Sec. 1632. Defense industrial base participation in a threat intelligence sharing program
700 words·~3 min read·
/bill/116/hr/6395/eh/section-1632A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
In this section, the term defense industrial base means the worldwide industrial complex with capabilities to perform research and development, design, produce, deliver, and maintain military weapon systems, subsystems, components, or parts to meet military requirements. The Secretary of Defense shall establish a threat intelligence program to share with and obtain from the defense industrial base information and intelligence on threats to national security. At a minimum, the Secretary of Defense shall ensure the threat intelligence sharing program established pursuant to paragraph
(1)includes the following: Cybersecurity incident reporting requirements that— extend beyond current mandatory incident reporting requirements; set specific timeframes for all categories of such mandatory incident reporting; and create a single clearinghouse for all such mandatory incident reporting to the Department of Defense, including covered unclassified information, covered defense information, and classified information. A mechanism for developing a shared and real-time picture of the threat environment. Joint, collaborative, and co-located analytics. Investments in technology and capabilities to support automated detection and analysis across the defense industrial base. Coordinated intelligence sharing with relevant domestic law enforcement and counterintelligence agencies, in coordination, respectively, with the Director of the Federal Bureau of Investigation and the Director of National Intelligence. A process for direct sharing of threat intelligence related to a specific defense industrial base entity with such entity. The Secretary of Defense may utilize an existing Department of Defense information sharing program to satisfy the requirement under paragraph
(1)if such existing program includes, or is modified to include, two-way sharing of threat information that is specifically relevant to the defense industrial base, including satisfying the requirements specified in paragraph (2). As part of a threat intelligence sharing program under this subsection, the Secretary of Defense shall require defense industrial base entities holding a Department of Defense contract to consent to queries of foreign intelligence collection databases related to such entity as a condition of such contract. Beginning on the date that is than 1 year after the date of the enactment of this Act, the Secretary of Defense may not procure or acquire, or extend or renew a contract to procure or acquire, any item, equipment, system, or service from any entity that is not a participant in— the threat intelligence sharing program established pursuant paragraph
(1)of subsection (b); or a comparably widely-utilized threat intelligence sharing program described in paragraph
(3)of such subsection. No entity holding a Department of Defense contract may subcontract any portion of such contract to another entity unless that second entity— is a participant in a threat intelligence sharing program under this section; or has received a waiver pursuant to subsection (d). In implementing the prohibition under paragraph (1), the Secretary of Defense— may create tiers of requirements and participation within the applicable threat intelligence sharing program referred to in such paragraph based on— an evaluation of the role of and relative threats related to entities within the defense industrial base; and cybersecurity maturity model certification level; and shall prioritize available funding and technical support to assist entities as is reasonably necessary for such entities to participate in a threat intelligence sharing program under this section. The Secretary of Defense may waive the prohibition under subsection (b)— with respect to an entity or class of entities, if the Secretary determines that the requirement to participate in a threat intelligence sharing program under this section is unnecessary to protect the interests of the United States; or at the request of an entity, if the Secretary determines there is compelling justification for such waiver. The Secretary of Defense shall periodically reevaluate any waiver issued pursuant to paragraph
(1)and promptly revoke any waiver the Secretary determines is no longer warranted. Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall promulgate such rules and regulations as are necessary to carry out this section. The Secretary of Defense shall ensure that the threat intelligence sharing program requirements set forth in the rules and regulations promulgated pursuant to paragraph
(1)consider an entity’s maturity and role within the defense industrial base, in accordance with the maturity certification levels established in the Department of Defense Cybersecurity Maturity Model Certification program.