CHAPTER 19 —CYBER AND INFORMATION OPERATIONS MATTERS
Editorial Notes
Amendments
2023—
2022—
2019—
2018—
2015—
2014—
Statutory Notes and Related Subsidiaries
Alignment of Department of Defense Cyber International Strategy With National Defense Strategy and Department of Defense Cyber Strategy
"(a)
"(1) the national defense strategy published in 2022 pursuant to
"(2) the Cyber Strategy of the Department published during fiscal year 2023; and
"(3) the current International Cyberspace Security Cooperation Guidance of the Department, as of the date of the enactment of this Act.
"(b)
"(1) Efforts to build the internal capacity of the Department to support international strategy policy engagements with allies and partners of the United States.
"(2) Efforts to coordinate and align cyberspace operations with foreign partners of the United States, including alignment between hunt-forward missions and other cyber international strategy activities conducted by the Department, including identification of processes, working groups, and methods to facilitate coordination between geographic combatant commands and the United States Cyber Command.
"(3) Efforts to deliberately cultivate operational and intelligence-sharing partnerships with key allies and partners of the United States to advance the cyberspace operations objectives of the Department.
"(4) Efforts to identify key allied and partner networks, infrastructure, and systems that the Joint Force will rely upon for warfighting and to—
"(A) support the cybersecurity and cyber defense of those networks, infrastructure, and systems;
"(B) build partner capacity to actively defend those networks, infrastructure, and systems;
"(C) eradicate malicious cyber activity that has compromised those networks, infrastructure, and systems, such as when identified through hunt-forward operations; and
"(D) leverage the commercial and military cybersecurity technology and services of the United States to harden and defend those networks, infrastructure, and systems.
"(5) Efforts to secure the environments and networks of mission partners of the United States used to hold intelligence and information originated by the United States.
"(6) Prioritization schemas, funding requirements, and efficacy metrics to drive cyberspace security investments in the tools, technologies, and capacity-building efforts that will have the greatest positive impact on the resilience and ability of the Department to execute its operational plans and achieve integrated deterrence.
"(c)
"(d)
"(1)
"(2)
"(A) An overview of efforts undertaken pursuant to this section.
"(B) An accounting of all the security cooperation activities of the Department germane to cyberspace and changes made pursuant to implementation of this section.
"(C) A detailed schedule with target milestones and required expenditures for all planned activities related to the efforts described in subsection (b).
"(D) Interim and final metrics for building the cyberspace security cooperation enterprise of the Department.
"(E) Identification of such additional funding, authorities, and policies, as the Under Secretary determines may be required.
"(F) Such recommendations as the Under Secretary may have for legislative action to improve the effectiveness of cyberspace security cooperation of the Department with foreign partners and allies.
"(e)
Enhancement of Cyberspace Training and Security Cooperation
"(a)
"(1)
"(2)
"(A) by not later than one year after the date of the enactment of this Act [Dec. 23, 2022] with respect to the Joint Military Attaché School; and
"(B) by not later than September 30, 2025, with respect to the Defense Security Cooperation University.
"(3)
"(A) is tailored to the trainees' anticipated embassy role and functions; and
"(B) provides familiarity with—
"(i) the different purposes of cyberspace engagements with partners and allies of the United States, including threat awareness, cybersecurity, mission assurance, and operations;
"(ii) the types of cyberspace security cooperation programs and activities available for partners and allies of the United States, including bilateral and multilateral cyberspace engagements, information and intelligence sharing, training, and exercises;
"(iii) the United States Cyber Command cyberspace operations with partners, including an overview of the Hunt Forward mission and process;
"(iv) the roles and responsibilities of the United States Cyber Command, the geographic combatant commands, and the Defense Security Cooperation Agency for cybersecurity cooperation within the Department of Defense; and
"(v) such other matters as the Under Secretaries, in coordination with the Commander of United States Cyber Command, consider appropriate.
"(4)
"(b)
"(1) Sufficiency of the training provided in the Defense Security Cooperation University and the Joint Military Attaché School.
"(2) Additional training requirements, familiarization requirements, or both such requirements necessary for officers assigned to particular locations or positions.
"(3) Areas for increased cooperation.
"(4) A plan for completing the activities required by subsection (a).
"(5) Additional resources required to complete such activities.
"(c)
§391. Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors
(a)
(b)
(c)
(1)
(A) designating operationally critical contractors; and
(B) notifying a contractor that it has been designated as an operationally critical contractor.
(2)
(A) An assessment by the contractor of the effect of the cyber incident on the ability of the contractor to meet the contractual requirements of the Department.
(B) The technique or method used in such cyber incident.
(C) A sample of any malicious software, if discovered and isolated by the contractor, involved in such cyber incident.
(D) A summary of information compromised by such cyber incident.
(3)
(A) include mechanisms for Department personnel to, if requested, assist operationally critical contractors in detecting and mitigating penetrations; and
(B) provide that an operationally critical contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated.
(4)
(5)
(A) with missions that may be affected by such information;
(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(C) that conduct counterintelligence or law enforcement investigations; or
(D) for national security purposes, including cyber situational awareness and defense purposes.
(d)
(2)(A) Nothing in this section shall be construed—
(i) to require dismissal of a cause of action against an operationally critical contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (b); or
(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each operationally critical contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.
(C) In this subsection, the term "willful misconduct" means an act or omission that is taken—
(i) intentionally to achieve a wrongful purpose;
(ii) knowingly without legal or factual justification; and
(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.
(e)
(1)
(2)
(Added
Editorial Notes
Amendments
2021—Subsec. (d)(1).
2015—Subsec. (a).
Subsecs. (d), (e).
Statutory Notes and Related Subsidiaries
Senior Military Advisor for Cyber Policy and Deputy Principal Cyber Advisor
Cyber Governance Structures and Principal Cyber Advisors on Military Cyber Force Matters
Consortia of Universities To Advise Secretary of Defense on Cybersecurity Matters
"(a)
"(1) To provide the Secretary a formal mechanism to communicate with consortium members regarding the Department of Defense's cybersecurity strategic plans, cybersecurity requirements, and priorities for basic and applied cybersecurity research.
"(2) To advise the Secretary on the needs of academic institutions related to cybersecurity and research conducted on behalf of the Department and provide feedback to the Secretary from members of the consortium or consortia.
"(3) To serve as a focal point or focal points for the Secretary and the Department for the academic community on matters related to cybersecurity, cybersecurity research, conceptual and academic developments in cybersecurity, and opportunities for closer collaboration between academia and the Department.
"(4) To provide to the Secretary access to the expertise of the institutions of the consortium or consortia on matters relating to cybersecurity.
"(5) To align the efforts of such members in support of the Department.
"(b)
"(c)
"(1)
"(2)
"(A) act as the leader of the consortium;
"(B) be the liaison between the consortium and the Secretary;
"(C) distribute requests from the Secretary for advice and assistance to appropriate members of the consortium and coordinate responses back to the Secretary; and
"(D) act as a clearinghouse for Department of Defense requests relating to assistance on matters relating to cybersecurity and to provide feedback to the Secretary from members of the consortium.
"(3)
"(d)
"(e)
"(f)
"(1)
"(2)
"(A)
"(i) have been designated as centers of academic excellence by the Director of the National Security Agency or the Secretary of Homeland Security; and
"(ii) are eligible for access to classified information.
"(B)
"(3)
"(A) To promote the consortium established under subsection (a).
"(B) To distribute on behalf of the Department requests for information or assistance to members of the consortium.
"(C) To collect and assemble responses from requests distributed under subparagraph (B).
"(D) To provide additional administrative support for the consortium.
"(g)
Issuance of Procedures
Assessment of Department Policies
"(1)
"(A) requirements that were in effect on the day before the date of the enactment of this Act for contractors to share information with Department components regarding cyber incidents (as defined in subsection (d) [now (e)] of such section 391 [
"(B) Department policies and systems for sharing information on cyber incidents with respect to networks or information systems of Department contractors.
"(2)
"(A) designate a Department component under subsection (a) of such section 391; and
"(B) issue or revise guidance applicable to Department components that ensures the rapid sharing by the component designated pursuant to such section 391 or section 941 of the National Defense Authorization Act for Fiscal Year 2013 [
§391a. Annual reports on support by military departments for United States Cyber Command
(a)
(1) An evaluation of whether each military department is meeting the requirements established by the Commander and validated by the Office of the Secretary of Defense, and is effectively implementing the plan required by section 1534 of the National Defense Authorization Act for Fiscal Year 2023, and the requirements established pursuant to section 1533 of such Act.
(2) For each military department evaluated under paragraph (1)—
(A) a certification that the military department is meeting such requirements; or
(B) a detailed explanation regarding how the military department is not meeting such requirements.
(b)
(1) The adequacy of the policies, procedures, and execution of manning, training, and equipping personnel for employment within the Cyber Mission Force.
(2) The sufficiency and robustness of training curricula for personnel to be assigned to either the Cyber Mission Force or units within the cyberspace operations forces, and the compliance by the military department with training standards.
(3) The adequacy of the policies and procedures relating to the assignment and assignment length of members of the Army, Navy, Air Force, Marine Corps, or Space Force to the Cyber Mission Force.
(4) The efficacy of the military department in filling key work roles within the Cyber Mission Force, including the proper force mix of civilian, military, and contractor personnel, and the means necessary to meet requirements established by the Commander and validated by the Secretary of Defense.
(5) The adequacy of the investment to advance cyber-peculiar science and technology, particularly with respect to capability development for the Cyber Mission Force.
(6) The sufficiency of the policies, procedures, and investments relating to the establishment and management of military occupational specialty, designator, rating, or Air Force specialty code for personnel responsible for cyberspace operations, including an assessment of the effectiveness of the combination of policies determining availability and retention of sufficient numbers of proficient personnel in key work roles, including length of service commitment, the use of bonuses and special pays, alternative compensation mechanisms, and consecutive tours in preferred assignments.
(7) In coordination with the Principal Cyber Advisor of the Department of Defense, an evaluation of the use by the military department of the shared lexicon of the Department of Defense specific to cyberspace activities.
(8) The readiness of personnel serving in the Cyber Mission Force and the cyberspace operations forces to accomplish assigned missions.
(9) The adequacy of actions taken during the period of evaluation by the military department to respond to findings from any previous years' evaluations.
(10) Any other element determined relevant by the Commander.
(Added
Editorial Notes
References in Text
Sections 1533 and 1534 of the National Defense Authorization Act for Fiscal Year 2023, referred to in subsec. (a)(1), are sections 1533 and 1534 of
Statutory Notes and Related Subsidiaries
First Report
§391b. Strategic cybersecurity program
(a)
(2) The Secretary of Defense shall designate a principal staff assistant from within the Office of the Secretary of Defense whose office shall serve as the office of primary responsibility for the Program, and provide policy, direction, and oversight regarding the execution of the responsibilities of the program manager selected pursuant to subsection (c)(1).
(b)
(1) The Vice Chairman of the Joint Chiefs of Staff.
(2) The Commanders of the United States Cyber Command, United States European Command, United States Indo-Pacific Command, United States Northern Command, United States Strategic Command, United States Space Command, United States Transportation Command.
(3) The Under Secretary of Defense for Acquisition and Sustainment.
(4) The Under Secretary of Defense for Policy.
(5) The Chief Information Officer of the Department of Defense.
(6) The Chief Digital and Artificial Intelligence Officer of the Department of Defense.
(7) The chief information officers of the military departments.
(8) The Principal Cyber Advisor of the Department of Defense.
(9) The Principal Cyber Advisors of the military departments.
(10) Each senior official identified pursuant to subsection (i) of section 1647 of the National Defense Authorization Act for Fiscal Year 2016 (
(11) Such other officials as may be determined necessary by the Secretary of Defense.
(c)
(2) The Chief Information Officer of the Department of Defense, in exercising authority, direction, and control over the Cybersecurity Directorate of the National Security Agency, shall ensure that the program office under paragraph (1) is responsive to the requirements and direction of the program manager selected pursuant to such paragraph.
(3) The Secretary may augment the personnel assigned to the program office under paragraph (1) by assigning personnel as appropriate from among members of any covered armed force (including the reserve components thereof), civilian employees of the Department of Defense (including the Defense Intelligence Agency), and personnel of the research laboratories of the Department of Defense, who have particular expertise in the areas of responsibility referred to in subsection (d).
(d)
(A) Nuclear deterrence and strike.
(B) Select long-range conventional strike missions germane to the warfighting plans of the United States European Command and the United States Indo-Pacific Command.
(C) Offensive cyber operations.
(D) Homeland missile defense.
(2) The Vice Chairman of the Joint Chiefs of Staff shall coordinate the identification and prioritization of the missions and mission components, and the development and approval of requirements relating to the cybersecurity of the missions and mission components, of the Program.
(e)
(1) for overseeing and providing direction on any covered statutory requirement that is ongoing, recurrent (including on an annual basis), or unfulfilled, including by—
(A) reviewing any materials required to be submitted to Congress under the covered statutory requirement prior to such submission; and
(B) ensuring such submissions occur by the applicable deadline under the covered statutory requirement: 1 and
(2) recording and monitoring the remediation of identified vulnerabilities in constituent systems, infrastructure, kill chains, and processes of the missions specified in subsection (d)(1).
(f)
(1) Conducting end-to-end vulnerability assessments of the constituent systems, infrastructure, kill chains, and processes of the missions specified in subsection (d)(1).
(2) Prioritizing and facilitating the remediation of identified vulnerabilities in such constituent systems, infrastructure, kill chains, and processes.
(3) Conducting, prior to the Milestone B approval for any proposed such system or infrastructure germane to the missions of the Program, appropriate reviews of the acquisition and system engineering plans for that proposed system or infrastructure, in accordance with the policy and guidance of the Under Secretary of Defense for Acquisition and Sustainment regarding the components of such reviews and the range of systems and infrastructure to be reviewed.
(4) Advising the Secretaries of the military departments, the commanders of the combatant commands, and the Joint Staff on the vulnerabilities and cyberattack vectors that pose substantial risk to the missions of the Program and their constituent systems, critical infrastructure, kill chains, or processes.
(5) Ensuring that the Program builds upon (including through the provision of oversight and direction by the head of the office of primary responsibility for the Program pursuant to subsection (e), as applicable), and does not duplicate, other efforts of the Department of Defense relating to cybersecurity, including the following:
(A) The evaluation of cyber vulnerabilities of major weapon systems of the Department of Defense required under section 1647 of the National Defense Authorization Act for Fiscal Year 2016 (
(B) The evaluation of cyber vulnerabilities of critical infrastructure of the Department of Defense required under section 1650 of the National Defense Authorization Act for Fiscal Year 2017 (
(C) The activities of the cyber protection teams of the Department of Defense.
(g)
(1) the roles and responsibilities of the acquisition and sustainment organizations of the military departments in supporting and implementing remedial actions;
(2) the alignment of Cyber Protection Teams with the prioritized missions of the Program;
(3) the role of the Director of Operational Test and Evaluation in conducting periodic assessments, including through cyber red teams, of the cybersecurity of missions in the Program; and
(4) the role of the Principal Cyber Adviser in coordinating and monitoring the execution of the Program.
(h)
(1) the evaluation of cyber vulnerabilities of each major weapon system of the Department of Defense and related mitigation activities under section 1647 of the National Defense Authorization Act for Fiscal Year 2016 (
(2) the evaluation of cyber vulnerabilities of the critical infrastructure of the Department of Defense under section 1650 of the National Defense Authorization Act for Fiscal Year 2017 (
(3) operational technology and the mapping of mission-relevant terrain in cyberspace under section 1505 of the National Defense Authorization Act for Fiscal Year 2022 (
(4) the assessments of the vulnerabilities to and mission risks presented by radio-frequency enabled cyber attacks with respect to the operational technology embedded in weapons systems, aircraft, ships, ground vehicles, space systems, sensors, and datalink networks of the Department of Defense under section 1559 of the National Defense Authorization Act for Fiscal Year 2023; and
(5) the work of the Program in general, including information relating to staffing and accomplishments.
(i)
(2) Each display under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.
(3) For the purpose of facilitating the annual budget display requirement under paragraph (1), the Chief Information Officer of the Department of Defense shall provide to the head of the office of primary responsibility for the Program and the appropriate members of the Program under subsection (b) fiscal guidance on the programming of funds in support of the Program.
(j)
(1) The term "covered armed force" means the Army, Navy, Air Force, Marine Corps, or Space Force.
(2) The term "covered statutory requirement" means a requirement under any covered provision of law.
(3) The term "covered provision of law" means the following:
(A) Section 1647 of the National Defense Authorization Act for Fiscal Year 2016 (
(B) Section 1650 of the National Defense Authorization Act for Fiscal Year 2017 (
(C) Section 1505 of the National Defense Authorization Act for Fiscal Year 2022 (
(D) Section 1559 of the National Defense Authorization Act for Fiscal Year 2023.
(Added
Editorial Notes
References in Text
Section 1647 of the National Defense Authorization Act for Fiscal Year 2016, referred to in subsecs. (b)(10), (f)(5)(A), (h)(1), and (j)(3)(A), is section 1647 of
Section 1559 of the National Defense Authorization Act for Fiscal Year 2023, referred to in subsecs. (h)(4) and (j)(3)(D), is section 1559 of
1 So in original. The colon probably should be a semicolon.
§392. Executive agents for cyber test and training ranges
(a)
(1) designate a senior official from among the personnel of the Department of Defense to act as the executive agent for cyber and information technology test ranges; and
(2) designate a senior official from among the personnel of the Department of Defense to act as the executive agent for cyber and information technology training ranges.
(b)
(1)
(2)
(A) Developing and maintaining a comprehensive list of cyber and information technology ranges, test facilities, test beds, and other means of testing, training, and developing software, personnel, and tools for accommodating the mission of the Department. Such list shall include resources from both governmental and nongovernmental entities.
(B) Organizing and managing designated cyber and information technology test ranges, including—
(i) establishing the priorities for cyber and information technology ranges to meet Department objectives;
(ii) enforcing standards to meet requirements specified by the United States Cyber Command, the training community, and the research, development, testing, and evaluation community;
(iii) identifying and offering guidance on the opportunities for integration amongst the designated cyber and information technology ranges regarding test, training, and development functions;
(iv) finding opportunities for cost reduction, integration, and coordination improvements for the appropriate cyber and information technology ranges;
(v) adding or consolidating cyber and information technology ranges in the future to better meet the evolving needs of the cyber strategy and resource requirements of the Department;
(vi) finding opportunities to continuously enhance the quality and technical expertise of the cyber and information technology test workforce through training and personnel policies; and
(vii) coordinating with interagency and industry partners on cyber and information technology range issues.
(C) Defining a cyber range architecture that—
(i) may add or consolidate cyber and information technology ranges in the future to better meet the evolving needs of the cyber strategy and resource requirements of the Department;
(ii) coordinates with interagency and industry partners on cyber and information technology range issues;
(iii) allows for integrated closed loop testing in a secure environment of cyber and electronic warfare capabilities;
(iv) supports science and technology development, experimentation, testing and training; and
(v) provides for interconnection with other existing cyber ranges and other kinetic range facilities in a distributed manner.
(D) Certifying all cyber range investments of the Department of Defense.
(E) Performing such other assessments or analyses as the Secretary considers appropriate.
(3)
(c)
(d)
(e)
(1) The term "designated cyber and information technology range" includes the National Cyber Range, the Joint Information Operations Range, the Defense Information Assurance Range, and the C4 Assessments Division of J6 of the Joint Staff.
(2) The term "Directive 5101.1" means Department of Defense Directive 5101.1, or any successor directive relating to the responsibilities of an executive agent of the Department of Defense.
(3) The term "executive agent" has the meaning given the term "DoD Executive Agent" in Directive 5101.1.
(Added
Statutory Notes and Related Subsidiaries
Designation and Roles and Responsibilities; Selection of Standard Language
"(b)
"(1) not later than 120 days after the date of the enactment of this Act [Dec. 19, 2014], designate the executive agents required under subsection (a) of
"(2) not later than one year after the date of the enactment of this Act, prescribe the roles, responsibilities, and authorities required under subsection (b) of such section 392.
"(c)
§392a. Principal Cyber Advisors
(a)
(1)
(2)
(A) Acting as the principal advisor to the Secretary on military cyber forces and activities.
(B) Overall integration of Cyber Operations Forces activities relating to cyberspace operations, including associated policy and operational considerations, resources, personnel, technology development and transition, and acquisition.
(C) Assessing and overseeing the implementation of the cyber strategy of the Department and execution of the cyber posture review of the Department on behalf of the Secretary.
(D) Coordinating activities pursuant to subparagraphs (A) and (B) of paragraph (3) with the Principal Information Operations Advisor, the Chief Information Officer of the Department, and other officials as determined by the Secretary of Defense, to ensure the integration of activities in support of cyber, information, and electromagnetic spectrum operations.
(E) Such other matters relating to the offensive military cyber forces of the Department as the Secretary shall specify for the purposes of this subsection.
(3)
(A) integrate the cyber expertise and perspectives of appropriate organizations within the Office of the Secretary of Defense, Joint Staff, military departments, the Defense Agencies and Field Activities, and combatant commands, by establishing and maintaining a full-time cross-functional team of subject matter experts from those organizations; and
(B) select team members, and designate a team leader, from among those personnel nominated by the heads of such organizations.
(4)
(B) The Principal Cyber Advisor shall review each proposed budget transmitted under subparagraph (A) and, not later than January 31 of the year preceding the fiscal year for which the budget is proposed, shall submit to the Secretary of Defense a report containing the comments of the Principal Cyber Advisor with respect to all such proposed budgets, together with the certification of the Principal Cyber Advisor regarding whether each proposed budget is adequate.
(C) Not later than March 31 of each year, the Secretary of Defense shall submit to Congress a report specifying each proposed budget that the Principal Cyber Advisor did not certify to be adequate. The report of the Secretary shall include the following matters:
(i) A discussion of the actions that the Secretary proposes to take, together with any recommended legislation that the Secretary considers appropriate, to address the inadequacy of the proposed budgets specified in the report.
(ii) Any additional comments that the Secretary considers appropriate regarding the inadequacy of the proposed budgets.
(b)
(1)
(A)
(B)
(C)
(2)
(A)
(i) The Senior Military Advisor for Cyber Policy to the Under Secretary of Defense for Policy.
(ii) The Deputy Principal Cyber Advisor to the Secretary of Defense.
(B)
(i) The Under Secretary with respect to Senior Military Advisor for Cyber Policy duties.
(ii) The Principal Cyber Advisor with respect to Deputy Principal Cyber Advisor duties.
(3)
(A)
(i) To serve as the principal uniformed military advisor on military cyber forces and activities to the Under Secretary of Defense for Policy.
(ii) To assess and advise the Under Secretary on aspects of policy relating to military cyberspace operations, resources, personnel, cyber force readiness, cyber workforce development, and defense of Department of Defense networks.
(iii) To advocate, in consultation with the Joint Staff, and senior officers of the Armed Forces and the combatant commands, for consideration of military issues within the Office of the Under Secretary of Defense for Policy, including coordination and synchronization of Department cyber forces and activities.
(iv) To maintain open lines of communication between the Chief Information Officer of the Department of Defense, senior civilian leaders within the Office of the Under Secretary, and senior officers on the Joint Staff, the Armed Forces, and the combatant commands on cyber matters, and to ensure that military leaders are informed on cyber policy decisions.
(B)
(i) To synchronize, coordinate, and oversee implementation of the Cyber Strategy of the Department of Defense and other relevant policy and planning.
(ii) To advise the Secretary of Defense on cyber programs, projects, and activities of the Department, including with respect to policy, training, resources, personnel, manpower, and acquisitions and technology.
(iii) To oversee implementation of Department policy and operational directives on cyber programs, projects, and activities, including with respect to resources, personnel, manpower, and acquisitions and technology.
(iv) To assist in the overall supervision of Department cyber activities relating to offensive missions.
(v) To assist in the overall supervision of Department defensive cyber operations, including activities of component-level cybersecurity service providers and the integration of such activities with activities of the Cyber Mission Force.
(vi) To advise senior leadership of the Department on, and advocate for, investment in capabilities to execute Department missions in and through cyberspace.
(vii) To identify shortfalls in capabilities to conduct Department missions in and through cyberspace, and make recommendations on addressing such shortfalls in the Program Budget Review process.
(viii) To coordinate and consult with stakeholders in the cyberspace domain across the Department in order to identify other issues on cyberspace for the attention of senior leadership of the Department.
(ix) On behalf of the Principal Cyber Advisor, to lead the cross-functional team established pursuant to 932(c)(3) 1 of the National Defense Authorization Act for Fiscal Year 2014 (
(c)
(1)
(A)
(B)
(i) be a senior civilian leadership position, filled by a senior member of the Senior Executive Service, not lower than the equivalent of a 3-star general officer, or by exception a comparable military officer with extensive cyber experience;
(ii) exclusively occupy the Principal Cyber Advisor position and not assume any other position or responsibility in the relevant military department;
(iii) be independent of the relevant service's chief information officer; and
(iv) report directly to and advise the secretary of the relevant military department and advise the relevant service's senior uniformed officer.
(C)
(2)
(A) The recruitment, resourcing, and training of military cyberspace operations forces, assessment of these forces against standardized readiness metrics, and maintenance of these forces at standardized readiness levels.
(B) Acquisition of offensive, defensive, and Department of Defense Information Networks cyber capabilities for military cyberspace operations.
(C) Cybersecurity management and operations.
(D) Acquisition of cybersecurity tools and capabilities, including those used by cybersecurity service providers.
(E) Evaluating, improving, and enforcing a culture of cybersecurity warfighting and accountability for cybersecurity and cyberspace operations.
(F) Cybersecurity and related supply chain risk management of the industrial base.
(G) Cybersecurity of Department of Defense information systems, information technology services, and weapon systems, including the incorporation of cybersecurity threat information as part of secure development processes, cybersecurity testing, and the mitigation of cybersecurity risks.
(3)
(A) Service chief information officers.
(B) Service cyber component commanders.
(C) Principal Cyber Advisor to the Secretary of Defense.
(D) Department of Defense Chief Information Officer.
(E) Defense Digital Service.
(4)
(A)
(B)
(C)
(5)
(Added and amended
Editorial Notes
References in Text
Section 911 of the National Defense Authorization Act for Fiscal Year 2017, referred to in subsec. (a)(3), is section 911 of
Section 932(c)(3) of the National Defense Authorization Act for Fiscal Year 2014, referred to in subsec. (b)(3)(B)(ix), is section 932(c)(3) of
The date of the enactment of this Act, referred to in subsec. (c)(1)(A), means the date of enactment of
Codification
The text of section 932(c) of
The text of section 905 of
The text of section 1657 of
Amendments
2023—Subsec. (b)(2)(B).
Subsec. (c)(4)(A).
2022—Subsec. (a).
Subsec. (a)(1).
Subsec. (b).
Subsec. (b)(1)(B), (C).
Subsec. (b)(2), (3).
Subsec. (c).
Subsec. (c)(1)(B).
Subsec. (c)(2), (3).
Subsec. (c)(4)(A).
Subsec. (c)(4)(B).
Subsec. (c)(4)(C).
Subsec. (c)(5).
Subsec. (c)(6).
Subsec. (c)(6)(B).
Subsec. (c)(6)(C).
1 So in original. Probably should be preceded by "section".
2 See References in Text note below.
§393. Reporting on penetrations of networks and information systems of certain contractors
(a)
(b)
(1)
(2)
(A) The Under Secretary of Defense for Policy.
(B) The Under Secretary of Defense for Acquisition and Sustainment.
(C) the Under Secretary of Defense for Research and Engineering.
(D) The Under Secretary of Defense for Intelligence and Security.
(E) The Chief Information Officer of the Department of Defense.
(F) The Commander of the United States Cyber Command.
(c)
(1)
(A) A description of the technique or method used in such penetration.
(B) A sample of the malicious software, if discovered and isolated by the contractor, involved in such penetration.
(C) A summary of information created by or for the Department in connection with any Department program that has been potentially compromised due to such penetration.
(2)
(A) include mechanisms for Department of Defense personnel to, upon request, obtain access to equipment or information of a cleared defense contractor necessary to conduct forensic analysis in addition to any analysis conducted by such contractor;
(B) provide that a cleared defense contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated; and
(C) provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
(3)
(A) with missions that may be affected by such information;
(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(C) that conduct counterintelligence or law enforcement investigations; or
(D) for national security purposes, including cyber situational awareness and defense purposes.
(d)
(2)(A) Nothing in this section shall be construed—
(i) to require dismissal of a cause of action against a cleared defense contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (a); or
(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each cleared defense contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.
(C) In this subsection, the term "willful misconduct" means an act or omission that is taken—
(i) intentionally to achieve a wrongful purpose;
(ii) knowingly without legal or factual justification; and
(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.
(e)
(1)
(2)
(Added and amended
Editorial Notes
Codification
Section, as added and amended by
Amendments
2021—Subsec. (b)(2)(D).
2019—Subsec. (b)(2)(B).
Subsec. (b)(2)(C).
Subsec. (b)(2)(D) to (F).
2015—
Subsec. (c)(3).
Subsec. (d).
"(1)
"(A) the Secretary of Defense shall establish the procedures required under subsection (a); and
"(B) the senior official designated under subsection (b)(1) shall establish the criteria required under such subsection.
"(2)
§394. Authorities concerning military cyber operations
(a)
(b)
(c)
(d)
(e)
(f)
(1) The term "clandestine military activity or operation in cyberspace" means a military activity or military operation carried out in cyberspace, or associated preparatory actions, authorized by the President or the Secretary that—
(A) is marked by, held in, or conducted with secrecy, where the intent is that the activity or operation will not be apparent or acknowledged publicly; and
(B) is to be carried out—
(i) as part of a military operation plan approved by the President or the Secretary in anticipation of hostilities or as directed by the President or the Secretary;
(ii) to deter, safeguard, or defend against attacks or malicious cyber activities against the United States or Department of Defense information, networks, systems, installations, facilities, or other assets; or
(iii) in support of information related capabilities.
(2) The term "foreign power" has the meaning given such term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (
(3) The term "United States person" has the meaning given such term in such section.
(Added
Editorial Notes
References in Text
The War Powers Resolution, referred to in subsecs. (b) and (e), is
The Authorization for Use of Military Force, referred to in subsec. (e), is
Amendments
2018—
Statutory Notes and Related Subsidiaries
Authority for Countering Illegal Trafficking by Mexican Transnational Criminal Organizations in Cyberspace
"(a)
"(1) Smuggling of illegal drugs, controlled substances, or precursors thereof.
"(2) Human trafficking.
"(3) Weapons trafficking.
"(4) Other illegal activities.
"(b)
Management of Data Assets by Chief Digital and Artificial Intelligence Officer
"(a)
"(b)
"(1) develop a baseline of data assets exclusive to foreign key terrain and relational frameworks in cyberspace maintained by the intelligence agencies of the Department of Defense, the military departments, the combatant commands, and any other components of the Department of Defense;
"(2) develop and oversee the implementation of plans to enhance such data assets that the Chief Digital and Artificial Intelligence Officer determines are essential to support the purposes set forth in subsection (a); and
"(3) ensure that such activities and plans are undertaken in cooperation and in coordination with the Assistant to the Secretary of Defense for Privacy, Civil Liberties, and Transparency, to ensure that any data collection, procurement, acquisition, use, or retention measure conducted pursuant to this section is in compliance with applicable laws and regulations, including standards pertaining to data related to United States persons or any persons in the United States.
"(c)
"(1) designate or establish one or more Department of Defense executive agents for enhancing data assets and the acquisition of data analytic tools for users;
"(2) ensure that data assets referred to in subsection (b) that are in the possession of a component of the Department of Defense are accessible for the purposes described in subsection (a); and
"(3) ensure that advanced analytics, including artificial intelligence technology, are developed and applied to the analysis of the data assets referred to in subsection (b) in support of the purposes described in subsection (a).
"(d)
"(e)
"(f)
"(1) the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives];
"(2) the Permanent Select Committee on Intelligence of the House of Representatives; and
"(3) the Select Committee on Intelligence of the Senate."
Protection of Critical Infrastructure
"(a)
"(b)
"(c)
Operational Technology and Mission-Relevant Terrain in Cyberspace
"(a)
"(1) decomposition of missions reliant on such Assets;
"(2) identification of access vectors;
"(3) internal and external dependencies;
"(4) topology of networks and network segments;
"(5) cybersecurity defenses across information and operational technology on such Assets; and
"(6) identification of associated or reliant weapon systems.
"(b)
"(1) internal combatant command processes, responsibilities, and functions;
"(2) coordination with service components under their operational control, United States Cyber Command, Joint Forces Headquarters-Department of Defense Information Network, and the service cyber components;
"(3) combatant command headquarters' situational awareness posture to ensure an appropriate level of cyber situational awareness of the forces, facilities, installations, bases, critical infrastructure, and weapon systems under their control or in their areas of responsibility, including, in particular, Defense Critical Assets and Task Critical Assets; and
"(4) documentation of their mission-relevant terrain in cyberspace.
"(c)
"(1)
"(2)
"(3)
"(A) are implementable by components of the Department;
"(B) limit adversaries' ability to reach or manipulate control systems through cyberspace;
"(C) appropriately balance non-connectivity and monitoring requirements;
"(D) include data collection and flow requirements;
"(E) interoperate with and are informed by the operational community's workflows for defense of information and operational technology in the forces, facilities, installations, bases, critical infrastructure, and weapon systems across the Department;
"(F) integrate and interoperate with Department mission assurance construct; and
"(G) are implemented with respect to Defense Critical Assets and Task Critical Assets.
"(d)
"(1) has appropriate visibility of operational technology in the forces, facilities, installations, bases, critical infrastructure, and weapon systems across the Department of Defense Information Network, including, in particular, Defense Critical Assets and Task Critical Assets;
"(2) can effectively command and control forces to defend such operational technology; and
"(3) has established processes for—
"(A) incident and compliance reporting;
"(B) ensuring compliance with Department of Defense cybersecurity policy; and
"(C) ensuring that cyber vulnerabilities, attack vectors, and security violations, including, in particular, those specific to Defense Critical Assets and Task Critical Assets, are appropriately managed.
"(e)
"(1) ensure in its role of Joint Forces Trainer for the Cyberspace Operations Forces that operational technology cyber defense is appropriately incorporated into training for the Cyberspace Operations Forces;
"(2) delineate the specific force composition requirements within the Cyberspace Operations Forces for specialized cyber defense of operational technology, including the number, size, scale, and responsibilities of defined Cyber Operations Forces elements;
"(3) develop and maintain, or support the development and maintenance of, a joint training curriculum for operational technology-focused Cyberspace Operations Forces;
"(4) support the Chief Information Officer of the Department of Defense as the Department's senior official for the cybersecurity of operational technology under this section;
"(5) develop and institutionalize, or support the development and institutionalization of, tradecraft for defense of operational technology across local defenders, cybersecurity service providers, cyber protection teams, and service-controlled forces;
"(6) develop and institutionalize integrated concepts of operation, operational workflows, and cybersecurity architectures for defense of information and operational technology in the forces, facilities, installations, bases, critical infrastructure, and weapon systems across the Department of Defense Information Network, including, in particular, Defense Critical Assets and Task Critical Assets, including—
"(A) deliberate and strategic sensoring of such Network and Assets;
"(B) instituting policies governing connections across and between such Network and Assets;
"(C) modelling of normal behavior across and between such Network and Assets;
"(D) engineering data flows across and between such Network and Assets;
"(E) developing local defenders, cybersecurity service providers, cyber protection teams, and service-controlled forces' operational workflows and tactics, techniques, and procedures optimized for the designs, data flows, and policies of such Network and Assets;
"(F) instituting of model defensive cyber operations and Department of Defense Information Network operations tradecraft; and
"(G) integrating of such operations to ensure interoperability across echelons; and
"(7) advance the integration of the Department of Defense's mission assurance, cybersecurity compliance, cybersecurity operations, risk management framework, and authority to operate programs and policies.
"(f)
"(1) ensure that relevant local network and cybersecurity forces are responsible for defending operational technology across the forces, facilities, installations, bases, critical infrastructure, and weapon systems, including, in particular, Defense Critical Assets and Task Critical Assets;
"(2) ensure that relevant local operational technology-focused system operators, network and cybersecurity forces, mission defense teams and other service-retained forces, and cyber protection teams are appropriately trained, including through common training and use of cyber ranges, as appropriate, to execute the specific requirements of cybersecurity operations in operational technology;
"(3) ensure that all Defense Critical Assets and Task Critical Assets are monitored and defended by Cybersecurity Service Providers;
"(4) ensure that operational technology is appropriately sensored and appropriate cybersecurity defenses, including technologies associated with the More Situational Awareness for Industrial Control Systems Joint Capability Technology Demonstration, are employed to enable defense of Defense Critical Assets and Task Critical Assets;
"(5) implement Department of Defense Chief Information Officer policy germane to operational technology, including, in particular, with respect to Defense Critical Assets and Task Critical Assets;
"(6) plan for, designate, and train dedicated forces to be utilized in operational technology-centric roles across the military services and United States Cyber Command; and
"(7) ensure that operational technology, as appropriate, is not easily accessible via the internet and that cybersecurity investments accord with mission risk to and relevant access vectors for Defense Critical Assets and Task Critical Assets.
"(g)
"(1) assess and finalize Office of the Secretary of Defense components' roles and responsibilities for the cybersecurity of operational technology in the forces, facilities, installations, bases, critical infrastructure, and weapon systems across the Department of Defense Information Network;
"(2) assess the need to establish centralized or dedicated funding for remediation of cybersecurity gaps in operational technology across the Department of Defense Information Network;
"(3) make relevant modifications to the Department of Defense's mission assurance construct, Mission Assurance Coordination Board, and other relevant bodies to drive—
"(A) prioritization of kinetic and non-kinetic threats to the Department's missions and minimization of mission risk in the Department's war plans;
"(B) prioritization of relevant mitigations and investments to harden and assure the Department's missions and minimize mission risk in the Department's war plans; and
"(C) completion of mission relevant terrain mapping of Defense Critical Assets and Task Critical Assets and population of associated assessment and mitigation data in authorized repositories;
"(4) make relevant modifications to the Strategic Cybersecurity Program; and
"(5) drive and provide oversight of the implementation of this section.
"(h)
"(1)
"(2)
"(i)
"(1)
"(2)
Framework for Cyber Hunt Forward Operations
"(a)
"(b)
"(1) Identification of the selection criteria for proposed cyber hunt forward operations, including specification of necessary thresholds for the justification of operations and thresholds for partner cooperation.
"(2) The roles and responsibilities of the following organizations in the support of the planning and execution of cyber hunt forward operations:
"(A) United States Cyber Command.
"(B) Service cyber components.
"(C) The Office of the Under Secretary of Defense for Policy.
"(D) Geographic combatant commands.
"(E) Cyber Operations-Integrated Planning Elements and Joint Cyber Centers.
"(F) Embassies and consulates of the United States.
"(3) Pre-deployment planning guidelines to maximize the operational success of each unique operation, including guidance that takes into account the highly variable nature of the following aspects at the tactical level:
"(A) Team composition, including necessary skillsets [sic], recommended training, and guidelines on team size and structure.
"(B) Relevant factors to determine mission duration in a country of interest.
"(C) Agreements with partner countries required pre-deployment.
"(D) Criteria for potential follow-on operations.
"(E) Equipment and infrastructure required to support the missions.
"(4) Metrics to measure the effectiveness of each operation, including means to evaluate the value of discovered malware and infrastructure, the effect on the adversary, and the potential for future engagements with the partner country.
"(5) Roles and responsibilities for United States Cyber Command and the National Security Agency in the analysis of relevant mission data.
"(6) A detailed description of counterintelligence support for cyber hunt forward operations.
"(7) A standardized force presentation model across service components and combatant commands.
"(8) Review of active and reserve component personnel policies to account for deployment and redeployment operations, including the following:
"(A) Global Force Management.
"(B) Contingency, Exercise, and Deployment orders to be considered for and applied towards deployment credit and benefits.
"(9) Such other matters as the Secretary determines relevant.
"(c)
"(1)
"(2)
"(A) An overview of the framework developed pursuant to subsection (a).
"(B) An explanation of the tradeoffs associated with the use of Department of Defense resources for cyber hunt forward missions in the context of competing priorities.
"(C) Such recommendations as the Secretary may have for legislative action to improve the effectiveness of cyber hunt forward missions."
Tailored Cyberspace Operations Organizations
"(a)
"(1)
"(2)
"(A) An examination of NCWDG's structure, manning, authorities, funding, and operations.
"(B) A review of organizational relationships—
"(i) within the Navy; and
"(ii) to other Department of Defense organizations, as well as non-Department of Defense organizations.
"(C) Recommendations for how the NCWDG can be strengthened and improved, without growth in size.
"(D) Such other information as determined necessary or appropriate by the Secretary of the Navy.
"(3)
"(A)
"(B)
"(b)
"(c)
"(d)
"(1) the utilization of the authority provided pursuant to subsection (c); and
"(2) if appropriate based on such utilization, details on how the military service, respectively, of each such secretary intends to establish tailored cyberspace operations organizations.
"(e)
"(1) the value of the study to the Navy Cyber Warfare Development Group and to the Navy;
"(2) any recommendations not considered or included as part of the study;
"(3) the implementation of subsection (b); and
"(4) other matters as determined by the Commanding Officer.
"(f)
"(g)
"(1) An assessment of whether such authorities shall be conferred on the 90th Cyberspace Operations Squadron of the Air Force.
"(2) A consideration of whether the 90th Cyberspace Operations Squadron should be designated a controlled tour, as defined by the Secretary."
Notification of Delegation of Authorities to the Secretary of Defense for Military Operations in Cyberspace
"(a)
"(1) Authorities delegated to the Secretary by the President for military operations in cyberspace that are otherwise held by the National Command Authority, not later than 15 days after any such delegation. A notification under this paragraph shall include a description of the authorities delegated to the Secretary.
"(2) Concepts of operations approved by the Secretary pursuant to delegated authorities described in paragraph (1), not later than 15 days after any such approval. A notification under this paragraph shall include the following:
"(A) A description of authorized activities to be conducted or planned to be conducted pursuant to such authorities.
"(B) The defined military objectives relating to such authorities.
"(C) A list of countries in which such authorities may be exercised.
"(D) A description of relevant orders issued by the Secretary in accordance with such authorities.
"(b)
"(1)
"(2)
"(3)
Annual Military Cyberspace Operations Report
"(a)
"(1) An identification of the objective and purpose.
"(2) Descriptions of the impacted countries, organizations, or forces, and nature of the impact.
"(3) A description of methodologies used for the cyber effects operation or cyber effects enabling operation.
"(4) An identification of the Cyber Mission Force teams, or other Department of Defense entity or units, that conducted such operation, and supporting teams, entities, or units.
"(5) An identification of the infrastructures on which such operations occurred.
"(6) A description of relevant legal, operational, and funding authorities.
"(7) Additional costs beyond baseline operations and maintenance and personnel costs directly associated with the conduct of the cyber effects operation or cyber effects enabling operation.
"(8) Any other matters the Secretary determines relevant.
"(b)
"(c)
Policy of the United States on Cyberspace, Cybersecurity, Cyber Warfare, and Cyber Deterrence
"(a)
"(1) cause casualties among United States persons or persons of United States allies;
"(2) significantly disrupt the normal functioning of United States democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government);
"(3) threaten the command and control of the Armed Forces, the freedom of maneuver of the Armed Forces, or the industrial base or other infrastructure on which the United States Armed Forces rely to defend United States interests and commitments; or
"(4) achieve an effect, whether individually or in aggregate, comparable to an armed attack or imperil a vital interest of the United States.
"(b)
"(c)
"(d)
"(e)
"(f)
"(1)
"(2)
"(A) An assessment of the current posture in cyberspace, including assessments of—
"(i) whether past responses to major cyber attacks have had the desired deterrent effect; and
"(ii) how adversaries have responded to past United States responses.
"(B) Updates on the Administration's efforts in the development of—
"(i) cost imposition strategies;
"(ii) varying levels of cyber incursion and steps taken to date to prepare for the imposition of the consequences referred to in clause (i); and
"(iii) the Cyber Deterrence Initiative.
"(C) Information relating to the Administration's plans, including specific planned actions, regulations, and legislative action required, for—
"(i) advancing technologies in attribution, inherently secure technology, and artificial intelligence society-wide;
"(ii) improving cybersecurity in and cooperation with the private sector;
"(iii) improving international cybersecurity cooperation; and
"(iv) implementing the policy referred to in paragraph (1), including any realignment of government or government responsibilities required, writ large.
"(f) [probably should be "(g)"]
"(g) [probably should be "(h)"]
"(1)
"(A) the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives];
"(B) the Permanent Select Committee on Intelligence of the House of Representatives;
"(C) the Select Committee on Intelligence of the Senate;
"(D) the Committee on Foreign Affairs, the Committee on Homeland Security, and the Committee on the Judiciary of the House of Representatives; and
"(E) the Committee on Foreign Relations, the Committee on Homeland Security and Governmental Affairs, and the Committee on the Judiciary of the Senate.
"(2)
"(a)
"(1) develop a national policy for the United States relating to cyberspace, cybersecurity, and cyber warfare; and
"(2) submit to the appropriate congressional committees a report on the policy.
"(b)
"(1) Delineation of the instruments of national power available to deter or respond to cyber attacks or other malicious cyber activities by a foreign power or actor that targets United States interests.
"(2) Available or planned response options to address the full range of potential cyber attacks on United States interests that could be conducted by potential adversaries of the United States.
"(3) Available or planned denial options that prioritize the defensibility and resiliency against cyber attacks and malicious cyber activities that are carried out against infrastructure critical to the political integrity, economic security, and national security of the United States.
"(4) Available or planned cyber capabilities that may be used to impose costs on any foreign power targeting the United States or United States persons with a cyber attack or malicious cyber activity.
"(5) Development of multi-prong response options, such as—
"(A) boosting the cyber resilience of critical United States strike systems (including cyber, nuclear, and non-nuclear systems) in order to ensure the United States can credibly threaten to impose unacceptable costs in response to even the most sophisticated large-scale cyber attack;
"(B) developing offensive cyber capabilities and specific plans and strategies to put at risk targets most valued by adversaries of the United States and their key decision makers; and
"(C) enhancing attribution capabilities and developing intelligence and offensive cyber capabilities to detect, disrupt, and potentially expose malicious cyber activities.
"(c)
"(1)
"(2)
"(A) the White House Communication Agency; and
"(B) the White House Situation Support Staff.
"(d)
"(1) The term 'foreign power' has the meaning given that term in section 101 of the Foreign Intelligence Surveillance Act of 1978 (
"(2) The term 'appropriate congressional committees' means—
"(A) the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives];
"(B) the Committee on Foreign Affairs, the Committee on Homeland Security, and the Committee on the Judiciary of the House of Representatives; and
"(C) the Committee on Foreign Relations, the Committee on Homeland Security and Governmental Affairs, and the Committee on the Judiciary of the Senate."
Active Defense Against the Russian Federation, People's Republic of China, Democratic People's Republic of Korea, and Islamic Republic of Iran Attacks in Cyberspace
"(a)
"(1)
"(2)
"(A)
"(B)
"(i)
"(ii)
"(b)
"(c)
"(1) the scope and intensity of the information operations and attacks through cyberspace by the countries specified in subsection (a)(1) against the government or people of the United States observed by the cyber mission forces of the United States Cyber Command and the National Security Agency; and
"(2) adjustments of the Department of Defense in the response directed or recommended by the Secretary with respect to such operations and attacks.
"(d)
"(1) limit the authority of the Secretary to conduct military activities or operations in cyberspace, including clandestine activities or operations in cyberspace; or
"(2) affect the War Powers Resolution (
Pilot Program To Model Cyber Attacks on Critical Infrastructure
"(a)
"(1)
"(2)
"(b)
"(1) The development and demonstration of risk analysis methodologies, and the application of commercial simulation and modeling capabilities, based on artificial intelligence and hyperscale cloud computing technologies, as applicable—
"(A) to assess defense critical infrastructure vulnerabilities and interdependencies to improve military resiliency;
"(B) to determine the likely effectiveness of attacks described in subsection (a)(1), and countermeasures, tactics, and tools supporting responsive military homeland defense operations;
"(C) to train personnel in incident response;
"(D) to conduct exercises and test scenarios;
"(E) to foster collaboration and learning between and among departments and agencies of the Federal Government, State and local governments, and private entities responsible for critical infrastructure; and
"(F) improve intra-agency and inter-agency coordination for consideration and approval of requests for defense support to civil authorities.
"(2) The development and demonstration of the foundations for establishing and maintaining a program of record for a shared high-fidelity, interactive, affordable, cloud-based modeling and simulation of critical infrastructure systems and incident response capabilities that can simulate complex cyber and physical attacks and disruptions on individual and multiple sectors on national, regional, State, and local scales.
"(c)
"(1)
"(2)
"(A) A description of the results of the pilot program as of the date of the report.
"(B) A description of the risk analysis methodologies and modeling and simulation capabilities developed and demonstrated pursuant to the pilot program, and an assessment of the potential for future growth of commercial technology in support of the homeland defense mission of the Department of Defense.
"(C) Such recommendations as the Secretary considers appropriate regarding the establishment of a program of record for the Department on further development and sustainment of risk analysis methodologies and advanced, large-scale modeling and simulation on critical infrastructure and cyber warfare.
"(D) Lessons learned from the use of novel risk analysis methodologies and large-scale modeling and simulation carried out under the pilot program regarding vulnerabilities, required capabilities, and reconfigured force structure, coordination practices, and policy.
"(E) Planned steps for implementing the lessons described in subparagraph (D).
"(F) Any other matters the Secretary determines appropriate."
Identification of Countries of Concern Regarding Cybersecurity
"(a)
"(1) A foreign government's activities that pose force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.
"(2) A foreign government's willingness and record of providing financing, logistics, training or intelligence to other persons, countries or entities posing a force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.
"(3) A foreign government's engagement in foreign intelligence activities against the United States for the purpose of undermining United States national security.
"(4) A foreign government's knowing participation in transnational organized crime or criminal activity.
"(5) A foreign government's cyber activities and operations to affect the supply chain of the United States Government.
"(6) A foreign government's use of cyber means to unlawfully or inappropriately obtain intellectual property from the United States Government or United States persons.
"(b)
"(c)
Quadrennial Comprehensive Cyber Posture Review
"(a)
"(b)
"(c)
"(1) The assessment and definition of the role of cyber forces in the national defense and military strategies of the United States.
"(2) Review of the following:
"(A) The role of cyber operations in combatant commander warfighting plans.
"(B) The ability of combatant commanders to respond to adversary cyber attacks.
"(C) The international partner cyber capacity-building programs of the Department.
"(3) A review of the law, policies, and authorities relating to, and necessary for, the United States to maintain a safe, reliable, and credible cyber posture for defending against and responding to cyber attacks and for deterrence in cyberspace, including the following:
"(A) An assessment of the need for further delegation of cyber-related authorities, including those germane to information warfare, to the Commander of United States Cyber Command.
"(B) An evaluation of the adequacy of mission authorities for all cyber-related military components, defense agencies, directorates, centers, and commands.
"(4) A review of the need for or for updates to a declaratory policy relating to the responses of the United States to cyber attacks of significant consequence.
"(5) A review of norms for the conduct of offensive cyber operations for deterrence and in crisis and conflict.
"(6) A review of a strategy to deter, degrade, or defeat malicious cyber activity targeting the United States (which may include activities, capability development, and operations other than cyber activities, cyber capability development, and cyber operations), including—
"(A) a review and assessment of various approaches to competition and deterrence in cyberspace, determined in consultation with experts from Government, academia, and industry;
"(B) a comparison of the strengths and weaknesses of the approaches identified pursuant to subparagraph (A) relative to the threat of each other; and
"(C) an assessment as to how the cyber strategy will inform country-specific campaign plans focused on key leadership of Russia, China, Iran, North Korea, and any other country the Secretary considers appropriate.
"(7) Identification of the steps that should be taken to bolster stability in cyberspace and, more broadly, stability between major powers, taking into account—
"(A) the analysis and gaming of escalation dynamics in various scenarios; and
"(B) consideration of the spiral escalatory effects of countries developing increasingly potent offensive cyber capabilities.
"(8) A comprehensive force structure assessment of the Cyber Operations Forces of the Department for the posture review period, including the following:
"(A) A determination of the appropriate size and composition of the Cyber Mission Forces to accomplish the mission requirements of the Department.
"(B) An assessment of the Cyber Mission Forces' personnel, capabilities, equipment, funding, operational concepts, and ability to execute cyber operations in a timely fashion.
"(C) An assessment of the personnel, capabilities, equipment, funding, and operational concepts of Cybersecurity Service Providers and other elements of the Cyber Operations Forces.
"(9) An assessment of whether the Cyber Mission Force has the appropriate level of interoperability, integration, and interdependence with special operations and conventional forces.
"(10) An evaluation of the adequacy of mission authorities for the Joint Force Provider and Joint Force Trainer responsibilities of United States Cyber Command, including the adequacy of the units designated as Cyber Operations Forces to support such responsibilities.
"(11) An assessment of the missions and resourcing of the combat support agencies in support of cyber missions of the Department.
"(12) An assessment of the potential costs, benefits, and value, if any, of establishing a cyber force as a separate uniformed service.
"(13) Any recurrent problems or capability gaps that remain unaddressed since the previous posture review.
"(14) Such other matters as the Secretary considers appropriate.
"(d)
"(1)
"(2)
"(e)
§395. Notification requirements for sensitive military cyber operations
(a)
(b)
(2) The congressional defense committees shall ensure that committee procedures designed to protect from unauthorized disclosure classified information relating to national security of the United States are sufficient to protect the information that is submitted to the committees pursuant to this section.
(3) In the event of an unauthorized disclosure of a sensitive military cyber operation covered by this section, the Secretary shall ensure, to the maximum extent practicable, that the congressional defense committees are notified immediately of the sensitive military cyber operation concerned. The notification under this paragraph may be verbal or written, but in the event of a verbal notification a written notification, signed by the Secretary, or the Secretary's designee, shall be provided by not later than 48 hours after the provision of the verbal notification.
(c)
(A) is carried out by the armed forces of the United States;
(B) is intended to achieve a cyber effect against a foreign terrorist organization or a country, including its armed forces and the proxy forces of that country located elsewhere—
(i) with which the armed forces of the United States are not involved in hostilities (as that term is used in section 4 of the War Powers Resolution (
(ii) with respect to which the involvement of the armed forces of the United States in hostilities has not been acknowledged publicly by the United States; and
(C)(i) is determined to—
(I) have a medium or high collateral effects estimate;
(II) have a medium or high intelligence gain or loss;
(III) have a medium or high probability of political retaliation, as determined by the political military assessment contained within the associated concept of operations;
(IV) have a medium or high probability of detection when detection is not intended; or
(V) result in medium or high collateral effects; or
(ii) is a matter the Secretary determines to be appropriate.
(2) The actions described in this paragraph are the following:
(A) An offensive cyber operation.
(B) A defensive cyber operation.
(d)
(1) to a training exercise conducted with the consent of all nations where the intended effects of the exercise will occur; or
(2) to a covert action (as that term is defined in section 503 of the National Security Act of 1947 (
(e)
(Added
Editorial Notes
References in Text
The War Powers Resolution, referred to in subsec. (e), is
The Authorization for Use of Military Force, referred to in subsec. (e), is
The National Security Act of 1947, referred to in subsec. (e), is act July 26, 1947, ch. 343,
Amendments
2021—Subsec. (c).
2019—Subsec. (b)(3).
Subsec. (c)(1)(B), (C).
Subsec. (c)(2)(B).
2018—
Subsec. (d)(2).
§396. Notification requirements for cyber weapons
(a)
(1) With respect to a cyber capability that is intended for use as a weapon, on a quarterly basis, the aggregated results of all reviews of the capability for legality under international law pursuant to Department of Defense Directive 5000.01 carried out by any military department concerned.
(2) The use as a weapon of any cyber capability that has been approved for such use under international law by a military department no later than 48 hours following such use.
(b)
(2) The congressional defense committees shall ensure that committee procedures designed to protect from unauthorized disclosure classified information relating to national security of the United States are sufficient to protect the information that is submitted to the committees pursuant to this section.
(3) In the event of an unauthorized disclosure of a cyber capability covered by this section, the Secretary shall ensure, to the maximum extent practicable, that the congressional defense committees are notified immediately of the cyber capability concerned. The notification under this paragraph may be verbal or written, but in the event of a verbal notification a written notification shall be provided by not later than 48 hours after the provision of the verbal notification.
(c)
(1) to a training exercise conducted with the consent of all nations where the intended effects of the exercise will occur; or
(2) to a covert action (as that term is defined in section 503 of the National Security Act of 1947 (
(d)
(Added
Editorial Notes
References in Text
The War Powers Resolution, referred to in subsec. (d), is
The Authorization for Use of Military Force, referred to in subsec. (d), is
The National Security Act of 1947, referred to in subsec. (d), is act July 26, 1947, ch. 343,
Amendments
2018—
Subsec. (c)(2).
§397. Principal Information Operations Advisor
(a)
(b)
(1) Oversight of policy, strategy, planning, resource management, operational considerations, personnel, and technology development across all the elements of information operations of the Department.
(2) Overall integration and supervision of the deterrence of, conduct of, and defense against information operations.
(3) Promulgation of policies to ensure adequate coordination and deconfliction with the Department of State, the intelligence community (as such term is defined in section 3 of the National Security Act of 1947 (
(4) Coordination with the head of the Global Engagement Center to support the purpose of the Center (as set forth by section 1287(a)(2) of the National Defense Authorization Act for Fiscal Year 2017 (
(5) Establishing and supervising a rigorous risk management process to mitigate the risk of potential exposure of United States persons to information intended exclusively for foreign audiences.
(6) Promulgation of standards for the attribution or public acknowledgment, if any, of operations in the information environment.
(7) Development of guidance for, and promotion of, the capability of the Department to liaison with the private sector and academia on matters relating to the influence activities of malign actors.
(8) Such other matters relating to information operations as the Secretary shall specify for purposes of this subsection.
(Added
Editorial Notes
References in Text
The enactment of this Act, referred to in subsec. (a), probably means the date of enactment of
Amendments
2021—Subsec. (b)(5).
Statutory Notes and Related Subsidiaries
Assessment and Optimization of Department of Defense Information and Influence Operations Conducted Through Cyberspace
"(a)
"(b)
"(1) An inventory of the components of the Department of Defense conducting information and influence operations conducted through cyberspace.
"(2) An examination of sufficiency of resources allocated for information and influence operations conducted through cyberspace.
"(3) An evaluation of the command and control, oversight, and management of matters related to information and influence operations conducted through cyberspace across the Office of the Secretary of Defense and the Joint Staff.
"(4) An evaluation of the existing execution, coordination, synchronization, deconfliction, and consultative procedures and mechanisms for information and influence operations conducted through cyberspace.
"(5) Any other matters determined relevant by the Principal Information Operations Advisor and the Principal Cyber Advisor to the Secretary of Defense.
"(c)
"(1) Actions that the Department will implement to improve the execution, coordination, synchronization, deconfliction, and consultative procedures and mechanisms for information and influence operations conducted through cyberspace.
"(2) An evaluation of potential organizational changes required to optimize information and influence operations conducted through cyberspace.
"(3) Any other matters determined relevant by the Principal Information Operations Advisor and the Principal Cyber Advisor to the Secretary of Defense.
"(d)
"(e)
Conducting of Military Operations in the Information Environment
"(b)
"(2) The military operations referred to in paragraph (1), when appropriately authorized include the conduct of military operations short of hostilities and in areas outside of areas of active hostilities for the purpose of preparation of the environment, influence, force protection, and deterrence of hostilities.
"(c)
"(d)
"(2) Each briefing under paragraph (1) shall include, with respect to the military operations in the information environment described in such paragraph, the following:
"(A) An update, disaggregated by geographic and functional command, that describes the operations carried out by the commands.
"(B) An overview of authorities and legal issues applicable to the operations, including any relevant legal limitations.
"(C) An outline of any interagency activities and initiatives relating to the operations.
"(D) Such other matters as the Secretary considers appropriate.
"(e)
"(f)
"(1)
"(2)
"(g)
"(1)
"(A) develop or update, as appropriate, a strategy for operations in the information environment, including how such operations will be synchronized across the Department of Defense and the global, regional, and functional interests of the combatant commands;
"(B) conduct an information operations posture review, including an analysis of capability gaps that inhibit the Department's ability to successfully execute the strategy developed or updated pursuant to subparagraph (A);
"(C) designate Information Operations Force Providers and Information Operations Joint Force Trainers for the Department of Defense;
"(D) develop and persistently manage a joint lexicon for terms related to information operations, including 'information operations', 'information environment', 'operations in the information environment', and 'information related capabilities'[;] and [sic]
"(E) determine the collective set of combat capabilities that will be treated as part of operations in the information environment, including cyber warfare, space warfare, military information support operations, electronic warfare, public affairs, and civil affairs; and
"(F) designate a Department of Defense entity to develop, apply, and continually refine an assessment capability for defining and measuring the impact of Department information operations, which entity shall be organizationally independent of Department components performing or otherwise engaged in operational support to Department information operations.
"(2)
"(3)
"(A) The establishment of lines of effort, objectives, and tasks that are necessary to implement such strategy and eliminate the capability gaps identified under paragraph (1)(B).
"(B) In partnership with the Principal Cyber Advisor to the Secretary of Defense and in coordination with any other component or Department of Defense entity as selected by the Secretary of Defense, an evaluation of any organizational changes that may be required within the Office of the Secretary of Defense, including potential changes to Under Secretary or Assistant Secretary-level positions to comprehensively conduct oversight of policy development, capabilities, and other aspects of operations in the information environment as determined pursuant to the information operations posture review under paragraph (1)(B).
"(C) An assessment of various models for operationalizing information operations, including the feasibility and advisability of establishing an Army Information Warfare Command.
"(D) A review of the role of information operations in combatant commander operational planning, the ability of combatant commanders to respond to hostile acts by adversaries, and the ability of combatant commanders to engage and build capacity with allies.
"(E) A review of the law, policies, and authorities relating to, and necessary for, the United States to conduct military operations, including clandestine military operations, in the information environment.
"(4)
"(h)
"(1)
"(2)
"(A) How the Department of Defense will organize to develop a combined information operations strategy and posture review under subsection (g).
"(B) How the Department will fulfill the roles and responsibilities of the Principal Information Operations Advisor under
"(C) How the Department will establish the information operations cross-functional team under subsection (f)(1).
"(D) How the Department will utilize boards and working groups involving senior-level Department representatives on information operations.
"(E) Such other matters as the Secretary of Defense considers appropriate.
"(i)
"(1) The terms 'foreign power' and 'United States person' have the meanings given such terms in section 101 of the Foreign Intelligence Surveillance Act of 1978 (
"(2) The term 'hostilities' has the same meaning as such term is used in the War Powers Resolution (
"(3) The term 'clandestine military operation in the information environment' means an operation or activity, or associated preparatory actions, authorized by the President or the Secretary of Defense, that—
"(A) is marked by, held in, or conducted with secrecy, where the intent is that the operation or activity will not be apparent or acknowledged publicly; and
"(B) is to be carried out—
"(i) as part of a military operation plan approved by the President or the Secretary of Defense;
"(ii) to deter, safeguard, or defend against attacks or malicious influence activities against the United States, allies of the United States, and interests of the United States;
"(iii) in support of hostilities or military operations involving the United States armed forces; or
"(iv) in support of military operations short of hostilities and in areas where hostilities are not occurring for the purpose of preparation of the environment, influence, force protection, and deterrence."
[Amendment by
[
§398. Military information support operations in information environment
(a)
(2) A notification under paragraph (1) with respect to a MISO plan shall include each of the following:
(A) A description of the military information support operation program (in this section referred to as a "MISO program") supported by the MISO plan.
(B) A description of the objectives of the MISO plan.
(C) A description of the intended target audience for military information support operation activities under the MISO plan.
(D) A description of the tactics, techniques, and procedures to be used in executing the MISO plan.
(E) A description of the personnel engaged in supporting or facilitating the operation.
(F) The amount of funding anticipated to be obligated and expended to execute the MISO plan during the current and subsequent fiscal years.
(G) The expected duration and desired outcome of the MISO plan.
(H) Any other elements the Secretary determines appropriate.
(3) To the maximum extent practicable, the Secretary shall ensure that the congressional defense committees are notified promptly of any unauthorized disclosure of a clandestine military support operation covered by this section. A notification under this subsection may be verbal or written, but in the event of a verbal notification, the Secretary shall provide a written notification by not later than 48 hours after the provision of the verbal notification.
(b)
(1) A list of each MISO program and the combatant command responsible for the program.
(2) For each MISO plan—
(A) a description of the plan and any supporting plans, including the objectives for the plan;
(B) a description of the intended target audience for the activities carried out under the plan and the means of distribution; and
(C) the cost of executing the plan.
(c)
(1) any political process taking place in the United States;
(2) the opinions of United States persons;
(3) United States policies; or
(4) media produced by United States entities for United States persons.
(Added
Editorial Notes
Codification
Another section 398 was renumbered
§398a. Pilot program for sharing cyber capabilities and related information with foreign operational partners
(a)
(b)
(1) establish—
(A) a list of foreign countries that the Secretary of Defense considers suitable for sharing of cyber capabilities and related information under the authority established under subsection (a); and
(B) criteria for establishing the list under subparagraph (A);
(2) not later than 14 days after establishing the list required by paragraph (1), submit to the appropriate committees of Congress such list; and
(3) notify the appropriate committees of Congress in writing of any changes to the list established under paragraph (1) at least 14 days prior to the adoption of any such changes.
(c)
(1) establish and submit to the appropriate committees of Congress procedures for a coordination process for subsection (a) that is consistent with the operational timelines required to support the national security of the United States; and
(2) notify the appropriate committees of Congress in writing of any changes to the procedures established under paragraph (1) at least 14 days prior to the adoption of any such changes.
(d)
(2) Notification under paragraph (1) shall include a certification that the provision of the cyber capabilities was in the national security interests of the United States.
(3) The notification under paragraph (1) shall include an analysis of whether the transfer and the underlying operational imperative could have been met using another authority.
(e)
(f)
(2) The performance metrics under paragraph (1) shall include the following:
(A) Whom the cyber capability was used against.
(B) The effect of the cyber capability, including whether and how the transfer of the cyber capability improved the operational cyber posture of the United States and achieved operational objectives of the United States, or had no effect.
(C) Such other outcome-based or appropriate performance metrics as the Secretary considers appropriate for evaluating the effectiveness of a pilot program carried out under subsection (a).
(g)
(1) The term "appropriate committees of Congress" means—
(A) the congressional defense committees;
(B) the Committee on Foreign Relations of the Senate; and
(C) Committee on Foreign Affairs of the House of Representatives.
(2) The term "cyber capability" means a device or computer program, including any combination of software, firmware, or hardware, designed to create an effect in or through cyberspace.
(h)
(Added
Editorial Notes
References in Text
The War Powers Resolution, referred to in subsec. (h), is
Amendments
2023—
Subsec. (b)(1)(A).
Subsec. (b)(2).
Subsec. (b)(3).
Subsec. (e).
Subsecs. (f) to (h).
§399. Notifications relating to military operations in the information environment: requirement to notify Chief of Mission
The Secretary may not authorize a military operation in the information environment under this title intended to cause an effect in a country unless the Secretary fully informs the chief of mission for that country under section 207 of the Foreign Service Act of 1980 (
(Added