
Code · BILL · 116th Congress · S. 1790 (Engrossed in Senate) — To authorize appropriations for fiscal year 2020 for military activities of the Department of Defense, for military c... · Sec. 1634

Sec. 1634. Framework to enhance cybersecurity of the United States defense industrial base



(a) Not later than February 1, 2020, the Secretary of Defense shall develop a consistent, comprehensive framework to enhance cybersecurity for the United States defense industrial base.

(b) The framework developed pursuant to subsection (a) shall include the following:
    (1) Identification of unified cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements to be imposed on the defense industrial base for the purpose of assessing the cybersecurity of individual contractors.
    (2) The roles and responsibilities of various activities within the Department of Defense, across the entire acquisition process, beginning with market research, including responsibility determination, solicitation, and award, and continuing with contractor management and oversight on matters relating to cybersecurity.
    (3) The responsibilities of the prime contractors, and all subcontractors in the supply chain, for implementing the required cybersecurity standards, regulations, metrics, ratings, third-party certifications, and requirements identified under paragraph (1).
    (4) A plan to provide implementation guidance, education, manuals, and, as necessary, direct technical support or assistance to such contractors on matters relating to cybersecurity.
    (5) Methods and programs for defining and managing controlled unclassified information, and for limiting the presence of unnecessary sensitive information on contractor networks.
    (6) Quantitative metrics for assessing the effectiveness of the overall framework over time, with respect to the exfiltration of controlled unclassified information from the defense industrial base.

(c) In developing the framework required by subsection (a), the Secretary shall consider the following:
    (1) Designating an official to be responsible for the cybersecurity of the defense industrial base.
    (2) Evaluating methods, standards, metrics, and third-party certifications for assessing the cybersecurity of individual contractors.
    (3) Ensuring a consistent approach across the Department to matters relating to the cybersecurity of the defense industrial base.
    (4) Tailoring cybersecurity requirements for small- and medium-sized contractors based on a risk-based approach.
    (5) Ensuring the Department’s traceability and visibility of cybersecurity compliance of suppliers to all levels of the supply chain.
    (6) Evaluating incentives and penalties for cybersecurity performance of suppliers.
    (7) Integrating cybersecurity and traditional counterintelligence measures, requirements, and programs.
    (8) Establishing a secure software development environment (DevSecOps) in a cloud environment inside the perimeter of the Department for contractors to do their development work.
    (9) Establishing a secure cloud environment where contractors could access the data of the Department needed for their contract work.
    (10) Establishing a Cybersecurity Maturity Model Certification for defense industrial base companies, scoring companies on a rating scale, and requiring certain ratings for contract awards.
    (11) Providing additional assistance to small companies in the form of training, mentoring, approved security product lists, and approved lists of security-as-a-service providers.
    (12) Technological means, operational concepts, reference architectures, offensive counterintelligence operation concepts, and plans for operationalization to complicate adversary espionage, including honeypotting and data obfuscation.
    (13) Implementing enhanced security vulnerability assessments for contractors working on critical acquisition programs, technologies, manufacturing capabilities, and research areas.
    (14) Identifying ways to better leverage technology and employ machine learning or artificial intelligence capabilities, such as Internet Protocol monitoring and data integrity capabilities to be applied to contractor information systems that host, receive, or transmit controlled unclassified information.
    (15) Developing tools to easily segregate program data to only allow subcontractors access to their specific information.
    (16) Appropriate communications of threat assessments of the defense industrial base to the acquisition workforce at all classification levels.
    (17) Appropriate communications with industry on the impact of cybersecurity considerations in contracting and procurement decisions.

(d) In developing the framework required by subsection (a), the Secretary shall consult with the following:
    (1) Industry groups representing the defense industrial base.
    (2) Contractors in the defense industrial base.
    (3) The Director of the National Institute of Standards and Technology.
    (4) The Secretary of Energy and the Nuclear Regulatory Commission.
    (5) The Director of National Intelligence.

(e)(1) Not later than March 11, 2020, the Secretary of Defense shall provide the congressional defense committees with a briefing on the framework developed pursuant to subsection (a).
    (2) The briefing required by paragraph (1) shall include the following:
        (A) An overview of the framework developed in subsection (a).
        (B) Identification of such pilot programs as the Secretary considers may be required to improve the cybersecurity of the defense industrial base.
        (C) Implementation timelines and identification of costs.
        (D) Such recommendations as the Secretary may have for legislative action to improve the cybersecurity of the defense industrial base.

(f)(1) Not less frequently than once each quarter until February 1, 2022, the Secretary of Defense shall brief the congressional defense committees on the status of development and implementation of the framework required by subsection (a).
    (2) Each briefing under paragraph (1) shall be conducted in conjunction with a quarterly briefing under section 484(a) of title 10, United States Code.
    (3) Each briefing under paragraph (1) shall include the following:
        (A) The current status of the development and implementation of the framework required by subsection (a).
        (B) A description of the efforts undertaken by the Secretary to evaluate the matters for consideration set forth in subsection (c).
        (C) The current status of any pilot programs the Secretary is carrying out to develop the framework.