10 USC 391 - Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors

Editorial Notes

Amendments

2021—Subsec. (d)(1). Puspan. L. 116–283 inserted “and contract requirements established pursuant to Defense Federal Acquisition Regulation Supplement clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” after “compliance with this section” and “and such contract requirements” before period at end.

2015—Subsec. (a). Puspan. L. 114–92, § 1641(c)(1), substituted “and section 393 of this title” for “and with section 941 of the National Defense Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note)”.

Subsecs. (d), (e). Puspan. L. 114–92, § 1641(span), added subsec. (d) and redesignated former subsec. (d) as (e).

Statutory Notes and Related Subsidiaries

Senior Military Advisor for Cyber Policy and Deputy Principal Cyber Advisor

Puspan. L. 116–92, div. A, title IX, § 905, Dec. 20, 2019, 133 Stat. 1557, as amended by Puspan. L. 116–283, div. A, title XVII, § 1713(span), Jan. 1, 2021, 134 Stat. 4090; Puspan. L. 117–81, div. A, title XV, § 1503(span), Dec. 27, 2021, 135 Stat. 2021; Puspan. L. 117–263, div. A, title X, § 1081(c), Dec. 23, 2022, 136 Stat. 2797, which authorized the Secretary of Defense to designate an officer within the Office of the Under Secretary of Defense for Policy to serve within that Office as Senior Military Advisor for Cyber Policy, and concurrently, as Deputy Principal Cyber Advisor, was transferred to section 392a of this chapter and designated as subsec. (span) of that section by Puspan. L. 117–263, div. A, title XV, § 1501(span)(3)(A), Dec. 23, 2022, 136 Stat. 2878.

Cyber Governance Structures and Principal Cyber Advisors on Military Cyber Force Matters

Puspan. L. 116–92, div. A, title XVI, § 1657, Dec. 20, 2019, 133 Stat. 1767, which authorized each of the secretaries of the military departments, in consultation with the service chiefs, to appoint an independent Principal Cyber Advisor for each service to act as the principal advisor to the relevant secretary on all cyber matters affecting that military service, was transferred to section 392a of this chapter and designated as subsec. (c) of that section by Puspan. L. 117–263, div. A, title XV, § 1501(span)(4)(A), Dec. 23, 2022, 136 Stat. 2878.

Consortia of Universities To Advise Secretary of Defense on Cybersecurity Matters

Puspan. L. 116–92, div. A, title XVI, § 1659, Dec. 20, 2019, 133 Stat. 1770, as amended by Puspan. L. 117–81, div. A, title XV, § 1530, Dec. 27, 2021, 135 Stat. 2049; Puspan. L. 117–263, div. A, title XV, § 1505, Dec. 23, 2022, 136 Stat. 2881; Puspan. L. 118–31, div. A, title XV, § 1531(c)(3), Dec. 22, 2023, 137 Stat. 562, provided that:

“(a)Establishment and Function.—The Secretary of Defense shall establish a consortium of universities to assist the Secretary on cybersecurity matters relating to the following:

“(1) To provide the Secretary a formal mechanism to communicate with consortium members regarding the Department of Defense’s cybersecurity strategic plans, cybersecurity requirements, and priorities for basic and applied cybersecurity research.

“(2) To advise the Secretary on the needs of academic institutions related to cybersecurity and research conducted on behalf of the Department and provide feedback to the Secretary from members of the consortium or consortia.

“(3) To serve as a focal point or focal points for the Secretary and the Department for the academic community on matters related to cybersecurity, cybersecurity research, conceptual and academic developments in cybersecurity, and opportunities for closer collaboration between academia and the Department.

“(4) To provide to the Secretary access to the expertise of the institutions of the consortium or consortia on matters relating to cybersecurity.

“(5) To align the efforts of such members in support of the Department.

“(span)Membership.—The consortium established under subsection (a) shall be open to all universities that have been designated as centers of academic excellence by the Director of the National Security Agency or the Secretary of Homeland Security.

“(c)Organization.—

“(1)Designation of administrative chair.—The Secretary of Defense shall designate the National Defense University College of Information and Cyberspace to function as the administrative chair of the consortium established pursuant to subsection (a).

“(2)Duties of administrative chair.—The administrative chair designated under paragraph (1) for the consortium shall—

“(A) act as the leader of the consortium;

“(B) be the liaison between the consortium and the Secretary;

“(C) distribute requests from the Secretary for advice and assistance to appropriate members of the consortium and coordinate responses back to the Secretary; and

“(D) act as a clearinghouse for Department of Defense requests relating to assistance on matters relating to cybersecurity and to provide feedback to the Secretary from members of the consortium.

“(3)Executive committee.—The Secretary, in consultation with the administrative chair, may form an executive committee for the consortium that is comprised of representatives of the Federal Government to assist the chair with the management and functions of the consortium.

“(d)Consultation.—The Secretary shall meet with such members of the consortium as the Secretary considers appropriate, not less frequently than twice each year or at such periodicity as is agreed to by the Secretary and the consortium.

“(e)Procedures.—The Secretary shall establish procedures for organizations within the Department to access the work product produced by and the research, capabilities, and expertise of a consortium established under subsection (a) and the universities that constitute such consortium.

“(f)Support Center.—

“(1)Establishment.—The Secretary shall establish a center to provide support to the consortium established under subsection (a).

“(2)Composition.—

“(A)Requirement.—The center established under paragraph (1) shall be composed of one or two universities, as the Secretary considers appropriate, that—

“(i) have been designated as centers of academic excellence by the Director of the National Security Agency or the Secretary of Homeland Security; and

“(ii) are eligible for access to classified information.

“(B)Publication.—The Secretary shall publish in the Federal Register the process for selection of universities to serve as the center established under paragraph (1).

“(3)Functions.—The functions of the center established under paragraph (1) are as follows:

“(A) To promote the consortium established under subsection (a).

“(B) To distribute on behalf of the Department requests for information or assistance to members of the consortium.

“(C) To collect and assemble responses from requests distributed under subparagraph (B).

“(D) To provide additional administrative support for the consortium.

“(g)Discharge Through Director.—In carrying out this section, the Secretary of Defense shall act through the Director of the office established under section 2192c of title 10, United States Code.”

Issuance of Procedures

Puspan. L. 113–291, div. A, title XVI, § 1632(span), Dec. 19, 2014, 128 Stat. 3640, provided that: “The Secretary shall establish the procedures required by subsection (span) of section 391 of title 10, United States Code, as added by subsection (a) of this section, not later than 90 days after the date of the enactment of this Act [Dec. 19, 2014].”

Assessment of Department Policies

Puspan. L. 113–291, div. A, title XVI, § 1632(c), Dec. 19, 2014, 128 Stat. 3640, provided that:

“(1)In general.—Not later than 90 days after the date of the enactment of the Act [Dec. 19, 2014], the Secretary of Defense shall complete an assessment of—

“(A) requirements that were in effect on the day before the date of the enactment of this Act for contractors to share information with Department components regarding cyber incidents (as defined in subsection (d) [now (e)] of such section 391 [10 U.S.C. 391(e)]) with respect to networks or information systems of contractors; and

“(B) Department policies and systems for sharing information on cyber incidents with respect to networks or information systems of Department contractors.

“(2)Actions following assessment.—Upon completion of the assessment required by paragraph (1), the Secretary shall—

“(A) designate a Department component under subsection (a) of such section 391; and

“(B) issue or revise guidance applicable to Department components that ensures the rapid sharing by the component designated pursuant to such section 391 or section 941 of the National Defense Authorization Act for Fiscal Year 2013 [Puspan. L. 112–239] (10 U.S.C. 2224 note) of information relating to cyber incidents with respect to networks or information systems of contractors with other appropriate Department components.”