CHAPTER 345—ACQUISITION OF INFORMATION TECHNOLOGY

        

Editorial Notes

Prior Provisions

A prior chapter 345 "ACQUISITION OF INFORMATION TECHNOLOGY", consisting of reserved section 4571, was repealed by Pub. L. 116–283, div. A, title XVIII, §1857(a), Jan. 1, 2021, 134 Stat. 4276.

Another prior chapter 345 was renumbered chapter 725 of this title.

Statutory Notes and Related Subsidiaries

Guidance on Acquisition of Business Systems

Pub. L. 114–92, div. A, title VIII, §883(e), Nov. 25, 2015, 129 Stat. 947, provided that: "The Secretary of Defense shall issue guidance for major automated information systems acquisition programs to promote the use of best acquisition, contracting, requirement development, systems engineering, program management, and sustainment practices, including—

"(1) ensuring that an acquisition program baseline has been established within two years after program initiation;

"(2) ensuring that program requirements have not changed in a manner that increases acquisition costs or delays the schedule, without sufficient cause and only after maximum efforts to reengineer business processes prior to changing requirements;

"(3) policies to evaluate commercial off-the-shelf business systems for security, resilience, reliability, interoperability, and integration with existing interrelated systems where such system integration and interoperability are essential to Department of Defense operations;

"(4) policies to work with commercial off-the-shelf business system developers and owners in adapting systems for Department of Defense use;

"(5) policies to perform Department of Defense legacy system audits to determine which systems are related to or rely upon the system to be replaced or integrated with commercial off-the-shelf business systems;

"(6) policies to perform full backup of systems that will be changed or replaced by the installation of commercial off-the-shelf business systems prior to installation and deployment to ensure reconstitution of the system to a functioning state should it become necessary;

"(7) policies to engage the research and development activities and laboratories of the Department of Defense to improve acquisition outcomes; and

"(8) policies to refine and improve developmental and operational testing of business processes that are supported by the major automated information systems."

Designation of Military Department Entity Responsible for Acquisition of Critical Cyber Capabilities

Pub. L. 114–92, div. A, title XVI, §1645, Nov. 25, 2015, 129 Stat. 1117, which required the Secretary of Defense to designate an entity within a military department to be responsible for the acquisition of certain critical cyber capabilities, was repealed by Pub. L. 117–263, div. A, title XV, §1509(j), Dec. 23, 2022, 136 Stat. 2890.

Supervision of the Acquisition of Cloud Computing Capabilities

Pub. L. 113–66, div. A, title IX, §938, Dec. 26, 2013, 127 Stat. 835, provided that:

"(a) Supervision.—

"(1) In general.—The Secretary of Defense shall, acting through the Under Secretary of Defense for Acquisition, Technology, and Logistics, the Under Secretary of Defense for Intelligence [now Under Secretary of Defense for Intelligence and Security], the Chief Information Officer of the Department of Defense, and the Chairman of the Joint Requirements Oversight Council, supervise the following:

"(A) Review, development, modification, and approval of requirements for cloud computing solutions for data analysis and storage by the Armed Forces and the Defense Agencies, including requirements for cross-domain, enterprise-wide discovery and correlation of data stored in cloud and non-cloud computing databases, relational and non-relational databases, and hybrid databases.

"(B) Review, development, modification, approval, and implementation of plans for the competitive acquisition of cloud computing systems or services to meet requirements described in subparagraph (A), including plans for the transition from current computing systems to systems or services acquired.

"(C) Development and implementation of plans to ensure that the cloud systems or services acquired pursuant to subparagraph (B) are interoperable and universally accessible and usable through attribute-based access controls.

"(D) Integration of plans under subparagraphs (B) and (C) with enterprise-wide plans of the Armed Forces and the Department of Defense for the Joint Information Environment and the Defense Intelligence Information Environment.

"(2) Direction.—The Secretary shall provide direction to the Armed Forces and the Defense Agencies on the matters covered by paragraph (1) by not later than March 15, 2014.

"(b) Integration With Intelligence Community Efforts.—The Secretary shall coordinate with the Director of National Intelligence to ensure that activities under this section are integrated with the Intelligence Community Information Technology Enterprise in order to achieve interoperability, information sharing, and other efficiencies.

"(c) Limitation.—The requirements of subparagraphs (B), (C), and (D) of subsection (a)(1) shall not apply to a contract for the acquisition of cloud computing capabilities in an amount less than $1,000,000.

"(d) Rule of Construction.—Nothing in this section shall be construed to alter or affect the authorities or responsibilities of the Director of National Intelligence under section 102A of the National Security Act of 1947 (50 U.S.C. 3024)."

§4571. Information technology acquisition: planning and oversight processes

(a) Establishment of Program.—The Secretary of Defense shall establish a program to improve the planning and oversight processes for the acquisition of major automated information systems by the Department of Defense.

(b) Program Components.—The program established under subsection (a) shall include—

(1) a documented process for information technology acquisition planning, requirements development and management, project management and oversight, earned value management, and risk management;

(2) the development of appropriate metrics that can be implemented and monitored on a real-time basis for performance measurement of—

(A) processes and development status of investments in major automated information system programs;

(B) continuous process improvement of such programs; and

(C) achievement of program and investment outcomes;

(3) a process to ensure that key program personnel have an appropriate level of experience, training, and education in the planning, acquisition, execution, management, and oversight of information technology systems;

(4) a process to ensure sufficient resources and infrastructure capacity for test and evaluation of information technology systems;

(5) a process to ensure that military departments and Defense Agencies adhere to established processes and requirements relating to the planning, acquisition, execution, management, and oversight of information technology programs and developments; and

(6) a process under which an appropriate Department of Defense official may intervene or terminate the funding of an information technology investment if the investment is at risk of not achieving major project milestones.

(Added Pub. L. 111–383, div. A, title VIII, §805(a)(1), Jan. 7, 2011, 124 Stat. 4259, §2223a; renumbered §4571 and amended Pub. L. 116–283, div. A, title XVIII, §1857(b), Jan. 1, 2021, 134 Stat. 4276.)

Editorial Notes

Amendments

2021—Pub. L. 116–283, §1857(b)(2), amended section catchline generally. Prior to amendment, section catchline read as follows: "Information technology acquisition planning and oversight requirements".

Pub. L. 116–283, §1857(b)(1), renumbered section 2223a of this title as this section.

Statutory Notes and Related Subsidiaries

Effective Date of 2021 Amendment

Amendment by Pub. L. 116–283 effective Jan. 1, 2022, with additional provisions for delayed implementation and applicability of existing law, see section 1801(d) of Pub. L. 116–283, set out as a note preceding section 3001 of this title.

Policies for Management and Certification of Link 16 Military Tactical Data Link Network

Pub. L. 118–31, div. A, title II, §228, Dec. 22, 2023, 137 Stat. 199, provided that:

"(a) Policies Required.—The Secretary of Defense shall develop and implement policies to adapt Link 16 system management and certification to align with agile development practices.

"(b) Elements.—The policies required by subsection (a) shall include the following:

"(1) A standardized process through a Chairman, Joint Chiefs of Staff Manual, to allow Link 16 frequency use within approved special use airspaces for the purpose of testing radio systems and associated software that have not completed electromagnetic compatibility features certification. Such process—

"(A) shall, at a minimum, ensure routine and continued approval for test operations of developmental systems in the Nevada Test and Training Range, Restricted Area 2508, Warning Area 151/470, Warning Area 386, and the Joint Pacific Alaska Range Complex; and

"(B) may incorporate standardized mitigations that enable routine approval including effective radiated power settings and coordination for rapid test termination.

"(2) Processes to streamline approval or denial of temporary frequency assignment for Link 16 operations to not more than 15 days for test, training, and large-scale exercises. In developing such processes, the Secretary of Defense—

"(A) shall ensure that the processes cover operations in excess of uncoordinated operations time slot duty factor limits, inclusion of foreign participants, and participation of non-stage 4 approved terminals or platforms; and

"(B) consider delegating sole authority for temporary frequency assignment to the Department of Defense and the automation of decision-making processes relating to such assignments.

"(3) Delegation of authority to the system manager for Link 16 to determine when new software within Department of Defense Link 16 terminals affects electromagnetic compatibility features and requires recertification.

"(4) The self-certification by the Department of Defense of the compliance of the Department's radios with electromagnetic compatibility features.

"(5) Processes to internally manage Link 16 uncoordinated operations that enable approval for test, training, and exercises that does not exceed 15 days for systems holding an active radio frequency authorization or temporary frequency assignment.

"(c) Information to Congress.—Not later than 180 days after the date of the enactment of this Act [Dec. 22, 2023], the Secretary of Defense shall provide to the congressional defense committees—

"(1) a briefing on the policies developed under subsection (a), along with a timeline for implementation of such policies; and

"(2) a list of such additional resources or authorities as the Secretary determines may be required to implement such policies.

"(d) Testing Required.—

"(1) In general.—In conjunction with the development of the policies required under subsection (a), the Secretary of Defense shall conduct, sponsor, or review testing and analysis that determines if any effects on air traffic systems are possible due to Link 16 terminals which have not completed electromagnetic compatibility features certification and quantifies any such effects. Such testing shall evaluate Link 16 transmission within plus or minus 7 megahertz of the 1030 and 1090 megahertz frequency bands to determine if effects on air traffic systems are possible, under what conditions such effects could occur, and the impact of such effects.

"(2) Report.—Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the results of the testing conducted under paragraph (1), with an emphasis on procedures that the Secretary intends to implement to negate harmful effects on air traffic from the use of Link 16 terminals or platforms that have not completed electromagnetic compatibility features certification, within special use airspace."

Requirements for Deployment of Fifth Generation Information and Communications Capabilities to Military Installations and Other Department Facilities

Pub. L. 118–31, div. A, title XV, §1526, Dec. 22, 2023, 137 Stat. 557, provided that:

"(a) Requirements.—

"(1) Strategy for private wireless networks.—Not later than 120 days after the date of the enactment of this Act [Dec. 22, 2023], the Secretary of Defense shall develop and implement a strategy for deploying to military installations and other facilities of the Department of Defense private wireless networks that are—

"(A) based on fifth generation information and communications capabilities and Open Radio Access Network architecture; and

"(B) tailored to the mission, security, and performance requirements of the respective military installation or other facility.

"(2) Process for public wireless network service providers.—

"(A) Establishment.—The Secretary shall establish a Department-wide process under which a public wireless network service provider of fifth generation information and communications capabilities may gain access to a military installation or other facility of the Department to provide commercial subscriber services to military and civilian personnel of the Department (including contractor personnel) located at, and organizational elements of the Department maintained at, such installation or facility.

"(B) Design requirements.—In establishing the process under subparagraph (A), the Secretary shall ensure relevant system architectures and supporting infrastructure are designed to support modular upgrades to future generation technologies.

"(3) Determination relating to contract authority.—The Secretary shall determine, on a contract-by-contract basis or as a determination with uniform applicability to contracts across military installations and other facilities of the Department, whether to enter into a contract for—

"(A) neutral hosting, under which infrastructure and services would be provided to companies deploying private wireless networks and public wireless network services to such installation or other facility through multi-operator core network architectures; or

"(B) separate private wireless network and public wireless network infrastructure at such installation or other facility (which shall include a determination by the Secretary on how to establish roaming agreements and policies between such networks).

"(4) Briefing.—Not later than 150 days after the date of the enactment of this Act, the Secretary shall provide to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a briefing on the strategy developed under paragraph (1) and any other activity carried out pursuant to this subsection.

"(b) International Cooperation Activities.—The Secretary, using existing authorities available to the Secretary, may engage in cooperation activities with foreign allies and partners of the United States to—

"(1) improve the implementation of the strategy under subsection (a)(1); and

"(2) inform the deployment of private wireless networks to military installations and other facilities of the Department pursuant to such strategy.

"(c) Open Radio Access Network Architecture Defined.—In this section, the term 'Open Radio Access Network architecture' means a network architecture that is modular, uses open interfaces, and virtualizes functionality on commodity hardware through software."

Target Date for Deployment of 5G Wireless Broadband Infrastructure at All Military Installations

Pub. L. 117–263, div. A, title II, §221, Dec. 23, 2022, 136 Stat. 2478, provided that:

"(a) Target Required.—Not later than July 30, 2023, the Secretary of Defense shall—

"(1) establish a target date by which the Secretary plans to deploy 5G wireless broadband infrastructure at all military installations; and

"(2) establish metrics, which shall be identical for each of the military departments, to measure progress toward reaching the target required by paragraph (1).

"(b) Annual Report.—Not later than December 31, 2023, and on an annual basis thereafter until the date specified in subsection (c), the Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report that includes—

"(1) the metrics in use pursuant to subsection (a)(2); and

"(2) the progress of the Secretary in reaching the target required by subsection (a)(1).

"(c) Termination.—The requirement to submit annual reports under subsection (b) shall terminate on the date that is five years after the date of the enactment of this Act [Dec. 23, 2022]."

Pilot Programs for Deployment of Telecommunications Infrastructure To Facilitate 5G Deployment on Military Installations

Pub. L. 117–81, div. A, title II, §233, Dec. 27, 2021, 135 Stat. 1614, provided that:

"(a) Plans.—

"(1) In general.—Not later than 180 days after enactment of this Act [Dec. 27, 2021], each Secretary of a military department shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a plan for a pilot program for the deployment of telecommunications infrastructure to facilitate the availability of fifth-generation wireless telecommunications services on military installations under the jurisdiction of the Secretary.

"(2) Plan elements.—Each plan submitted under paragraph (1) by a Secretary of a military department shall include, with respect to such military department, the following:

"(A) A list of military installations at which the pilot program will be carried out, including at least one military installation of the department.

"(B) A description of authorities that will be used to execute the pilot program.

"(C) A timeline for the implementation and duration of the pilot program.

"(D) The identity of each telecommunication carrier that intends to use the telecommunications infrastructure deployed pursuant to the pilot to provide fifth-generation wireless telecommunication services at each of the military installations listed under subparagraph (A).

"(E) An assessment of need for centralized processes and points of contacts to facilitate deployment of the telecommunications infrastructure.

"(b) Pilot Programs Required.—Not later than one year after the date of the enactment of this Act, each Secretary of a military department shall establish a pilot program in accordance with the plan submitted by the Secretary under subsection (a)(1).

"(c) Reports.—

"(1) In general.—Not later than 180 days after the date on which a Secretary of a military department commences a pilot program under subsection (b), and not less frequently than once every 180 days thereafter until the completion of the pilot program, the Secretary shall submit to the congressional defense committees a report on the pilot program.

"(2) Contents.—Each report submitted under paragraph (1) for a pilot program shall include the following:

"(A) A description of the status of the pilot program at each military installation at which the pilot program is carried out.

"(B) A description of the use of, and services provided by, telecommunications carriers of the telecommunications infrastructure at each military installation under the pilot program.

"(C) Such additional information as the Secretary of the military department considers appropriate.

"(d) Telecommunications Infrastructure Defined.—In this section, the term 'telecommunications infrastructure' includes, at a minimum, the following:

"(1) Macro towers.

"(2) Small cell poles.

"(3) Distributed antenna systems.

"(4) Dark fiber.

"(5) Power solutions."

Legacy Information Technologies and Systems Accountability

Pub. L. 117–81, div. A, title XV, §1522, Dec. 27, 2021, 135 Stat. 2041, provided that:

"(a) In General.—Not later than 270 days after the date of the enactment of this Act [Dec. 27, 2021], the Secretaries of the Army, Navy, and Air Force shall each initiate efforts to identify legacy applications, software, and information technology within their respective Departments and eliminate any such application, software, or information technology that is no longer required.

"(b) Specifications.—To carry out subsection (a), that Secretaries of the Army, Navy, and Air Force shall each document the following:

"(1) An identification of the applications, software, and information technologies that are considered active or operational, but which are judged to no longer be required by the respective Department.

"(2) Information relating to the sources of funding for the applications, software, and information technologies identified pursuant to paragraph (1).

"(3) An identification of the senior official responsible for each such application, software, or information technology.

"(4) A plan to discontinue use and funding for each such application, software, or information technology.

"(c) Exemption.—Any effort substantially similar to that described in subsections (a) and (b) that is being carried out by the Secretary of the Army, Navy, or Air Force as of the date of the enactment of this Act and completed not later 180 days after such date shall be treated as satisfying the requirements under such subsections.

"(d) Report.—Not later than 270 days after the date of the enactment of this Act, the Secretaries of the Army, Navy, and Air Force shall each submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] the documentation required under subsection (b)."

Governance of Fifth-Generation Wireless Networking in the Department of Defense

Pub. L. 116–283, div. A, title II, §224, Jan. 1, 2021, 134 Stat. 3472, provided that:

"(a) Transition of 5G Wireless Networking to Operational Use.—

"(1) Transition plan required.—The Under Secretary of Defense for Research and Engineering, in consultation with the cross functional team established under subsection (c), shall develop a plan to transition fifth-generation (commonly known as '5G') wireless technology to operational use within the Department of Defense.

"(2) Elements.—The transition plan under paragraph (1) shall include the following:

"(A) A timeline for the transition of responsibility for 5G wireless networking to the Chief Information Officer, as required under subsection (b)(1).

"(B) A description of the roles and responsibilities of the organizations and elements of the Department of Defense with respect to the acquisition, sustainment, and operation of 5G wireless networking for the Department, as determined by the Secretary of Defense in accordance with subsection (d).

"(3) Interim briefing.—Not later than March 31, 2021[,] the Secretary of Defense shall provide to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a briefing on the status of the plan required under paragraph (1).

"(4) Final report.—Not later than September 30, 2021, the Secretary of Defense shall submit to the congressional defense committees a report that includes the plan developed under paragraph (1).

"(b) Senior Official for 5G Wireless Networking.—

"(1) Designation of chief information officer.—Not later than October 1, 2023, the Secretary of Defense shall designate the Chief Information Officer as the senior official within Department of Defense with primary responsibility for—

"(A) policy, oversight, guidance, research, and coordination on matters relating to 5G wireless networking; and

"(B) making proposals to the Secretary on governance, management, and organizational policy for 5G wireless networking.

"(2) Role of under secretary of defense for research and engineering.—The Under Secretary of Defense for Research and Engineering shall carry out the responsibilities specified in paragraph (1) until the date on which the Secretary of Defense designates the Chief Information Officer as the senior official responsible for 5G wireless networking under such paragraph.

"(c) Cross-functional Team for 5G Wireless Networking.—

"(1) Establishment.—Using the authority provided under section 911(c) of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328; 10 U.S.C. 111 note), the Secretary of Defense shall establish a cross-functional team for 5G wireless networking.

"(2) Duties.—The duties of the cross-functional team established under paragraph (1) shall be—

"(A) to assist the Secretary of Defense in determining the roles and responsibilities of the organizations and elements of the Department of Defense with respect to the acquisition, sustainment, and operation of 5G wireless networking, as required under subsection (d);

"(B) to assist the senior official responsible for 5G wireless networking in carrying out the responsibilities assigned to such official under subsection (b);

"(C) to oversee the implementation of the strategy developed under section 254 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116–92; 10 U.S.C. 2223a note [now 10 U.S.C. 4571 note]) for harnessing 5G wireless networking technologies, coordinated across all relevant elements of the Department;

"(D) to advance the adoption of commercially available, next-generation wireless communication technologies, capabilities, security, and applications by the Department and the defense industrial base; and

"(E) to support public-private partnerships between the Department and industry on matters relating to 5G wireless networking;

"(F) to coordinate research and development, implementation and acquisition activities, warfighting concept development, spectrum policy, industrial policy and commercial outreach and partnership relating to 5G wireless networking in the Department, and interagency and international engagement;

"(G) to integrate the Department's 5G wireless networking programs and policies with major initiatives, programs, and policies of the Department relating to secure microelectronics and command and control; and

"(H) to oversee, coordinate, execute, and lead initiatives to advance 5G wireless network technologies and associated applications developed for the Department.

"(3) Team leader.—The Under Secretary of Defense for Research and Engineering shall lead the cross-functional team established under paragraph (1) until the date on which the Secretary of Defense designates the Chief Information Officer as the senior official responsible for 5G wireless networking as required under subsection (b)(1). Beginning on the date of such designation, the Chief Information Officer shall lead the cross functional team.

"(d) Determination of Organizational Roles and Responsibilities.—The Secretary of Defense, acting through the cross-functional team established under subsection (c), shall determine the roles and responsibilities of the organizations and elements of the Department of Defense with respect to the acquisition, sustainment, and operation of 5G wireless networking for the Department, including the roles and responsibilities of the Office of the Secretary of Defense, the intelligence components of the Department, Defense Agencies and Department of Defense Field Activities, the Armed Forces, combatant commands, and the Joint Staff.

"(e) Briefing.—Not later than 90 days after the date of the enactment of this Act [Jan. 1, 2021], the Secretary of Defense shall submit to the congressional defense committees a briefing on the progress of the Secretary in—

"(1) establishing the cross-functional team under subsection (c); and

"(2) determining the roles and responsibilities of the organizations and elements of the Department of Defense with respect to 5G wireless networking as required under subsection (d).

"(f) 5G Procurement Decisions.—Each Secretary of a military department shall be responsible for decisions relating to the procurement of 5G wireless technology for that department.

"(g) Telecommunications Security Program.—

"(1) Program required.—The Secretary of Defense shall carry out a program to identify and mitigate vulnerabilities in the 5G telecommunications infrastructure of the Department of Defense.

"(2) Elements.—In carrying out the program under paragraph (1), the Secretary shall—

"(A) develop a capability to communicate clearly and authoritatively about threats by foreign adversaries;

"(B) conduct independent red-team security analysis of systems, subsystems, devices, and components of the Department of Defense including no-knowledge testing and testing with limited or full knowledge of expected functionalities;

"(C) verify the integrity of personnel who are tasked with design fabrication, integration, configuration, storage, test, and documentation of noncommercial 5G technology to be used by the Department;

"(D) verify the efficacy of the physical security measures used at Department locations where system design, fabrication, integration, configuration, storage, test, and documentation of 5G technology occurs;

"(E) direct the Chief Information Officer to assess, using existing government evaluation models and schema where applicable, 5G core service providers whose services will be used by the Department through the Department's provisional authorization process; and

"(F) direct the Defense Information Systems Agency and the United States Cyber Command to develop a capability for continuous, independent monitoring of non-commercial, government-transiting packet streams for 5G data on frequencies assigned to the Department to validate the availability, confidentiality, and integrity of the Department's communications systems.

"(3) Implementation plan.—Not later than 90 days after the date of the enactment of this Act [Jan. 1, 2021], the Secretary of Defense shall submit to Congress a plan for the implementation of the program under paragraph (1).

"(4) Report.—Not later than 270 days after submitting the plan under paragraph (3), the Secretary of Defense shall submit to Congress a report that includes—

"(A) a comprehensive assessment of the findings and conclusions of the program under paragraph (1);

"(B) recommendations on how to mitigate vulnerabilities in the telecommunications infrastructure of the Department of Defense; and

"(C) an explanation of how the Department plans to implement such recommendations.

"(h) Rule of Construction.—

"(1) In general.—Nothing in this section shall be construed as providing the Chief Information Officer immediate responsibility for the activities of the Department of Defense in fifth-generation wireless networking experimentation and science and technology development.

"(2) Purview of experimentation and science and technology development.—The activities described in paragraph (1) shall remain within the purview of the Under Secretary of Defense for Research and Engineering, but shall inform and be informed by the activities of the cross-functional team established pursuant to subsection (c)."

Demonstration Project on Use of Certain Technologies for Fifth-Generation Wireless Networking Services

Pub. L. 116–283, div. A, title II, §225, Jan. 1, 2021, 134 Stat. 3475, provided that:

"(a) Demonstration Project.—The Secretary of Defense shall carry out a demonstration project to evaluate the maturity, performance, and cost of covered technologies to provide additional options for providers of fifth-generation wireless network services.

"(b) Location.—The Secretary of Defense shall carry out the demonstration project under subsection (a) in at least one location where the Secretary plans to deploy a fifth-generation wireless network.

"(c) Coordination.—The Secretary shall carry out the demonstration project under subsection (a) in coordination with at least one major wireless network service provider based in the United States.

"(d) Covered Technologies Defined.—In this section, the term 'covered technologies' means—

"(1) a disaggregated or virtualized radio access network and core in which components can be provided by different vendors and interoperate through open protocols and interfaces, including those protocols and interfaces utilizing the Open Radio Access Network (commonly known as 'Open RAN' or 'oRAN') approach; and

"(2) one or more massive multiple-input, multiple-output radio arrays, provided by one or more companies based in the United States, that have the potential to compete favorably with radios produced by foreign companies in terms of cost, performance, and efficiency."

Pilot Program on the Use of Consumption-Based Solutions To Address Software-Intensive Warfighting Capability

Pub. L. 116–283, div. A, title VIII, §834, Jan. 1, 2021, 134 Stat. 3754, provided that:

"(a) In General.—Subject to the availability of appropriations, the Secretary of Defense is authorized to establish a pilot program to explore the use of consumption-based solutions to address software-intensive warfighting capability.

"(b) Selection of Initiatives.—Each Secretary of a military department and each commander of a combatant command with acquisition authority shall propose for selection by the Secretary of Defense for the pilot program at least one and not more than three initiatives that are well-suited to explore consumption-based solutions, to include addressing software-intensive warfighting capability. The initiatives may be new or existing programs of record, and may include applications that—

"(1) rapidly analyze sensor data;

"(2) secure warfighter networks, including multilevel security;

"(3) swiftly transport information across various networks and network modalities;

"(4) enable joint all-domain operational concepts, including in a contested environment; or

"(5) advance military capabilities and effectiveness.

"(c) Requirements.—A contract or other agreement for consumption-based solutions entered into under the pilot program shall require—

"(1) the effectiveness of the solution to be measurable at regular intervals customary for the type of solution provided under contract or other agreement; and

"(2) that the awardee notify the Secretary of Defense when consumption under the contract or other agreement reaches 75 percent and 90 percent of the funded amount, respectively, of the contract or other agreement.

"(d) Exemption.—A modification to a contract or other agreement entered into under this section to add new features or capabilities in an amount less than or equal to 25 percent of the total value of such contract or other agreement shall be exempt from the requirements of full and open competition (as defined in section 2302 of title 10, United States Code [see 10 U.S.C. 3011]).

"(e) Duration.—The duration of a contract or other agreement entered into under this section may not exceed three years.

"(f) Monitoring and Evaluation of Pilot Program.—The Director of Cost Assessment and Program Evaluation shall continuously monitor and evaluate the pilot program, including by collecting data on cost, schedule, and performance from the program office, the user community, and the awardees involved in the program.

"(g) Reports.—

"(1) Initial report.—Not later than May 15, 2021, the Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on initiatives selected for the pilot program, roles, and responsibilities for implementing the program, and the monitoring and evaluation approach that will be used for the program.

"(2) Progress report.—Not later than October 15, 2021, the Secretary of Defense shall submit to the congressional defense committees a report on the progress of the initiatives selected for the pilot program.

"(3) Final report.—Not later than 3 years after the date of the enactment of this Act [Jan. 1, 2021], the Secretary of Defense shall submit to the congressional defense committees a report on the cost, schedule, and performance outcomes of the initiatives carried out under the pilot program. The report shall also include lessons learned about the use of consumption-based solutions for software-intensive capabilities and any recommendations for statutory or regulatory changes to facilitate the use of such solutions.

"(h) Consumption-based Solution Defined.—In this section, the term 'consumption-based solution' means any combination of software, hardware or equipment, and labor or services that provides a seamless capability that is metered and billed based on actual usage and predetermined pricing per resource unit, and includes the ability to rapidly scale capacity up or down."

Balancing Security and Innovation in Software Development and Acquisition

Pub. L. 116–283, div. A, title VIII, §835, Jan. 1, 2021, 134 Stat. 3755, provided that:

"(a) Requirements for Solicitations of Commercial and Developmental Solutions.—The Under Secretary of Defense for Acquisition and Sustainment, in coordination with the Chief Information Officer of the Department of Defense, shall develop requirements for appropriate software security criteria to be included in solicitations for commercial and developmental solutions and the evaluation of bids submitted in response to such solicitations, including a delineation of what processes were or will be used for a secure software development life cycle. Such requirements shall include—

"(1) establishment and enforcement of secure coding practices;

"(2) management of supply chain risks and third-party software sources and component risks;

"(3) security of the software development environment;

"(4) secure deployment, configuration, and installation processes; and

"(5) an associated vulnerability management plan and identification of tools that will be applied to achieve an appropriate level of security.

"(b) Security Review of Code.—The Under Secretary of Defense for Acquisition and Sustainment, in coordination with the Chief Information Officer of the Department of Defense, shall develop—

"(1) procedures for the security review of code; and

"(2) other procedures necessary to fully implement the pilot program required under section 875 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 10 U.S.C. 2223 note).

"(c) Coordination With Cybersecurity Acquisition Policy Efforts.—The Under Secretary of Defense for Acquisition and Sustainment shall develop the requirements and procedures described under subsections (a) and (b) in coordination with the efforts of the Department of Defense to develop new cybersecurity and program protection policies and guidance that are focused on cybersecurity in the context of acquisition and program management and on safeguarding information."

Establishment of Secure Next-Generation Wireless Network (5G) Infrastructure for the Nevada Test and Training Range and Base Infrastructure

Pub. L. 116–92, div. A, title II, §226, Dec. 20, 2019, 133 Stat. 1269, provided that:

"(a) Establishment Required.—Not later than one year after the date of the enactment of this Act [Dec. 20, 2019], the Secretary of Defense shall establish secure fifth-generation wireless network components and capabilities at no fewer than two Department of Defense installations in accordance with this section.

"(b) Installations.—

"(1) Locations.—The Secretary shall establish components and capabilities under subsection (a) at the following:

"(A) The Nevada Test and Training Range, which shall serve as a Major Range and Test Facility Base (MRTFB) for fifth-generation wireless networking.

"(B) Such Department installations or other installations as the Secretary considers appropriate for the purpose set forth in paragraph (2).

"(2) Purpose.—The purpose of the establishment of components and capabilities under subsection (a) at the locations described in paragraph (1) of this subsection is to demonstrate the following:

"(A) The potential military utility of high bandwidth, scalable, and low latency fifth-generation wireless networking technology.

"(B) Advanced security technology that is applicable to fifth-generation networks as well as legacy Department command and control networks.

"(C) Secure interoperability with fixed and wireless systems (legacy and future systems).

"(D) Enhancements such as spectrum and waveform diversity, frequency hopping and spreading, and beam forming for military requirements.

"(E) Technology for dynamic network slicing for specific use cases and applications requiring varying levels of latency, scale, and throughput.

"(F) Technology for dynamic spectrum sharing and network isolation.

"(G) Base infrastructure installation of high bandwidth, scalable, and low latency fifth-generation wireless networking technology.

"(H) Applications for secure fifth-generation wireless network capabilities for the Department, such as the following:

"(i) Interactive augmented reality or synthetic training environments.

"(ii) Internet of things devices.

"(iii) Autonomous systems.

"(iv) Advanced manufacturing through the following:

     "(I) Department-sponsored centers for manufacturing innovation (as defined in section 34(c) of the National Institute of Standards and Technology Act (15 U.S.C. 278s(c))).

     "(II) Department research and development organizations.

     "(III) Manufacturers in the defense industrial base of the United States."

Digital Engineering Capability To Automate Testing and Evaluation

Pub. L. 116–92, div. A, title II, §231, Dec. 20, 2019, 133 Stat. 1274, provided that:

"(a) Digital Engineering Capability.—

"(1) In general.—The Secretary of Defense shall establish a digital engineering capability to be used—

"(A) for the development and deployment of digital engineering models for use in the defense acquisition process; and

"(B) to provide testing infrastructure and software to support automated approaches for testing, evaluation, and deployment throughout the defense acquisition process.

"(2) Requirements.—The capability developed under subsection (a) shall meet the following requirements:

"(A) The capability will be accessible to, and useable by, individuals throughout the Department of Defense who have responsibilities relating to capability design, development, testing, evaluation, and operation.

"(B) The capability will provide for the development, validation, use, curation, and maintenance of technically accurate digital systems, models of systems, subsystems, and their components, at the appropriate level of fidelity to ensure that test activities adequately simulate the environment in which a system will be deployed.

"(C) The capability will include software to automate testing throughout the program life cycle, including to satisfy developmental test requirements and operational test requirements. Such software may be developed in accordance with the authorities provided under section 800 [of Pub. L. 116–92, set out as a note below], and shall support—

"(i) security testing that includes vulnerability scanning and penetration testing performed by individuals, including threat-based red team exploitations and assessments with zero-trust assumptions; and

"(ii) high-confidence distribution of software to the field on a time-bound, repeatable, frequent, and iterative basis.

"(b) Demonstration Activities.—

"(1) In general.—In developing the capability required under subsection (a), the Secretary of Defense shall carry out activities to demonstrate digital engineering approaches to automated testing that—

"(A) enable continuous software development and delivery;

"(B) satisfy developmental test requirements for the software-intensive programs of the Department of Defense; and

"(C) satisfy operational test and evaluation requirements for such programs.

"(2) Program selection.—Not later than 180 days after the date of the enactment of this Act [Dec. 20, 2019], the Secretary of Defense shall assess and select not fewer than four and not more than ten programs of the Department of Defense to participate in the demonstration activities under paragraph (1), including—

"(A) at least one program participating in the pilot program authorized under section 873 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 10 U.S.C. 2223a note [now former 10 U.S.C. 4571 note]);

"(B) at least one program participating in the pilot program authorized under section 874 of such Act (Public Law 115–91; 10 U.S.C. 2302 note);

"(C) at least one major defense acquisition program (as defined in section 2430 of title 10, United States Code [now 10 U.S.C. 4201]);

"(D) at least one command and control program;

"(E) at least one defense business system (as defined in section 2222(i) of title 10, United States Code); and

"(F) at least one program from each military service.

"(3) Additional requirements.—As part of the demonstration activities under paragraph (1), the Secretary shall—

"(A) conduct a comparative analysis that assesses the risks and benefits of the digital engineering supported automated testing approaches of the programs participating in the demonstration activities relative to traditional testing approaches that are not supported by digital engineering;

"(B) ensure that the intellectual property strategy for each of the programs participating in the demonstration activities is best aligned to meet the goals of the program; and

"(C) develop a workforce and infrastructure plan to support any new policies and guidance implemented in connection with the demonstration activities, including any policies and guidance implemented after the completion of such activities.

"(c) Policies and Guidance Required.—Not later than one year after the date of the enactment of this Act [Dec. 20, 2019], based on the results of the demonstration activities carried out under subsection (b), the Secretary of Defense shall issue or modify policies and guidance to—

"(1) promote the use of digital engineering capabilities for development and for automated testing; and

"(2) address roles, responsibilities, and procedures relating to such capabilities.

"(d) Steering Committee.—

"(1) In general.—The Secretary of Defense shall establish a steering committee to assist the Secretary in carrying out subsections (a) through (c).

"(2) Membership.—The steering committee shall be composed of the following members or their designees:

"(A) The Under Secretary of Defense for Research and Engineering.

"(B) The Under Secretary of Defense for Acquisition and Sustainment.

"(C) The Chief Information Officer.

"(D) The Director of Operational Test and Evaluation.

"(E) The Director of Cost Assessment and Program Evaluation.

"(F) The Service Acquisition Executives.

"(G) The Service testing commands.

"(H) The Director of the Defense Digital Service.

"(e) Reports Required.—

"(1) Implementation.—Not later than March 15, 2020, the Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the progress of the Secretary in implementing subsections (a) through (c). The report shall include an explanation of how the results of the demonstration activities carried out under subsection (b) will be incorporated into the policy and guidance required under subsection (c), particularly the policy and guidance of the members of the steering committee established under subsection (d).

"(2) Legislative recommendations.—Not later than October 15, 2020, the Secretary of Defense shall provide to the congressional defense committees a briefing that identifies any changes to existing law that may be necessary to facilitate the implementation of subsections (a) through (c).

"(f) Independent Assessment.—

"(1) In general.—Not later than March 15, 2021, the Defense Innovation Board and the Defense Science Board shall jointly complete an independent assessment of the progress of the Secretary in implementing subsections (a) through (c). The Secretary of Defense shall ensure that the Defense Innovation Board and the Defense Science Board have access to the resources, data, and information necessary to complete the assessment.

"(2) Information to congress.—Not later than 30 days after the date on which the assessment under paragraph (1) is completed, the Defense Innovation Board and the Defense Science Board shall jointly provide to the congressional defense committees—

"(A) a report summarizing the assessment; and

"(B) a briefing on the findings of the assessment."

Strategy and Implementation Plan for Fifth Generation Information and Communications Technologies

Pub. L. 116–92, div. A, title II, §254, Dec. 20, 2019, 133 Stat. 1287, as amended by Pub. L. 117–263, div. A, title II, §232, Dec. 23, 2022, 136 Stat. 2486, provided that:

"(a) In General.—Not later than 270 days after the date of the enactment of this Act [Dec. 20, 2019], the Secretary of Defense shall develop—

"(1) a strategy for harnessing fifth generation (commonly known as '5G') information and communications technologies to enhance military capabilities, maintain a technological advantage on the battlefield, and accelerate the deployment of new commercial products and services enabled by 5G networks throughout the Department of Defense; and

"(2) a plan for implementing the strategy developed under paragraph (1).

"(b) Elements.—The strategy required under subsection (a) shall include the following elements:

"(1) Adoption and use of secure fourth generation (commonly known as '4G') communications technologies and the transition to advanced and secure 5G communications technologies for military applications and for military infrastructure.

"(2) Science, technology, research, and development efforts to facilitate the advancement and adoption of 5G technology and new uses of 5G systems, subsystems, and components, including—

"(A) 5G testbeds for developing military and dual-use applications; and

"(B) spectrum-sharing technologies and frameworks.

"(3) Strengthening engagement and outreach with industry, academia, international partners, and other departments and agencies of the Federal Government on issues relating to 5G technology and the deployment of such technology, including development of a common industrial base for secure microelectronics.

"(4) Defense industrial base supply chain risk, management, and opportunities.

"(5) Preserving the ability of the Joint Force to achieve objectives in a contested and congested spectrum environment.

"(6) Strengthening the ability of the Joint Force to conduct full spectrum operations that enhance the military advantages of the United States.

"(7) Securing the information technology and weapon systems of the Department against malicious activity.

"(8) Advancing the deployment of secure 5G networks nationwide.

"(9) Such other matters as the Secretary of Defense determines to be relevant.

"(c) Consultation.—In developing the strategy and implementation plan required under subsection (a), the Secretary of Defense shall consult with the following:

"(1) The Chief Information Officer of the Department of Defense.

"(2) The Under Secretary of Defense for Research and Engineering.

"(3) The Under Secretary of Defense for Acquisition and Sustainment.

"(4) The Under Secretary of Defense for Intelligence [now Under Secretary of Defense for Intelligence and Security].

"(5) Service Acquisition Executives of each military service.

"(d) Periodic Briefings.—

"(1) In general.—Not later than March 15, 2020, and not less frequently than once every three months thereafter through December 1, 2026, the Secretary of Defense shall provide to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a briefing on the development and implementation of the strategy required under subsection (a), including an explanation of how the Department of Defense—

"(A) is using secure 5G wireless network technology;

"(B) is reshaping the Department's policy for producing and procuring secure microelectronics; and

"(C) is working in the interagency and internationally to develop common policies and approaches.

"(2) Elements.—Each briefing under paragraph (1) shall include information on—

"(A) efforts to ensure a secure supply chain for 5G wireless network equipment and microelectronics;

"(B) the continued availability of electromagnetic spectrum for warfighting needs;

"(C) planned implementation of 5G wireless network infrastructure in warfighting networks, base infrastructure, defense-related manufacturing, and logistics;

"(D) steps taken to work with allied and partner countries to protect critical networks and supply chains; and

"(E) such other topics as the Secretary of Defense considers relevant."

Department-Wide Software Science and Technology Strategy

Pub. L. 116–92, div. A, title II, §255, Dec. 20, 2019, 133 Stat. 1288, as amended by Pub. L. 117–81, div. A, title II, §§212(c)(1), 215(d)(10), Dec. 27, 2021, 135 Stat. 1588, 1594, provided that:

"(a) Designation of Senior Official.—Not later than 180 days after the date of the enactment of this Act [Dec. 20, 2019], the Secretary of Defense, acting through the Under Secretary of Defense for Research and Engineering and in consultation with the Under Secretary of Defense for Acquisition and Sustainment and appropriate public and private sector organizations, shall designate a single official or existing entity within the Department of Defense as the official or entity (as the case may be) with principal responsibility for guiding the development of science and technology activities related to next generation software and software reliant systems for the Department, including—

"(1) research and development activities on new technologies for the creation of highly secure, scalable, reliable, time-sensitive, and mission-critical software;

"(2) research and development activities on new approaches and tools to software development and deployment, testing, integration, and next generation software management tools to support the rapid insertion of such software into defense systems;

"(3) foundational scientific research activities to support advances in software;

"(4) technical workforce and infrastructure to support defense science and technology and software needs and mission requirements;

"(5) providing capabilities, including technologies, systems, and technical expertise to support improved acquisition of software reliant business and warfighting systems; and

"(6) providing capabilities, including technologies, systems, and technical expertise to support defense operational missions which are reliant on software.

"(b) Development of Strategy.—The official or entity designated under subsection (a) shall develop a Department-wide strategy for the research and development of next generation software and software reliant systems for the Department of Defense, including strategies for—

"(1) types of software-related activities within the science and technology portfolio of the Department;

"(2) investment in new approaches to software development and deployment, and next generation management tools;

"(3) ongoing research and other support of academic, commercial, and development community efforts to innovate the software development, engineering, and testing process, automated testing, assurance and certification for safety and mission critical systems, large scale deployment, and sustainment;

"(4) to the extent practicable, implementing or continuing the implementation of the recommendations set forth in—

"(A) the final report of the Defense Innovation Board submitted to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] under section 872 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 131 Stat. 1497);

"(B) the final report of the Defense Science Board Task Force on the Design and Acquisition of Software for Defense Systems described in section 868 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115–232; 10 U.S.C. 2223[a] note [now 10 U.S.C. 4571 note]); and

"(C) other relevant studies on software research, development, and acquisition activities of the Department of Defense.

"(5) supporting the acquisition, technology development, testing, assurance, and certification and operational needs of the Department through the development of capabilities, including personnel and research and production infrastructure, and programs in—

"(A) the science and technology reinvention laboratories (as designated under section 4121(b) of title 10, United States Code);

"(B) the facilities of the Major Range and Test Facility Base (as defined in section 2358a(g) of title 10, United States Code [now 10 U.S.C. 4091(f)]);

"(C) the Defense Advanced Research Projects Agency; and

"(D) universities, federally funded research and development centers, and service organizations with activities in software engineering; and

"(6) the transition of relevant capabilities and technologies to relevant programs of the Department, including software-reliant cyber-physical systems, tactical systems, enterprise systems, and business systems.

"(c) Submittal to Congress.—Not later than one year after the date of the enactment of this Act [Dec. 20, 2019], the official or entity designated under subsection (a) shall submit to the congressional defense committees the strategy developed under subsection (b)."

Authority for Continuous Integration and Delivery of Software Applications and Upgrades to Embedded Systems

Pub. L. 116–92, div. A, title VIII, §800, Dec. 20, 2019, 133 Stat. 1478, provided that:

"(a) Software Acquisition and Development Pathways.—The Secretary of Defense shall establish pathways as described under subsection (b) to provide for the efficient and effective acquisition, development, integration, and timely delivery of secure software. Such a pathway shall include the following:

"(1) Use of proven technologies and solutions.—A pathway established under this section shall provide for the use of proven technologies and solutions to continuously engineer and deliver capabilities in software.

"(2) Use of authority.—In using the authority under this section, the Secretary shall consider how such use will—

"(A) initiate the engineering of new software capabilities quickly;

"(B) demonstrate the viability and effectiveness of such capabilities for operational use not later than one year after the date on which funds are first obligated to acquire or develop software; and

"(C) allow for the continuous updating and delivery of new capabilities not less frequently than annually to iteratively meet a requirement.

"(3) Treatment not as major defense acquisition program.—Software acquired or developed using the authority under this section shall not be treated as a major defense acquisition program for purposes of section 2430 of title 10, United States Code [now 10 U.S.C. 4201], or Department of Defense Directive 5000.01 without the specific direction of the Under Secretary of Defense for Acquisition and Sustainment or a Senior Acquisition Executive.

"(4) Risk-based approach.—The Secretary of Defense shall use a risk-based approach for the consideration of innovative technologies and new capabilities for software to be acquired or developed under this authority to meet needs communicated by the Joint Chiefs of Staff and the combatant commanders.

"(b) Pathways.—The Secretary of Defense may establish as many pathways as the Secretary determines appropriate and shall establish the following pathways:

"(1) Applications.—The applications software acquisition pathway shall provide for the use of rapid development and implementation of applications and other software or software improvements operated by the Department of Defense, which may include applications running on commercial commodity hardware (including modified hardware) and commercially available cloud computing platforms.

"(2) Embedded systems.—The embedded systems software acquisition pathway shall provide for the rapid development and insertion of upgrades and improvements for software embedded in weapon systems and other military-unique hardware systems.

"(c) Expedited Process.—

"(1) In general.—A pathway established under subsection (a) shall provide for—

"(A) a streamlined and coordinated requirements, budget, and acquisition process to support rapid fielding of software applications and of software upgrades to embedded systems for operational use in a period of not more than one year from the time that the process is initiated;

"(B) the collection of data on software fielded; and

"(C) continuous engagement with the users of software to support engineering activities, and to support delivery of software for operational use in periods of not more than one year.

"(2) Expedited software requirements process.—

"(A) Inapplicability of joint capabilities integration and development system (jcids) manual.—Software acquisition or development conducted under the authority of this section shall not be subject to the Joint Capabilities Integration and Development System Manual, except pursuant to a modified process specifically provided for the acquisition or development of software by the Vice Chairman of the Joint Chiefs of Staff, in consultation with Under Secretary of Defense for Acquisition and Sustainment and each service acquisition executive (as defined in section 101(a)(10) of title 10, United States Code).

"(B) Inapplicability of defense acquisition system directive.—Software acquisition or development conducted under the authority of this section shall not be subject to Department of Defense Directive 5000.01, except when specifically provided for the acquisition or development of software by the Under Secretary of Defense for Acquisition and Sustainment, in consultation with the Vice Chairman of the Joint Chiefs of Staff and each service acquisition executive.

"(d) Elements.—In implementing a pathway established under the authority of this section, the Secretary shall tailor requirements relating to—

"(1) iterative development of requirements for software to be acquired or developed under the authority of this section through engagement with the user community and through the use of operational user feedback, in order to continuously define and update priorities for such requirements;

"(2) early identification of the warfighter or user need, including the rationale for how software capabilities will support increased lethality and efficiency, and identification of a relevant user community;

"(3) initial contract requirements and format, including the use of summary-level lists of problems and shortcomings in existing software and desired features or capabilities of new or upgraded software;

"(4) continuous refinement and prioritization of contract requirements through use of evolutionary processes, informed by continuous engagement with operational users throughout the development and implementation period;

"(5) continuous consideration of issues related to lifecycle costs, technical data rights, and systems interoperability;

"(6) planning for support of software capabilities in cases where the software developer may stop supporting the software;

"(7) rapid contracting procedures, including expedited timeframes for making awards, selecting contract types, defining teaming arrangements, and defining options;

"(8) program execution processes, including supporting development and test infrastructure, automation and tools, digital engineering, data collection and sharing with Department of Defense oversight organizations and with Congress, the role of developmental and operational testing activities, key decision making and oversight events, and supporting processes and activities (such as independent costing activity, operational demonstration, and performance metrics);

"(9) assurances that cybersecurity metrics of the software to be acquired or developed, such as metrics relating to the density of vulnerabilities within the code of such software, the time from vulnerability identification to patch availability, the existence of common weaknesses within such code, and other cybersecurity metrics based on widely-recognized standards and industry best practices, are generated and made available to the Department of Defense and the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives];

"(10) administrative procedures, including procedures related to who may initiate and approve an acquisition under this authority, the roles and responsibilities of the implementing project or product teams and supporting activities, team selection and staffing process, governance and oversight roles and responsibilities, and appropriate independent technology assessments, testing, and cost estimation (including relevant thresholds or designation criteria);

"(11) mechanisms and waivers designed to ensure flexibility in the implementation of a pathway under this section, including the use of other transaction authority, broad agency announcements, and other procedures; and

"(12) mechanisms the Secretary will use for appropriate reporting to Congress on the use of this authority, including notice of initiation of the use of a pathway and data regarding individual programs or acquisition activities, how acquisition activities are reflected in budget justification materials or requests to reprogram appropriated funds, and compliance with other reporting requirements.

"(e) Guidance Required.—

"(1) In general.—Not later than 90 days after the date of the enactment of this Act [Dec. 20, 2019], the Secretary of Defense shall issue initial guidance to implement the requirements of this section.

"(2) Limitation.—If the Secretary of Defense has not issued final guidance to implement the requirements of this section before October 1, 2021, the Secretary may not use the authority under this section—

"(A) to establish a new pathway to acquire or develop software; or

"(B) to continue activities to acquire or develop software using a pathway established under initial guidance described in paragraph (1).

"(f) Report.—

"(1) In general.—Not later than October 15, 2020, the Under Secretary of Defense for Acquisition and Sustainment, in consultation with the secretaries of the military departments and other appropriate officials, shall report on the use of the authority under this section using the initial guidance issued under subsection (d).

"(2) Elements.—The report required under paragraph (1) shall include the following elements:

"(A) The final guidance required by subsection (d)(2), including a description of the treatment of use of the authority that was initiated before such final guidance was issued.

"(B) A summary of how the authority under this section has been used, including a list of the cost estimate, schedule for development, testing and delivery, and key management risks for each initiative conducted pursuant to such authority.

"(C) Accomplishments from and challenges to using the authority under this section, including organizational, cultural, talent, infrastructure, testing, and training considerations.

"(D) Recommendations for legislative changes to the authority under this section.

"(E) Recommendations for regulatory changes to the authority under this section to promote effective development and deployment of software acquired or developed under this section."

Reorientation of Big Data Platform Program

Pub. L. 116–92, div. A, title XVI, §1651, Dec. 20, 2019, 133 Stat. 1759, as amended by Pub. L. 116–283, div. A, title XVII, §1709(a), Jan. 1, 2021, 134 Stat. 4086, provided that:

"(a) Reorientation of Program.—

"(1) In general.—Not later than January 1, 2021, the Secretary of Defense shall—

"(A) reorient the Big Data Platform program as specified in this section; and

"(B) align the reorientation effort under an existing line of effort of the Cyber Strategy of the Department of Defense.

"(2) Oversight of implementation.—The Secretary shall act through the Principal Cyber Advisor and the supporting Cross Functional Team in the oversight of the implementation of paragraph (1).

"(b) Common Baseline and Security Classification Scheme.—

"(1) In general.—Not later than January 1, 2021, the Secretary shall establish a common baseline and security classification scheme for the collection, storage, processing, querying, analysis, and accessibility of a common and comprehensive set of metadata from sensors, applications, appliances, products, and systems deployed across the Department of Defense Information Network (DODIN) to enable the discovery, tracking, and remediation of cybersecurity threats.

"(2) Requirements.—In carrying out paragraph (1), the Secretary shall—

"(A) take such actions as the Secretary considers necessary to standardize deployed infrastructure, including the Department of Defense's perimeter capabilities at the Internet Access Points, the Joint Regional Security Stacks, or other approved solutions, and the routing of data laterally and vertically from Department of Defense Information Network segments and tiers, to enable standard and comprehensive metadata collection;

"(B) take such actions as the Secretary considers necessary to standardize deployed cybersecurity applications, products, and sensors and the routing of data laterally and vertically from Department of Defense Information Network segments and tiers, to enable standard and comprehensive metadata collection;

"(C) develop an enterprise-wide architecture and strategy for—

"(i) where to place sensors or extract data from network information technology, operational technology, and cybersecurity appliances, applications, products, and systems for cybersecurity purposes;

"(ii) which metadata data records should be universally sent to Big Data Platform instances and which metadata data records, if any, should be locally retained; and

"(iii) expeditiously and efficiently transmitting metadata records to the Big Data Platform instances, including the acquisition and installation of further data bandwidth;

"(D) determine the appropriate number, organization, and functions of separate Big Data Platform instances, and whether the Big Data Platform instances that are currently managed by Department of Defense components, including the military services, should instead be jointly and regionally organized, or terminated;

"(E) determine the appropriate roles of the Defense Information Systems Agency's Acropolis, United States Cyber Command's Scarif, and any similar Big Data Platforms as enterprise-wide real-time cybersecurity situational awareness capabilities or as complements or replacements for component level Big Data Platform instances;

"(F) ensure that all Big Data Platform instances are engineered and approved to enable standard access and expeditious query capabilities by the Unified Platform, the network defense service providers, and the Cyber Mission Forces, with centrally managed authentication and authorization services;

"(G) prohibit and remove barriers to information sharing, distributed query, data analysis, and collaboration across Big Data Platform instances, such as incompatible interfaces, interconnection service agreements, and the imposition of accreditation boundaries;

"(H) transition all Big Data Platform instances to a cloud computing environment in alignment with the cloud strategy of the Chief Information Officer of the Department of Defense;

"(I) consider whether packet capture databases should continue to be maintained separately from the Big Data Platform instances, managed at the secret level of classification, and treated as malware-infected when the packet data are copies of packets extant in the Department of Defense Information Network;

"(J) in the case that the Secretary decides to sustain the status quo on packet capture databases, ensure that analysts operating on or from the Unified Platform, the Big Data Platform instances, the network defense services providers, and the Cyber Mission Forces can directly access packets and query the database; and

"(K) consider whether the Joint Artificial Intelligence Center's cybersecurity artificial intelligence national mission initiative, and any other similar initiatives, should include an application for the metadata residing in the Big Data Platform instances.

"(c) Limit on Data and Data Indexing Schema.—The Secretary shall ensure that the Unified Platform and the Big Data Platform programs achieve data and data indexing schema standardization and integration to ensure interoperability, access, and sharing by and between Big Data Platform and other data sources and stores.

"(d) Analytics and Application Sourcing and Collaboration.—The Secretary shall ensure that the services, U.S. Cyber Command, and Defense Information Systems Agency—

"(1) seek advanced analytics and applications from Government and commercial sources that can be executed on the deployed Big Data Platform architecture; and

"(2) collaborate with vendors offering commercial analytics and applications, including support to refactoring commercial capabilities to the Government platform where industry can still own the intellectual property embedded in the analytics and applications.

"(e) Briefing Required.—Not later than 180 days after the date of the enactment of this Act [Dec. 20, 2019] and not less frequently than once every 180 days thereafter until the activities required by subsection (a)(1) are completed, the Secretary shall brief the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] on the activities of the Secretary in carrying out subsection (b).

"(f) Applicability.—The requirements of this section shall apply in full to the Department of the Navy, including the Sharkcage and associated programs."

[Reference to Joint Artificial Intelligence Center, referred to in subsec. (b)(2)(K) of section 1651 of Pub. L. 116–92, set out above, deemed to refer to the office of the official designated under section 238(b) of Pub. L. 115–232, see section 212(m) of Pub. L. 117–263, set out as a note preceding section 4061 of this title (in a bracketed note following section 238 of Pub. L. 115–232).]

Policy Regarding the Transition of Data and Applications to the Cloud

Pub. L. 116–92, div. A, title XVII, §1755, Dec. 20, 2019, 133 Stat. 1854, provided that:

"(a) Policy Required.—Not later than 180 days after the date of the enactment of this Act [Dec. 20, 2019], the Chief Information Officer of the Department of Defense and the Chief Data Officer of the Department shall, in consultation with the J6 of the Joint Staff and the Chief Management Officer, develop and issue enterprise-wide policy and implementing instructions regarding the transition of data and applications to the cloud under the Department cloud strategy in accordance with subsection (b).

"(b) Design.—The policy required by subsection (a) shall be designed to dramatically improve support to operational missions and management processes, including by the use of artificial intelligence and machine learning technologies, by—

"(1) making the data of the Department available to support new types of analyses;

"(2) preventing, to the maximum extent practicable, the replication in the cloud of data stores that cannot readily be accessed by applications for which the data stores were not originally engineered;

"(3) ensuring that data sets can be readily discovered and combined with others to enable new insights and capabilities; and

"(4) ensuring that data and applications are readily portable and not tightly coupled to a specific cloud infrastructure or platform."

Implementation of Recommendations of the Final Report of the Defense Science Board Task Force on the Design and Acquisition of Software for Defense Systems

Pub. L. 115–232, div. A, title VIII, §868, Aug. 13, 2018, 132 Stat. 1902, provided that:

"(a) Implementation Required.—Not later than 18 months after the date of the enactment of this Act [Aug. 13, 2018], the Secretary of Defense shall, except as provided under subsection (b), commence implementation of each recommendation submitted as part of the final report of the Defense Science Board Task Force on the Design and Acquisition of Software for Defense Systems.

"(b) Exceptions.—

"(1) Delayed implementation.—The Secretary of Defense may commence implementation of a recommendation described under subsection (a) later than the date required under such subsection if the Secretary provides the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] with a specific justification for the delay in implementation of such recommendation.

"(2) Nonimplementation.—The Secretary of Defense may opt not to implement a recommendation described under subsection (a) if the Secretary provides to the congressional defense committees—

"(A) the reasons for the decision not to implement the recommendation; and

"(B) a summary of the alternative actions the Secretary plans to take to address the purposes underlying the recommendation.

"(c) Implementation Plans.—For each recommendation that the Secretary is implementing, or that the Secretary plans to implement, the Secretary shall submit to the congressional defense committees—

"(1) a summary of actions that have been taken to implement the recommendation; and

"(2) a schedule, with specific milestones, for completing the implementation of the recommendation."

Activities and Reporting Relating to Department of Defense's Cloud Initiative

Pub. L. 115–232, div. A, title X, §1064, Aug. 13, 2018, 132 Stat. 1971, provided that:

"(a) Activities Required.—Commencing not later than 90 days after the date of the enactment of this Act [Aug. 13, 2018], the Chief Information Officer of the Department of Defense, acting through the Cloud Executive Steering Group established by the Deputy Secretary of Defense in a directive memorandum dated September 13, 2017, in order to support its Joint Enterprise Defense Infrastructure initiative to procure commercial cloud services, shall conduct certain key enabling activities as follows:

"(1) Develop an approach to rapidly acquire advanced commercial network capabilities, including software-defined networking, on-demand bandwidth, and aggregated cloud access gateways, through commercial service providers in order—

"(A) to support the migration of applications and systems to commercial cloud platforms;

"(B) to increase visibility of end-to-end performance to enable and enforce service level agreements for cloud services;

"(C) to ensure efficient and common cloud access;

"(D) to facilitate shifting data and applications from one cloud platform to another;

"(E) to improve cybersecurity; and

"(F) to consolidate networks and achieve efficiencies and improved performance;

"(2) Conduct an analysis of existing workloads that would be migrated to the Joint Enterprise Defense Infrastructure, including—

"(A) identifying all of the cloud initiatives across the Department of Defense, and determining the objectives of such initiatives in connection with the intended scope of the Infrastructure;

"(B) identifying all the systems and applications that the Department would intend to migrate to the Infrastructure;

"(C) conducting rationalization of applications to identify applications and systems that may duplicate the processing of workloads in connection with the Infrastructure; and

"(D) as result of such actions, arriving at dispositions about migration or termination of systems and applications in connection with the Infrastructure.

"(b) Report Required.—The Chief Information Officer shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the Department of Defense's Cloud Initiative to manage networks, data centers, and clouds at the enterprise level. Such report shall include each of the following:

"(1) A description [of] the status of completion of the activities required under subsection (a).

"(2) Information relating to the current composition of the Cloud Executive Steering Group and the stakeholders relating to the Department of Defense's Cloud Initiative and associated mission, objectives, goals, and strategy.

"(3) A description of the characteristics and considerations for accelerating the cloud architecture and services required for a global, resilient, and secure information environment.

"(4) Information relating to acquisition strategies and timeline for efforts associated with the Department of Defense's Cloud Initiative, including the Joint Enterprise Defense Infrastructure.

"(5) A description of how the acquisition strategies referred to in paragraph (4) provides [sic] for a full and open competition, enable the Department of Defense to continuously leverage and acquire new cloud computing capabilities, maintain the ability of the Department to leverage other cloud computing vendor products and services, incorporate elements to maintain security, and provide for the best performance, cost, and schedule to meet the cloud architecture and services requirements of the Department for the duration of such contract.

"(6) A detailed description of existing workloads that will be migrated to enterprise-wide cloud infrastructure or platforms as a result of the Department of Defense's Cloud Initiative, including estimated migration costs and timelines, based on the analysis required under subsection (a)(2).

"(7) A description of the program management and program office of the Department of Defense's Cloud Initiative, including the number of personnel, overhead costs, and organizational structure.

"(8) A description of the effect of the Joint Enterprise Defense Infrastructure on and the relationship of such Infrastructure to existing cloud computing infrastructure, platform, and service contracts across the Department of Defense, specifically the effect and relationship to the private cloud infrastructure of the Department, MilCloud 2.0 run by the Defense Information Systems Agency based on the analysis required under subsection (a)(2).

"(9) Information relating to the most recent Department of Defense Cloud Computing Strategy and description of any initiatives to update such Strategy.

"(10) Information relating to Department of Defense guidance pertaining to cloud computing capability or platform acquisition and standards, and a description of any initiatives to update such guidance.

"(11) Any other matters the Secretary of Defense determines relevant.

"(c) Limitation on Use of Funds.—Of the amounts authorized to be appropriated or otherwise made available by this Act [see Tables for classification] for fiscal year 2019 for the Department of Defense's Cloud Initiative, not more than 85 percent may be obligated or expended until the Secretary of Defense submits to the congressional defense committees the report required by subsection (b).

"(d) Limitation on New Systems and Applications.—

"(1) In general.—Except as provided in paragraph (2), the Deputy Secretary shall require that no new system or application will be approved for development or modernization without an assessment that such system or application is already, or can and would be, cloud-hosted.

"(2) Waiver.—The Deputy Secretary may issue a national waiver to the requirement under paragraph (1) if the Deputy Secretary determines, pursuant to the assessment described in such paragraph, that the requirement would adversely affect the national security of the United States. If the Deputy Secretary issues a waiver under this paragraph, the Deputy Secretary shall provide to the congressional defense committees a written notification of such waiver, justification for the waiver, and identification of the system or application to which the waiver applies by not later than 15 days after the date on which the waiver is issued.

"(e) Transparency and Competition.—The Deputy Secretary shall ensure that the acquisition approach of the Department continues to follow the Federal Acquisition Regulation with respect to competition."

Pilot Program To Use Agile or Iterative Development Methods To Tailor Major Software-Intensive Warfighting Systems and Defense Business Systems

Pub. L. 115–232, div. A, title VIII, §869(a)–(d), Aug. 13, 2018, 132 Stat. 1902, 1903, provided that the Secretary of Defense was to include certain systems in the pilot program to use agile or iterative development methods pursuant to section 873 of Pub. L. 115–91, formerly set out below.

Pub. L. 115–91, div. A, title VIII, §873, Dec. 12, 2017, 131 Stat. 1498, as amended by Pub. L. 115–232, div. A, title VIII, §869(e), Aug. 13, 2018, 132 Stat. 1903, provided that the Secretary of Defense was to establish a pilot program to tailor and simplify software development requirements and methods for major software-intensive warfighting systems and defense business systems, and that such pilot program would terminate on Sept. 30, 2023.

Global Theater Security Cooperation Management Information System

Pub. L. 115–91, div. A, title XII, §1272, Dec. 12, 2017, 131 Stat. 1695, provided that:

"(a) Update of Guidance.—

"(1) In general.—Not later than 180 days after the date of the enactment of this Act [Dec. 12, 2017], the Secretary of Defense shall—

"(A) update relevant security cooperation guidance issued by the Secretary for use of the Global Theater Security Cooperation Management Information System (in this section referred to as 'G-TSCMIS'), including guidance relating to the matters described in paragraph (3); and

"(B) submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report that contains such guidance.

"(2) Successor system.—Not later than 180 days after the date of the adoption of any security cooperation information system that is a successor to G-TSCMIS, the Secretary of Defense shall—

"(A) update relevant security cooperation guidance issued by the Secretary for use of such system, including guidance relating to the matters described in paragraph (3); and

"(B) submit to the congressional defense committees a report that contains such guidance.

"(3) Matters described.—The matters described in this paragraph are the following:

"(A) Designation of an authoritative data repository for security cooperation information, with enforceable data standards and data controls.

"(B) Responsibilities for entry of data relating to programs and activities into the system.

"(C) Oversight and accountability measures to ensure the full scope of activities are entered into the system consistently and in a timely manner.

"(D) Such other matters as the Secretary considers appropriate.

"(b) Report.—

"(1) In general.—Not later than 270 days after the adoption of any security cooperation information system that is the successor to G-TSCMIS, the Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report setting forth a review of measures for evaluating the system in order to comply with guidance required by subsection (a).

"(2) Elements.—The review required by paragraph (1) shall include the following:

"(A) An evaluation of the impacts of inconsistent information on the system's functionality as a tool for planning, resource allocation, and adjustment.

"(B) An evaluation of the effectiveness of oversight and accountability measures.

"(C) An evaluation of feedback from the operational community to inform future requirements.

"(D) Such other matters as the Secretary considers appropriate.

"(3) Form.—The report required under paragraph (1) shall be submitted in unclassified form, but may include a classified annex."

Operational Metrics for Joint Information Environment and Supporting Activities

Pub. L. 113–291, div. A, title VIII, §854, Dec. 19, 2014, 128 Stat. 3459, provided that:

"(a) Guidance.—Not later than 180 days after the date of the enactment of this Act [Dec. 19, 2014], the Secretary of Defense, acting through the Chief Information Officer of the Department of Defense, shall issue guidance for measuring the operational effectiveness and efficiency of the Joint Information Environment within the military departments, Defense Agencies, and combatant commands. The guidance shall include a definition of specific metrics for data collection, and a requirement for each military department, Defense Agency, and combatant command to regularly collect and assess data on such operational effectiveness and efficiency and report the results to such Chief Information Officer on a regular basis.

"(b) Baseline Architecture.—The Chief Information Officer of the Department of Defense shall identify a baseline architecture for the Joint Information Environment by identifying and reporting to the Secretary of Defense any information technology programs or other investments that support that architecture.

"(c) Joint Information Environment Defined.—In this section, the term 'Joint Information Environment' means the initiative of the Department of Defense to modernize the information technology networks and systems within the Department."

Data Servers and Centers

Pub. L. 112–81, div. B, title XXVIII, §2867, Dec. 31, 2011, 125 Stat. 1704, as amended by Pub. L. 112–239, div. B, title XXVIII, §2853, Jan. 2, 2013, 126 Stat. 2161; Pub. L. 115–91, div. A, title X, §1051(q)(3), Dec. 12, 2017, 131 Stat. 1565, provided that:

"(a) Limitations on Obligation of Funds.—

"(1) Limitations.—

"(A) Before performance plan.—During the period beginning on the date of the enactment of this Act [Dec. 31, 2011] and ending on May 1, 2012, a department, agency, or component of the Department of Defense may not obligate funds for a data server farm or data center unless approved by the Chief Information Officer of the Department of Defense or the Chief Information Officer of a component of the Department to whom the Chief Information Officer of the Department has specifically delegated such approval authority.

"(B) Under performance plan.—After May 1, 2012, a department, agency, or component of the Department may not obligate funds for a data center, or any information systems technology used therein, unless that obligation is in accordance with the performance plan required by subsection (b) and is approved as described in subparagraph (A).

"(2) Requirements for approvals.—

"(A) Before performance plan.—An approval of the obligation of funds may not be granted under paragraph (1)(A) unless the official granting the approval determines, in writing, that existing resources of the agency, component, or element concerned cannot affordably or practically be used or modified to meet the requirements to be met through the obligation of funds.

"(B) Under performance plan.—An approval of the obligation of funds may not be granted under paragraph (1)(B) unless the official granting the approval determines that—

"(i) existing resources of the Department do not meet the operation requirements to be met through the obligation of funds; and

"(ii) the proposed obligation is in accordance with the performance standards and measures established by the Chief Information Officer of the Department under subsection (b).

"(3) Reports.—Not later than 30 days after the end of each calendar quarter, each Chief Information Officer of a component of the Department who grants an approval under paragraph (1) during such calendar quarter shall submit to the Chief Information Officer of the Department a report on the approval or approvals so granted during such calendar quarter.

"(b) Performance Plan for Reduction of Resources Required for Data Servers and Centers.—

"(1) Component plans.—

"(A) In general.—Not later than January 15, 2012, the Secretaries of the military departments and the heads of the Defense Agencies shall each submit to the Chief Information Officer of the Department a plan for the department or agency concerned to achieve the following:

"(i) A reduction in the square feet of floor space devoted to information systems technologies, attendant support technologies, and operations within data centers.

"(ii) A reduction in the use of all utilities necessary to power and cool information systems technologies and data centers.

"(iii) An increase in multi-organizational utilization of data centers, information systems technologies, and associated resources.

"(iv) A reduction in the investment for capital infrastructure or equipment required to support data centers as measured in cost per megawatt of data storage.

"(v) A reduction in the number of commercial and government developed applications running on data servers and within data centers.

"(vi) A reduction in the number of government and vendor provided full-time equivalent personnel, and in the cost of labor, associated with the operation of data servers and data centers.

"(B) Specification of required elements.—The Chief Information Officer of the Department shall specify the particular performance standards and measures and implementation elements to be included in the plans submitted under this paragraph, including specific goals and schedules for achieving the matters specified in subparagraph (A).

"(2) Defense-wide plan.—

"(A) In general.—Not later than April 1, 2012, the Chief Information Officer of the Department shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a performance plan for a reduction in the resources required for data centers and information systems technologies Department-wide. The plan shall be based upon and incorporate appropriate elements of the plans submitted under paragraph (1).

"(B) Elements.—The performance plan required under this paragraph shall include the following:

"(i) A Department-wide performance plan for achieving the matters specified in paragraph (1)(A), including performance standards and measures for data centers and information systems technologies, goals and schedules for achieving such matters, and an estimate of cost savings anticipated through implementation of the plan.

"(ii) A Department-wide strategy for each of the following:

     "(I) Desktop, laptop, and mobile device virtualization.

     "(II) Transitioning to cloud computing.

     "(III) Migration of Defense data and government-provided services from Department-owned and operated data centers to cloud computing services generally available within the private sector that provide a better capability at a lower cost with the same or greater degree of security.

     "(IV) Utilization of private sector-managed security services for data centers and cloud computing services.

     "(V) A finite set of metrics to accurately and transparently report on data center infrastructure (space, power and cooling): age, cost, capacity, usage, energy efficiency and utilization, accompanied with the aggregate data for each data center site in use by the Department in excess of 100 kilowatts of information technology power demand.

     "(VI) Transitioning to just-in-time delivery of Department-owned data center infrastructure (space, power and cooling) through use of modular data center technology and integrated data center infrastructure management software.

"(3) Responsibility.—The Chief Information Officer of the Department shall discharge the responsibility for establishing performance standards and measures for data centers and information systems technologies for purposes of this subsection. Such responsibility may not be delegated.

"(c) Exceptions.—

"(1) Intelligence components.—The Chief Information Officer of the Department and the Chief Information Officer of the Intelligence Community may jointly exempt from the applicability of this section such intelligence components of the Department of Defense (and the programs and activities thereof) that are funded through the National Intelligence Program (NIP) as the Chief Information Officers consider appropriate.

"(2) Research, development, test, and evaluation programs.—The Chief Information Officer of the Department may exempt from the applicability of this section research, development, test, and evaluation programs that use authorization of appropriations for the High Performance Computing Modernization Program (Program Element 0603461A) if the Chief Information Officer determines that the exemption is in the best interest of national security."

Demonstration and Pilot Projects on Cybersecurity

Pub. L. 111–383, div. A, title II, §215, Jan. 7, 2011, 124 Stat. 4165, provided that:

"(a) Demonstration Projects on Processes for Application of Commercial Technologies to Cybersecurity Requirements.—

"(1) Projects required.—The Secretary of Defense and the Secretaries of the military departments shall jointly carry out demonstration projects to assess the feasibility and advisability of using various business models and processes to rapidly and effectively identify innovative commercial technologies and apply such technologies to Department of Defense and other cybersecurity requirements.

"(2) Scope of projects.—Any demonstration project under paragraph (1) shall be carried out in such a manner as to contribute to the cyber policy review of the President and the Comprehensive National Cybersecurity Initiative.

"(b) Pilot Programs on Cybersecurity Required.—The Secretary of Defense shall support or conduct pilot programs on cybersecurity with respect to the following areas:

"(1) Threat sensing and warning for information networks worldwide.

"(2) Managed security services for cybersecurity within the defense industrial base, military departments, and combatant commands.

"(3) Use of private processes and infrastructure to address threats, problems, vulnerabilities, or opportunities in cybersecurity.

"(4) Processes for securing the global supply chain.

"(5) Processes for threat sensing and security of cloud computing infrastructure.

"(c) Reports.—

"(1) Reports required.—Not later than 240 days after the date of the enactment of this Act [Jan. 7, 2011], and annually thereafter at or about the time of the submittal to Congress of the budget of the President for a fiscal year (as submitted pursuant to section 1105(a) of title 31, United States Code), the Secretary of Defense shall, in coordination with the Secretary of Homeland Security, submit to Congress a report on any demonstration projects carried out under subsection (a), and on the pilot projects carried out under subsection (b), during the preceding year.

"(2) Elements.—Each report under this subsection shall include the following:

"(A) A description and assessment of any activities under the demonstration projects and pilot projects referred to in paragraph (1) during the preceding year.

"(B) For the pilot projects supported or conducted under subsection (b)(2)—

"(i) a quantitative and qualitative assessment of the extent to which managed security services covered by the pilot project could provide effective and affordable cybersecurity capabilities for components of the Department of Defense and for entities in the defense industrial base, and an assessment whether such services could be expanded rapidly to a large scale without exceeding the ability of the Federal Government to manage such expansion; and

"(ii) an assessment of whether managed security services are compatible with the cybersecurity strategy of the Department of Defense with respect to conducting an active, in-depth defense under the direction of United States Cyber Command.

"(C) For the pilot projects supported or conducted under subsection (b)(3)—

"(i) a description of any performance metrics established for purposes of the pilot project, and a description of any processes developed for purposes of accountability and governance under any partnership under the pilot project; and

"(ii) an assessment of the role a partnership such as a partnership under the pilot project would play in the acquisition of cyberspace capabilities by the Department of Defense, including a role with respect to the development and approval of requirements, approval and oversight of acquiring capabilities, test and evaluation of new capabilities, and budgeting for new capabilities.

"(D) For the pilot projects supported or conducted under subsection (b)(4)—

"(i) a framework and taxonomy for evaluating practices that secure the global supply chain, as well as practices for securely operating in an uncertain or compromised supply chain;

"(ii) an assessment of the viability of applying commercial practices for securing the global supply chain; and

"(iii) an assessment of the viability of applying commercial practices for securely operating in an uncertain or compromised supply chain.

"(E) For the pilot projects supported or conducted under subsection (b)(5)—

"(i) an assessment of the capabilities of Federal Government providers to offer secure cloud computing environments; and

"(ii) an assessment of the capabilities of commercial providers to offer secure cloud computing environments to the Federal Government.

"(3) Form.—Each report under this subsection shall be submitted in unclassified form, but may include a classified annex."

Implementation of New Acquisition Process for Information Technology Systems

Pub. L. 111–84, div. A, title VIII, §804, Oct. 28, 2009, 123 Stat. 2402, which provided for development and implementation of a new acquisition process for information technology systems, was repealed by Pub. L. 115–232, div. A, title VIII, §812(b)(2), Aug. 13, 2018, 132 Stat. 1848.

Clearinghouse for Rapid Identification and Dissemination of Commercial Information Technologies

Pub. L. 110–181, div. A, title VIII, §881, Jan. 28, 2008, 122 Stat. 262, provided that:

"(a) Requirement to Establish Clearinghouse.—Not later than 180 days after the date of the enactment of this Act [Jan. 28, 2008], the Secretary of Defense, acting through the Assistant Secretary of Defense for Networks and Information Integration, shall establish a clearinghouse for identifying, assessing, and disseminating knowledge about readily available information technologies (with an emphasis on commercial off-the-shelf information technologies) that could support the warfighting mission of the Department of Defense.

"(b) Responsibilities.—The clearinghouse established pursuant to subsection (a) shall be responsible for the following:

"(1) Developing a process to rapidly assess and set priorities and needs for significant information technology needs of the Department of Defense that could be met by commercial technologies, including a process for—

"(A) aligning priorities and needs with the requirements of the commanders of the combatant command; and

"(B) proposing recommendations to the commanders of the combatant command of feasible technical solutions for further evaluation.

"(2) Identifying and assessing emerging commercial technologies (including commercial off-the-shelf technologies) that could support the warfighting mission of the Department of Defense, including the priorities and needs identified pursuant to paragraph (1).

"(3) Disseminating information about commercial technologies identified pursuant to paragraph (2) to commanders of combatant commands and other potential users of such technologies.

"(4) Identifying gaps in commercial technologies and working to stimulate investment in research and development in the public and private sectors to address those gaps.

"(5) Enhancing internal data and communications systems of the Department of Defense for sharing and retaining information regarding commercial technology priorities and needs, technologies available to meet such priorities and needs, and ongoing research and development directed toward gaps in such technologies.

"(6) Developing mechanisms, including web-based mechanisms, to facilitate communications with industry regarding the priorities and needs of the Department of Defense identified pursuant to paragraph (1) and commercial technologies available to address such priorities and needs.

"(7) Assisting in the development of guides to help small information technology companies with promising technologies to understand and navigate the funding and acquisition processes of the Department of Defense.

"(8) Developing methods to measure how well processes developed by the clearinghouse are being utilized and to collect data on an ongoing basis to assess the benefits of commercial technologies that are procured on the recommendation of the clearinghouse.

"(c) Personnel.—The Secretary of Defense, acting through the Assistant Secretary of Defense for Networks and Information Integration, shall provide for the hiring and support of employees (including detailees from other components of the Department of Defense and from other Federal departments or agencies) to assist in identifying, assessing, and disseminating information regarding commercial technologies under this section.

"(d) Report to Congress.—Not later than one year after the date of the enactment of this Act [Jan. 28, 2008], the Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the implementation of this section."

Improvement of Software Acquisition Processes

Pub. L. 107–314, div. A, title VIII, §804, Dec. 2, 2002, 116 Stat. 2604, provided that:

"(a) Establishment of Programs.—(1) The Secretary of each military department shall establish a program to improve the software acquisition processes of that military department.

"(2) The head of each Defense Agency that manages a major defense acquisition program with a substantial software component shall establish a program to improve the software acquisition processes of that Defense Agency.

"(3) The programs required by this subsection shall be established not later than 120 days after the date of the enactment of this Act [Dec. 2, 2002].

"(b) Program Requirements.—A program to improve software acquisition processes under this section shall, at a minimum, include the following:

"(1) A documented process for software acquisition planning, requirements development and management, project management and oversight, and risk management.

"(2) Efforts to develop appropriate metrics for performance measurement and continual process improvement.

"(3) A process to ensure that key program personnel have an appropriate level of experience or training in software acquisition.

"(4) A process to ensure that each military department and Defense Agency implements and adheres to established processes and requirements relating to the acquisition of software.

"(c) Department of Defense Guidance.—The Assistant Secretary of Defense for Command, Control, Communications, and Intelligence, in consultation with the Under Secretary of Defense for Acquisition, Technology, and Logistics, shall—

"(1) prescribe uniformly applicable guidance for the administration of all of the programs established under subsection (a) and take such actions as are necessary to ensure that the military departments and Defense Agencies comply with the guidance; and

"(2) assist the Secretaries of the military departments and the heads of the Defense Agencies to carry out such programs effectively by—

"(A) ensuring that the criteria applicable to the selection of sources provides added emphasis on past performance of potential sources, as well as on the maturity of the software products offered by the potential sources; and

"(B) identifying, and serving as a clearinghouse for information regarding, best practices in software development and acquisition in both the public and private sectors.

"(d) Definitions.—In this section:

"(1) The term 'Defense Agency' has the meaning given the term in section 101(a)(11) of title 10, United States Code.

"(2) The term 'major defense acquisition program' has the meaning given such term in section 139(a)(2)(B) of title 10, United States Code."

§4576. Requirement for consideration of certain matters during acquisition of noncommercial computer software

(a) Consideration Required.—As part of any negotiation for the acquisition of noncommercial computer software, the Secretary of Defense shall ensure that such negotiations consider, to the maximum extent practicable, acquisition, at the appropriate time in the life cycle of the noncommercial computer software, of all software and related materials necessary—

(1) to reproduce, build, or recompile the software from original source code and required libraries;

(2) to conduct required computer software testing; and

(3) to deploy working computer software system binary files on relevant system hardware.

(b) Delivery of Software and Related Materials.—Any noncommercial computer software or related materials required to be delivered as a result of considerations in subsection (a) shall, to the extent appropriate as determined by the Secretary—

(1) include computer software delivered in a useable, digital format;

(2) not rely on external or additional software code or data, unless such software code or data is included in the items to be delivered; and

(3) in the case of negotiated terms that do not allow for the inclusion of dependent software code or data, sufficient documentation to support maintenance and understanding of interfaces and software revision history.

(Added Pub. L. 115–91, div. A, title VIII, §871(a)(1), Dec. 12, 2017, 131 Stat. 1496, §2322a; renumbered §4576, Pub. L. 116–283, div. A, title XVIII, §1857(c), Jan. 1, 2021, 134 Stat. 4276.)

Editorial Notes

Prior Provisions

Prior sections 4591 to 4595 were renumbered sections 7591 to 7595 of this title, respectively.

Amendments

2021—Pub. L. 116–283 renumbered section 2322a of this title as this section.

Statutory Notes and Related Subsidiaries

Effective Date of 2021 Amendment

Amendment by Pub. L. 116–283 effective Jan. 1, 2022, with additional provisions for delayed implementation and applicability of existing law, see section 1801(d) of Pub. L. 116–283, set out as a note preceding section 3001 of this title.

Guidance

Pub. L. 115–91, div. A, title VIII, §871(b), Dec. 12, 2017, 131 Stat. 1497, provided that: "Not later than 180 days after the date of the enactment of this Act [Dec. 12, 2017], the Secretary of Defense shall issue updated guidance to implement section 2322a of title 10, United States Code [now 10 U.S.C. 4576], as added by subsection (a)."