View all text of Subchapter III [§ 3091 - § 3115]
§ 3099. Vulnerability assessments of major systems
(a) Initial vulnerability assessments
(1)
(A) Except as provided in subparagraph (B), the Director of National Intelligence shall conduct and submit to the congressional intelligence committees an initial vulnerability assessment for each major system and its significant items of supply—
(i) except as provided in clause (ii), prior to the completion of Milestone B or an equivalent acquisition decision for the major system; or
(ii) prior to the date that is 1 year after October 7, 2010, in the case of a major system for which Milestone B or an equivalent acquisition decision—(I) was completed prior to such date; or(II) is completed on a date during the 180-day period following such date.
(B) The Director may submit to the congressional intelligence committees an initial vulnerability assessment required by clause (ii) of subparagraph (A) not later than 180 days after the date such assessment is required to be submitted under such clause if the Director notifies the congressional intelligence committees of the extension of the submission date under this subparagraph and provides a justification for such extension.
(C) The initial vulnerability assessment of a major system and its significant items of supply shall include use of an analysis-based approach to—
(i) identify vulnerabilities;
(ii) define exploitation potential;
(iii) examine the system’s potential effectiveness;
(iv) determine overall vulnerability; and
(v) make recommendations for risk reduction.
(2) If an initial vulnerability assessment for a major system is not submitted to the congressional intelligence committees as required by paragraph (1), funds appropriated for the acquisition of the major system may not be obligated for a major contract related to the major system. Such prohibition on the obligation of funds for the acquisition of the major system shall cease to apply on the date on which the congressional intelligence committees receive the initial vulnerability assessment.
(b) Subsequent vulnerability assessments
(1) The Director of National Intelligence shall, periodically throughout the procurement of a major system or if the Director determines that a change in circumstances warrants the issuance of a subsequent vulnerability assessment, conduct a subsequent vulnerability assessment of each major system and its significant items of supply within the National Intelligence Program.
(2) Upon the request of a congressional intelligence committee, the Director of National Intelligence may, if appropriate, recertify the previous vulnerability assessment or may conduct a subsequent vulnerability assessment of a particular major system and its significant items of supply within the National Intelligence Program.
(3) Any subsequent vulnerability assessment of a major system and its significant items of supply shall include use of an analysis-based approach and, if applicable, a testing-based approach, to monitor the exploitation potential of such system and reexamine the factors described in clauses (i) through (v) of subsection (a)(1)(C).
(c) Major system management
(d) Congressional oversight
(1) The Director of National Intelligence shall provide to the congressional intelligence committees a copy of each vulnerability assessment conducted under subsection (a) or (b) not later than 10 days after the date of the completion of such assessment.
(2) The Director of National Intelligence shall provide the congressional intelligence committees with a proposed schedule for subsequent periodic vulnerability assessments of a major system under subsection (b)(1) when providing such committees with the initial vulnerability assessment under subsection (a) of such system as required by paragraph (1).
(e) DefinitionsIn this section:
(1) The term “item of supply” has the meaning given that term in section 4(10) 1
1 See References in Text note below.
of the Office of Federal Procurement Policy Act (41 U.S.C. 403(10)).(2) The term “major contract” means each of the 6 largest prime, associate, or Government-furnished equipment contracts under a major system that is in excess of $40,000,000 and that is not a firm, fixed price contract.
(3) The term “major system” has the meaning given that term in section 3097(e) of this title.
(4) The term “Milestone B” means a decision to enter into major system development and demonstration pursuant to guidance prescribed by the Director of National Intelligence.
(5) The term “vulnerability assessment” means the process of identifying and quantifying vulnerabilities in a major system and its significant items of supply.
(July 26, 1947, ch. 343, title V, § 506C, as added Pub. L. 111–259, title III, § 321(a)(1), Oct. 7, 2010, 124 Stat. 2667.)