SUBCHAPTER IX—ADDITIONAL MISCELLANEOUS PROVISIONS

§3231. Applicability to United States intelligence activities of Federal laws implementing international treaties and agreements

(a) In general

No Federal law enacted on or after December 27, 2000, that implements a treaty or other international agreement shall be construed as making unlawful an otherwise lawful and authorized intelligence activity of the United States Government or its employees, or any other person to the extent such other person is carrying out such activity on behalf of, and at the direction of, the United States, unless such Federal law specifically addresses such intelligence activity.

(b) Authorized intelligence activities

An intelligence activity shall be treated as authorized for purposes of subsection (a) if the intelligence activity is authorized by an appropriate official of the United States Government, acting within the scope of the official duties of that official and in compliance with Federal law and any applicable Presidential directive.

(July 26, 1947, ch. 343, title XI, §1101, formerly title X, §1001, as added Pub. L. 106–567, title III, §308(a), Dec. 27, 2000, 114 Stat. 2839; renumbered title XI, §1101, Pub. L. 107–306, title III, §331(a)(1), (2), Nov. 27, 2002, 116 Stat. 2394.)

Editorial Notes

Codification

Section was formerly classified to section 442 of this title prior to editorial reclassification and renumbering as this section.

§3232. Counterintelligence initiatives

(a) Inspection process

In order to protect intelligence sources and methods from unauthorized disclosure, the Director of National Intelligence shall establish and implement an inspection process for all agencies and departments of the United States that handle classified information relating to the national security of the United States intended to assure that those agencies and departments maintain effective operational security practices and programs directed against counterintelligence activities.

(b) Annual review of dissemination lists

The Director of National Intelligence shall establish and implement a process for all elements of the intelligence community to review, on an annual basis, individuals included on distribution lists for access to classified information. Such process shall ensure that only individuals who have a particularized "need to know" (as determined by the Director) are continued on such distribution lists.

(c) Completion of financial disclosure statements required for access to certain classified information

The Director of National Intelligence shall establish and implement a process by which each head of an element of the intelligence community directs that all employees of that element, in order to be granted access to classified information referred to in subsection (a) of section 1.3 of Executive Order No. 12968 (August 2, 1995; 60 Fed. Reg. 40245; [former] 50 U.S.C. 435 note [now 50 U.S.C. 3161 note]), submit financial disclosure forms as required under subsection (b) of such section.

(d) Arrangements to handle sensitive information

The Director of National Intelligence shall establish, for all elements of the intelligence community, programs and procedures by which sensitive classified information relating to human intelligence is safeguarded against unauthorized disclosure by employees of those elements.

(July 26, 1947, ch. 343, title XI, §1102, as added Pub. L. 108–177, title III, §341(a)(1), Dec. 13, 2003, 117 Stat. 2615; amended Pub. L. 108–458, title I, §1071(a)(1)(NN)–(QQ), Dec. 17, 2004, 118 Stat. 3689, 3690; Pub. L. 111–259, title III, §347(e), title IV, §409, Oct. 7, 2010, 124 Stat. 2699, 2724.)

Editorial Notes

Codification

Section was formerly classified to section 442a of this title prior to editorial reclassification and renumbering as this section.

Amendments

2010—Subsec. (a). Pub. L. 111–259, §409(1), struck out par. (1) designation before "In" and par. (2) which read as follows: "The Director shall carry out the process through the Office of the National Counterintelligence Executive."

Subsec. (b). Pub. L. 111–259, §347(e), struck out par. (1) designation before "The Director" and par. (2) which read as follows: "Not later than October 15 of each year, the Director shall certify to the congressional intelligence committees that the review required under paragraph (1) has been conducted in all elements of the intelligence community during the preceding fiscal year."

Subsec. (c). Pub. L. 111–259, §409(2), struck out par. (1) designation before "The Director" and par. (2) which read as follows: "The Director shall carry out paragraph (1) through the Office of the National Counterintelligence Executive."

2004—Subsec. (a)(1). Pub. L. 108–458, §1071(a)(1)(NN), substituted "Director of National Intelligence" for "Director of Central Intelligence".

Subsec. (b)(1). Pub. L. 108–458, §1071(a)(1)(OO), substituted "Director of National Intelligence" for "Director of Central Intelligence".

Subsec. (c)(1). Pub. L. 108–458, §1071(a)(1)(PP), substituted "Director of National Intelligence" for "Director of Central Intelligence".

Subsec. (d). Pub. L. 108–458, §1071(a)(1)(QQ), substituted "Director of National Intelligence" for "Director of Central Intelligence".

Statutory Notes and Related Subsidiaries

Effective Date of 2004 Amendment

For Determination by President that amendment by Pub. L. 108–458 take effect on Apr. 21, 2005, see Memorandum of President of the United States, Apr. 21, 2005, 70 F.R. 23925, set out as a note under section 3001 of this title.

Amendment by Pub. L. 108–458 effective not later than six months after Dec. 17, 2004, except as otherwise expressly provided, see section 1097(a) of Pub. L. 108–458, set out in an Effective Date of 2004 Amendment; Transition Provisions note under section 3001 of this title.

§3232a. Measures to mitigate counterintelligence threats from proliferation and use of foreign commercial spyware

(a) Definitions

In this section:

(1) Appropriate congressional committees

The term "appropriate congressional committees" means—

(A) the Select Committee on Intelligence, the Committee on Foreign Relations, the Committee on Armed Services, the Committee on Banking, Housing, and Urban Affairs, the Committee on the Judiciary, the Committee on Appropriations, and the Committee on Homeland Security and Governmental Affairs of the Senate; and

(B) the Permanent Select Committee on Intelligence, the Committee on Foreign Affairs, the Committee on Armed Services, the Committee on Financial Services, the Committee on the Judiciary, the Committee on Appropriations, the Committee on Homeland Security, and the Committee on Oversight and Reform of the House of Representatives.

(2) Covered entity

The term "covered entity" means any foreign company that either directly or indirectly develops, maintains, owns, operates, brokers, markets, sells, leases, licenses, or otherwise makes available spyware.

(3) Foreign commercial spyware

The term "foreign commercial spyware" means spyware that is developed (solely or in partnership with a foreign company), maintained, sold, leased, licensed, marketed, sourced (in whole or in part), or otherwise provided, either directly or indirectly, by a foreign company.

(4) Foreign company

The term "foreign company" means a company that is incorporated or domiciled outside of the United States, including any subsidiaries or affiliates wherever such subsidiaries or affiliates are domiciled or incorporated.

(5) Spyware

The term "spyware" means a tool or set of tools that operate as an end-to-end system of software to provide an unauthorized user remote access to information stored on or transiting through an electronic device connected to the Internet and not owned or operated by the unauthorized user, including end-to-end systems that—

(A) allow an unauthorized user to remotely infect electronic devices with malicious software, including without any action required by the user of the device;

(B) can record telecommunications or other audio captured on a device not owned by the unauthorized user;

(C) undertake geolocation, collect cell site location information, or otherwise track the location of a device or person using the internal sensors of an electronic device not owned by the unauthorized user;

(D) allow an unauthorized user access to and the ability to retrieve information on the electronic device, including text messages, files, e-mails, transcripts of chats, contacts, photos, and browsing history; or

(E) any additional criteria described in publicly available documents published by the Director of National Intelligence, such as whether the end-to-end system is used outside the context of a codified lawful intercept system.

(b) Annual assessments of counterintelligence threats

(1) Requirement

Not later than 90 days after December 23, 2022, and annually thereafter, the Director of National Intelligence, in coordination with the Director of the Central Intelligence Agency, the Director of the National Security Agency, and the Director of the Federal Bureau of Investigation, shall submit to the appropriate congressional committees a report with an accompanying classified annex containing an assessment of the counterintelligence threats and other risks to the national security of the United States posed by the proliferation of foreign commercial spyware. The assessment shall incorporate all credible data, including open-source information.

(2) Elements

Each report under paragraph (1) shall include the following, if known:

(A) A list of the most significant covered entities.

(B) A description of the foreign commercial spyware marketed by the covered entities identified under subparagraph (A) and an assessment by the intelligence community of the foreign commercial spyware.

(C) An assessment of the counterintelligence risk to the intelligence community or personnel of the intelligence community posed by foreign commercial spyware.

(D) For each covered entity identified in subparagraph (A), details of any subsidiaries, resellers, or other agents acting on behalf of the covered entity.

(E) Details of where each covered entity identified under subparagraphs (A) and (D) is domiciled.

(F) A description of how each covered entity identified under subparagraphs (A) and (D) is financed, where the covered entity acquired its capital, and the organizations and individuals having substantial investments or other equities in the covered entity.

(G) An assessment by the intelligence community of any relationship between each covered entity identified in subparagraphs (A) and (D) and any foreign government, including any export controls and processes to which the covered entity is subject.

(H) A list of the foreign customers of each covered entity identified in subparagraphs (A) and (D), including the understanding by the intelligence community of the organizations and end-users within any foreign government.

(I) With respect to each foreign customer identified under subparagraph (H), an assessment by the intelligence community regarding how the foreign customer is using the spyware, including whether the foreign customer has targeted personnel of the intelligence community.

(J) With respect to the first report required under paragraph (1), a mitigation plan to reduce the exposure of personnel of the intelligence community to foreign commercial spyware.

(K) With respect to each report following the first report required under paragraph (1), details of steps taken by the intelligence community since the previous report to implement measures to reduce the exposure of personnel of the intelligence community to foreign commercial spyware.

(3) Classified annex

In submitting the report under paragraph (1), the Director shall also include an accompanying but separate classified annex, providing a watchlist of companies selling, leasing, or otherwise providing foreign commercial spyware that the Director determines are engaged in activities that pose a counterintelligence risk to personnel of the intelligence community.

(4) Form

Each report under paragraph (1) shall be submitted in classified form.

(5) Dissemination

The Director of National Intelligence shall separately distribute each report under paragraph (1) and each annex under paragraph (3) to the President, the heads of all elements of the intelligence community, the Secretary of State, the Attorney General, the Secretary of Commerce, the Secretary of Homeland Security, the National Cyber Director, and the heads of any other departments or agencies the Director of National Intelligence determines appropriate.

(c) Authority to prohibit purchase or use by intelligence community

(1) Foreign commercial spyware

(A) In general

The Director of National Intelligence may prohibit any element of the intelligence community from procuring, leasing, or otherwise acquiring on the commercial market, or extending or renewing a contract to procure, lease, or otherwise acquire, foreign commercial spyware.

(B) Considerations

In determining whether and how to exercise the authority under subparagraph (A), the Director of National Intelligence shall consider—

(i) the assessment of the intelligence community of the counterintelligence threats or other risks to the United States posed by foreign commercial spyware;

(ii) the assessment of the intelligence community of whether the foreign commercial spyware has been used to target United States Government personnel.¹

(iii) whether the original owner or developer retains any of the physical property or intellectual property associated with the foreign commercial spyware;

(iv) whether the original owner or developer has verifiably destroyed all copies of the data collected by or associated with the foreign commercial spyware;

(v) whether the personnel of the original owner or developer retain any access to data collected by or associated with the foreign commercial spyware;

(vi) whether the use of the foreign commercial spyware requires the user to connect to an information system of the original owner or developer or information system of a foreign government; and

(vii) whether the foreign commercial spyware poses a counterintelligence risk to the United States or any other threat to the national security of the United States.

(2) Company that has acquired foreign commercial spyware

(A) Authority

The Director of National Intelligence may prohibit any element of the intelligence community from entering into any contract or other agreement for any purpose with a company that has acquired, in whole or in part, any foreign commercial spyware.

(B) Considerations

In considering whether and how to exercise the authority under subparagraph (A), the Director of National Intelligence shall consider—

(i) whether the original owner or developer of the foreign commercial spyware retains any of the physical property or intellectual property associated with the spyware;

(ii) whether the original owner or developer of the foreign commercial spyware has verifiably destroyed all data, and any copies thereof, collected by or associated with the spyware;

(iii) whether the personnel of the original owner or developer of the foreign commercial spyware retain any access to data collected by or associated with the foreign commercial spyware;

(iv) whether the use of the foreign commercial spyware requires the user to connect to an information system of the original owner or developer or information system of a foreign government; and

(v) whether the foreign commercial spyware poses a counterintelligence risk to the United States or any other threat to the national security of the United States.

(3) Notifications of prohibition

Not later than 30 days after the date on which the Director of National Intelligence exercises the authority to issue a prohibition under subsection (c), the Director of National Intelligence shall notify the congressional intelligence committees of such exercise of authority. Such notice shall include—

(A) a description of the circumstances under which the prohibition was issued;

(B) an identification of the company or product covered by the prohibition;

(C) any information that contributed to the decision of the Director of National Intelligence to exercise the authority, including any information relating to counterintelligence or other risks to the national security of the United States posed by the company or product, as assessed by the intelligence community; and

(D) an identification of each element of the intelligence community to which the prohibition has been applied.

(4) Waiver authority

(A) In general

The head of an element of the intelligence community may request from the Director of National Intelligence the waiver of a prohibition made under paragraph (1) or (2).

(B) Director of National Intelligence determination

The Director of National Intelligence, upon receiving the waiver request in subparagraph (A), may issue a waiver for a period not to exceed one year in response to the request from the head of an element of the intelligence community if such waiver is in the national security interest of the United States.

(C) Notice

Not later than 30 days after approving a waiver request pursuant to subparagraph (B), the Director of National Intelligence shall submit to the congressional intelligence committees, the Subcommittee on Defense of the Committee on Appropriations of the Senate, and the Subcommittee on Defense of the Committee on Appropriations of the House of Representatives a written notification. The notification shall include—

(i) an identification of the head of the element of the intelligence community that requested the waiver;

(ii) the details of the waiver request, including the national security interests of the United States;

(iii) the rationale and basis for the determination that the waiver is in the national security interests of the United States;

(iv) the considerations that informed the ultimate determination of the Director of National Intelligence to issue the waiver; and

(v) and any other considerations contributing to the determination, made by the Director of National Intelligence.

(D) Waiver termination

The Director of National Intelligence may revoke a previously granted waiver at any time. Upon revocation of a waiver, the Director of National Intelligence shall submit a written notification to the congressional intelligence committees, the Subcommittee on Defense of the Committee on Appropriations of the Senate, and the Subcommittee on Defense of the Committee on Appropriations of the House of Representatives not later than 30 days after making a revocation determination.

(5) Termination of prohibition

The Director of National Intelligence may terminate a prohibition made under paragraph (1) or (2) at any time. Upon termination of a prohibition, the Director of National Intelligence shall submit a notification of the termination to the congressional intelligence committees, the Subcommittee on Defense of the Committee on Appropriations of the Senate, and the Subcommittee on Defense of the Committee on Appropriations of the House of Representatives not later than 30 days after terminating a prohibition, detailing the basis for the termination, including any United States national security interests that may be affected by such termination.

(July 26, 1947, ch. 343, title XI, §1102A, as added Pub. L. 117–263, div. F, title LXIII, §6318(c), Dec. 23, 2022, 136 Stat. 3515; amended Pub. L. 118–31, div. G, title IX, §7901(a)(4), Dec. 22, 2023, 137 Stat. 1106.)

Editorial Notes

Amendments

2023—Subsec. (b)(3). Pub. L. 118–31, §7901(a)(4)(A), substituted "paragraph (1)" for "subsection (2)".

Subsec. (c)(4)(C)(iv). Pub. L. 118–31, §7901(a)(4)(B), substituted "waiver" for "wavier".

Statutory Notes and Related Subsidiaries

Change of Name

Committee on Oversight and Reform of House of Representatives changed to Committee on Oversight and Accountability of House of Representatives by House Resolution No. 5, One Hundred Eighteenth Congress, Jan. 9, 2023.

Rule of Construction—No Enhanced Authorities

Pub. L. 117–263, div. F, title LXIII, §6318(e), Dec. 23, 2022, 136 Stat. 3521, provided that: "Nothing in this section [enacting this section, amending section 3383 of this title, and enacting provisions set out as notes under this section] or an amendment made by this section shall be construed as enhancing, or otherwise changing, the authorities of the intelligence community to target, collect, process, or disseminate information regarding United States Government personnel."

[For definition of "intelligence community" as used in section 6318(e) of Pub. L. 117–263, set out above, see section 6002 of Pub. L. 117–263, set out as a note under section 3003 of this title.]

Statement of Policy

Pub. L. 117–263, div. F, title LXIII, §6318(b), Dec. 23, 2022, 136 Stat. 3515, provided that: "It shall be the policy of the United States to act decisively against counterintelligence threats posed by foreign commercial spyware, as well as the individuals who lead entities selling foreign commercial spyware and who are reasonably believed to be involved, have been involved, or pose a significant risk to being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States."

[For definition of "foreign commercial spyware" as used in section 6318(b) of Pub. L. 117–263, set out above, see section 6318(a) of Pub. L. 117–263, set out below.]

Protection of Covered Devices

Pub. L. 117–263, div. F, title LXIII, §6318(d)(1)–(3), Dec. 23, 2022, 136 Stat. 3520, provided that:

"(1) Requirement.—Not later than 120 days after the date of the enactment of this Act [Dec. 23, 2022], the Director of National Intelligence shall—

"(A) issue standards, guidance, best practices, and policies for elements of the intelligence community to protect covered devices from being compromised by foreign commercial spyware;

"(B) survey elements of the intelligence community regarding the processes used by the elements to routinely monitor covered devices for indicators of compromise associated with foreign commercial spyware; and

"(C) submit to the congressional intelligence committees a report on the sufficiency of the measures in place to routinely monitor covered devices for indicators of compromise associated with foreign commercial spyware.

"(2) Form.—The report under paragraph (1)(C) may be submitted in classified form.

"(3) Counterintelligence notifications.—Not later than 30 days after the date on which an element of the intelligence community becomes aware that a covered device was targeted or compromised by foreign commercial spyware, the Director of National Intelligence, in coordination with the Director of the Federal Bureau of Investigation, shall notify the congressional intelligence committees, the Subcommittee on Defense of the Committee on Appropriations of the Senate, and the Subcommittee on Defense of the Committee on Appropriations of the House of Representatives of such determination, including—

"(A) the component of the element and the location of the personnel whose covered device was targeted or compromised;

"(B) the number of covered devices compromised or targeted;

"(C) an assessment by the intelligence community of the damage to national security of the United States resulting from any loss of data or sensitive information;

"(D) an assessment by the intelligence community of any foreign government, or foreign organization or entity, and, to the extent possible, the foreign individuals, who directed and benefitted from any information acquired from the targeting or compromise; and

"(E) as appropriate, an assessment by the intelligence community of the capacity and will of such governments or individuals to continue targeting personnel of the United States Government."

[For definitions of "intelligence community" and "congressional intelligence committees" as used in section 6318(d)(1)–(3) of Pub. L. 117–263, set out above, see section 6002 of Pub. L. 117–263, set out as a note under section 3003 of this title.]

[For definitions of "covered device" and "foreign commercial spyware" as used in section 6318(d)(1)–(3) of Pub. L. 117–263, set out above, see section 6318(a) of Pub. L. 117–263, set out below.]

Definitions

Pub. L. 117–263, div. F, title LXIII, §6318(a), Dec. 23, 2022, 136 Stat. 3515, provided that: "In this section:

"(1) Covered device.—The term 'covered device' means any electronic mobile device including smartphones, tablet computing devices, or laptop computing devices, that is issued by an element of the intelligence community for official use.

"(2) Foreign commercial spyware; foreign company; spyware.—The terms 'foreign commercial spyware', 'foreign company', and 'spyware' have the meanings given those terms in section 1102A of the National Security Act of 1947 (50 U.S.C. 3231 et seq. [probably means 50 U.S.C. 3232a]), as added by this section."

[For definition of "intelligence community" as used in section 6318(a) of Pub. L. 117–263, set out above, see section 6002 of Pub. L. 117–263, set out as a note under section 3003 of this title.]

Executive Documents

Ex. Ord. No. 14093. Prohibition on Use by the United States Government of Commercial Spyware That Poses Risks to National Security

Ex. Ord. No. 14093, Mar. 27, 2023, 88 F.R. 18957, provided:

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Policy. Technology is central to the future of our national security, economy, and democracy. The United States has fundamental national security and foreign policy interests in (1) ensuring that technology is developed, deployed, and governed in accordance with universal human rights; the rule of law; and appropriate legal authorization, safeguards, and oversight, such that it supports, and does not undermine, democracy, civil rights and civil liberties, and public safety; and (2) mitigating, to the greatest extent possible, the risk emerging technologies may pose to United States Government institutions, personnel, information, and information systems.

To advance these interests, the United States supports the development of an international technology ecosystem that protects the integrity of international standards development; enables and promotes the free flow of data and ideas with trust; protects our security, privacy, and human rights; and enhances our economic competitiveness. The growing exploitation of Americans' sensitive data and improper use of surveillance technology, including commercial spyware, threatens the development of this ecosystem. Foreign governments and persons have deployed commercial spyware against United States Government institutions, personnel, information, and information systems, presenting significant counterintelligence and security risks to the United States Government. Foreign governments and persons have also used commercial spyware for improper purposes, such as to target and intimidate perceived opponents; curb dissent; limit freedoms of expression, peaceful assembly, or association; enable other human rights abuses or suppression of civil liberties; and track or target United States persons without proper legal authorization, safeguards, or oversight.

The United States has a fundamental national security and foreign policy interest in countering and preventing the proliferation of commercial spyware that has been or risks being misused for such purposes, in light of the core interests of the United States in protecting United States Government personnel and United States citizens around the world; upholding and advancing democracy; promoting respect for human rights; and defending activists, dissidents, and journalists against threats to their freedom and dignity. To advance these interests and promote responsible use of commercial spyware, the United States must establish robust protections and procedures to ensure that any United States Government use of commercial spyware helps protect its information systems and intelligence and law enforcement activities against significant counterintelligence or security risks; aligns with its core interests in promoting democracy and democratic values around the world; and ensures that the United States Government does not contribute, directly or indirectly, to the proliferation of commercial spyware that has been misused by foreign governments or facilitate such misuse.

Therefore, I hereby establish as the policy of the United States Government that it shall not make operational use of commercial spyware that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person. In furtherance of the national security and foreign policy interests of the United States, this order accordingly directs steps to implement that policy and protect the safety and security of United States Government institutions, personnel, information, and information systems; discourage the improper use of commercial spyware; and encourage the development and implementation of responsible norms regarding the use of commercial spyware that are consistent with respect for the rule of law, human rights, and democratic norms and values. The actions directed in this order are consistent with the policy objectives set forth in section 6318 of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (NDAA FY 2023) (Public Law 117–263) [enacting this section and provisions set out as notes above] and section 5502 of the National Defense Authorization Act for Fiscal Year 2022 (NDAA FY 2022) (Public Law 117–81) [22 U.S.C. 2679e].

Sec. 2. Prohibition on Operational Use. (a) Executive departments and agencies (agencies) shall not make operational use of commercial spyware where they determine, based on credible information, that such use poses significant counterintelligence or security risks to the United States Government or that the commercial spyware poses significant risks of improper use by a foreign government or foreign person. For the purposes of this use prohibition:

(i) Commercial spyware may pose counterintelligence or security risks to the United States Government when:

(A) a foreign government or foreign person has used or acquired the commercial spyware to gain or attempt to gain access to United States Government computers or the computers of United States Government personnel without authorization from the United States Government; or

(B) the commercial spyware was or is furnished by an entity that:

(1) maintains, transfers, or uses data obtained from the commercial spyware without authorization from the licensed end-user or the United States Government;

(2) has disclosed or intends to disclose non-public United States Government information or non-public information about the activities of the United States Government without authorization from the United States Government; or

(3) is under the direct or effective control of a foreign government or foreign person engaged in intelligence activities, including surveillance or espionage, directed against the United States.

(ii) Commercial spyware may pose risks of improper use by a foreign government or foreign person when:

(A) the commercial spyware, or other commercial spyware furnished by the same vendor, has been used by a foreign government or foreign person for any of the following purposes:

(1) to collect information on activists, academics, journalists, dissidents, political figures, or members of non-governmental organizations or marginalized communities in order to intimidate such persons; curb dissent or political opposition; otherwise limit freedoms of expression, peaceful assembly, or association; or enable other forms of human rights abuses or suppression of civil liberties; or

(2) to monitor a United States person, without such person's consent, in order to facilitate the tracking or targeting of the person without proper legal authorization, safeguards, and oversight; or

(B) the commercial spyware was furnished by an entity that provides commercial spyware to governments for which there are credible reports in the annual country reports on human rights practices of the Department of State that they engage in systematic acts of political repression, including arbitrary arrest or detention, torture, extrajudicial or politically motivated killing, or other gross violations of human rights, consistent with any findings by the Department of State pursuant to section 5502 of the NDAA FY 2022 or other similar findings.

(iii) In determining whether the operational use of commercial spyware poses significant counterintelligence or security risks to the United States Government or poses significant risks of improper use by a foreign government or foreign person, such that operational use should be prohibited, agencies shall consider, among other relevant considerations, whether the entity furnishing the commercial spyware knew or reasonably should have known that the spyware posed risks described in subsections (a)(i) or (ii) of this section, and whether the entity has taken appropriate measures to remove such risks, such as canceling relevant licensing agreements or contracts that present such risks; taking other verifiable action to prevent continuing uses that present such risks; or cooperating in United States Government efforts to counter improper use of the spyware.

(b) An agency shall not request or directly enable a third party to make operational use of commercial spyware where the agency has determined that such use poses significant counterintelligence or security risks to the United States Government or that the commercial spyware poses significant risks of improper use by a foreign government or foreign person, as described in subsection (a) of this section. For purposes of this order, the term "operational use" includes such indirect use.

(c) To facilitate effective interagency coordination of information relevant to the factors set forth in subsection (a) of this section and to promote consistency of application of this order across the United States Government, the Director of National Intelligence (DNI) shall, within 90 days of the date of this order [Mar. 27, 2023], and on a semiannual basis thereafter, issue a classified intelligence assessment that integrates relevant information—including intelligence, open source, financial, sanctions-related, and export controls-related information—on foreign commercial spyware or foreign government or foreign person use of commercial spyware relevant to the factors set forth in subsection (a) of this section. The intelligence assessment shall incorporate, but not be limited to, the report and assessment required by section 1102A(b) of the National Security Act of 1947 [50 U.S.C. 3232a(b)], 50 U.S.C. 3001 et seq., as amended by section 6318(c) of the NDAA FY 2023. In order to facilitate the production of the intelligence assessment, the head of each agency shall, on an ongoing basis, provide the DNI all new credible information obtained by the agency on foreign commercial spyware vendors or foreign government or foreign person use of commercial spyware relevant to the factors set forth in subsection (a) of this section. Such information shall include intelligence, open source, financial, sanctions-related, export controls-related, and due diligence information, as well as information relevant to the development of the list of covered contractors developed or maintained pursuant to section 5502 of the NDAA FY 2022 or other similar information.

(d) Any agency that makes a determination of whether operational use of a commercial spyware product is prohibited under subsection (a) of this section shall provide the results of that determination and key elements of the underlying analysis to the DNI. After consulting with the submitting agency to protect operational sensitivities, the DNI shall incorporate this information into the intelligence assessment described in subsection (c) of this section and, as needed, shall make this information available to other agencies consistent with section 3(b) of this order.

(e) The Assistant to the President for National Security Affairs (APNSA), or a designee, shall, within 30 days of the issuance of the intelligence assessment described in subsection (c) of this section, and additionally as the APNSA or designee deems necessary, convene agencies to discuss the intelligence assessment, as well as any other information about commercial spyware relevant to the factors set forth in subsection (a) of this section, in order to ensure effective interagency awareness and sharing of such information.

(f) For any commercial spyware intended by an agency for operational use, a relevant official, as provided in section 5(k) of this order, shall certify the determination that the commercial spyware does not pose significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person based on the factors set forth in subsection (a) of this section. The obligation to certify such a determination shall not be delegated, except as provided in section 5(k) of this order.

(g) If an agency decides to make operational use of commercial spyware, the head of the agency shall notify the APNSA of such decision, describing the due diligence completed before the decision was made, providing relevant information on the agency's consideration of the factors set forth in subsection (a) of this section, and providing the reasons for the agency's determination. The agency may not make operational use of the commercial spyware until at least 7 days after providing this information or until the APNSA has notified the agency that no further process is required.

(h) Within 90 days of the issuance of the intelligence assessment described in subsection (c) of this section, each agency shall review all existing operational uses of commercial spyware and discontinue, as soon as the head of the agency determines is reasonably possible without compromising ongoing operations, operational use of any commercial spyware that the agency determines poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person, pursuant to subsection (a) of this section.

(i) Within 180 days of the date of this order, each agency that may make operational use of commercial spyware shall develop appropriate internal controls and oversight procedures for conducting determinations under subsection (a) of this section, as appropriate and consistent with applicable law.

(j) At any time after procuring commercial spyware for operational use, if the agency obtains relevant information with respect to the factors set forth in subsection (a) of this section, the agency shall determine whether the commercial spyware poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person, and, if so, shall terminate such operational use as soon as the head of the agency determines is reasonably possible without compromising ongoing operations, and shall notify the DNI and the APNSA.

(k) The Federal Acquisition Security Council shall consider the intelligence assessment described in subsection (c) of this section in evaluating whether commercial spyware poses a supply chain risk, as appropriate and consistent with applicable law, including 41 CFR Part 201–1 and 41 U.S.C. 1323.

(l) The prohibitions contained in this section shall not apply to the use of commercial spyware for purposes of testing, research, analysis, cybersecurity, or the development of countermeasures for counterintelligence or security risks, or for purposes of a criminal investigation arising out of the criminal sale or use of the spyware.

(m) A relevant official, as provided in section 5(k) of this order, may issue a waiver, for a period not to exceed 1 year, of an operational use prohibition determined pursuant to subsection (a) of this section if the relevant official determines that such waiver is necessary due to extraordinary circumstances and that no feasible alternative is available to address such circumstances. This authority shall not be delegated, except as provided in section 5(k) of this order. A relevant official may, at any time, revoke any waiver previously granted. Within 72 hours of making a determination to issue or revoke a waiver pursuant to this subsection, the relevant official who has issued or revoked the waiver shall notify the President, through the APNSA, of this determination, including the justification for the determination. The relevant official shall provide this information concurrently to the DNI.

Sec. 3. Application to Procurement. An agency seeking to procure commercial spyware for any purpose other than for a criminal investigation arising out of the criminal sale or use of the spyware shall, prior to making such procurement and consistent with its existing statutory and regulatory authorities:

(a) review the intelligence assessment issued by the DNI pursuant to section 2(c) of this order;

(b) request from the DNI any additional information regarding the commercial spyware that is relevant to the factors set forth in section 2(a) of this order;

(c) consider the factors set forth in section 2(a) of this order in light of the information provided by the DNI; and

(d) consider whether any entity furnishing the commercial spyware being considered for procurement has implemented reasonable due diligence procedures and standards—such as the industry-wide norms reflected in relevant Department of State guidance on business and human rights and on transactions linked to foreign government end-users for products or services with surveillance capabilities—and controls that would enable the entity to identify and prevent uses of the commercial spyware that pose significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.

Sec. 4. Reporting Requirements. (a) The head of each agency that has procured commercial spyware, upon completing the review described in section 2(h) of this order, shall submit to the APNSA a report describing the review's findings. If the review identifies any existing operational use of commercial spyware, as defined in this order, the agency report shall include:

(i) a description of such existing operational use;

(ii) a determination of whether the commercial spyware poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person, along with key elements of the underlying analysis, pursuant to section 2(a) of this order; and

(iii) in the event the agency determines that the commercial spyware poses significant risks pursuant to section 2(a) of this order, what steps have been taken to terminate its operational use.

(b) Within 45 days of an agency's procurement of any commercial spyware for any use described in section 2(l) of this order except for use in a criminal investigation arising out of the criminal sale or use of the spyware, the head of the agency shall notify the APNSA of such procurement and shall include in the notification a description of the purpose and authorized uses of the commercial spyware.

(c) Within 6 months of the date of this order, the head of each agency that has made operational use of commercial spyware or has procured commercial spyware for operational use shall submit to the APNSA a report on the actions that the agency has taken to implement this order, including the internal controls and oversight procedures the agency has developed pursuant to section 2(i) of this order.

(d) Within 1 year of the date of this order, and on an annual basis thereafter, the head of each agency that has procured commercial spyware for operational use shall provide the APNSA a report that identifies:

(i) any existing operational use of commercial spyware and the reasons why it does not pose significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person, pursuant to section 2(a) of this order;

(ii) any operational use of commercial spyware that was terminated during the preceding year because it was determined to pose significant risks pursuant to section 2(a) of this order, the circumstances under which this determination was made, and the steps taken to terminate such use; and

(iii) any purchases made of commercial spyware, and whether they were made for operational use, during the preceding year.

Sec. 5. Definitions. For purposes of this order:

(a) The term "agency" means any authority of the United States that is an "agency" under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) The term "commercial spyware" means any end-to-end software suite that is furnished for commercial purposes, either directly or indirectly through a third party or subsidiary, that provides the user of the software suite the capability to gain remote access to a computer, without the consent of the user, administrator, or owner of the computer, in order to:

(i) access, collect, exploit, extract, intercept, retrieve, or transmit content, including information stored on or transmitted through a computer connected to the Internet;

(ii) record the computer's audio calls or video calls or use the computer to record audio or video; or

(iii) track the location of the computer.

(c) The term "computer" shall have the same meaning as it has in 18 U.S.C. 1030(e)(1).

(d) The term "entity" means a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.

(e) The term "foreign entity" means an entity that is not a United States entity.

(f) The term "foreign government" means any national, state, provincial, or other governing authority, any political party, or any official of any governing authority or political party, in each case of a country other than the United States.

(g) The term "foreign person" means a person that is not a United States person.

(h) The term "furnish," when used in connection with commercial spyware, means to develop, maintain, own, operate, manufacture, market, sell, resell, broker, lease, license, repackage, rebrand, or otherwise make available commercial spyware.

(i) The term "operational use" means use to gain remote access to a computer, without the consent of the user, administrator, or owner of the computer, in order to:

(i) access, collect, exploit, extract, intercept, retrieve, or transmit the computer's content, including information stored on or transmitted through a computer connected to the Internet;

(ii) record the computer's audio calls or video calls or use the computer to otherwise record audio or video; or

(iii) track the location of the computer.

The term "operational use" does not include those uses described in section 2(l) of this order.

(j) The term "person" means an individual or entity.

(k) The term "relevant official," for purposes of sections 2(f) and 2(m) of this order, refers to any of the following: the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the DNI, the Director of the Central Intelligence Agency, or the Director of the National Security Agency. The Attorney General's obligation under section 2(f) of this order and authority under section 2(m) of this order may be delegated only to the Deputy Attorney General.

(l) The term "remote access," when used in connection with commercial spyware, means access to a computer, the computer's content, or the computer's components by using an external network (e.g., the Internet) when the computer is not in the physical possession of the actor seeking access to that computer.

(m) The term "United States entity" means any entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches).

(n) The term "United States person" shall have the same meaning as it has in Executive Order 12333 of December 4, 1981 (United States Intelligence Activities) [50 U.S.C. 3001 note], as amended.

(o) The term "United States Government personnel" means all United States Government employees as defined by 5 U.S.C. 2105.

Sec. 6. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:

(i) the authority granted by law to an executive department or agency, or the head thereof; or

(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.

(b) Nothing in this order shall be construed to limit the use of any remedies available to the head of an agency or any other official of the United States Government.

(c) This order shall be implemented consistent with applicable law, including section 6318 of the NDAA FY 2023, as well as applicable procurement laws, and subject to the availability of appropriations.

(d) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

J.R. Biden, Jr.      

¹ So in original. The period probably should be a semicolon.

§3233. Misuse of the Office of the Director of National Intelligence name, initials, or seal

(a) Prohibited acts

No person may, except with the written permission of the Director of National Intelligence, or a designee of the Director, knowingly use the words "Office of the Director of National Intelligence", the initials "ODNI", the seal of the Office of the Director of National Intelligence, or any colorable imitation of such words, initials, or seal in connection with any merchandise, impersonation, solicitation, or commercial activity in a manner reasonably calculated to convey the impression that such use is approved, endorsed, or authorized by the Director of National Intelligence.

(b) Injunction

Whenever it appears to the Attorney General that any person is engaged or is about to engage in an act or practice which constitutes or will constitute conduct prohibited by subsection (a), the Attorney General may initiate a civil proceeding in a district court of the United States to enjoin such act or practice. Such court shall proceed as soon as practicable to the hearing and determination of such action and may, at any time before final determination, enter such restraining orders or prohibitions, or take such other action as is warranted, to prevent injury to the United States or to any person or class of persons for whose protection the action is brought.

(July 26, 1947, ch. 343, title XI, §1103, as added Pub. L. 111–259, title IV, §413(a), Oct. 7, 2010, 124 Stat. 2726.)

Editorial Notes

Codification

Section was formerly classified to section 442b of this title prior to editorial reclassification and renumbering as this section.

§3234. Prohibited personnel practices in the intelligence community

(a) Definitions

In this section:

(1) Agency

The term "agency" means an executive department or independent establishment, as defined under sections 101 and 104 of title 5, that contains an intelligence community element, except the Federal Bureau of Investigation.

(2) Covered intelligence community element

The term "covered intelligence community element"—

(A) means—

(i) the Central Intelligence Agency, the Defense Intelligence Agency, the National Geospatial-Intelligence Agency, the National Security Agency, the Office of the Director of National Intelligence, and the National Reconnaissance Office; and

(ii) any executive agency or unit thereof determined by the President under section 2302(a)(2)(C)(ii) of title 5 to have as its principal function the conduct of foreign intelligence or counterintelligence activities; and

(B) does not include the Federal Bureau of Investigation.

(3) Personnel action

The term "personnel action" means, with respect to an employee in a position in a covered intelligence community element (other than a position excepted from the competitive service due to its confidential, policy-determining, policymaking, or policy-advocating character) or a contractor employee—

(A) an appointment;

(B) a promotion;

(C) a disciplinary or corrective action;

(D) a detail, transfer, or reassignment;

(E) a demotion, suspension, or termination;

(F) a reinstatement or restoration;

(G) a performance evaluation;

(H) a decision concerning pay, benefits, or awards;

(I) a decision concerning education or training if such education or training may reasonably be expected to lead to an appointment, promotion, or performance evaluation; or

(J) any other significant change in duties, responsibilities, or working conditions.

(4) Contractor employee

The term "contractor employee" means an employee of a contractor, subcontractor, grantee, subgrantee, or personal services contractor, of a covered intelligence community element.

(b) Agency employees

Any employee of a covered intelligence community element or an agency who has authority to take, direct others to take, recommend, or approve any personnel action, shall not, with respect to such authority, take or fail to take, or threaten to take or fail to take, a personnel action with respect to any employee of a covered intelligence community element as a reprisal for—

(1) any lawful disclosure of information by the employee to the Director of National Intelligence (or an employee designated by the Director of National Intelligence for such purpose), the Inspector General of the Intelligence Community, a supervisor in the employee's direct chain of command, or a supervisor of the employing agency with responsibility for the subject matter of the disclosure, up to and including the head of the employing agency (or an employee designated by the head of that agency for such purpose), the appropriate inspector general of the employing agency, a congressional intelligence committee, or a member of a congressional intelligence committee, which the employee reasonably believes evidences—

(A) a violation of any Federal law, rule, or regulation; or

(B) mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety;

(2) any lawful disclosure that complies with—

(A) subsections (a)(1), (d), and (g) of section 8H of the Inspector General Act of 1978 (5 U.S.C. App.); ¹

(B) subparagraphs (A), (D), and (H) of section 3517(d)(5) of this title; or

(C) subparagraphs (A), (D), and (I) of section 3033(k)(5) of this title; or

(3) if the actions do not result in the employee unlawfully disclosing information specifically required by Executive order to be kept classified in the interest of national defense or the conduct of foreign affairs, any lawful disclosure in conjunction with—

(A) the exercise of any appeal, complaint, or grievance right granted by any law, rule, or regulation;

(B) testimony for or otherwise lawfully assisting any individual in the exercise of any right referred to in subparagraph (A); or

(C) cooperation with or disclosing information to the Inspector General of an agency, in accordance with applicable provisions of law in connection with an audit, inspection, or investigation conducted by the Inspector General.

(c) Contractor employees

(1) Any employee of an agency or of a contractor, subcontractor, grantee, subgrantee, or personal services contractor, of a covered intelligence community element who has authority to take, direct others to take, recommend, or approve any personnel action, shall not, with respect to such authority, take or fail to take, or threaten to take or fail to take, a personnel action with respect to any contractor employee as a reprisal for—

(A) any lawful disclosure of information by the contractor employee to the Director of National Intelligence (or an employee designated by the Director of National Intelligence for such purpose), the Inspector General of the Intelligence Community, a supervisor in the contractor employee's direct chain of command, or a supervisor of the employing or contracting agency or employing contractor with responsibility for the subject matter of the disclosure, up to and including the head of the employing or contracting agency (or an employee designated by the head of that agency for that purpose) or employing contractor, the appropriate inspector general of the employing or contracting agency, a congressional intelligence committee, or a member of a congressional intelligence committee, which the contractor employee reasonably believes evidences—

(i) a violation of any Federal law, rule, or regulation (including with respect to evidence of another employee or contractor employee accessing or sharing classified information without authorization); or

(ii) mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety.²

(B) any lawful disclosure that complies with—

(i) subsections (a)(1), (d), and (g) of section 8H of the Inspector General Act of 1978 (5 U.S.C. App.); ¹

(ii) subparagraphs (A), (D), and (H) of section 3517(d)(5) of this title; or

(iii) subparagraphs (A), (D), and (I) of section 3033(k)(5) of this title; or

(C) if the actions do not result in the contractor employee unlawfully disclosing information specifically required by Executive order to be kept classified in the interest of national defense or the conduct of foreign affairs, any lawful disclosure in conjunction with—

(i) the exercise of any appeal, complaint, or grievance right granted by any law, rule, or regulation;

(ii) testimony for or otherwise lawfully assisting any individual in the exercise of any right referred to in clause (i); or

(iii) cooperation with or disclosing information to the Inspector General of an agency, in accordance with applicable provisions of law in connection with an audit, inspection, or investigation conducted by the Inspector General.

(2) A personnel action under paragraph (1) is prohibited even if the action is undertaken at the request of an agency official, unless the request takes the form of a nondiscretionary directive and is within the authority of the agency official making the request.

(d) Rule of construction

Consistent with the protection of intelligence sources and methods, nothing in subsection (b) or (c) shall be construed to authorize—

(1) the withholding of information from Congress; or

(2) the taking of any personnel action against an employee who lawfully discloses information to Congress.

(e) Disclosures

A disclosure shall not be excluded from this section because—

(1) the disclosure was made to an individual, including a supervisor, who participated in an activity that the employee reasonably believed to be covered under subsection (b)(1)(B) or the contractor employee reasonably believed to be covered under subsection (c)(1)(A)(ii);

(2) the disclosure revealed information that had been previously disclosed;

(3) the disclosure was not made in writing;

(4) the disclosure was made while the employee was off duty;

(5) of the amount of time which has passed since the occurrence of the events described in the disclosure; or

(6) the disclosure was made during the normal course of duties of an employee or contractor employee.

(f) Enforcement

The President shall provide for the enforcement of this section consistent, to the fullest extent possible, with the policies and procedures used to adjudicate alleged violations of section 2302(b)(8) of title 5.

(g) Existing rights preserved

Nothing in this section shall be construed to—

(1) preempt or preclude any employee, contractor employee, or applicant for employment, at the Federal Bureau of Investigation from exercising rights provided under any other law, rule, or regulation, including section 2303 of title 5; or

(2) repeal section 2303 of title 5.

(July 26, 1947, ch. 343, title XI, §1104, as added Pub. L. 113–126, title VI, §601(a), July 7, 2014, 128 Stat. 1414; amended Pub. L. 115–118, title I, §110(a), Jan. 19, 2018, 132 Stat. 15; Pub. L. 117–103, div. X, title V, §501(a), (d)(2), (e)(1), (f), (g), Mar. 15, 2022, 136 Stat. 981–984; Pub. L. 117–263, div. F, title LXVI, §6608, title LXVIII, §6824(a)(8), Dec. 23, 2022, 136 Stat. 3559, 3615.)

Editorial Notes

References in Text

Section 8H of the Inspector General Act of 1978, referred to in subsecs. (b)(2)(A) and (c)(1)(B)(i), is section 8H of Pub. L. 95–452, which was set out in the Appendix to Title 5, Government Organization and Employees, and was repealed and restated as section 416 of Title 5 by Pub. L. 117–286, §§3(b), 7, Dec. 27, 2022, 136 Stat. 4242, 4361. Subsecs. (a)(1), (d), and (g) of section 8H were enacted as subsecs. (b)(1), (e), and (h) of section 416 of Title 5.

Amendments

2022—Subsec. (b). Pub. L. 117–103, §501(f)(1), substituted "(1) any lawful disclosure" for "a lawful disclosure", inserted dash after "for", redesignated former pars. (1) and (2) as subpars. (A) and (B), respectively, of par. (1), realigned margins, and added pars. (2) and (3).

Pub. L. 117–103, §501(a)(1)(A), (e)(1)(A), in introductory provisions, substituted "Any employee of a covered intelligence community element or an agency" for "Any employee of an agency" and inserted ", or threaten to take or fail to take," after "take or fail to take" and "a supervisor in the employee's direct chain of command, or a supervisor of the employing agency with responsibility for the subject matter of the disclosure, up to and including" before "the head of the employing agency".

Subsec. (b)(1)(B). Pub. L. 117–263, §6824(a)(8), substituted semicolon for period at end.

Subsec. (c)(1). Pub. L. 117–103, §501(f)(2), substituted "(A) any lawful disclosure" for "a lawful disclosure", inserted dash after "for", redesignated former subpars. (A) and (B) as cls. (i) and (ii), respectively, of subpar. (A), realigned margins, and added subpars. (B) and (C).

Pub. L. 117–103, §501(a)(1)(B), (2), (e)(1)(B), in introductory provisions, inserted "of an agency or" after "Any employee", ", or threaten to take or fail to take," after "take or fail to take", and "a supervisor in the contractor employee's direct chain of command, or a supervisor of the contracting agency with responsibility for the subject matter of the disclosure, up to and including" before "the head of the contracting agency".

Subsec. (c)(1)(A). Pub. L. 117–263, §6608, in introductory provisions, substituted "a supervisor of the employing or contracting agency or employing contractor" for "a supervisor of the contracting agency", "employing or contracting agency (or an employee designated by the head of that agency for that purpose) or employing contractor" for "contracting agency (or an employee designated by the head of that agency for such purpose)", and "appropriate inspector general of the employing or contracting agency" for "appropriate inspector general of the contracting agency".

Subsec. (c)(1)(B). Pub. L. 117–103, §501(d)(2), substituted "mismanagement" for "gross mismanagement".

Subsec. (d). Pub. L. 117–103, §501(g)(2), added subsec. (d). Former subsec. (d) redesignated (f).

Pub. L. 117–103, §501(a)(3), amended subsec. (d) generally. Prior to amendment, text read as follows: "The President shall provide for the enforcement of this section."

Subsec. (e). Pub. L. 117–103, §501(g)(2), added subsec. (e). Former subsec. (e) redesignated (g).

Subsecs. (f), (g). Pub. L. 117–103, §501(g)(1), redesignated subsecs. (d) and (e) as (f) and (g), respectively.

2018—Subsec. (a)(3). Pub. L. 115–118, §110(a)(1)(A), inserted "or a contractor employee" after "character)" in introductory provisions.

Subsec. (a)(4). Pub. L. 115–118, §110(a)(1)(B), added par. (4).

Subsec. (b). Pub. L. 115–118, §110(a)(4), substituted "Agency employees" for "In general" in heading.

Subsecs. (c) to (e). Pub. L. 115–118, §110(a)(2), (3), added subsec. (c) and redesignated former subsecs. (c) and (d) as (d) and (e), respectively.

Subsec. (e)(1). Pub. L. 115–118, §110(a)(5), inserted "contractor employee," after "any employee,".

Statutory Notes and Related Subsidiaries

Policies and Procedures; Nonapplicability to Certain Terminations

Pub. L. 113–126, title VI, §604, July 7, 2014, 128 Stat. 1421, provided that:

"(a) Covered Intelligence Community Element Defined.—In this section, the term 'covered intelligence community element'—

"(1) means—

"(A) the Central Intelligence Agency, the Defense Intelligence Agency, the National Geospatial-Intelligence Agency, the National Security Agency, the Office of the Director of National Intelligence, and the National Reconnaissance Office; and

"(B) any executive agency or unit thereof determined by the President under section 2302(a)(2)(C)(ii) of title 5, United States Code, to have as its principal function the conduct of foreign intelligence or counterintelligence activities; and

"(2) does not include the Federal Bureau of Investigation.

"(b) Regulations.—In consultation with the Secretary of Defense, the Director of National Intelligence shall develop policies and procedures to ensure that a personnel action shall not be taken against an employee of a covered intelligence community element as a reprisal for any disclosure of information described in [section] 1104 of the National Security Act of 1947 [50 U.S.C. 3234], as added by section 601 of this Act.

"(c) Report on the Status of Implementation of Regulations.—Not later than 2 years after the date of the enactment of this Act [July 7, 2014], the Director of National Intelligence shall submit a report on the status of the implementation of the regulations promulgated under subsection (b) to the congressional intelligence committees.

"(d) Nonapplicability to Certain Terminations.—Section 1104 of the National Security Act of 1947, as added by section 601 of this Act, and section 3001 of the Intelligence Reform and Terrorism Prevention Act of 2004 (50 U.S.C. 3341), as amended by section 602 of this Act, shall not apply if—

"(1) the affected employee is concurrently terminated under—

"(A) section 1609 of title 10, United States Code;

"(B) the authority of the Director of National Intelligence under section 102A(m) of the National Security Act of 1947 (50 U.S.C. 3024(m)), if the Director determines that the termination is in the interest of the United States;

"(C) the authority of the Director of the Central Intelligence Agency under section 104A(e) of the National Security Act of 1947 (50 U.S.C. 3036(e)), if the Director determines that the termination is in the interest of the United States; or

"(D) section 7532 of title 5, United States Code, if the head of the agency determines that the termination is in the interest of the United States; and

"(2) not later than 30 days after such termination, the head of the agency that employed the affected employee notifies the congressional intelligence committees of the termination."

[For definition of "congressional intelligence committees" as used in section 604 of Pub. L. 113–126, set out above, see section 2 of Pub. L. 113–126, set out as a note under section 3003 of this title.]

¹ See References in Text note below.

² So in original. The period probably should be a semicolon.

§3235. Semiannual reports on investigations of unauthorized disclosures of classified information

(a) Definitions

In this section:

(1) Covered official

The term "covered official" means—

(A) the heads of each element of the intelligence community; and

(B) the inspectors general with oversight responsibility for an element of the intelligence community.

(2) Investigation

The term "investigation" means any inquiry, whether formal or informal, into the existence of an unauthorized public disclosure of classified information.

(3) Unauthorized disclosure of classified information

The term "unauthorized disclosure of classified information" means any unauthorized disclosure of classified information to any recipient.

(4) Unauthorized public disclosure of classified information

The term "unauthorized public disclosure of classified information" means the unauthorized disclosure of classified information to a journalist or media organization.

(b) Intelligence community reporting

(1) In general

Not less frequently than once every 6 months, each covered official shall submit to the congressional intelligence committees a report on investigations of unauthorized public disclosures of classified information.

(2) Elements

Each report submitted under paragraph (1) shall include, with respect to the preceding 6-month period, the following:

(A) The number of investigations opened by the covered official regarding an unauthorized public disclosure of classified information.

(B) The number of investigations completed by the covered official regarding an unauthorized public disclosure of classified information.

(C) Of the number of such completed investigations identified under subparagraph (B), the number referred to the Attorney General for criminal investigation.

(c) Department of Justice reporting

(1) In general

Not less frequently than once every 6 months, the Assistant Attorney General for National Security of the Department of Justice, in consultation with the Director of the Federal Bureau of Investigation, shall submit to the congressional intelligence committees, the Committee on the Judiciary of the Senate, and the Committee on the Judiciary of the House of Representatives a report on the status of each referral made to the Department of Justice from any element of the intelligence community regarding an unauthorized disclosure of classified information made during the most recent 365-day period or any referral that has not yet been closed, regardless of the date the referral was made.

(2) Contents

Each report submitted under paragraph (1) shall include, for each referral covered by the report, at a minimum, the following:

(A) The date the referral was received.

(B) A statement indicating whether the alleged unauthorized disclosure described in the referral was substantiated by the Department of Justice.

(C) A statement indicating the highest level of classification of the information that was revealed in the unauthorized disclosure.

(D) A statement indicating whether an open criminal investigation related to the referral is active.

(E) A statement indicating whether any criminal charges have been filed related to the referral.

(F) A statement indicating whether the Department of Justice has been able to attribute the unauthorized disclosure to a particular entity or individual.

(d) Form of reports

Each report submitted under this section shall be submitted in unclassified form, but may have a classified annex.

(July 26, 1947, ch. 343, title XI, §1105, as added Pub. L. 116–92, div. E, title LXVII, §6718(a), Dec. 20, 2019, 133 Stat. 2228.)

§3235a. Notice and damage assessment with respect to significant unauthorized disclosure or compromise of classified national intelligence

(a) Notification and damage assessment requirements

(1) Requirements

If the Director of National Intelligence becomes aware of an actual or potential significant unauthorized disclosure or compromise of classified national intelligence—

(A) as soon as practicable, but not later than 7 days after the date on which the Director becomes so aware, the Director shall notify the congressional intelligence committees of such actual or potential disclosure or compromise; and

(B) in the case of an actual disclosure or compromise, not later than 7 days after the date on which the Director becomes so aware, the Director or the head of any element of the intelligence community from which the significant unauthorized disclosure or compromise originated shall initiate a damage assessment consistent with the procedures set forth in Intelligence Community Directive 732 (relating to the conduct of damage assessments), or successor directive, with respect to such disclosure or compromise.

(2) Contents of notification

A notification submitted to the congressional intelligence committees under paragraph (1)(A) with respect to an actual or potential significant unauthorized disclosure or compromise of classified national intelligence shall include—

(A) a summary of the facts and circumstances of such disclosure or compromise;

(B) a summary of the contents of the national intelligence revealed or potentially revealed, as the case may be, by such disclosure or compromise;

(C) an initial appraisal of the level of actual or potential damage, as the case may be, to the national security of the United States as a result of such disclosure or compromise; and

(D) in the case of an actual disclosure or compromise, which elements of the intelligence community will be involved in the damage assessment conducted with respect to such disclosure or compromise pursuant to paragraph (1)(B).

(b) Damage assessment reporting requirements

(1) Recurring reporting requirement

Not later than 30 days after the date of the initiation of a damage assessment pursuant to subsection (a)(1)(B), and every 90 days thereafter until the completion of the damage assessment or upon the request of the congressional intelligence committees, the Director of National Intelligence shall—

(A) submit to the congressional intelligence committees copies of any documents or materials disclosed as a result of the significant unauthorized disclosure or compromise of the classified national intelligence that is the subject of the damage assessment; and

(B) provide to the congressional intelligence committees a briefing on such documents and materials and a status of the damage assessment.

(2) Final damage assessment

As soon as practicable after completing a damage assessment pursuant to subsection (a)(1)(B), the Director of National Intelligence shall submit the final damage assessment to the congressional intelligence committees.

(c) Notification of referral to Department of Justice

If a referral is made to the Department of Justice from any element of the intelligence community regarding a significant unauthorized disclosure or compromise of classified national intelligence under this section, the Director of National Intelligence shall notify the congressional intelligence committees of the referral on the date such referral is made.

(July 26, 1947, ch. 343, title XI, §1105A, as added Pub. L. 118–31, div. G, title III, §7315, Dec. 22, 2023, 137 Stat. 1031.)

§3236. Inspector General external review panel

(a) Request for review

An individual with a claim described in subsection (b) may submit to the Inspector General of the Intelligence Community a request for a review of such claim by an external review panel convened under subsection (c).

(b) Claims and individuals described

A claim described in this subsection is any—

(1) claim by an individual—

(A) that the individual has been subjected to a personnel action that is prohibited under section 3234 of this title; and

(B) who has exhausted the applicable review process for the claim pursuant to enforcement of such section; or

(2) claim by an individual—

(A) that he or she has been subjected to a reprisal prohibited by paragraph (1) of section 3341(j) of this title; and

(B) who received a decision on an appeal regarding that claim under paragraph (4) of such section.

(c) External review panel convened

(1) Discretion to convene

Upon receipt of a request under subsection (a) regarding a claim, the Inspector General of the Intelligence Community may, at the discretion of the Inspector General, convene an external review panel under this subsection to review the claim.

(2) Membership

(A) Composition

An external review panel convened under this subsection shall be composed of three members as follows:

(i) The Inspector General of the Intelligence Community.

(ii) Except as provided in subparagraph (B), two members selected by the Inspector General as the Inspector General considers appropriate on a case-by-case basis from among inspectors general of the following:

(I) The Department of Defense.

(II) The Department of Energy.

(III) The Department of Homeland Security.

(IV) The Department of Justice.

(V) The Department of State.

(VI) The Department of the Treasury.

(VII) The Central Intelligence Agency.

(VIII) The Defense Intelligence Agency.

(IX) The National Geospatial-Intelligence Agency.

(X) The National Reconnaissance Office.

(XI) The National Security Agency.

(B) Limitation

An inspector general of an agency may not be selected to sit on the panel under subparagraph (A)(ii) to review any matter relating to a decision made by such agency.

(C) Chairperson

(i) In general

Except as provided in clause (ii), the chairperson of any panel convened under this subsection shall be the Inspector General of the Intelligence Community.

(ii) Conflicts of interest

If the Inspector General of the Intelligence Community finds cause to recuse himself or herself from a panel convened under this subsection, the Inspector General of the Intelligence Community shall—

(I) select a chairperson from inspectors general of the elements listed under subparagraph (A)(ii) whom the Inspector General of the Intelligence Community considers appropriate; and

(II) notify the congressional intelligence committees of such selection.

(3) Period of review

Each external review panel convened under this subsection to review a claim shall complete review of the claim no later than 270 days after the date on which the Inspector General convenes the external review panel.

(d) Remedies

(1) Panel recommendations

If an external review panel convened under subsection (c) determines, pursuant to a review of a claim submitted by an individual under subsection (a), that the individual was the subject of a personnel action prohibited under section 3234 of this title or was subjected to a reprisal prohibited by section 3341(j)(1) of this title, the panel may recommend that the agency head take corrective action—

(A) in the case of an employee or former employee—

(i) to return the employee or former employee, as nearly as practicable and reasonable, to the position such employee or former employee would have held had the reprisal not occurred; or

(ii) reconsider the employee's or former employee's eligibility for access to classified information consistent with national security; or

(B) in any other case, such other action as the external review panel considers appropriate.

(2) Agency action

(A) In general

Not later than 90 days after the date on which the head of an agency receives a recommendation from an external review panel under paragraph (1), the head shall—

(i) give full consideration to such recommendation; and

(ii) inform the panel and the Director of National Intelligence of what action the head has taken with respect to the recommendation.

(B) Failure to inform

The Director shall notify the President of any failures to comply with subparagraph (A)(ii).

(e) Annual reports

(1) In general

Not less frequently than once each year, the Inspector General of the Intelligence Community shall submit to the congressional intelligence committees and the Director of National Intelligence a report on the activities under this section during the previous year.

(2) Contents

Subject to such limitations as the Inspector General of the Intelligence Community considers necessary to protect the privacy of an individual who has made a claim described in subsection (b), each report submitted under paragraph (1) shall include, for the period covered by the report, the following:

(A) The determinations and recommendations made by the external review panels convened under this section.

(B) The responses of the heads of agencies that received recommendations from the external review panels.

(July 26, 1947, ch. 343, title XI, §1106, as added Pub. L. 116–92, div. E, title LIII, §5332(a)(1), Dec. 20, 2019, 133 Stat. 2137.)

§3237. Annual reports on influence operations and campaigns in the United States by the Chinese Communist Party

(a) Requirement

On an annual basis, consistent with the protection of intelligence sources and methods, the Director of the National Counterintelligence and Security Center shall submit to the congressional intelligence committees, the Committee on Foreign Affairs of the House of Representatives, and the Committee on Foreign Relations of the Senate a report on the influence operations and campaigns in the United States conducted by the Chinese Communist Party.

(b) Contents

Each report under subsection (a) shall include the following:

(1) A description of the organization of the United Front Work Department of the People's Republic of China, or the successors of the United Front Work Department, and the links between the United Front Work Department and the Central Committee of the Chinese Communist Party.

(2) An assessment of the degree to which organizations that are associated with or receive funding from the United Front Work Department, particularly such entities operating in the United States, are formally tasked by the Chinese Communist Party or the Government of China.

(3) A description of the efforts by the United Front Work Department and subsidiary organizations of the United Front Work Department to target, coerce, and influence foreign populations, particularly those of ethnic Chinese descent.

(4) An assessment of attempts by the Chinese Embassy, consulates, and organizations affiliated with the Chinese Communist Party (including, at a minimum, the United Front Work Department) to influence the United States-based Chinese Student Scholar Associations.

(5) A description of the evolution of the role of the United Front Work Department under the leadership of the President of China.

(6) An assessment of the activities of the United Front Work Department designed to influence the opinions of elected leaders of the United States, or candidates for elections in the United States, with respect to issues of importance to the Chinese Communist Party.

(7) A listing of all known organizations affiliated with the United Front Work Department that are operating in the United States as of the date of the report.

(8) An identification of influence activities and operations employed by the Chinese Communist Party against the United States science and technology sectors, specifically employees of the United States Government, researchers, scientists, and students in the science and technology sector in the United States.

(9) A listing of all known Chinese talent recruitment programs operating in the United States as of the date of the report.

(10) With respect to reports submitted after the first report, an assessment of the change in goals, tactics, techniques, and procedures of the influence operations and campaigns conducted by the Chinese Communist Party.

(c) Coordination

In carrying out subsection (a), the Director shall coordinate with the Director of the Federal Bureau of Investigation, the Director of the Central Intelligence Agency, the Director of the National Security Agency, and any other relevant head of an element of the intelligence community.

(d) Form

Each report submitted under subsection (a) shall be submitted in unclassified form, but may include a classified annex.

(July 26, 1947, ch. 343, title XI, §1107, as added Pub. L. 116–92, div. E, title LV, §5511(a), Dec. 20, 2019, 133 Stat. 2146; amended Pub. L. 116–260, div. W, title VI, §605(a), (d)(1), Dec. 27, 2020, 134 Stat. 2386, 2387; Pub. L. 117–103, div. X, title VII, §701, Mar. 15, 2022, 136 Stat. 999.)

Editorial Notes

Amendments

2022—Subsec. (b)(9), (10). Pub. L. 117–103 added par. (9) and redesignated former par. (9) as (10).

2020—Pub. L. 116–260, §605(d)(1)(A), substituted "Chinese Communist Party" for "Communist Party of China" in section catchline.

Subsecs. (a), (b)(1). Pub. L. 116–260, §605(d)(1)(B), substituted "Chinese Communist Party" for "Communist Party of China".

Subsec. (b)(8), (9). Pub. L. 116–260, §605(a), added par. (8) and redesignated former par. (8) as (9).

Statutory Notes and Related Subsidiaries

Initial Report

Pub. L. 116–92, div. E, title LV, §5511(c), Dec. 20, 2019, 133 Stat. 2147, provided that: "The Director of the National Counterintelligence and Security Center shall submit to the congressional intelligence committees [Select Committee on Intelligence and Committee on Appropriations of the Senate and Permanent Select Committee on Intelligence and Committee on Appropriations of the House of Representatives], the Committee on Foreign Affairs of the House of Representatives, and the Committee on Foreign Relations of the Senate the first report under section 1107 of the National Security Act of 1947 [50 U.S.C. 3237], as added by subsection (a), by not later than 180 days after the date of the enactment of this Act [Dec. 20, 2019]."

§3237a. Repealed. Pub. L. 117–263, div. F, title LXVIII, §6811(a), Dec. 23, 2022, 136 Stat. 3600

Section, act July 26, 1947, ch. 343, title XI, §1107A, as added Pub. L. 116–260, div. W, title VI, §611(b), Dec. 27, 2020, 134 Stat. 2393, related to annual reports on security services of the People's Republic of China in the Hong Kong Special Administrative Region.

§3238. Annual reports on influence operations and campaigns in the United States by the Russian Federation

(a) Requirement

On an annual basis, the Director of the National Counterintelligence and Security Center shall submit to the congressional intelligence committees a report on the influence operations and campaigns in the United States conducted by the Russian Federation.

(b) Contents

Each report under subsection (a) shall include the following:

(1) A description and listing of the Russian organizations and persons involved in influence operations and campaigns operating in the United States as of the date of the report.

(2) An assessment of organizations that are associated with or receive funding from organizations and persons identified in paragraph (1), particularly such entities operating in the United States.

(3) A description of the efforts by the organizations and persons identified in paragraph (1) to target, coerce, and influence populations within the United States.

(4) An assessment of the activities of the organizations and persons identified in paragraph (1) designed to influence the opinions of elected leaders of the United States or candidates for election in the United States.

(5) With respect to reports submitted after the first report, an assessment of the change in goals, tactics, techniques, and procedures of the influence operations and campaigns conducted by the organizations and persons identified in paragraph (1).

(c) Coordination

In carrying out subsection (a), the Director shall coordinate with the Director of the Federal Bureau of Investigation, the Director of the Central Intelligence Agency, the Director of the National Security Agency, and any other relevant head of an element of the intelligence community.

(d) Form

Each report submitted under subsection (a) shall be submitted in unclassified form, but may include a classified annex.

(July 26, 1947, ch. 343, title XI, §1108, as added Pub. L. 116–92, div. E, title LV, §5501(a), Dec. 20, 2019, 133 Stat. 2143.)

Statutory Notes and Related Subsidiaries

Initial Report

Pub. L. 116–92, div. E, title LV, §5501(c), Dec. 20, 2019, 133 Stat. 2144, provided that: "The Director of the National Counterintelligence and Security Center shall submit to the congressional intelligence committees the first report under section 1108 of the National Security Act of 1947 [50 U.S.C. 3238], as added by subsection (a), by not later than 180 days after the date of the enactment of this Act [Dec. 20, 2019]."

[For definition of "congressional intelligence committees" as used in section 5501(c) of Pub. L. 116–92, set out above, see section 5003 of div. E of Pub. L. 116–92, set out as a note under section 3003 of this title.]

§3239. Requirement to buy certain satellite component from American sources

(a) Definitions

In this section:

(1) Covered element of the intelligence community

The term "covered element of the intelligence community" means an element of the intelligence community that is not an element of the Department of Defense.

(2) National security satellite

The term "national security satellite" means a satellite weighing over 400 pounds whose principle purpose is to support the national security or intelligence needs of the United States Government.

(3) United States

The term "United States" means the several States, the District of Columbia, and the territories and possessions of the United States.

(b) Requirement

Beginning January 1, 2021, except as provided in subsection (c), a covered element of the intelligence community may not award a contract for a national security satellite if the satellite uses a star tracker that is not produced in the United States, including with respect to both the software and the hardware of the star tracker.

(c) Exception

The head of a covered element of the intelligence community may waive the requirement under subsection (b) if, on a case-by-case basis, the head certifies in writing to the congressional intelligence committees that—

(1) there is no available star tracker produced in the United States that meets the mission and design requirements of the national security satellite for which the star tracker will be used;

(2) the cost of a star tracker produced in the United States is unreasonable, based on a market survey; or

(3) such waiver is necessary for the national security interests of the United States based on an urgent and compelling need.

(July 26, 1947, ch. 343, title XI, §1109, as added Pub. L. 116–260, div. W, title III, §308(a), Dec. 27, 2020, 134 Stat. 2368.)

§3240. Report on best practices to protect privacy, civil liberties, and civil rights of Chinese Americans

(a) Sense of Congress

It is the sense of Congress that—

(1) the People's Republic of China appears to be specifically targeting the Chinese-American community for intelligence purposes;

(2) such targeting carries a substantial risk that the loyalty of such Americans may be generally questioned and lead to unacceptable stereotyping, targeting, and racial profiling;

(3) the United States Government has a duty to warn and protect all Americans including those of Chinese descent from these intelligence efforts by the People's Republic of China;

(4) the broad stereotyping, targeting, and racial profiling of Americans of Chinese descent is contrary to the values of the United States and reinforces the flawed narrative perpetuated by the People's Republic of China that ethnically Chinese individuals worldwide have a duty to support the People's Republic of China; and

(5) the United States efforts to combat the People's Republic of China's intelligence activities should actively safeguard and promote the constitutional rights of all Chinese Americans.

(b) Report

On an annual basis, the Director of National Intelligence, acting through the Office of Civil Liberties, Privacy, and Transparency, in coordination with the civil liberties and privacy officers of the elements of the intelligence community, shall submit a report to the congressional intelligence committees containing—

(1) a review of how the policies, procedures, and practices of the intelligence community that govern the intelligence activities and operations targeting the People's Republic of China affect policies, procedures, and practices relating to the privacy, civil liberties, and civil rights of Americans of Chinese descent who may be targets of espionage and influence operations by China; and

(2) recommendations to ensure that the privacy, civil liberties, and civil rights of Americans of Chinese descent are sufficiently protected.

(c) Form

The report under subsection (b) shall be submitted in unclassified form, but may include a classified annex.

(July 26, 1947, ch. 343, title XI, §1110, formerly Pub. L. 116–92, div. E, title LVII, §5712, Dec. 20, 2019, 133 Stat. 2171; renumbered §1110 of act July 26, 1947, and amended Pub. L. 116–260, div. W, title VI, §620(a), Dec. 27, 2020, 134 Stat. 2401.)

Editorial Notes

Amendments

2020—Pub. L. 116–260, §620(a)(4)(A), substituted ", civil liberties, and civil rights" for "and civil liberties" in section catchline.

Subsec. (b). Pub. L. 116–260, §620(a)(4)(B), substituted "On an annual basis," for "Not later than 180 days after the date of the enactment of this Act," in introductory provisions and ", civil liberties, and civil rights" for "and civil liberties" in pars. (1) and (2).

§3241. Biennial reports on foreign biological threats

(a) Reports

On a biennial basis until the date that is 10 years after March 15, 2022, the Director of National Intelligence shall submit to the congressional intelligence committees a comprehensive report on the activities, prioritization, and responsibilities of the intelligence community with respect to foreign biological threats emanating from the territory of, or sponsored by, a covered country.

(b) Matters included

Each report under subsection (a) shall include, with respect to foreign biological threats emanating from the territory of, or sponsored by, a covered country, the following:

(1) A detailed description of all activities relating to such threats undertaken by each element of the intelligence community, and an assessment of any gaps in such activities.

(2) A detailed description of all duties and responsibilities relating to such threats explicitly authorized or otherwise assigned, exclusively or jointly, to each element of the intelligence community, and an assessment of any identified gaps in such duties or responsibilities.

(3) A description of the coordination among the relevant elements of the intelligence community with respect to the activities specified in paragraph (1) and the duties and responsibilities specified in paragraph (2).

(4) An inventory of the strategies, plans, policies, and interagency agreements of the intelligence community relating to the collection, monitoring, analysis, mitigation, and attribution of such threats, and an assessment of any identified gaps therein.

(5) A description of the coordination and interactions among the relevant elements of the intelligence community and non-intelligence community partners.

(6) An assessment of foreign malign influence efforts relating to such threats, including any foreign academics engaged in such efforts, and a description of how the intelligence community contributes to efforts by non-intelligence community partners to counter such foreign malign influence.

(c) Form

Each report submitted under subsection (a) may be submitted in classified form, but if so submitted shall include an unclassified executive summary.

(d) Definitions

In this section:

(1) Covered country

The term "covered country" means—

(A) China;

(B) Iran;

(C) North Korea;

(D) Russia; and

(E) any other foreign country—

(i) from which the Director of National Intelligence determines a biological threat emanates; or

(ii) that the Director determines has a known history of, or has been assessed as having conditions present for, infectious disease outbreaks or epidemics.

(2) Foreign biological threat

The term "foreign biological threat" means biological warfare, bioterrorism, naturally occurring infectious diseases, or accidental exposures to biological materials, without regard to whether the threat originates from a state actor, a non-state actor, natural conditions, or an undetermined source.

(3) Foreign malign influence

The term "foreign malign influence" has the meaning given such term in section 3059(e) ¹ of this title.

(4) Non-intelligence community partner

The term "non-intelligence community partner" means a Federal department or agency that is not an element of the intelligence community.

(July 26, 1947, ch. 343, title XI, §1111, as added Pub. L. 117–103, div. X, title VIII, §821(a), Mar. 15, 2022, 136 Stat. 1019.)

Editorial Notes

References in Text

Section 3059(e) of this title, referred to in subsec. (d)(3), was redesignated as section 3059(f) of this title by Pub. L. 117–263, div. F, title LXIII, §6307(b)(1), Dec. 23, 2022, 136 Stat. 3505.

Statutory Notes and Related Subsidiaries

First Report

Pub. L. 117–103, div. X, title VIII, §821(b), Mar. 15, 2022, 136 Stat. 1020, provided that: "Not later than 120 days after the date of the enactment of this Act [Mar. 15, 2022], the Director of National Intelligence shall submit to the congressional intelligence committees the first report required under section 1111 of the National Security Act of 1947 [50 U.S.C. 3241], as added by subsection (a)."

[For definition of "congressional intelligence committees" as used in section 821(b) of div. X of Pub. L. 117–103, set out above, see section 2 of div. X of Pub. L. 117–103, set out as a note under section 3003 of this title.]

¹ See References in Text note below.

§3242. Annual reports on certain cyber vulnerabilities procured by intelligence community and foreign commercial providers of cyber vulnerabilities

(a) Annual reports

On an annual basis through 2026, the Director of the Central Intelligence Agency and the Director of the National Security Agency, in coordination with the Director of National Intelligence, shall jointly submit to the congressional intelligence committees a report containing information on foreign commercial providers and the cyber vulnerabilities procured by the intelligence community through foreign commercial providers.

(b) Elements

Each report under subsection (a) shall include, with respect to the period covered by the report, the following:

(1) A description of each cyber vulnerability procured through a foreign commercial provider, including—

(A) a description of the vulnerability;

(B) the date of the procurement;

(C) whether the procurement consisted of only that vulnerability or included other vulnerabilities;

(D) the cost of the procurement;

(E) the identity of the commercial provider and, if the commercial provider was not the original supplier of the vulnerability, a description of the original supplier;

(F) the country of origin of the vulnerability; and

(G) an assessment of the ability of the intelligence community to use the vulnerability, including whether such use will be operational or for research and development, and the approximate timeline for such use.

(2) An assessment of foreign commercial providers that—

(A) pose a significant threat to the national security of the United States; or

(B) have provided cyber vulnerabilities to any foreign government that—

(i) has used the cyber vulnerabilities to target United States persons, the United States Government, journalists, or dissidents; or

(ii) has an established pattern or practice of violating human rights or suppressing dissent.

(3) An assessment of whether the intelligence community has conducted business with the foreign commercial providers identified under paragraph (2) during the 5-year period preceding the date of the report.

(c) Form

Each report under subsection (a) may be submitted in classified form.

(d) Definitions

In this section:

(1) Commercial provider

The term "commercial provider" means any person that sells, or acts as a broker, for a cyber vulnerability.

(2) Cyber vulnerability

The term "cyber vulnerability" means any tool, exploit, vulnerability, or code that is intended to compromise a device, network, or system, including such a tool, exploit, vulnerability, or code procured by the intelligence community for purposes of research and development.

(July 26, 1947, ch. 343, title XI, §1112, as added Pub. L. 117–103, div. X, title VIII, §822(a), Mar. 15, 2022, 136 Stat. 1020.)

Statutory Notes and Related Subsidiaries

First Report

Pub. L. 117–103, div. X, title VIII, §822(b), Mar. 15, 2022, 136 Stat. 1021, provided that: "Not later than 90 days after the date of the enactment of this Act [Mar. 15, 2022], the Director of the Central Intelligence Agency and the Director of the National Security Agency shall jointly submit the first report required under section 1112 of the National Security Act of 1947 [50 U.S.C. 3242], as added by subsection (a)."

§3243. Periodic reports on technology strategy of intelligence community

(a) Reports

On a basis that is not less frequent than once every 4 years, the Director of National Intelligence, in coordination with the Director of the Office of Science and Technology Policy, the Secretary of Commerce, and the heads of such other agencies as the Director considers appropriate, shall submit to the congressional intelligence committees a comprehensive report on the technology strategy of the intelligence community, which shall be designed to support the maintenance of the leadership of the United States in critical and emerging technologies essential to the national security of the United States.

(b) Elements

Each report submitted under subsection (a) shall include the following:

(1) An assessment of technologies critical to the national security of the United States, particularly those technologies with respect to which foreign countries that are adversarial to the United States have or are poised to match or surpass the technology leadership of the United States.

(2) A review of current technology policies of the intelligence community, including long-term goals.

(3) An identification of sectors and supply chains the Director determines to be of the greatest strategic importance to national security.

(4) An identification of opportunities to protect the leadership of the United States, and the allies and partners of the United States, in critical technologies, including through targeted export controls, investment screening, and counterintelligence activities.

(5) An identification of research and development areas the Director determines critical to the national security of the United States, including areas in which the private sector does not focus.

(6) Recommendations for growing talent in key critical and emerging technologies and enhancing the ability of the intelligence community to recruit and retain individuals with critical skills relating to such technologies.

(7) An identification of opportunities to improve the leadership of the United States in critical technologies, including opportunities to develop international partnerships to reinforce domestic policy actions, develop new markets, engage in collaborative research, and maintain an international environment that reflects the values of the United States and protects the interests of the United States.

(8) A technology annex to establish an approach for the identification, prioritization, development, and fielding of emerging technologies critical to the mission of the intelligence community.

(9) Such other information as the Director determines may be necessary to inform Congress on matters relating to the technology strategy of the intelligence community and related implications for the national security of the United States.

(c) Form of annex

Each annex submitted under subsection (b)(8) may be submitted in classified form.

(July 26, 1947, ch. 343, title XI, §1113, as added Pub. L. 117–103, div. X, title VIII, §823(a), Mar. 15, 2022, 136 Stat. 1021.)

Statutory Notes and Related Subsidiaries

First Report

Pub. L. 117–103, div. X, title VIII, §823(b), Mar. 15, 2022, 136 Stat. 1022, provided that: "Not later than 1 year after the date of the enactment of this Act [Mar. 15, 2022], the Director of National Intelligence shall submit to the congressional intelligence committees the first report required under section 1113 of the National Security Act of 1947 [50 U.S.C. 3243], as added by subsection (a)."

[For definition of "congressional intelligence committees" as used in section 823(b) of div. X of Pub. L. 117–103, set out above, see section 2 of div. X of Pub. L. 117–103, set out as a note under section 3003 of this title.]

§3244. Annual report on reporting requirements

(a) Annual report required

Not later than March 1 of each fiscal year, the Director of National Intelligence shall submit to the congressional intelligence committees, the Committee on Appropriations of the Senate, and the Committee on Appropriations of the House of Representatives a report detailing all congressionally mandated reporting requirements applicable to Office ¹ of the Director of National Intelligence for the upcoming fiscal year.

(b) Contents

Each report submitted pursuant to subsection (a) shall include, for the fiscal year covered by the report and for each congressionally mandated reporting requirement detailed in the report:

(1) A description of the reporting requirement.

(2) A citation to the provision of law (or other source of congressional directive) imposing the reporting requirement.

(3) Whether the reporting requirement is recurring, conditional, or subject to a termination provision.

(4) Whether the Director recommends repealing or modifying the requirement.

(c) Form

Each report submitted pursuant to subsection (a) may be submitted in classified form.

(July 26, 1947, ch. 343, title XI, §1114, as added Pub. L. 118–31, div. G, title III, §7314(a), Dec. 22, 2023, 137 Stat. 1031.)

¹ So in original. Probably should be preceded by "the".