View all text of Chapter 19 [§ 391 - § 399]
§ 393. Reporting on penetrations of networks and information systems of certain contractors
(a)Procedures for Reporting Penetrations.—The Secretary of Defense shall establish procedures that require each cleared defense contractor to report to a component of the Department of Defense designated by the Secretary for purposes of such procedures when a network or information system of such contractor that meets the criteria established pursuant to subsection (b) is successfully penetrated.
(b)Networks and Information Systems Subject to Reporting.—
(1)Criteria.—The Secretary of Defense shall designate a senior official to, in consultation with the officials specified in paragraph (2), establish criteria for covered networks to be subject to the procedures for reporting system penetrations under subsection (a).
(2)Officials.—The officials specified in this subsection are the following:
(A) The Under Secretary of Defense for Policy.
(B) The Under Secretary of Defense for Acquisition and Sustainment.
(C) the Under Secretary of Defense for Research and Engineering.
(D) The Under Secretary of Defense for Intelligence and Security.
(E) The Chief Information Officer of the Department of Defense.
(F) The Commander of the United States Cyber Command.
(c)Procedure Requirements.—
(1)Rapid reporting.—The procedures established pursuant to subsection (a) shall require each cleared defense contractor to rapidly report to a component of the Department of Defense designated pursuant to subsection (a) of each successful penetration of the network or information systems of such contractor that meet the criteria established pursuant to subsection (b). Each such report shall include the following:
(A) A description of the technique or method used in such penetration.
(B) A sample of the malicious software, if discovered and isolated by the contractor, involved in such penetration.
(C) A summary of information created by or for the Department in connection with any Department program that has been potentially compromised due to such penetration.
(2)Access to equipment and information by department of defense personnel.—The procedures established pursuant to subsection (a) shall—
(A) include mechanisms for Department of Defense personnel to, upon request, obtain access to equipment or information of a cleared defense contractor necessary to conduct forensic analysis in addition to any analysis conducted by such contractor;
(B) provide that a cleared defense contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated; and
(C) provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
(3)Dissemination of information.—The procedures established pursuant to subsection (a) shall limit the dissemination of information obtained or derived through such procedures to entities—
(A) with missions that may be affected by such information;
(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(C) that conduct counterintelligence or law enforcement investigations; or
(D) for national security purposes, including cyber situational awareness and defense purposes.
(d)Protection From Liability of Cleared Defense Contractors.—
(1) No cause of action shall lie or be maintained in any court against any cleared defense contractor, and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with the procedures established pursuant to subsection (a).
(2)
(A) Nothing in this section shall be construed—
(i) to require dismissal of a cause of action against a cleared defense contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (a); or
(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each cleared defense contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.
(C) In this subsection, the term “willful misconduct” means an act or omission that is taken—
(i) intentionally to achieve a wrongful purpose;
(ii) knowingly without legal or factual justification; and
(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.
(e)Definitions.—In this section:
(1)Cleared defense contractor.—The term “cleared defense contractor” means a private entity granted clearance by the Department of Defense to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any program of the Department of Defense.
(2)Covered network.—The term “covered network” means a network or information system of a cleared defense contractor that contains or processes information created by or for the Department of Defense with respect to which such contractor is required to apply enhanced protection.
(Added and amended Pub. L. 114–92, div. A, title XVI, § 1641(a), Nov. 25, 2015, 129 Stat. 1114; Pub. L. 116–92, div. A, title IX, § 902(8), title XVI, § 1621(e)(1)(A)(vi), Dec. 20, 2019, 133 Stat. 1543, 1733; Pub. L. 116–283, div. A, title X, § 1081(a)(15), Jan. 1, 2021, 134 Stat. 3871; Pub. L. 117–81, div. A, title X, § 1081(a)(9), Dec. 27, 2021, 135 Stat. 1920.)