§ 2662. Reporting on penetrations of networks of contractors and subcontractors
(a) Procedures for reporting penetrations
(b) Establishment of criteria for covered networks
(1) In general
(2) Officials specified
The officials specified in this paragraph are the following officials of the Administration:
(A) The Deputy Administrator for Defense Programs.
(B) The Associate Administrator for Acquisition and Project Management.
(C) The Chief Information Officer.
(D) Any other official of the Administration the Administrator considers necessary.
(c) Procedure requirements
(1) Rapid reporting
(A) In general
(B) Elements
Subject to subparagraph (C), each report required by subparagraph (A) with respect to a successful penetration of a covered network of a contractor or subcontractor shall include the following:
(i) A description of the technique or method used in such penetration.
(ii) A sample of the malicious software, if discovered and isolated by the contractor or subcontractor, involved in such penetration.
(iii) A summary of information created by or for the Administration in connection with any program of the Administration that has been potentially compromised as a result of such penetration.
(C) Avoidance of delays in reporting
If a contractor or subcontractor is not able to obtain all of the information required by subparagraph (B) to be included in a report required by subparagraph (A) by the date that is 60 days after the discovery of a successful penetration of a covered network of the contractor or subcontractor, the contractor or subcontractor shall—
(i) include in the report all information available as of that date; and
(ii) provide to the Chief Information Officer the additional information required by subparagraph (B) as the information becomes available.
(2) Access to equipment and information by Administration personnel
Concurrent with the establishment of the procedures pursuant to subsection (a), the Administrator shall establish procedures to be used if information owned by the Administration was in use during or at risk as a result of the successful penetration of a covered network—
(A) in order to—
(i) in the case of a penetration of a covered network of a management and operating contractor, enhance the access of personnel of the Administration to Government-owned equipment and information; and
(ii) in the case of a penetration of a covered network of a contractor or subcontractor that is not a management and operating contractor, facilitate the access of personnel of the Administration to the equipment and information of the contractor or subcontractor; and
(B) which shall—
(i) include mechanisms for personnel of the Administration to, upon request, obtain access to equipment or information of a contractor or subcontractor necessary to conduct forensic analysis in addition to any analysis conducted by the contractor or subcontractor;
(ii) provide that a contractor or subcontractor is only required to provide access to equipment or information as described in clause (i) to determine whether information created by or for the Administration in connection with any program of the Administration was successfully exfiltrated from a network of the contractor or subcontractor and, if so, what information was exfiltrated; and
(iii) provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
(3) Dissemination of information
The procedures established pursuant to subsection (a) shall allow for limiting the dissemination of information obtained or derived through such procedures so that such information may be disseminated only to entities—
(A) with missions that may be affected by such information;
(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(C) that conduct counterintelligence or law enforcement investigations; or
(D) for national security purposes, including cyber situational awareness and defense purposes.
(d) Definitions
In this section:
(1) Chief Information Officer
(2) Contractor
(3) Covered network
The term “covered network” includes any network or information system that accesses, receives, or stores—
(A) classified information; or
(B) sensitive unclassified information germane to any program of the Administration, as determined by the Administrator.
(4) Subcontractor
(Pub. L. 107–314, div. D, title XLV, § 4511, as added Pub. L. 116–283, div. C, title XXXI, § 3131(a), Jan. 1, 2021, 134 Stat. 4383.)