Collapse to view only § 10306. Vulnerability disclosure policy and bug bounty program report
- § 10301. United States international cyberspace policy
- § 10302. International cyberspace and digital policy strategy
- § 10303. Cybersecurity recruitment and retention
- § 10304. Short course on emerging technologies for senior officials
- § 10305. Establishment and expansion of Regional Technology Officer Program
- § 10306. Vulnerability disclosure policy and bug bounty program report
- § 10307. Digital Connectivity and Cybersecurity Partnership
- § 10308. Cyber protection support for personnel of the Department of State in positions highly vulnerable to cyber attack
§ 10301. United States international cyberspace policy
(a) In generalIt is the policy of the United States—
(1) to work internationally to promote an open, interoperable, reliable, and secure internet governed by the multi-stakeholder model, which—
(A) promotes democracy, the rule of law, and human rights, including freedom of expression;
(B) supports the ability to innovate, communicate, and promote economic prosperity; and
(C) is designed to protect privacy and guard against deception, malign influence, incitement to violence, harassment and abuse, fraud, and theft;
(2) to encourage and aid United States allies and partners in improving their own technological capabilities and resiliency to pursue, defend, and protect shared interests and values, free from coercion and external pressure; and
(3) in furtherance of the efforts described in paragraphs (1) and (2)—
(A) to provide incentives to the private sector to accelerate the development of the technologies referred to in such paragraphs;
(B) to modernize and harmonize with allies and partners export controls and investment screening regimes and associated policies and regulations; and
(C) to enhance United States leadership in technical standards-setting bodies and avenues for developing norms regarding the use of digital tools.
(b) ImplementationIn implementing the policy described in subsection (a), the President, in consultation with outside actors, as appropriate, including private sector companies, nongovernmental organizations, security researchers, and other relevant stakeholders, in the conduct of bilateral and multilateral relations, shall strive—
(1) to clarify the applicability of international laws and norms to the use of information and communications technology (referred to in this subsection as “ICT”);
(2) to reduce and limit the risk of escalation and retaliation in cyberspace, damage to critical infrastructure, and other malicious cyber activity that impairs the use and operation of critical infrastructure that provides services to the public;
(3) to cooperate with like-minded countries that share common values and cyberspace policies with the United States, including respect for human rights, democracy, and the rule of law, to advance such values and policies internationally;
(4) to encourage the responsible development of new, innovative technologies and ICT products that strengthen a secure internet architecture that is accessible to all;
(5) to secure and implement commitments on responsible country behavior in cyberspace, including commitments by countries—
(A) not to conduct, or knowingly support, cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors;
(B) to take all appropriate and reasonable efforts to keep their territories clear of intentionally wrongful acts using ICT in violation of international commitments;
(C) not to conduct or knowingly support ICT activity that intentionally damages or otherwise impairs the use and operation of critical infrastructure providing services to the public, in violation of international law;
(D) to take appropriate measures to protect the country’s critical infrastructure from ICT threats;
(E) not to conduct or knowingly support malicious international activity that harms the information systems of authorized international emergency response teams (also known as “computer emergency response teams” or “cybersecurity incident response teams”) of another country or authorize emergency response teams to engage in malicious international activity, in violation of international law;
(F) to respond to appropriate requests for assistance to mitigate malicious ICT activity emanating from their territory and aimed at the critical infrastructure of another country;
(G) not to restrict cross-border data flows or require local storage or processing of data; and
(H) to protect the exercise of human rights and fundamental freedoms on the internet, while recognizing that the human rights that people have offline also need to be protected online; and
(6) to advance, encourage, and support the development and adoption of internationally recognized technical standards and best practices.
(Pub. L. 117–263, div. I, title XCV, § 9501, Dec. 23, 2022, 136 Stat. 3897.)
§ 10302. International cyberspace and digital policy strategy
(a) Strategy required
(b) ElementsThe strategy required under subsection (a) shall include—
(1) a review of actions and activities undertaken to support the policy described in section 10301(a) of this title;
(2) a plan of action to guide the diplomacy of the Department with regard to foreign countries, including—
(A) conducting bilateral and multilateral activities—
(i) to develop and support the implementation of norms of responsible country behavior in cyberspace consistent with the commitments listed in section 10301(b)(5) of this title;
(ii) to reduce the frequency and severity of cyberattacks on United States individuals, businesses, governmental agencies, and other organizations;
(iii) to reduce cybersecurity risks to United States and allied critical infrastructure;
(iv) to improve allies’ and partners’ collaboration with the United States on cybersecurity issues, including information sharing, regulatory coordination and improvement, and joint investigatory and law enforcement operations related to cybercrime; and
(v) to share best practices and advance proposals to strengthen civilian and private sector resiliency to threats and access to opportunities in cyberspace; and
(B) reviewing the status of existing efforts in relevant multilateral fora, as appropriate, to obtain commitments on international norms regarding cyberspace;
(3) a review of alternative concepts for international norms regarding cyberspace offered by foreign countries;
(4) a detailed description, in consultation with the Office of the National Cyber Director and relevant Federal agencies, of new and evolving threats regarding cyberspace from foreign adversaries, state-sponsored actors, and non-state actors to—
(A) United States national security;
(B) the Federal and private sector cyberspace infrastructure of the United States;
(C) intellectual property in the United States; and
(D) the privacy and security of citizens of the United States;
(5) a review of the policy tools available to the President to deter and de-escalate tensions with foreign countries, state-sponsored actors, and private actors regarding—
(A) threats in cyberspace;
(B) the degree to which such tools have been used; and
(C) whether such tools have been effective deterrents;
(6) a review of resources required to conduct activities to build responsible norms of international cyber behavior;
(7) a review, in coordination with the Office of the National Cyber Director and the Office of Management and Budget, to determine whether the budgetary resources, technical expertise, legal authorities, and personnel available to the Department are adequate to achieve the actions and activities undertaken by the Department to support the policy described in section 10301(a) of this title;
(8) a review to determine whether the Department is properly organized and coordinated with other Federal agencies to achieve the objectives described in section 10301(b) of this title; and
(9) a plan of action, developed in coordination with the Department of Defense and in consultation with other relevant Federal departments and agencies as the President may direct, with respect to the inclusion of cyber issues in mutual defense agreements.
(c) Form of strategy
(1) Public availability
(2) Classified annex
(d) Briefing
(e) UpdatesThe strategy required under subsection (a) shall be updated—
(1) not later than 90 days after any material change to United States policy described in such strategy; and
(2) not later than 1 year after the inauguration of each new President.
(Pub. L. 117–263, div. I, title XCV, § 9503, Dec. 23, 2022, 136 Stat. 3902.)
§ 10303. Cybersecurity recruitment and retention
(a) Sense of CongressIt is the sense of Congress that improving computer programming language proficiency will improve—
(1) the cybersecurity effectiveness of the Department; and
(2) the ability of foreign service officers to engage with foreign audiences on cybersecurity matters.
(b) Technology talent acquisition
(1) Establishment
(2) GoalsThe goals of the positions described in paragraph (1) shall be—
(A) to fulfill the critical need of the Department to recruit and retain employees for cybersecurity, digital, and technology positions;
(B) to actively recruit relevant candidates from academic institutions, the private sector, and related industries;
(C) to work with the Office of Personnel Management and the United States Digital Service to develop and implement best strategies for recruiting and retaining technology talent; and
(D) to inform and train supervisors at the Department on the use of the authorities listed in subsection (c)(1).
(3) Implementation plan
(4) Authorization of appropriations
(c) Annual report on hiring authoritiesNot later than 1 year after December 23, 2022, and annually thereafter for the following 5 years, the Secretary shall submit a report to the appropriate congressional committees that includes—
(1) a list of the hiring authorities available to the Department to recruit and retain personnel with backgrounds in cybersecurity, engineering, data science, application development, artificial intelligence, critical and emerging technology, and technology and digital policy;
(2) a list of which hiring authorities described in paragraph (1) have been used during the previous 5 years;
(3) the number of employees in qualified positions hired, aggregated by position and grade level or pay band;
(4) the number of employees who have been placed in qualified positions, aggregated by bureau and offices within the Department;
(5) the rate of attrition of individuals who begin the hiring process and do not complete the process and a description of the reasons for such attrition;
(6) the number of individuals who are interviewed by subject matter experts and the number of individuals who are not interviewed by subject matter experts; and
(7) recommendations for—
(A) reducing the attrition rate referred to in paragraph (5) by 5 percent each year;
(B) additional hiring authorities needed to acquire needed technology talent;
(C) hiring personnel to hold public trust positions until such personnel can obtain the necessary security clearance; and
(D) informing and training supervisors within the Department on the use of the authorities listed in paragraph (1).
(d) Incentive pay for cybersecurity professionalsTo increase the number of qualified candidates available to fulfill the cybersecurity needs of the Department, the Secretary shall—
(1) include computer programming languages within the Recruitment Language Program; and
(2) provide appropriate language incentive pay.
(e) ReportNot later than 1 year after December 23, 2022, and annually thereafter for the following 5 years, the Secretary shall provide a list to the appropriate congressional committees that identifies—
(1) the computer programming languages included within the Recruitment Language Program and the language incentive pay rate; and
(2) the number of individuals benefitting from the inclusion of such computer programming languages in the Recruitment Language Program and language incentive pay.
(Pub. L. 117–263, div. I, title XCV, § 9506, Dec. 23, 2022, 136 Stat. 3904.)
§ 10304. Short course on emerging technologies for senior officials
(a) In general
(b) Throughput objectives
The Secretary should ensure that—
(1) during the first year that the course developed pursuant to subsection (a) is offered, not fewer than 20 percent of senior officials are certified as having passed such course; and
(2) in each subsequent year, until the date on which 80 percent of senior officials are certified as having passed such course, an additional 10 percent of senior officials are certified as having passed such course.
(Pub. L. 117–263, div. I, title XCV, § 9507, Dec. 23, 2022, 136 Stat. 3906.)
§ 10305. Establishment and expansion of Regional Technology Officer Program
(a) Regional Technology Officer Program
(1) Establishment
(2) GoalsThe goals of the Program shall include the following:
(A) Promoting United States leadership in technology abroad.
(B) Working with partners to increase the deployment of critical and emerging technology in support of democratic values.
(C) Shaping diplomatic agreements in regional and international fora with respect to critical and emerging technologies.
(D) Building diplomatic capacity for handling critical and emerging technology issues.
(E) Facilitating the role of critical and emerging technology in advancing the foreign policy objectives of the United States through engagement with research labs, incubators, and venture capitalists.
(F) Maintaining the advantages of the United States with respect to critical and emerging technologies.
(b) Implementation planNot later than 180 days after December 23, 2022, the Secretary shall submit an implementation plan to the appropriate congressional committees that outlines strategies for—
(1) advancing the goals described in subsection (a)(2);
(2) hiring Regional Technology Officers and increasing the competitiveness of the Program within the Foreign Service bidding process;
(3) expanding the Program to include a minimum of 15 Regional Technology Officers; and
(4) assigning not fewer than 2 Regional Technology Officers to posts within—
(A) each regional bureau of the Department; and
(B) the Bureau of International Organization Affairs.
(c) Annual briefing requirement
(d) Authorization of appropriations
(Pub. L. 117–263, div. I, title XCV, § 9508, Dec. 23, 2022, 136 Stat. 3906.)
§ 10306. Vulnerability disclosure policy and bug bounty program report
(a) DefinitionsIn this section:
(1) Bug bounty program
(2) Information technology
(b) Vulnerability Disclosure Policy
(1) In generalNot later than 180 days after December 23, 2022, the Secretary shall design, establish, and make publicly known a Vulnerability Disclosure Policy (referred to in this section as the “VDP”) to improve Department cybersecurity by—
(A) creating Department policy and infrastructure to receive reports of and remediate discovered vulnerabilities in line with existing policies of the Office of Management and Budget and the Department of Homeland Security Binding Operational Directive 20–01 or any subsequent directive; and
(B) providing a report on such policy and infrastructure to Congress.
(2) Annual reportsNot later than 180 days after the establishment of the VDP pursuant to paragraph (1), and annually thereafter for the following 5 years, the Secretary shall submit a report on the VDP to the Committee on Foreign Relations of the Senate, the Committee on Homeland Security and Governmental Affairs of the Senate, the Select Committee on Intelligence of the Senate, the Committee on Foreign Affairs of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the Permanent Select Committee on Intelligence of the House of Representatives that includes information relating to—
(A) the number and severity of all security vulnerabilities reported;
(B) the number of previously unidentified security vulnerabilities remediated as a result;
(C) the current number of outstanding previously unidentified security vulnerabilities and Department of State remediation plans;
(D) the average time between the reporting of security vulnerabilities and remediation of such vulnerabilities;
(E) the resources, surge staffing, roles, and responsibilities within the Department used to implement the VDP and complete security vulnerability remediation;
(F) how the VDP identified vulnerabilities are incorporated into existing Department vulnerability prioritization and management processes;
(G) any challenges in implementing the VDP and plans for expansion or contraction in the scope of the VDP across Department information systems; and
(H) any other topic that the Secretary determines to be relevant.
(c) Bug bounty program report
(1) In general
(2) ReportNot later than 180 days after the date on which any bug bounty program is established, the Secretary shall submit a report to the Committee on Foreign Relations of the Senate, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Foreign Affairs of the House of Representatives, and the Committee on Homeland Security of the House of Representatives regarding such program, including information relating to—
(A) the number of approved individuals, organizations, or companies involved in such program, disaggregated by the number of approved individuals, organizations, or companies that—
(i) registered;
(ii) were approved;
(iii) submitted security vulnerabilities; and
(iv) received compensation;
(B) the number and severity of all security vulnerabilities reported as part of such program;
(C) the number of previously unidentified security vulnerabilities remediated as a result of such program;
(D) the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans for such outstanding vulnerabilities;
(E) the average length of time between the reporting of security vulnerabilities and remediation of such vulnerabilities;
(F) the types of compensation provided under such program;
(G) the lessons learned from such program;
(H) the public accessibility of contact information for the Department regarding the bug bounty program;
(I) the incorporation of bug bounty program identified vulnerabilities into existing Department vulnerability prioritization and management processes; and
(J) any challenges in implementing the bug bounty program and plans for expansion or contraction in the scope of the bug bounty program across Department information systems.
(Pub. L. 117–263, div. I, title XCV, § 9509, Dec. 23, 2022, 136 Stat. 3907.)
§ 10307. Digital Connectivity and Cybersecurity Partnership
(a) Digital Connectivity and Cybersecurity Partnership
The Secretary is authorized to establish a program, which may be known as the “Digital Connectivity and Cybersecurity Partnership”, to help foreign countries—
(1) expand and increase secure internet access and digital infrastructure in emerging markets, including demand for and availability of high-quality information and communications technology (ICT) equipment, software, and services;
(2) protect technological assets, including data;
(3) adopt policies and regulatory positions that foster and encourage open, interoperable, reliable, and secure internet, the free flow of data, multi-stakeholder models of internet governance, and pro-competitive and secure ICT policies and regulations;
(4) access United States exports of ICT goods and services;
(5) expand interoperability and promote the diversification of ICT goods and supply chain services to be less reliant on imports from the People’s Republic of China;
(6) promote best practices and common standards for a national approach to cybersecurity; and
(7) advance other priorities consistent with paragraphs (1) through (6), as determined by the Secretary.
(b) Use of funds
(c) Implementation plan
(d) Consultation
In developing and operationalizing the implementation plan required under subsection (c), the Secretary shall consult with—
(1) the appropriate congressional committees, the Committee on Appropriations of the Senate, and the Committee on Appropriations of the House of Representatives;
(2) United States industry leaders;
(3) other relevant technology experts, including the Open Technology Fund;
(4) representatives from relevant United States Government agencies; and
(5) representatives from like-minded allies and partners.
(e) Authorization of appropriations
(Pub. L. 118–31, div. F, title LXIII, § 6306, Dec. 22, 2023, 137 Stat. 989.)
§ 10308. Cyber protection support for personnel of the Department of State in positions highly vulnerable to cyber attack
(a) Definitions
In this section:
(1) At-risk personnel
The term “at-risk personnel” means personnel of the Department—
(A) whom the Secretary determines to be highly vulnerable to cyber attacks and hostile information collection activities because of their positions in the Department; and
(B) whose personal technology devices or personal accounts are highly vulnerable to cyber attacks and hostile information collection activities.
(2) Personal accounts
(3) Personal technology devices
(b) Requirement to provide cyber protection support
The Secretary, in consultation with the Secretary of Homeland Security and the Director of National Intelligence, as appropriate—
(1) shall offer cyber protection support for the personal technology devices and personal accounts of at-risk personnel; and
(2) may provide the support described in paragraph (1) to any Department personnel who request such support.
(c) Nature of cyber protection support
(d) Privacy protections for personal devices
The Department is prohibited pursuant to this section from accessing or retrieving any information from any personal technology device or personal account of Department employees unless—
(1) access or information retrieval is necessary for carrying out the cyber protection support specified in this section; and
(2) the Department has received explicit consent from the employee to access a personal technology device or personal account prior to each time such device or account is accessed.
(e) Rule of construction
Nothing in this section may be construed—
(1) to encourage Department personnel to use personal technology devices for official business; or
(2) to authorize cyber protection support for senior Department personnel using personal devices, networks, and personal accounts in an official capacity.
(f) Report
(1) In general
Not later than 180 days after December 22, 2023, the Secretary shall submit to the appropriate committees of Congress a report regarding the provision of cyber protection support pursuant to subsection (b), which shall include—
(A) a description of the methodology used to make the determination under subsection (a)(1); and
(B) guidance for the use of cyber protection support and tracking of support requests for personnel receiving cyber protection support pursuant to subsection (b).
(2) Appropriate committees of Congress defined
In this subsection, the term “appropriate committees of Congress” means—
(A) the appropriate congressional committees;
(B) the Select Committee on Intelligence and the Committee on Homeland Security and Governmental Affairs of the Senate; and
(C) the Permanent Select Committee on Intelligence and the Committee on Oversight and Accountability of the House of Representatives.
(Pub. L. 118–31, div. F, title LXIII, § 6308, Dec. 22, 2023, 137 Stat. 993.)