Sec. 1631. Defense industrial base participation in a cybersecurity threat intelligence sharing program
/bill/116/s/4049/rs/section-1631
The Secretary of Defense shall establish a threat intelligence sharing program to share threat intelligence with, and obtain threat intelligence from, the defense industrial base.

At a minimum, the Secretary shall ensure that the program established pursuant to paragraph (1) includes the following:

Cybersecurity incident reporting requirements applicable to the defense industrial base that— extend beyond mandatory incident reporting requirements in effect on the day before the date of the enactment of this Act; set specific timeframes for all categories of incident reporting; establishes a single clearinghouse for all mandatory incident reporting to the Department of Defense, including incidents involving covered unclassified information, and classified information; and provide that, unless authorized or required by another provision of law or the element of the defense industrial base making the report consents, nonpublic information of which the Department becomes aware only because of a report provided pursuant to the program shall be disseminated and used only for a cybersecurity purpose, as defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).

A mechanism for developing a shared and real-time picture of the threat environment.

Joint, collaborative, and co-located analytics.

Investments in technology and capabilities to support automated detection and analysis across the defense industrial base.

Coordinated intelligence tipping, sharing, and deconfliction, as necessary, with relevant government agencies with similar intelligence sharing programs.

The Secretary either may require or shall encourage and provide incentive for companies to participate in the threat intelligence sharing program required by subsection (a).

In implementing paragraph (1), the Secretary shall— create tiers of requirements for participation within the program based on— the role of and relative threats related to entities within the defense industrial base; and Cybersecurity Maturity Model Certification level; and prioritize available funding and technical support to assist affected businesses, institutions, and organizations as is reasonably necessary for those affected entities to commence participation in the threat intelligence sharing program and to meet any applicable program requirements.

The Secretary may utilize an existing Department information sharing program to satisfy the requirement in subsection (a) if— the existing program includes, or is modified to include, two-way sharing of threat information that is specifically relevant to the defense industrial base; and such a program is coordinated with other government agencies with existing intelligence sharing programs where overlap occurs.

Not later than December 15, 2021, the Secretary shall promulgate such rules and regulations as are necessary to carry out this section.

The Secretary shall ensure that any intelligence sharing requirements set forth in the rules and regulations promulgated pursuant to paragraph (1) consider an entity’s maturity and role within the defense industrial base, consistent with the maturity certification levels established in the Cybersecurity Maturity Model Certification program of the Department.

As part of the program established pursuant to subsection (a), the Secretary either may require through contractual mechanisms or shall encourage entities in the defense industrial base to consent to queries of foreign intelligence collection databases related to the entities, provided that intelligence information provided to companies is handled in a manner that protects sources and methods.

Nothing in this subsection shall be construed to require that the elements of the intelligence community conduct queries on defense industrial base companies to detect cybersecurity threats to such companies or to require that information resulting from such queries be provided to such companies.

Not later than March 1, 2022, the Secretary shall submit to the congressional defense committees a report that includes a description of— mandatory requirements levied on defense industrial base entities regarding cyber incidents; Department procedures for ensuring the confidentiality and security of data provided by such entities to the Department on either a voluntary or mandatory basis; and any other matters regarding the program established under subsection (a) the Secretary considers significant.

In this section:

The term defense industrial base means the Department of Defense, Federal Government, and private sector worldwide industrial complex with capabilities to perform research and development, design, produce, and maintain military weapon systems, subsystems, components, or parts to satisfy military requirements.

The term intelligence community has the meaning given such term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).

The term threat intelligence means cybersecurity information collected and shared amongst the defense industrial base.