§ 4128.[1] Joint Federated Assurance Center

[1] Another section 4128 is set out preceding this section.
(a) Establishment.—There is in the Office of the Under Secretary of Defense for Research and Engineering a Joint Federated Assurance Center (referred to in this section as the “Center”).
(b) Purpose.—The purpose of the Center shall be to serve as a joint, Department-wide federation of organizations and capabilities to support the assurance needs of the Department of Defense by ensuring, pursuant to policies related to hardware and software assurance and supply chain risk management, that the software and hardware developed, acquired, maintained, and used by the Department are free from intentional and unintentional vulnerability during the life-cycle of development and deployment of assured, trustworthy defense systems.
(c) Governance.—
(1) The Center shall be governed by an Executive Steering Group. The Executive Steering Group shall continually evaluate the Center’s capabilities to support the hardware and software assurance needs of the Department.
(2) The Executive Steering Group shall be composed of one or more representatives from each of the organizations that comprise the Center.
(3) The Under Secretary of Defense for Research and Engineering and the Under Secretary of Defense for Acquisition and Sustainment shall serve as co-Chairpersons of the Executive Steering Group.
(d) Duties.—The duties of the Center are as follows:
(1) Providing knowledge management capabilities for hardware and software assurance for the Department.
(2) Providing Department-wide visibility on strategy, use cases, procurement, investment, and other relevant activities to aggregate, to the extent practicable, assurance tool purchases by the Department.
(3) Developing and standardizing policies, procedures, competencies, risk assessment methodologies, and independent validation and verification test capabilities—
(A) to support timely and cost-effective fielding of current and future technologies to the Department;
(B) to ensure sustainment of enduring capability needs across the life-cycle of Department of Defense programs and determine the sustainment factors related to the assurance of future hardware and software systems;
(C) to increase efficiencies across Department of Defense programs through the use of emerging assurance technologies; and
(D) to leverage economies of scale through coordinated acquisition and use of hardware and software assurance technologies.
(4) Promoting assurance capabilities for hardware and software assurance—
(A) to mature assessment criteria and enable scalable deployment of commercial best practices, such as through the fostering and maturation of evidence-based assurance of trusted defense microelectronics system needs, with emphasis on commercial security protocols that are transferable to defense applications;
(B) to scale the Center for Department-wide access, through the resourcing of adequate personnel to address standardization and automation of data collection and analysis;
(C) to utilize data from commercial assurance processes to support the development of Department hardware and software that meet standards, applications, and requirements, including through comparative analysis and data modeling;
(D) to seek and apply commercial best practices, where practicable, through industry collaboration; and
(E) to develop and align Department policy, investments, and activities with commercial best practices, to the extent practicable.
(5) For contracts for application-specific integrated circuits designed by defense industrial base contractors, develop guidance for—
(A) the consideration of evidence-based assurance processes and techniques that are included in the contract data requirements list, to the extent practicable;
(B) the use of commercial best practices, as applicable, for confidentiality, integrity and availability; and
(C) the development of a library of certified third-party intellectual property for reuse, including streamlining legal mechanisms for data collection and sharing, and enhanced use of automation technology to achieve efficiency.
(6) The assessment, creation, prototyping, maturation, and maintenance of relevant assurance practices, including the validation and maturation of evidence based assurance methods, for the development, procurement, and deployment of hardware and software assurance tools and processes, including—
(A) development and assessment of validation methods for such processes and techniques, in coordination with the developmental and operational test and evaluation community, as the Executive Steering Group determines necessary;
(B) development and assessment of threat models that comprehensively characterize the threat to microelectronics confidentiality, integrity, and availability across the entire supply chain, and the design, production, packaging, and deployment cycle to support risk management and risk mitigation; and
(C) support development of guides to inform use and decision-making by program evaluators, program offices, and industry to meet software and hardware assurance requirements.
(e) Revised Charter.—Not later than 180 days after the date of the enactment of this section, the Secretary of Defense shall issue a revised charter for the Center. The charter shall set forth—
(1) the role and authorities of the Center and the Executive Steering Group;
(2) the requirement of the Center to establish guidelines for the development of improved software code vulnerability analysis and testing tools;
(3) the requirement of the Center to establish guidelines for the development of improved hardware vulnerability testing and protection tools; and
(4) the manner in which the Center will connect to the Department’s major governance and resourcing processes to ensure the continuation of Center duties.
(Added Pub. L. 118–159, div. A, title IX, § 922(a), Dec. 23, 2024, 138 Stat. 2037.)