Sec. 1634. Defense industrial base cybersecurity threat hunting and sensing, discovery, and mitigation
/bill/116/hr/6395/pcs/section-1634·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
In this section:
The term “defense industrial base” means the worldwide industrial complex with capabilities to perform research and development, design, produce, deliver, and maintain military weapon systems, subsystems, components, or parts to meet military requirements.
The term “advanced defense industrial base” means any entity in the defense industrial base holding a Department of Defense contract that requires a cybersecurity maturity model certification of level 4 or higher.
Not later than 120 days after the date of the enactment of this Act, the Secretary of Defense shall submit to the congressional defense committees a study of the feasibility and resourcing required to establish the Defense Industrial Base Cybersecurity Threat Hunting Program (in this section referred to as the “Program”) described in subsection (c).
The study required under paragraph (1) shall— establish the resources necessary, governance structures, and responsibility for execution of the Program, as well as any other relevant considerations determined by the Secretary; include a conclusive determination of the Department of Defense’s capacity to establish the Program by the end of fiscal year 2021; and identify any barriers that would prevent such establishment.
Upon a positive determination of the Program’s feasibility pursuant to the study required under subsection (b), the Secretary of Defense shall establish the Program to actively identify cybersecurity threats and vulnerabilities within the information systems, including covered defense networks containing controlled unclassified information, of entities in the defense industrial base.
In establishing the Program in accordance with paragraph (1), the Secretary of Defense shall develop a tiered program that takes into account the following: The cybersecurity maturity of entities in the defense industrial base. The role of such entities. Whether each such entity possesses controlled unclassified information and covered defense networks. The covered defense information to which such an entity has access as a result of contracts with the Department of Defense.
The Program shall— include requirements for mitigating any vulnerabilities identified pursuant to the Program; provide a mechanism for the Department of Defense to share with entities in the defense industrial base malicious code, indicators of compromise, and insights on the evolving threat landscape; provide incentives for entities in the defense industrial base to share with the Department of Defense, including the National Security Agency’s Cybersecurity Directorate, threat and vulnerability information collected pursuant to threat monitoring and hunt activities; and mandate a minimum level of program participation for any entity that is part of the advanced defense industrial base.
If the Program is established pursuant to subsection (c), beginning on the date that is 1 year after the date of the enactment of this Act, the Secretary of Defense may not procure or obtain, or extend or renew a contract to procure or obtain, any item, equipment, system, or service from any entity in the defense industrial base that is not in compliance with the requirements of the Program.
In implementing the prohibition under paragraph (1), the Secretary of Defense shall prioritize available funding and technical support to assist affected entities in the defense industrial base as is reasonably necessary for such affected entities to commence participation in the Program and satisfy Program requirements.
The Secretary of Defense may waive the prohibition under paragraph (1)— with respect to an entity or class of entities in the defense industrial base, if the Secretary determines that the requirement to participate in the Program is unnecessary to protect the interests of the United States; or at the request of such an entity, if the Secretary determines there is a compelling justification for such waiver.
The Secretary of Defense shall periodically reevaluate any waiver issued pursuant to subparagraph (A) and revoke any such waiver the Secretary determines is no longer warranted.
In carrying out the Program, the Secretary of Defense may— utilize Department of Defense personnel to hunt for threats and vulnerabilities within the information systems of entities in the defense industrial base that have an active contract with Department of Defense; certify third-party providers to hunt for threats and vulnerabilities on behalf of the Department of Defense; require the deployment of network sensing technologies capable of identifying and filtering malicious network traffic; or employ a combination of Department of Defense personnel and third-party providers and tools, as the Secretary determines necessary and appropriate, for the entity described in paragraph (1).
Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall promulgate such rules and regulations as are necessary to carry out this section.
In promulgating rules and regulations pursuant to paragraph (1), the Secretary of Defense shall consider how best to integrate the requirements of this section with the Department of Defense Cybersecurity Maturity Model Certification program.