Code · BILL · 117th Congress · S. 4543 (Reported in Senate) — To authorize appropriations for fiscal year 2023 for military activities of the Department of Defense, for military c... · Sec. 1623

Sec. 1623. Operational testing for commercial cybersecurity capabilities

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Subject to subsection (c), the Secretary of Defense may not operate a commercial cybersecurity capability on a network of the Department of Defense until such capability has received a satisfactory determination from the Director of Operational Test and Evaluation in each of the following areas:

Operational effectiveness.
Operational suitability.
Cyber survivability.

In determining whether a commercial cybersecurity capability is satisfactory in each of the areas set forth under subsection (a), the Director of Operational Test and Evaluation shall conduct an assessment that includes consideration of the following:

Threat-realistic operational testing, including representative environments, variation of operational conditions, and inclusion of a realistic opposing force.
The use of Department of Defense Cyber Red Teams, as well as any enabling contract language required to permit threat-representative Red Team assessments.
Collaboration with the personnel using the commercial cybersecurity capability regarding the results of the testing to improve operators' ability to recognize and defend against cyberattacks.
The extent to which additional resources may be needed to remediate any shortfalls in capability to make the commercial cybersecurity capability effective, suitable, and cyber survivable in an operational environment of the Department.
Identification of training requirements, and changes to training, sustainment practices, or concepts of operation or employment that may be needed to ensure the effectiveness, suitability, and cyber survivability of the commercial cybersecurity capability.

An acquisition executive of a military service or a component of the Department may waive the requirement in subsection (a) for a commercial cybersecurity capability for the military service or component of the acquisition executive if the acquisition executive determines that operational necessity does not allow for time to conduct an assessment under subsection (b) in a timeframe to meet the needs of the military service or component.

A waiver under paragraph (1) may be issued for a period of up to three years before a new waiver is required, or a waiver is otherwise no longer required.

Not later than February 1, 2024, the Secretary shall issue such policies and guidance and promulgate such regulations as the Secretary considers necessary to carry out this section.

Not later than January 31, 2025, and not less frequently than once each year thereafter until January 31, 2030, the Director shall include in each annual report required by section 139(h) of title 10, United States Code, the status of the determinations required by subsection (a), including the following:

A summary of such determinations and the associated assessments under subsection (b).
The number and type of test and evaluation events completed in the past year for such assessments, disaggregated by component of the Department, and including resources devoted to each event.
The results from such test and evaluation events, including any resource shortfalls affecting the number of commercial cybersecurity capabilities that could be assessed.
A summary of identified categories of common gaps and shortfalls found during testing.
The extent to which entities responsible for developing and testing commercial cybersecurity capabilities have responded to recommendations made by the Director in an effort to gain favorable determinations.
Any identified lessons learned that would impact training, sustainment, or concepts of operation or employment decisions relating to the assessed commercial cybersecurity capabilities.

In this section, the term "commercial cybersecurity capabilities" means either—

commercial products (as defined in section 103 of title 41, United States Code) acquired and deployed by the Department of Defense to satisfy the cybersecurity requirements of one or more Department components; or
commercially available off-the-shelf items (as defined in section 104 of title 41, United States Code) acquired and deployed by the Department of Defense to satisfy the cybersecurity requirements of one or more Department components.

This section shall take effect on February 1, 2024.