Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · BILL · 117th Congress · S. 1605 (EAH) — 117 S1605 EAH: National Defense Authorization Act for Fiscal Year 2022 · Sec. 1505

Sec. 1505. Operational technology and mission-relevant terrain in cyberspace

1,679 words·~8 min read·/bill/117/s/1605/eah/section-1505

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Not later than January 1, 2025, the Secretary of Defense shall complete mapping of mission-relevant terrain in cyberspace for Defense Critical Assets and Task Critical Assets at sufficient granularity to enable mission thread analysis and situational awareness, including required— decomposition of missions reliant on such Assets; identification of access vectors; internal and external dependencies; topology of networks and network segments; cybersecurity defenses across information and operational technology on such Assets; and identification of associated or reliant weapon systems.
Not later than January 1, 2024, the Commanders of United States European Command, United States Indo-Pacific Command, United States Northern Command, United States Strategic Command, United States Space Command, United States Transportation Command, and other relevant Commands, in coordination with the Commander of United States Cyber Command, in order to enable effective mission thread analysis, cyber situational awareness, and effective cyber defense of Defense Critical Assets and Task Critical Assets under their control or in their areas of responsibility, shall develop, institute, and make necessary modifications to— internal combatant command processes, responsibilities, and functions; coordination with service components under their operational control, United States Cyber Command, Joint Forces Headquarters-Department of Defense Information Network, and the service cyber components; combatant command headquarters’ situational awareness posture to ensure an appropriate level of cyber situational awareness of the forces, facilities, installations, bases, critical infrastructure, and weapon systems under their control or in their areas of responsibility, including, in particular, Defense Critical Assets and Task Critical Assets; and documentation of their mission-relevant terrain in cyberspace.
Not later than November 1, 2023, the Chief Information Officer of the Department of Defense shall establish or make necessary changes to policy, control systems standards, risk management framework and authority to operate policies, and cybersecurity reference architectures to provide baseline cybersecurity requirements for operational technology in forces, facilities, installations, bases, critical infrastructure, and weapon systems across the Department of Defense Information Network.
The Chief Information Officer of the Department of Defense shall leverage acquisition guidance, concerted assessment of the Department’s operational technology enterprise, and coordination with the military department principal cyber advisors and chief information officers to drive necessary change and implementation of relevant policy across the Department’s forces, facilities, installations, bases, critical infrastructure, and weapon systems. The Chief Information Officer of the Department of Defense shall ensure that policies, control systems standards, and cybersecurity reference architectures— are implementable by components of the Department; limit adversaries’ ability to reach or manipulate control systems through cyberspace; appropriately balance non-connectivity and monitoring requirements; include data collection and flow requirements; interoperate with and are informed by the operational community’s workflows for defense of information and operational technology in the forces, facilities, installations, bases, critical infrastructure, and weapon systems across the Department; integrate and interoperate with Department mission assurance construct; and are implemented with respect to Defense Critical Assets and Task Critical Assets.
Not later than January 1, 2025, the Commander of United States Cyber Command shall make necessary modifications to the mission, scope, and posture of Joint Forces Headquarters-Department of Defense Information Network to ensure that Joint Forces Headquarters— has appropriate visibility of operational technology in the forces, facilities, installations, bases, critical infrastructure, and weapon systems across the Department of Defense Information Network, including, in particular, Defense Critical Assets and Task Critical Assets; can effectively command and control forces to defend such operational technology; and has established processes for— incident and compliance reporting; ensuring compliance with Department of Defense cybersecurity policy; and ensuring that cyber vulnerabilities, attack vectors, and security violations, including, in particular, those specific to Defense Critical Assets and Task Critical Assets, are appropriately managed.
Not later than January 1, 2025, the Commander of United States Cyber Command shall— ensure in its role of Joint Forces Trainer for the Cyberspace Operations Forces that operational technology cyber defense is appropriately incorporated into training for the Cyberspace Operations Forces; delineate the specific force composition requirements within the Cyberspace Operations Forces for specialized cyber defense of operational technology, including the number, size, scale, and responsibilities of defined Cyber Operations Forces elements; develop and maintain, or support the development and maintenance of, a joint training curriculum for operational technology-focused Cyberspace Operations Forces; support the Chief Information Officer of the Department of Defense as the Department’s senior official for the cybersecurity of operational technology under this section; develop and institutionalize, or support the development and institutionalization of, tradecraft for defense of operational technology across local defenders, cybersecurity service providers, cyber protection teams, and service-controlled forces; develop and institutionalize integrated concepts of operation, operational workflows, and cybersecurity architectures for defense of information and operational technology in the forces, facilities, installations, bases, critical infrastructure, and weapon systems across the Department of Defense Information Network, including, in particular, Defense Critical Assets and Task Critical Assets, including— deliberate and strategic sensoring of such Network and Assets; instituting policies governing connections across and between such Network and Assets; modelling of normal behavior across and between such Network and Assets; engineering data flows across and between such Network and Assets; developing local defenders, cybersecurity service providers, cyber protection teams, and service-controlled forces’ operational workflows and tactics, techniques, and procedures optimized for the designs, data flows, and policies of such Network and Assets; instituting of model defensive cyber operations and Department of Defense Information Network operations tradecraft; and integrating of such operations to ensure interoperability across echelons; and advance the integration of the Department of Defense’s mission assurance, cybersecurity compliance, cybersecurity operations, risk management framework, and authority to operate programs and policies.
Not later than January 1, 2025, the Secretaries of the military departments, through the service principal cyber advisors, chief information officers, the service cyber components, and relevant service commands, shall make necessary investments in operational technology in the forces, facilities, installations, bases, critical infrastructure, and weapon systems across the Department of Defense Information Network and the service-controlled forces responsible for defense of such operational technology to— ensure that relevant local network and cybersecurity forces are responsible for defending operational technology across the forces, facilities, installations, bases, critical infrastructure, and weapon systems, including, in particular, Defense Critical Assets and Task Critical Assets; ensure that relevant local operational technology-focused system operators, network and cybersecurity forces, mission defense teams and other service-retained forces, and cyber protection teams are appropriately trained, including through common training and use of cyber ranges, as appropriate, to execute the specific requirements of cybersecurity operations in operational technology; ensure that all Defense Critical Assets and Task Critical Assets are monitored and defended by Cybersecurity Service Providers; ensure that operational technology is appropriately sensored and appropriate cybersecurity defenses, including technologies associated with the More Situational Awareness for Industrial Control Systems Joint Capability Technology Demonstration, are employed to enable defense of Defense Critical Assets and Task Critical Assets; implement Department of Defense Chief Information Officer policy germane to operational technology, including, in particular, with respect to Defense Critical Assets and Task Critical Assets; plan for, designate, and train dedicated forces to be utilized in operational technology-centric roles across the military services and United States Cyber Command; and ensure that operational technology, as appropriate, is not easily accessible via the internet and that cybersecurity investments accord with mission risk to and relevant access vectors for Defense Critical Assets and Task Critical Assets.
Not later than January 1, 2023, the Secretary of Defense shall— assess and finalize Office of the Secretary of Defense components’ roles and responsibilities for the cybersecurity of operational technology in the forces, facilities, installations, bases, critical infrastructure, and weapon systems across the Department of Defense Information Network; assess the need to establish centralized or dedicated funding for remediation of cybersecurity gaps in operational technology across the Department of Defense Information Network; make relevant modifications to the Department of Defense’s mission assurance construct, Mission Assurance Coordination Board, and other relevant bodies to drive— prioritization of kinetic and non-kinetic threats to the Department’s missions and minimization of mission risk in the Department’s war plans; prioritization of relevant mitigations and investments to harden and assure the Department’s missions and minimize mission risk in the Department’s war plans; and completion of mission relevant terrain mapping of Defense Critical Assets and Task Critical Assets and population of associated assessment and mitigation data in authorized repositories; make relevant modifications to the Strategic Cybersecurity Program; and drive and provide oversight of the implementation of this section.
Beginning not later than 30 days after the date of the enactment of this Act, each of the Secretaries of the military departments, the Commander of United States Cyber Command, and the Chief Information Officer of the Department of Defense shall provide annual updates to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives on activities undertaken and progress made to carry out this section. Not later than one year after the date of the enactment of this Act and not less frequently than annually thereafter until January 1, 2024, the Under Secretary of Defense for Policy, the Under Secretary of Defense for Acquisition and Sustainment, the Chief Information Officer, and the Joint Staff J6, representing the combatant commands, shall individually or together provide briefings to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives on activities undertaken and progress made to carry out this section.
In implementing this section, the Secretary of Defense shall prioritize the cybersecurity and cyber defense of Defense Critical Assets and Task Critical Assets and shape cyber investments, policy, operations, and deployments to ensure cybersecurity and cyber defense. This section shall apply to assets owned and operated by the Department of Defense, as well as to applicable non-Department assets essential to the projection, support, and sustainment of military forces and operations worldwide.
In this section: mission-relevant terrain in cyberspace has the meaning given such term as specified in Joint Publication 6-0. The term operational technology means control systems or controllers, communication architectures, and user interfaces that monitor or control infrastructure and equipment operating in various environments, such as weapon systems, utility or energy production and distribution, or medical, logistics, nuclear, biological, chemical, or manufacturing facilities.
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.