Sec. 1653. Plan for information security continuous monitoring capability and comply-to-connect policy; limitation on software licensing
471 words·~2 min read·
/bill/114/s/2943/enr/section-1653·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
The Chief Information Officer of the Department of Defense and the Commander of the United States Cyber Command shall jointly develop— a plan for a modernized, Department-wide automated information security continuous monitoring capability that includes— a proposed information security architecture for the capability; a concept of operations for the capability; and requirements with respect to the functionality and interoperability of the tools, sensors, systems, processes, and other components of the continuous monitoring capability; and a comply-to-connect policy that requires systems to automatically comply with the configurations of the networks of the Department as a condition of connecting to such networks.
In developing the plan and policy under paragraph (1), the Chief Information Officer and the Commander shall consult with the Principal Cyber Advisor to the Secretary of Defense. The Chief Information Officer and the Commander shall each issue such directives as they each consider appropriate to ensure compliance with the plan and policy developed under paragraph (1). The Secretary of Defense shall include funding and program plans relating to the plan and policy under paragraph
(1)in the budget materials submitted by the Secretary in support of the budget of the President for fiscal year 2019 (as submitted to Congress under section 1105(a) of title 31, United States Code). The Chief Information Officer and the Commander shall ensure that information generated through automated and automation-assisted processes for continuous monitoring, asset management, and comply-to-connect policies and processes shall be accessible and usable in machine-readable form to appropriate cyber protection teams and computer network defense service providers. The plan and policy required by paragraph
(1)shall comply with the software license inventory requirements of the plan issued pursuant to section 937 of the National Defense Authorization Act for Fiscal Year 2013 ( Public Law 112–239 ; 10 U.S.C. 2223 note) and updated pursuant to section 935 of the National Defense Authorization Act for Fiscal Year 2014 ( Public Law 113–66 ; 10 U.S.C. 2223 note). Subject to paragraph (2), none of the funds authorized to be appropriated by this Act or otherwise made available for fiscal year 2017 or any fiscal year thereafter for the Department of Defense may be obligated or expended on a contract for a software license with a cost of more than $5,000,000 in a fiscal year unless the Department is able, through automated means— to count the number of such licenses in use; and to determine the security status of each instance of use of the software licensed. Paragraph
(1)shall apply— beginning on January 1, 2018, with respect to any contract entered into by the Secretary of Defense on or after such date for the licensing of software; and beginning on January 1, 2020, with respect to any contract entered into by the Secretary for the licensing of software that was in effect on December 31, 2017.
Connectionstraces to 2
Traces to 2 documents
1 reference not yet in our index
- Pub. L. 112-239
Citation graph
cites case law
Sec. 1653
Plan for information security continuous monitoring capability and comply-to-connect policy; limitation on software licensing
Pub. L.Pub. L. 112-239
Cites 3Cited by 0 across 0 sources