§2224. Defense Information Assurance Program

(a) Defense Information Assurance Program.-The Secretary of Defense shall carry out a program, to be known as the "Defense Information Assurance Program", to protect and defend Department of Defense information, information systems, and information networks that are critical to the Department and the armed forces during day-to-day operations and operations in times of crisis.

(b) Objectives of the Program.-The objectives of the program shall be to provide continuously for the availability, integrity, authentication, confidentiality, nonrepudiation, and rapid restitution of information and information systems that are essential elements of the Defense Information Infrastructure.

(c) Program Strategy.-In carrying out the program, the Secretary shall develop a program strategy that encompasses those actions necessary to assure the readiness, reliability, continuity, and integrity of Defense information systems, networks, and infrastructure, including through compliance with subchapter II of chapter 35 of title 44, including through compliance with subchapter III of chapter 35 of title 44. The program strategy shall include the following:

(1) A vulnerability and threat assessment of elements of the defense and supporting nondefense information infrastructures that are essential to the operations of the Department and the armed forces.

(2) Development of essential information assurances technologies and programs.

(3) Organization of the Department, the armed forces, and supporting activities to defend against information warfare.

(4) Joint activities of the Department with other departments and agencies of the Government, State and local agencies, and elements of the national information infrastructure.

(5) The conduct of exercises, war games, simulations, experiments, and other activities designed to prepare the Department to respond to information warfare threats.

(6) Development of proposed legislation that the Secretary considers necessary for implementing the program or for otherwise responding to the information warfare threat.

(d) Coordination.-In carrying out the program, the Secretary shall coordinate, as appropriate, with the head of any relevant Federal agency and with representatives of those national critical information infrastructure systems that are essential to the operations of the Department and the armed forces on information assurance measures necessary to the protection of these systems.

[(e) Repealed. Pub. L. 108–136, div. A, title X, §1031(a)(12), Nov. 24, 2003, 117 Stat. 1597 .]

(f) Information Assurance Test Bed.-The Secretary shall develop an information assurance test bed within the Department of Defense to provide-

(1) an integrated organization structure to plan and facilitate the conduct of simulations, war games, exercises, experiments, and other activities to prepare and inform the Department regarding information warfare threats; and

(2) organization and planning means for the conduct by the Department of the integrated or joint exercises and experiments with elements of the national information systems infrastructure and other non-Department of Defense organizations that are responsible for the oversight and management of critical information systems and infrastructures on which the Department, the armed forces, and supporting activities depend for the conduct of daily operations and operations during crisis.

(Added Pub. L. 106–65, div. A, title X, §1043(a), Oct. 5, 1999, 113 Stat. 760 ; amended Pub. L. 106–398, §1 [[div. A], title X, §1063], Oct. 30, 2000, 114 Stat. 1654 , 1654A-274; Pub. L. 107–296, title X, §1001(c)(1)(B), Nov. 25, 2002, 116 Stat. 2267 ; Pub. L. 107–347, title III, §301(c)(1)(B), Dec. 17, 2002, 116 Stat. 2955 ; Pub. L. 108–136, div. A, title X, §1031(a)(12), Nov. 24, 2003, 117 Stat. 1597 ; Pub. L. 108–375, div. A, title X, §1084(d)(17), Oct. 28, 2004, 118 Stat. 2062 .)

Amendments

2004-Subsec. (c). Pub. L. 108–375 substituted "subchapter II" for "subtitle II" in introductory provisions.

2003-Subsec. (e). Pub. L. 108–136 struck out subsec. (e) which directed the Secretary of Defense to annually submit to Congress a report on the Defense Information Assurance Program.

2002-Subsec. (b). Pub. L. 107–296, §1001(c)(1)(B)(i), and Pub. L. 107–347, §301(c)(1)(B)(i), amended subsec. (b) identically, substituting "Objectives of the Program" for "Objectives and Minimum Requirements" in heading and striking out par. (1) designation before "The objectives".

Subsec. (b)(2). Pub. L. 107–347, §301(c)(1)(B)(ii), struck out par. (2) which read as follows: "The program shall at a minimum meet the requirements of sections 3534 and 3535 of title 44."

Pub. L. 107–296, §1001(c)(1)(B)(ii), which directed the striking out of "(2) the program shall at a minimum meet the requirements of section 3534 and 3535 of title 44, United States Code." could not be executed. See above par.

Subsec. (c). Pub. L. 107–347, §301(c)(1)(B)(iii), inserted ", including through compliance with subchapter III of chapter 35 of title 44" after "infrastructure" in introductory provisions.

Pub. L. 107–296, §1001(c)(1)(B)(iii), inserted ", including through compliance with subtitle II of chapter 35 of title 44" after "infrastructure" in introductory provisions.

2000-Subsec. (b). Pub. L. 106–398, §1 [[div. A], title X, §1063(a)], substituted "Objectives and Minimum Requirements" for "Objectives of the Program" in heading, designated existing provisions as par. (1), and added par. (2).

Subsec. (e)(7). Pub. L. 106–398, §1 [[div. A], title X, §1063(b)], added par. (7).

Effective Date of 2002 Amendment

Amendment by Pub. L. 107–296 effective 60 days after Nov. 25, 2002, see section 4 of Pub. L. 107–296, set out as an Effective Date note under section 101 of Title 6, Domestic Security.

Effective Date of 2000 Amendment

Amendment by Pub. L. 106–398 effective 30 days after Oct. 30, 2000, see section 1 [[div. A], title X, §1065] of Pub. L. 106–398, set out as an Effective Date note under section 3531 of Title 44, Public Printing and Documents.

Strategy on Computer Software Assurance

Pub. L. 111–383, div. A, title IX, §932, Jan. 7, 2011, 124 Stat. 4335 , provided that:

"(a) Strategy Required.-The Secretary of Defense shall develop and implement, by not later than October 1, 2011, a strategy for assuring the security of software and software-based applications for all covered systems.

"(b) Covered Systems.-For purposes of this section, a covered system is any critical information system or weapon system of the Department of Defense, including the following:

"(1) A major system, as that term is defined in section 2302(5) of title 10, United States Code.

"(2) A national security system, as that term is defined in section 3542(b)(2) of title 44, United States Code.

"(3) Any Department of Defense information system categorized as Mission Assurance Category I.

"(4) Any Department of Defense information system categorized as Mission Assurance Category II in accordance with Department of Defense Directive 8500.01E.

"(c) Elements.-The strategy required by subsection (a) shall include the following:

"(1) Policy and regulations on the following:

"(A) Software assurance generally.

"(B) Contract requirements for software assurance for covered systems in development and production.

"(C) Inclusion of software assurance in milestone reviews and milestone approvals.

"(D) Rigorous test and evaluation of software assurance in development, acceptance, and operational tests.

"(E) Certification and accreditation requirements for software assurance for new systems and for updates for legacy systems, including mechanisms to monitor and enforce reciprocity of certification and accreditation processes among the military departments and Defense Agencies.

"(F) Remediation in legacy systems of critical software assurance deficiencies that are defined as critical in accordance with the Application Security Technical Implementation Guide of the Defense Information Systems Agency.

"(2) Allocation of adequate facilities and other resources for test and evaluation and certification and accreditation of software to meet applicable requirements for research and development, systems acquisition, and operations.

"(3) Mechanisms for protection against compromise of information systems through the supply chain or cyber attack by acquiring and improving automated tools for-

"(A) assuring the security of software and software applications during software development;

"(B) detecting vulnerabilities during testing of software; and

"(C) detecting intrusions during real-time monitoring of software applications.

"(4) Mechanisms providing the Department of Defense with the capabilities-

"(A) to monitor systems and applications in order to detect and defeat attempts to penetrate or disable such systems and applications; and

"(B) to ensure that such monitoring capabilities are integrated into the Department of Defense system of cyber defense-in-depth capabilities.

"(5) An update to Committee for National Security Systems Instruction No. 4009, entitled 'National Information Assurance Glossary', to include a standard definition for software security assurance.

"(6) Either-

"(A) mechanisms to ensure that vulnerable Mission Assurance Category III information systems, if penetrated, cannot be used as a foundation for penetration of protected covered systems, and means for assessing the effectiveness of such mechanisms; or

"(B) plans to address critical vulnerabilities in Mission Assurance Category III information systems to prevent their use for intrusions of Mission Assurance Category I systems and Mission Assurance Category II systems.

"(7) A funding mechanism for remediation of critical software assurance vulnerabilities in legacy systems.

"(d) Report.-Not later than October 1, 2011, the Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the strategy required by subsection (a). The report shall include the following:

"(1) A description of the current status of the strategy required by subsection (a) and of the implementation of the strategy, including a description of the role of the strategy in the risk management by the Department regarding the supply chain and in operational planning for cyber security.

"(2) A description of the risks, if any, that the Department will accept in the strategy due to limitations on funds or other applicable constraints."

Institute for Defense Computer Security and Information Protection

Pub. L. 106–398, §1 [[div. A], title IX, §921], Oct. 30, 2000, 114 Stat. 1654 , 1654A-233, provided that:

"(a) Establishment.-The Secretary of Defense shall establish an Institute for Defense Computer Security and Information Protection.

"(b) Mission.-The Secretary shall require the institute-

"(1) to conduct research and technology development that is relevant to foreseeable computer and network security requirements and information assurance requirements of the Department of Defense with a principal focus on areas not being carried out by other organizations in the private or public sector; and

"(2) to facilitate the exchange of information regarding cyberthreats, technology, tools, and other relevant issues.

"(c) Contractor Operation.-The Secretary shall enter into a contract with a not-for-profit entity, or a consortium of not-for-profit entities, to organize and operate the institute. The Secretary shall use competitive procedures for the selection of the contractor to the extent determined necessary by the Secretary.

"(d) Funding.-Of the amount authorized to be appropriated by section 301(5) [114 Stat. 1654A–52], $5,000,000 shall be available for the Institute for Defense Computer Security and Information Protection.

"(e) Report.-Not later than April 1, 2001, the Secretary shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] the Secretary's plan for implementing this section."