Skip to content

Title 10, Chapter 19

Armed Forces — 7 active sections

Table of Contents (7 sections)

§ 391. Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors

History & diffs →

§ 391. Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors

  • (a) The Secretary of Defense shall designate a component of the Department of Defense to receive reports of cyber incidents from contractors in accordance with this section and section 393 of this title or from other governmental entities.
  • (b) The Secretary of Defense shall establish procedures that require an operationally critical contractor to report in a timely manner to component designated under subsection (a) each time a cyber incident occurs with respect to a network or information system of such operationally critical contractor.
  • (c)
    • (1) The procedures established pursuant to subsection (a) shall include a process for—
      • (A) designating operationally critical contractors; and
      • (B) notifying a contractor that it has been designated as an operationally critical contractor.
    • (2) The procedures established pursuant to subsection (a) shall require each operationally critical contractor to rapidly report to the component of the Department designated pursuant to subsection (d)(2)(A) on each cyber incident with respect to any network or information systems of such contractor. Each such report shall include the following:
      • (A) An assessment by the contractor of the effect of the cyber incident on the ability of the contractor to meet the contractual requirements of the Department.
      • (B) The technique or method used in such cyber incident.
      • (C) A sample of any malicious software, if discovered and isolated by the contractor, involved in such cyber incident.
      • (D) A summary of information compromised by such cyber incident.
    • (3) The procedures established pursuant to subsection (a) shall—
      • (A) include mechanisms for Department personnel to, if requested, assist operationally critical contractors in detecting and mitigating penetrations; and
      • (B) provide that an operationally critical contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated.
    • (4) The procedures established pursuant to subsection (a) shall provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
    • (5) The procedures established pursuant to subsection (a) shall limit the dissemination of information obtained or derived through the procedures to entities—
      • (A) with missions that may be affected by such information;
      • (B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
      • (C) that conduct counterintelligence or law enforcement investigations; or
      • (D) for national security purposes, including cyber situational awareness and defense purposes.
  • (d)
    • (1) No cause of action shall lie or be maintained in any court against any operationally critical contractor, and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with procedures established pursuant to subsection (b).
    • (2)
      • (A) Nothing in this section shall be construed—
        • (i) to require dismissal of a cause of action against an operationally critical contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (b); or
        • (ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
      • (B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each operationally critical contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.
      • (C) In this subsection, the term “willful misconduct” means an act or omission that is taken—
        • (i) intentionally to achieve a wrongful purpose;
        • (ii) knowingly without legal or factual justification; and
        • (iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.
  • (e) In this section:
    • (1) The term “cyber incident” means actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.
    • (2) The term “operationally critical contractor” means a contractor designated by the Secretary for purposes of this section as a critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.

§ 392. Executive agents for cyber test and training ranges

History & diffs →

§ 392. Executive agents for cyber test and training ranges

  • (a) The Secretary of Defense, in consultation with the Principal Cyber Advisor, shall—
    • (1) designate a senior official from among the personnel of the Department of Defense to act as the executive agent for cyber and information technology test ranges; and
    • (2) designate a senior official from among the personnel of the Department of Defense to act as the executive agent for cyber and information technology training ranges.
  • (b)
    • (1) The Secretary of Defense shall prescribe the roles, responsibilities, and authorities of the executive agents designated under subsection (a). Such roles, responsibilities, and authorities shall include the development of a biennial integrated plan for cyber and information technology test and training resources.
    • (2) The biennial integrated plan required under paragraph (1) shall include plans for the following:
      • (A) Developing and maintaining a comprehensive list of cyber and information technology ranges, test facilities, test beds, and other means of testing, training, and developing software, personnel, and tools for accommodating the mission of the Department. Such list shall include resources from both governmental and nongovernmental entities.
      • (B) Organizing and managing designated cyber and information technology test ranges, including—
        • (i) establishing the priorities for cyber and information technology ranges to meet Department objectives;
        • (ii) enforcing standards to meet requirements specified by the United States Cyber Command, the training community, and the research, development, testing, and evaluation community;
        • (iii) identifying and offering guidance on the opportunities for integration amongst the designated cyber and information technology ranges regarding test, training, and development functions;
        • (iv) finding opportunities for cost reduction, integration, and coordination improvements for the appropriate cyber and information technology ranges;
        • (v) adding or consolidating cyber and information technology ranges in the future to better meet the evolving needs of the cyber strategy and resource requirements of the Department;
        • (vi) finding opportunities to continuously enhance the quality and technical expertise of the cyber and information technology test workforce through training and personnel policies; and
        • (vii) coordinating with interagency and industry partners on cyber and information technology range issues.
      • (C) Defining a cyber range architecture that—
        • (i) may add or consolidate cyber and information technology ranges in the future to better meet the evolving needs of the cyber strategy and resource requirements of the Department;
        • (ii) coordinates with interagency and industry partners on cyber and information technology range issues;
        • (iii) allows for integrated closed loop testing in a secure environment of cyber and electronic warfare capabilities;
        • (iv) supports science and technology development, experimentation, testing and training; and
        • (v) provides for interconnection with other existing cyber ranges and other kinetic range facilities in a distributed manner.
      • (D) Certifying all cyber range investments of the Department of Defense.
      • (E) Performing such other assessments or analyses as the Secretary considers appropriate.
    • (3) The executive agents designated under subsection (a), in consultation with the Chief Information Officer of the Department of Defense, shall jointly select a standard language from open-source candidates for representing and communicating cyber event and threat data. Such language shall be machine-readable for the Joint Information Environment and associated test and training ranges.
  • (c) The Secretary of Defense shall ensure that the military departments, Defense Agencies, and other components of the Department of Defense provide the executive agents designated under subsection (a) with the appropriate support and resources needed to perform the roles, responsibilities, and authorities of the executive agents.
  • (d) The Secretary shall carry out this section in compliance with Directive 5101.1.
  • (e) In this section:
    • (1) The term “designated cyber and information technology range” includes the National Cyber Range, the Joint Information Operations Range, the Defense Information Assurance Range, and the C4 Assessments Division of J6 of the Joint Staff.
    • (2) The term “Directive 5101.1” means Department of Defense Directive 5101.1, or any successor directive relating to the responsibilities of an executive agent of the Department of Defense.
    • (3) The term “executive agent” has the meaning given the term “DoD Executive Agent” in Directive 5101.1.

§ 393. Reporting on penetrations of networks and information systems of certain contractors

History & diffs →

§ 393. Reporting on penetrations of networks and information systems of certain contractors

  • (a) The Secretary of Defense shall establish procedures that require each cleared defense contractor to report to a component of the Department of Defense designated by the Secretary for purposes of such procedures when a network or information system of such contractor that meets the criteria established pursuant to subsection (b) is successfully penetrated.
  • (b)
    • (1) The Secretary of Defense shall designate a senior official to, in consultation with the officials specified in paragraph (2), establish criteria for covered networks to be subject to the procedures for reporting system penetrations under subsection (a).
    • (2) The officials specified in this subsection are the following:
      • (A) The Under Secretary of Defense for Policy.
      • (B) The Under Secretary of Defense for Acquisition and Sustainment.
      • (C) the Under Secretary of Defense for Research and Engineering.
      • (D) The Under Secretary of Defense for Intelligence and Security.
      • (E) The Chief Information Officer of the Department of Defense.
      • (F) The Commander of the United States Cyber Command.
  • (c)
    • (1) The procedures established pursuant to subsection (a) shall require each cleared defense contractor to rapidly report to a component of the Department of Defense designated pursuant to subsection (a) of each successful penetration of the network or information systems of such contractor that meet the criteria established pursuant to subsection (b). Each such report shall include the following:
      • (A) A description of the technique or method used in such penetration.
      • (B) A sample of the malicious software, if discovered and isolated by the contractor, involved in such penetration.
      • (C) A summary of information created by or for the Department in connection with any Department program that has been potentially compromised due to such penetration.
    • (2) The procedures established pursuant to subsection (a) shall—
      • (A) include mechanisms for Department of Defense personnel to, upon request, obtain access to equipment or information of a cleared defense contractor necessary to conduct forensic analysis in addition to any analysis conducted by such contractor;
      • (B) provide that a cleared defense contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated; and
      • (C) provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
    • (3) The procedures established pursuant to subsection (a) shall limit the dissemination of information obtained or derived through such procedures to entities—
      • (A) with missions that may be affected by such information;
      • (B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
      • (C) that conduct counterintelligence or law enforcement investigations; or
      • (D) for national security purposes, including cyber situational awareness and defense purposes.
  • (d)
    • (1) No cause of action shall lie or be maintained in any court against any cleared defense contractor, and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with the procedures established pursuant to subsection (a).
    • (2)
      • (A) Nothing in this section shall be construed—
        • (i) to require dismissal of a cause of action against a cleared defense contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (a); or
        • (ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
      • (B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each cleared defense contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.
      • (C) In this subsection, the term “willful misconduct” means an act or omission that is taken—
        • (i) intentionally to achieve a wrongful purpose;
        • (ii) knowingly without legal or factual justification; and
        • (iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.
  • (e) In this section:
    • (1) The term “cleared defense contractor” means a private entity granted clearance by the Department of Defense to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any program of the Department of Defense.
    • (2) The term “covered network” means a network or information system of a cleared defense contractor that contains or processes information created by or for the Department of Defense with respect to which such contractor is required to apply enhanced protection.

§ 394. Authorities concerning military cyber operations

History & diffs →

§ 394. Authorities concerning military cyber operations

  • (a) The Secretary of Defense shall develop, prepare, and coordinate; make ready all armed forces for purposes of; and, when appropriately authorized to do so, conduct, military cyber activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to defend the United States and its allies, including in response to malicious cyber activity carried out against the United States or a United States person by a foreign power.
  • (b) Congress affirms that the activities or operations referred to in subsection (a), when appropriately authorized, include the conduct of military activities or operations in cyberspace short of hostilities (as such term is used in the War Powers Resolution ( Public Law 93–148 ; 50 U.S.C. 1541 et seq.)) or in areas in which hostilities are not occurring, including for the purpose of preparation of the environment, information operations, force protection, and deterrence of hostilities, or counterterrorism operations involving the Armed Forces of the United States.
  • (c) A clandestine military activity or operation in cyberspace shall be considered a traditional military activity for the purposes of section 503(e)(2) of the National Security Act of 1947 ( 50 U.S.C. 3093(e)(2) ).
  • (d) The Secretary shall brief the congressional defense committees about any military activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, occurring during the previous quarter during the quarterly briefing required by section 484 of this title .
  • (e) Nothing in this section may be construed to limit the authority of the Secretary to conduct military activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to authorize specific military activities or operations, or to alter or otherwise affect the War Powers Resolution ( 50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force ( Public Law 107–40 ; 50 U.S.C. 1541 note), or reporting of sensitive military cyber activities or operations required by section 395 of this title .
  • (f) In this section:
    • (1) The term “clandestine military activity or operation in cyberspace” means a military activity or military operation carried out in cyberspace, or associated preparatory actions, authorized by the President or the Secretary that—
      • (A) is marked by, held in, or conducted with secrecy, where the intent is that the activity or operation will not be apparent or acknowledged publicly; and
      • (B) is to be carried out—
        • (i) as part of a military operation plan approved by the President or the Secretary in anticipation of hostilities or as directed by the President or the Secretary;
        • (ii) to deter, safeguard, or defend against attacks or malicious cyber activities against the United States or Department of Defense information, networks, systems, installations, facilities, or other assets; or
        • (iii) in support of information related capabilities.
    • (2) The term “foreign power” has the meaning given such term in section 101 of the Foreign Intelligence Surveillance Act of 1978 ( 50 U.S.C. 1801 ).
    • (3) The term “United States person” has the meaning given such term in such section.

§ 395. Notification requirements for sensitive military cyber operations

History & diffs →

§ 395. Notification requirements for sensitive military cyber operations

  • (a) Except as provided in subsection (d), the Secretary of Defense shall promptly submit to the congressional defense committees notice in writing of any sensitive military cyber operation conducted under this title no later than 48 hours following such operation.
  • (b)
    • (1) The Secretary of Defense shall establish and submit to the congressional defense committees procedures for complying with the requirements of subsection (a) consistent with the national security of the United States and the protection of operational integrity. The Secretary shall promptly notify the congressional defense committees in writing of any changes to such procedures at least 14 days prior to the adoption of any such changes.
    • (2) The congressional defense committees shall ensure that committee procedures designed to protect from unauthorized disclosure classified information relating to national security of the United States are sufficient to protect the information that is submitted to the committees pursuant to this section.
    • (3) In the event of an unauthorized disclosure of a sensitive military cyber operation covered by this section, the Secretary shall ensure, to the maximum extent practicable, that the congressional defense committees are notified immediately of the sensitive military cyber operation concerned. The notification under this paragraph may be verbal or written, but in the event of a verbal notification a written notification, signed by the Secretary, or the Secretary’s designee, shall be provided by not later than 48 hours after the provision of the verbal notification.
  • (c)
    • (1) In this section, the term “sensitive military cyber operation” means an action described in paragraph (2) that—
      • (A) is carried out by the armed forces of the United States;
      • (B) is determined to—
        • (i) have a medium or high collateral effects estimate;
        • (ii) have a medium or high intelligence gain or loss;
        • (iii) have a medium or high probability of political retaliation, as determined by the political military assessment contained within the associated concept of operations;
        • (iv) have a medium or high probability of detection when detection is not intended; or
        • (v) result in medium or high collateral effects; and
      • (C) is intended to cause cyber effects outside a geographic location—
        • (i) where the armed forces of the United States are involved in hostilities (as that term is used in section 1543 of title 50 , United States Code); or
        • (ii) with respect to which hostilities have been declared by the United States.
    • (2) The actions described in this paragraph are the following:
      • (A) An offensive cyber operation.
      • (B) A defensive cyber operation.
  • (d) The notification requirement under subsection (a) does not apply—
    • (1) to a training exercise conducted with the consent of all nations where the intended effects of the exercise will occur; or
    • (2) to a covert action (as that term is defined in section 503 of the National Security Act of 1947 ( 50 U.S.C. 3093 )).
  • (e) Nothing in this section shall be construed to provide any new authority or to alter or otherwise affect the War Powers Resolution ( 50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force ( Public Law 107–40 ; 50 U.S.C. 1541 note), or any requirement under the National Security Act of 1947 ( 50 U.S.C. 3001 et seq.).

§ 396. Notification requirements for cyber weapons

History & diffs →

§ 396. Notification requirements for cyber weapons

  • (a) Except as provided in subsection (c), the Secretary of Defense shall promptly submit to the congressional defense committees notice in writing of the following:
    • (1) With respect to a cyber capability that is intended for use as a weapon, on a quarterly basis, the aggregated results of all reviews of the capability for legality under international law pursuant to Department of Defense Directive 5000.01 carried out by any military department concerned.
    • (2) The use as a weapon of any cyber capability that has been approved for such use under international law by a military department no later than 48 hours following such use.
  • (b)
    • (1) The Secretary of Defense shall establish and submit to the congressional defense committees procedures for complying with the requirements of subsection (a) consistent with the national security of the United States and the protection of operational integrity. The Secretary shall promptly notify the congressional defense committees in writing of any changes to such procedures at least 14 days prior to the adoption of any such changes.
    • (2) The congressional defense committees shall ensure that committee procedures designed to protect from unauthorized disclosure classified information relating to national security of the United States are sufficient to protect the information that is submitted to the committees pursuant to this section.
    • (3) In the event of an unauthorized disclosure of a cyber capability covered by this section, the Secretary shall ensure, to the maximum extent practicable, that the congressional defense committees are notified immediately of the cyber capability concerned. The notification under this paragraph may be verbal or written, but in the event of a verbal notification a written notification shall be provided by not later than 48 hours after the provision of the verbal notification.
  • (c) The notification requirement under subsection (a) does not apply—
    • (1) to a training exercise conducted with the consent of all nations where the intended effects of the exercise will occur; or
    • (2) to a covert action (as that term is defined in section 503 of the National Security Act of 1947 ( 50 U.S.C. 3093 )).
  • (d) Nothing in this section shall be construed to provide any new authority or to alter or otherwise affect the War Powers Resolution ( 50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force ( Public Law 107–40 ; 50 U.S.C. 1541 note), or any requirement under the National Security Act of 1947 ( 50 U.S.C. 3001 et seq.).

§ 397. Principal Information Operations Advisor

History & diffs →

§ 397. Principal Information Operations Advisor

  • (a) Not later than 30 days after the enactment of this Act, the Secretary of Defense shall designate, from among officials appointed to a position in the Department of Defense by and with the advice and consent of the Senate, a Principal Information Operations Advisor to act as the principal advisor to the Secretary on all aspects of information operations conducted by the Department.
  • (b) The Principal Information Operations Advisor shall have the following responsibilities:
    • (1) Oversight of policy, strategy, planning, resource management, operational considerations, personnel, and technology development across all the elements of information operations of the Department.
    • (2) Overall integration and supervision of the deterrence of, conduct of, and defense against information operations.
    • (3) Promulgation of policies to ensure adequate coordination and deconfliction with the Department of State, the intelligence community (as such term is defined in section 3 of the National Security Act of 1947 ( 50 U.S.C. 3003 )), and other relevant agencies and departments of the Federal Government.
    • (4) Coordination with the head of the Global Engagement Center to support the purpose of the Center (as set forth by section 1287(a)(2) of the National Defense Authorization Act for Fiscal Year 2017 ( Public Law 114–328 ; 22 U.S.C. 2656 note)) and liaison with the Center and other relevant Federal Government entities to support such purpose.
    • (5) Establishing and supervising a rigorous risk management process to mitigate the risk of potential exposure of United States Persons 1 1 So in original. “Persons” probably should not be capitalized. to information intended exclusively for foreign audiences.
    • (6) Promulgation of standards for the attribution or public acknowledgment, if any, of operations in the information environment.
    • (7) Development of guidance for, and promotion of, the capability of the Department to liaison with the private sector and academia on matters relating to the influence activities of malign actors.
    • (8) Such other matters relating to information operations as the Secretary shall specify for purposes of this subsection.
← Back to Title 10 table of contents