such proposed budgets, together with the certification of the Principal Cyber Advisor regarding whether each proposed budget is adequate.
(C)Report.—Not later than March 31 of each year, each of the secretaries of the military departments shall submit to the congressional defense committees a report specifying each proposed budget for the subsequent fiscal year contained in the most-recent report submitted under subparagraph (B) that the Principal Cyber Advisor did not certify to be adequate. The report of the secretary shall include a discussion of the actions that the secretary took or proposes to take, together with any additional comments that the Secretary considers appropriate regarding the adequacy or inadequacy of the proposed budgets.
(5)Principal Cyber Advisors’ Briefing to Congress.—Not later than February 1, 2021, and biannually thereafter, each Principal Cyber Advisor under paragraph (1) shall brief the Committees on Armed Services of the Senate and House of Representatives on that Advisor’s activities and ability to perform the functions specified in paragraph (2).
(Added and amended Pub. L. 117–263, div. A, title XV, § 1501(b), Dec. 23, 2022, 136 Stat. 2877; Pub. L. 118–31, div. A, title XVIII, § 1801(a)(5), Dec. 22, 2023, 137 Stat. 683.)
§ 393. Reporting on penetrations of networks and information systems of certain contractors
(a)Procedures for Reporting Penetrations.—The Secretary of Defense shall establish procedures that require each cleared defense contractor to report to a component of the Department of Defense designated by the Secretary for purposes of such procedures when a network or information system of such contractor that meets the criteria established pursuant to subsection (b) is successfully penetrated.
(b)Networks and Information Systems Subject to Reporting.—
(1)Criteria.—The Secretary of Defense shall designate a senior official to, in consultation with the officials specified in paragraph (2), establish criteria for covered networks to be subject to the procedures for reporting system penetrations under subsection (a).
(2)Officials.—The officials specified in this subsection are the following:
(A) The Under Secretary of Defense for Policy.
(B) The Under Secretary of Defense for Acquisition and Sustainment.
(C) the Under Secretary of Defense for Research and Engineering.
(D) The Under Secretary of Defense for Intelligence and Security.
(E) The Chief Information Officer of the Department of Defense.
(F) The Commander of the United States Cyber Command.
(c)Procedure Requirements.—
(1)Rapid reporting.—The procedures established pursuant to subsection (a) shall require each cleared defense contractor to rapidly report to a component of the Department of Defense designated pursuant to subsection (a) of each successful penetration of the network or information systems of such contractor that meet the criteria established pursuant to subsection (b). Each such report shall include the following:
(A) A description of the technique or method used in such penetration.
(B) A sample of the malicious software, if discovered and isolated by the contractor, involved in such penetration.
(C) A summary of information created by or for the Department in connection with any Department program that has been potentially compromised due to such penetration.
(2)Access to equipment and information by department of defense personnel.—The procedures established pursuant to subsection (a) shall—
(A) include mechanisms for Department of Defense personnel to, upon request, obtain access to equipment or information of a cleared defense contractor necessary to conduct forensic analysis in addition to any analysis conducted by such contractor;
(B) provide that a cleared defense contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated; and
(C) provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
(3)Dissemination of information.—The procedures established pursuant to subsection (a) shall limit the dissemination of information obtained or derived through such procedures to entities—
(A) with missions that may be affected by such information;
(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(C) that conduct counterintelligence or law enforcement investigations; or
(D) for national security purposes, including cyber situational awareness and defense purposes.
(d)Protection From Liability of Cleared Defense Contractors.—
(1) No cause of action shall lie or be maintained in any court against any cleared defense contractor, and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with the procedures established pursuant to subsection (a).
(2)
(A) Nothing in this section shall be construed—
(i) to require dismissal of a cause of action against a cleared defense contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (a); or
(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each cleared defense contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.
(C) In this subsection, the term “willful misconduct” means an act or omission that is taken—
(i) intentionally to achieve a wrongful purpose;
(ii) knowingly without legal or factual justification; and
(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.
(e)Definitions.—In this section:
(1)Cleared defense contractor.—The term “cleared defense contractor” means a private entity granted clearance by the Department of Defense to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any program of the Department of Defense.
(2)Covered network.—The term “covered network” means a network or information system of a cleared defense contractor that contains or processes information created by or for the Department of Defense with respect to which such contractor is required to apply enhanced protection.
(Added and amended Pub. L. 114–92, div. A, title XVI, § 1641(a), Nov. 25, 2015, 129 Stat. 1114; Pub. L. 116–92, div. A, title IX, § 902(8), title XVI, § 1621(e)(1)(A)(vi), Dec. 20, 2019, 133 Stat. 1543, 1733; Pub. L. 116–283, div. A, title X, § 1081(a)(15), Jan. 1, 2021, 134 Stat. 3871; Pub. L. 117–81, div. A, title X, § 1081(a)(9), Dec. 27, 2021, 135 Stat. 1920.)
§ 394. Authorities concerning military cyber operations
(a)In General.—The Secretary of Defense shall develop, prepare, and coordinate; make ready all armed forces for purposes of; and, when appropriately authorized to do so, conduct, military cyber activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to defend the United States and its allies, including in response to malicious cyber activity carried out against the United States or a United States person by a foreign power.
(b)Affirmation of Authority.—Congress affirms that the activities or operations referred to in subsection (a), when appropriately authorized, include the conduct of military activities or operations in cyberspace short of hostilities (as such term is used in the War Powers Resolution (Public Law 93–148; 50 U.S.C. 1541 et seq.)) or in areas in which hostilities are not occurring, including for the purpose of preparation of the environment, information operations, force protection, and deterrence of hostilities, or counterterrorism operations involving the Armed Forces of the United States.
(c)Clandestine Activities or Operations.—A clandestine military activity or operation in cyberspace shall be considered a traditional military activity for the purposes of section 503(e)(2) of the National Security Act of 1947 (50 U.S.C. 3093(e)(2)).
(d)Congressional Oversight.—The Secretary shall brief the congressional defense committees about any military activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, occurring during the previous quarter during the quarterly briefing required by section 484 of this title.
(e)Rule of Construction.—Nothing in this section may be construed to limit the authority of the Secretary to conduct military activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to authorize specific military activities or operations, or to alter or otherwise affect the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note), or reporting of sensitive military cyber activities or operations required by section 395 of this title.
(f)Definitions.—In this section:
(1) The term “clandestine military activity or operation in cyberspace” means a military activity or military operation carried out in cyberspace, or associated preparatory actions, authorized by the President or the Secretary that—
(A) is marked by, held in, or conducted with secrecy, where the intent is that the activity or operation will not be apparent or acknowledged publicly; and
(B) is to be carried out—
(i) as part of a military operation plan approved by the President or the Secretary in anticipation of hostilities or as directed by the President or the Secretary;
(ii) to deter, safeguard, or defend against attacks or malicious cyber activities against the United States or Department of Defense information, networks, systems, installations, facilities, or other assets; or
(iii) in support of information related capabilities.
(2) The term “foreign power” has the meaning given such term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
(3) The term “United States person” has the meaning given such term in such section.
(Added Pub. L. 114–92, div. A, title XVI, § 1642(a), Nov. 25, 2015, 129 Stat. 1116, § 130g; renumbered § 394 and amended Pub. L. 115–232, div. A, title XVI, §§ 1631(a), 1632, Aug. 13, 2018, 132 Stat. 2123.)
§ 395. Notification requirements for sensitive military cyber operations
(a)In General.—Except as provided in subsection (d), the Secretary of Defense shall promptly submit to the congressional defense committees notice in writing of any sensitive military cyber operation conducted under this title no later than 48 hours following such operation.
(b)Procedures.—
(1) The Secretary of Defense shall establish and submit to the congressional defense committees procedures for complying with the requirements of subsection (a) consistent with the national security of the United States and the protection of operational integrity. The Secretary shall promptly notify the congressional defense committees in writing of any changes to such procedures at least 14 days prior to the adoption of any such changes.
(2) The congressional defense committees shall ensure that committee procedures designed to protect from unauthorized disclosure classified information relating to national security of the United States are sufficient to protect the information that is submitted to the committees pursuant to this section.
(3) In the event of an unauthorized disclosure of a sensitive military cyber operation covered by this section, the Secretary shall ensure, to the maximum extent practicable, that the congressional defense committees are notified immediately of the sensitive military cyber operation concerned. The notification under this paragraph may be verbal or written, but in the event of a verbal notification a written notification, signed by the Secretary, or the Secretary’s designee, shall be provided by not later than 48 hours after the provision of the verbal notification.
(c)Sensitive Military Cyber Operation Defined.—
(1) In this section, the term “sensitive military cyber operation” means an action described in paragraph (2) that—
(A) is carried out by the armed forces of the United States;
(B) is intended to achieve a cyber effect against a foreign terrorist organization or a country, including its armed forces and the proxy forces of that country located elsewhere—
(i) with which the armed forces of the United States are not involved in hostilities (as that term is used in section 4 of the War Powers Resolution (50 U.S.C. 1543)); or
(ii) with respect to which the involvement of the armed forces of the United States in hostilities has not been acknowledged publicly by the United States; and
(C)
(i) is determined to—
(I) have a medium or high collateral effects estimate;
(II) have a medium or high intelligence gain or loss;
(III) have a medium or high probability of political retaliation, as determined by the political military assessment contained within the associated concept of operations;
(IV) have a medium or high probability of detection when detection is not intended; or
(V) result in medium or high collateral effects; or
(ii) is a matter the Secretary determines to be appropriate.
(2) The actions described in this paragraph are the following:
(A) An offensive cyber operation.
(B) A defensive cyber operation.
(d)Exceptions.—The notification requirement under subsection (a) does not apply—
(1) to a training exercise conducted with the consent of all nations where the intended effects of the exercise will occur; or
(2) to a covert action (as that term is defined in section 503 of the National Security Act of 1947 (50 U.S.C. 3093)).
(e)Rule of Construction.—Nothing in this section shall be construed to provide any new authority or to alter or otherwise affect the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note), or any requirement under the National Security Act of 1947 (50 U.S.C. 3001 et seq.).
(Added Pub. L. 115–91, div. A, title XVI, § 1631(a), Dec. 12, 2017, 131 Stat. 1736, § 130j; renumbered § 395 and amended Pub. L. 115–232, div. A, title X, § 1081(a)(1), title XVI, § 1631(a), Aug. 13, 2018, 132 Stat. 1983, 2123; Pub. L. 116–92, div. A, title XVI, § 1632, Dec. 20, 2019, 133 Stat. 1745; Pub. L. 116–283, div. A, title XVII, § 1702, Jan. 1, 2021, 134 Stat. 4080.)
§ 396. Notification requirements for cyber weapons
(a)In General.—Except as provided in subsection (c), the Secretary of Defense shall promptly submit to the congressional defense committees notice in writing of the following:
(1) With respect to a cyber capability that is intended for use as a weapon, on a quarterly basis, the aggregated results of all reviews of the capability for legality under international law pursuant to Department of Defense Directive 5000.01 carried out by any military department concerned.
(2) The use as a weapon of any cyber capability that has been approved for such use under international law by a military department no later than 48 hours following such use.
(b)Procedures.—
(1) The Secretary of Defense shall establish and submit to the congressional defense committees procedures for complying with the requirements of subsection (a) consistent with the national security of the United States and the protection of operational integrity. The Secretary shall promptly notify the congressional defense committees in writing of any changes to such procedures at least 14 days prior to the adoption of any such changes.
(2) The congressional defense committees shall ensure that committee procedures designed to protect from unauthorized disclosure classified information relating to national security of the United States are sufficient to protect the information that is submitted to the committees pursuant to this section.
(3) In the event of an unauthorized disclosure of a cyber capability covered by this section, the Secretary shall ensure, to the maximum extent practicable, that the congressional defense committees are notified immediately of the cyber capability concerned. The notification under this paragraph may be verbal or written, but in the event of a verbal notification a written notification shall be provided by not later than 48 hours after the provision of the verbal notification.
(c)Exceptions.—The notification requirement under subsection (a) does not apply—
(1) to a training exercise conducted with the consent of all nations where the intended effects of the exercise will occur; or
(2) to a covert action (as that term is defined in section 503 of the National Security Act of 1947 (50 U.S.C. 3093)).
(d)Rule of Construction.—Nothing in this section shall be construed to provide any new authority or to alter or otherwise affect the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note), or any requirement under the National Security Act of 1947 (50 U.S.C. 3001 et seq.).
(Added Pub. L. 115–91, div. A, title XVI, § 1631(a), Dec. 12, 2017, 131 Stat. 1737, § 130k; renumbered § 396 and amended Pub. L. 115–232, div. A, title X, § 1081(a)(1), title XVI, § 1631(a), Aug. 13, 2018, 132 Stat. 1983, 2123.)
§ 397. Principal Information Operations Advisor
(a)Designation.—Not later than 30 days after the enactment of this Act, the Secretary of Defense shall designate, from among officials appointed to a position in the Department of Defense by and with the advice and consent of the Senate, a Principal Information Operations Advisor to act as the principal advisor to the Secretary on all aspects of information operations conducted by the Department.
(b)Responsibilities.—The Principal Information Operations Advisor shall have the following responsibilities:
(1) Oversight of policy, strategy, planning, resource management, operational considerations, personnel, and technology development across all the elements of information operations of the Department.
(2) Overall integration and supervision of the deterrence of, conduct of, and defense against information operations.
(3) Promulgation of policies to ensure adequate coordination and deconfliction with the Department of State, the intelligence community (as such term is defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)), and other relevant agencies and departments of the Federal Government.
(4) Coordination with the head of the Global Engagement Center to support the purpose of the Center (as set forth by section 1287(a)(2) of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328; 22 U.S.C. 2656 note)) and liaison with the Center and other relevant Federal Government entities to support such purpose.
(5) Establishing and supervising a rigorous risk management process to mitigate the risk of potential exposure of United States persons to information intended exclusively for foreign audiences.
(6) Promulgation of standards for the attribution or public acknowledgment, if any, of operations in the information environment.
(7) Development of guidance for, and promotion of, the capability of the Department to liaison with the private sector and academia on matters relating to the influence activities of malign actors.
(8) Such other matters relating to information operations as the Secretary shall specify for purposes of this subsection.
(Added Pub. L. 116–92, div. A, title XVI, § 1631(a)(1), Dec. 20, 2019, 133 Stat. 1741; amended Pub. L. 116–283, div. A, title X, § 1081(a)(16), Jan. 1, 2021, 134 Stat. 3871.)
§ 398. Military information support operations in information environment
(a)Congressional Notification Requirement.—
(1) Not later than 48 hours after the execution of any new military information support operation plan (in this section referred to as a “MISO plan”) approved by the commander of a combatant command, or any change in scope of any existing MISO plan, including any underlying MISO supporting plan, the Secretary of Defense shall promptly submit to the congressional defense committees notice in writing of such approval or execution of change in scope.
(2) A notification under paragraph (1) with respect to a MISO plan shall include each of the following:
(A) A description of the military information support operation program (in this section referred to as a “MISO program”) supported by the MISO plan.
(B) A description of the objectives of the MISO plan.
(C) A description of the intended target audience for military information support operation activities under the MISO plan.
(D) A description of the tactics, techniques, and procedures to be used in executing the MISO plan.
(E) A description of the personnel engaged in supporting or facilitating the operation.
(F) The amount of funding anticipated to be obligated and expended to execute the MISO plan during the current and subsequent fiscal years.
(G) The expected duration and desired outcome of the MISO plan.
(H) Any other elements the Secretary determines appropriate.
(3) To the maximum extent practicable, the Secretary shall ensure that the congressional defense committees are notified promptly of any unauthorized disclosure of a clandestine military support operation covered by this section. A notification under this subsection may be verbal or written, but in the event of a verbal notification, the Secretary shall provide a written notification by not later than 48 hours after the provision of the verbal notification.
(b)Annual Report.—Not later than 90 days after the last day of any fiscal year during which the Secretary conducts a MISO plan, the Secretary shall submit to the congressional defense committees a report on all such MISO plans conducted during such fiscal year. Such report shall include each of the following:
(1) A list of each MISO program and the combatant command responsible for the program.
(2) For each MISO plan—
(A) a description of the plan and any supporting plans, including the objectives for the plan;
(B) a description of the intended target audience for the activities carried out under the plan and the means of distribution; and
(C) the cost of executing the plan.
(c)Prohibition on Clandestine Operations Designed to Influence Opinions and Politics in United States.—None of the funds authorized to be appropriated or otherwise made available for the Department of Defense for any fiscal year may be used to conduct a clandestine military information support operation that is designed to influence—
(1) any political process taking place in the United States;
(2) the opinions of United States persons;
(3) United States policies; or
(4) media produced by United States entities for United States persons.
(Added Pub. L. 117–263, div. A, title X, § 1052(a), Dec. 23, 2022, 136 Stat. 2776.)
§ 398a. Pilot program for sharing cyber capabilities and related information with foreign operational partners
(a)Authority to Establish Pilot Program to Share Cyber Capabilities.—The Secretary of Defense may, with the concurrence of the Secretary of State, provide cyber capabilities and related information developed or procured by the Department of Defense to foreign countries or organizations described in subsection (b) without compensation, to meet operational imperatives if the Secretary of Defense determines that the provision of such cyber capabilities is in the national security interests of the United States.
(b)List of Foreign Countries.—The Secretary of Defense, with the concurrence of the Secretary of State, shall—
(1) establish—
(A) a list of foreign countries that the Secretary of Defense considers suitable for sharing of cyber capabilities and related information under the authority established under subsection (a); and
(B) criteria for establishing the list under subparagraph (A);
(2) not later than 14 days after establishing the list required by paragraph (1), submit to the appropriate committees of Congress such list; and
(3) notify the appropriate committees of Congress in writing of any changes to the list established under paragraph (1) at least 14 days prior to the adoption of any such changes.
(c)Procedures.—
(1) establish and submit to the appropriate committees of Congress procedures for a coordination process for subsection (a) that is consistent with the operational timelines required to support the national security of the United States; and
(2) notify the appropriate committees of Congress in writing of any changes to the procedures established under paragraph (1) at least 14 days prior to the adoption of any such changes.
(d)Notification Required.—
(1) The Secretary of Defense and Secretary of State jointly shall promptly submit to the appropriate committees of Congress notice in writing of any use of the authority provided by subsection (a) no later than 48 hours following the use of the authority.
(2) Notification under paragraph (1) shall include a certification that the provision of the cyber capabilities was in the national security interests of the United States.
(3) The notification under paragraph (1) shall include an analysis of whether the transfer and the underlying operational imperative could have been met using another authority.
(e)Termination.—The authority established under subsection (a) shall terminate on the date that is 3 years after the date on which this authority becomes law.
(f)Performance Metrics.—
(1) The Secretary of Defense shall maintain performance metrics to track the results of sharing cyber capabilities and related information with foreign operational partners under a pilot program authorized by subsection (a).
(2) The performance metrics under paragraph (1) shall include the following:
(A) Whom the cyber capability was used against.
(B) The effect of the cyber capability, including whether and how the transfer of the cyber capability improved the operational cyber posture of the United States and achieved operational objectives of the United States, or had no effect.
(C) Such other outcome-based or appropriate performance metrics as the Secretary considers appropriate for evaluating the effectiveness of a pilot program carried out under subsection (a).
(g)Definitions.—In this section:
(1) The term “appropriate committees of Congress” means—
(A) the congressional defense committees;
(B) the Committee on Foreign Relations of the Senate; and
(C) Committee on Foreign Affairs of the House of Representatives.
(2) The term “cyber capability” means a device or computer program, including any combination of software, firmware, or hardware, designed to create an effect in or through cyberspace.
(h)Rule of Construction.—Nothing in this section shall be construed as amending, diminishing, or otherwise impacting reporting or other obligations under the War Powers Resolution.
(Added Pub. L. 117–263, div. A, title XV, § 1551(a), Dec. 23, 2022, 136 Stat. 2918, § 398; renumbered § 398a and amended Pub. L. 118–31, div. A, title XV, § 1501, title XVIII, § 1801(a)(6), (7), Dec. 22, 2023, 137 Stat. 533, 683.)
§ 399. Notifications relating to military operations in the information environment: requirement to notify Chief of Mission

The Secretary may not authorize a military operation in the information environment under this title intended to cause an effect in a country unless the Secretary fully informs the chief of mission for that country under section 207 of the Foreign Service Act of 1980 (22 U.S.C. 3927) of the planned operation.

(Added Pub. L. 117–263, div. A, title XV, § 1521, Dec. 23, 2022, 136 Stat. 2897.)