Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · BILL · 119th Congress · S. 2296 (Engrossed in Senate) — To authorize appropriations for fiscal year 2026 for military activities of the Department of Defense, for military c... · Sec. 6612

Sec. 6612. Secure and interoperable defense collaboration technology

2,063 words·~9 min read·/bill/119/s/2296/es/section-6612·

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

In this section: The term Chief Information Officer means the Chief Information Officer of the Department of Defense. The term collaboration technology means a software system or application that offers 1 or more primary collaboration technology features. The term Department means the Department of Defense. The term end-to-end encryption means communications encryption in which data is encrypted when being passed through a network such that no party, other than the sender and each intended recipient of the communication, can access the decrypted communication, regardless of the transport technology used and the intermediaries or intermediate steps along the sending path.
The term identified standards means the standard, or set of standards, identified under subsection (b)(2). The term interoperability has the meaning given the term in section 3601 of title 44, United States Code. The term open standard means a standard, or a set of standards, that— is available for any individual to read and implement; does not impose any royalty or other fee for use; and can be certified for low or no cost to users of the standard or set of standards. The term primary collaboration technology feature means a technology feature or function that— facilitates remote work or collaboration within the Department; facilitates the work or collaboration described in subparagraph
(A)by providing functionality that is core or essential, rather than ancillary or secondary; and is identified by the Chief Information Officer under subsection (b)(1). The term standards-compatible collaboration technology means collaboration technology— each primary collaboration technology feature of which is compatible with the identified standards for such a primary collaboration technology feature; and that has demonstrated compliance under subsection (d)(2). The term voluntary consensus standard has the meaning given such term in Circular A–119 of the Office of Management and Budget entitled Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities , issued in revised form on January 27, 2016. Not later than 180 days after the date of the enactment of this Act, the Chief Information Officer shall, in consultation with such others as the Chief Information Officer considers relevant, identify a list of primary collaboration technology features, including— voice and video calling, including— calling between 2 individuals; and calling between not less than 3 individuals; text-based messaging; file sharing; live document editing; scheduling and calendaring; and any other technology feature or function that the Chief Information Officer considers appropriate. Not later than 2 years after the date of the enactment of this Act, the Chief Information Officer shall identify a standard, or set of standards, for collaboration technology used by the Department that— for each primary collaboration technology feature, specifies interoperability protocols, and any other protocol, format, requirement, or guidance required to create interoperable implementations of that feature, including— protocols for applications to specify and standardize security, including systems for— identifying and authenticating the individuals who are party to a communication or collaboration task; controlling the attendance and security settings of voice and video calls; and controlling access and editing rights for shared documents; and protocols for any ancillary feature the Chief Information Officer identifies to support the core primary collaboration technology feature, including participation features available within video meetings; to the extent possible, is based on open standards; to the extent possible, is based on standards planned, developed, established, or coordinated using procedures consistent with those for voluntary consensus standards; subject to paragraph (3), uses end-to-end encryption technology; incorporates protocols, guidance, and requirements based on best practices for the cybersecurity of collaboration technology and collaboration technology features; to the extent practicable, integrates cybersecurity technology designed to protect communications from surveillance by foreign adversaries, including technology to protect communications metadata from traffic analysis, with requirements developed in consultation with such others as the Chief Information Officer considers relevant; to the extent practicable, is usable by, or offers options for, users with internet connections that have low-bandwidth or high-latency; and subject to paragraph (5), with respect to the use of primary collaboration technology features, enables compliance with record retention and disclosure obligations. The end-to-end encryption technology selected as part of the identified standards under paragraph (2), to the extent practicable, shall ensure that collaboration and communications content data cannot be compromised if a hosting server is compromised. Subject to subparagraph (C), if the Chief Information Officer has identified an ancillary feature or function for a primary collaboration technology feature and is unable to identify a standard, or set of standards, that uses end-to-end encryption and that is compatible with such ancillary feature or function, the Chief Information Officer may identify a standard or set of standards that does not utilize end-to-end encryption that may be used to support the ancillary feature or function. Subject to clause (ii), the Chief Information Officer shall ensure that, with respect to the use of standards-compatible collaboration technology that offers an ancillary technology feature or function described in subparagraph (B)— the ancillary feature or function is disabled by default; and the primary collaboration technology feature uses end-to-end encryption. Clause
(i)shall not apply to the use of a primary collaboration technology feature with an ancillary feature or function described in subparagraph
(B)if— the Chief Information Officer has enabled the use of the ancillary feature or function within the Department; each user of the ancillary feature or function has been notified of the additional cybersecurity and surveillance risks accompanying the use of the ancillary feature or function; each user of the ancillary feature or function has explicitly opted into the use of the ancillary feature or function; and the primary collaboration technology feature offers a means for the Chief Information Officer to collect aggregate statistics about the use of the options that are not end-to-end encrypted. To the extent practicable, the Chief Information Officer shall identify protocols, guidance, or requirements to ensure that standards-compatible collaboration technology provides users the ability to easily see the encryption status of any collaboration feature in use. In identifying the identified standards, the Chief Information Officer shall consider secure, standards-based technologies adopted by a component or element of the Department, allies of the United States, State and local governments, and the private sector. The Chief Information Officer shall ensure that requirements added to the identified standards to achieve compliance with record retention and disclosure obligations to the greatest extent practicable— preserve the security benefits of end-to-end encryption; avoid storing information, like plaintext messages or decryption keys, that would compromise the security of communications content data if a hosting server were compromised; minimize other cybersecurity risks; and require that all users party to a communication be notified that the communications content data is being saved for archival purposes. If the Chief Information Officer determines that it is infeasible to identify a standard for a particular primary collaboration technology feature not later than 2 years after the date of enactment of this Act, the Chief Information Officer may issue a waiver to extend the deadline for the identification of such standard for the particular primary collaboration technology feature. A waiver described in subparagraph
(A)shall include— the particular primary collaboration technology feature for which the waiver is issued; and an explanation of the reason for which it is currently infeasible to identify a standard meeting the requirements under paragraph (2). A waiver issued by the Chief Information Officer under subparagraph
(A)shall be valid for 1 year. The Chief Information Officer may re-issue a waiver under paragraph
(1)for a primary collaboration technology feature not more than 10 times. On and after the date that is 4 years after the date on which the Chief Information Officer identifies the identified standards, the head of a component or element of the Department may only procure collaboration technology if the collaboration technology is standards-compatible collaboration technology. The following collaboration systems shall not be subject to the requirements under paragraph (1): Email. Voice services, as defined in section 227(e) of the Communications Act of 1934 ( 47 U.S.C. 227(e) ). National security systems, as defined in section 11103(a) of title 40, United States Code. If a software product or a device with a software operating system has built-in primary collaboration technology features that are not compatible with the identified standards, and the Chief Information Officer cannot procure the product or device with those primary collaboration technology features disabled before purchase, the Chief Information Officer may comply with this subsection by disabling the primary collaboration technology features that are not compatible with the identified standards before provisioning the software product or device to an employee of the Department. The Chief Information Officer may issue a certification for waiver of the prohibition under paragraph
(1)with respect to a particular collaboration technology. A certification under subparagraph
(A)shall cite not less than 1 specific reason for which the Department is unable to procure standards-compatible collaboration technology that meets the needs of the Department. The Chief Information Officer shall submit to the congressional defense committees a copy of each certification issued under subparagraph (A). The Chief Information Officer shall post a copy of each certification issued under subparagraph
(A)on the Department’s website. A certification with respect to a particular collaboration technology under this paragraph shall result in a waiver of the prohibition for that particular collaboration technology under paragraph (1)(B) that— shall be valid for a 4-year period; and may be renewed by the Chief Information Officer. Not later than 1 year after the date on which the Chief Information Officer identifies the identified standards, the Chief Information Officer shall identify third-party online interoperability test suites, including not less than 1 free test suite, or develop a free online interoperability test suite if no suitable third-party test suite can be identified, which shall— enable any entity to test whether an implementation of a primary collaboration technology feature has interoperability with the identified standards; and offer an externally-shareable version of the interoperability test results that can be provided as part of a demonstration of compliance under paragraph (2). In order to demonstrate that a collaboration technology is a standards-compatible collaboration technology, the provider of the collaboration technology shall provide to the Chief Information Officer— an attestation that includes an affirmation that— each primary collaboration technology feature of the collaboration technology, by default— uses the relevant standard or standards from the identified standards for the primary collaboration technology feature to interoperate with other instances of standards-compatible collaboration technology; and follows all guidance and requirements from the identified standards that is applicable to the primary collaboration technology feature; and the collaboration technology enables the Chief Information Officer to disable the ability of users to use modes of the collaboration technology that are not compatible with the identified standards; and interoperability test results described in paragraph (1)(B) that demonstrate interoperability with the identified standards for each primary collaboration technology feature the collaboration technology offers. Upon a review of the materials submitted under paragraph (2), the Chief Information Officer shall publish on the website of the Department a list of each collaboration technology that the Chief Information Officer has determined to be a standards-compatible collaboration technology. Nothing in this subsection shall be construed to require a collaboration technology vendor to directly test the interoperability of a primary collaboration technology feature with the product of another collaboration technology vendor. Not later than 4 years after the date on which the Chief Information Officer identifies the identified standards, the Chief Information Officer shall conduct security reviews of collaboration technology products used within the Department, to identify any cybersecurity vulnerability or threat relating to those collaboration technology products. With respect to collaboration technology products selected for security reviews under paragraph (1), the Chief Information Officer shall determine the number of products, the specific products, and the prioritization of products for security review, considering factors including— the total number of users across the Department using a collaboration technology product; and an estimation of the likelihood of a collaboration technology product being targeted for hacking. Not later than 30 days after the date on which the Chief Information Officer conducts security reviews under paragraph (1), the Chief Information Officer shall submit to the congressional defense committees a report on the results of the security reviews. Nothing in this section shall be construed to limit the ability of— the Department to communicate with other entities using standards-compatible collaboration technology; or other entities to use the identified standards or standards-compatible collaboration technology.
Connectionstraces to 1
Citation graph
cites case law
Sec. 6612
Secure and interoperable defense collaboration technology
U.S.C.§ 227
Cites 1Cited by 0 across 0 sources
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.