
Code · BILL · 119th Congress · S. 1071 (EAH) — 119 S1071 EAH: National Defense Authorization Act for Fiscal Year 2026 · Sec. 866

Sec. 866. Cybersecurity regulatory harmonization


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

(a) Not later than June 1, 2026, the Secretary of Defense, in coordination with the Chief Information Officer of the Department of Defense, the Chief Information Officer of each military department, and representatives from the service acquisition executives of each military department, shall—
    (1) harmonize the cybersecurity requirements applicable to the defense industrial base across the Department of Defense;
    (2) reduce the number of such requirements that are unique to a specific contract or other agreement of the Department; and
    (3) submit to the congressional defense committees a report on the actions taken to carry out the harmonization described in paragraph (1) and the reduction described in paragraph (2).

(b) The harmonization required by subsection (a)(1) shall ensure that processes and governance structures exist and are sufficient to identify and eliminate duplicative and inconsistent cybersecurity requirements and cybersecurity requirements unique to single contracts, including—
    (1) a process and governance structure for assessing whether future proposed cybersecurity contractual requirements for contracts or other agreements of the Department of Defense are duplicative of other applicable requirements of the Department of Defense that are published in the Federal Register;
    (2) a process for coordinating, centralizing, approving, and publishing any proposed cybersecurity requirement not published in the Federal Register; and
    (3) a mechanism included in the process described in paragraph (2) for ensuring the visibility to and input from internal and external stakeholders.

(c) (1) Not later than December 31, 2026, and annually thereafter for three years, the Chief Information Officer of the Department of Defense shall submit to the congressional defense committees a report describing the actions taken to implement subsections (a) and (b), including the status of the harmonization of contractual cybersecurity requirements and of reducing cybersecurity requirements unique to single contracts required by such sections.
    (2) Each report required by paragraph (1) shall cover the most recently completed fiscal year prior to the submission of the report and include—
        (A) a description of any changes made during the period covered by the report to the processes and governance structures described in subsection (b);
        (B) a list of each contract or other agreement of the Department of Defense entered into during the period covered by the report for which the Department sought to include a cybersecurity requirement not published in the Federal Register;
        (C) for each contract or other agreement included on the list required by subparagraph (B), whether the Secretary of Defense approved the inclusion of the cybersecurity requirement for which such contract or other agreement was included on such list and an explanation of the reasoning of the Secretary for approving or denying such inclusion; and
        (D) such other matters as determined necessary by the Chief Information Officer of the Department of Defense.