
John S. McCain National Defense Authorization Act for Fiscal Year 2019, Sec. 1655

Sec. 1655. MITIGATION OF RISKS TO NATIONAL SECURITY POSED BY PROVIDERS OF INFORMATION TECHNOLOGY PRODUCTS AND SERVICES WHO HAVE OBLIGATIONS TO FOREIGN GOVERNMENTS


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

## SEC. 1655. MITIGATION OF RISKS TO NATIONAL SECURITY POSED BY PROVIDERS OF INFORMATION TECHNOLOGY PRODUCTS AND SERVICES WHO HAVE OBLIGATIONS TO FOREIGN GOVERNMENTS **[**[10 U.S.C. 2224 note](/us/usc/t10/s2224)**]**

(a) Disclosure Required. Subject to the regulations issued under subsection (b), the Department of Defense may not use a product, service, or system procured or acquired after the date of the enactment of this Act relating to information or operational technology, cybersecurity, an industrial control system, or weapons system provided by a person unless that person discloses to the Secretary of Defense the following:

(1) Whether, and if so, when, within five years before or at any time after the date of the enactment of this Act, the person has allowed a foreign government to review the code of a non-commercial product, system, or service developed for the Department, or whether the person is under any obligation to allow a foreign person or government to review the code of a non-commercial product, system, or service developed for the Department as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.

(2) Whether, and if so, when, within five years before or at any time after the date of the enactment of this Act, the person has allowed a foreign government listed in section 1654 to review the source code of a product, system, or service that the Department is using or intends to use, or is under any obligation to allow a foreign person or government to review the source code of a product, system, or service that the Department is using or intends to use as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.

(3) Whether or not the person holds or has sought a license pursuant to the Export Administration Regulations under subchapter C of chapter VII of title 15, Code of Federal Regulations, the International Traffic in Arms Regulations under subchapter M of chapter I of title 22, Code of Federal Regulations, or successor regulations, for information technology products, components, software, or services that contain code custom-developed for the non-commercial product, system, or service the Department is using or intends to use.

(b) Regulations.

(1) In general. The Secretary of Defense shall issue regulations regarding the implementation of subsection (a).

(2) Uniform review process. If information obtained from a person under subsection (a) or the contents of the registry under subsection (f) are the subject of a request under section 552 of title 5, United States Code (commonly referred to as the “Freedom of Information Act”), the Secretary of Defense shall conduct a uniform review process, without regard to the office holding the information, to determine if the information is exempt from disclosure under such section 552.

(c) Procurement. Procurement contracts for covered products or systems shall include a clause requiring the information contained in subsection (a) be disclosed during the period of the contract if an entity becomes aware of information requiring disclosure required pursuant to such subsection, including any mitigation measures taken or anticipated.

(d) Mitigation of Risks.

(1) In general. If, after reviewing a disclosure made by a person under subsection (a), the Secretary determines that the disclosure relating to a product, system, or service entails a risk to the national security infrastructure or data of the United States, or any national security system under the control of the Department, the Secretary shall take such measures as the Secretary considers appropriate to mitigate such risks, including, as the Secretary considers appropriate, by conditioning any agreement for the use, procurement, or acquisition of the product, system, or service on the inclusion of enforceable conditions or requirements that would mitigate such risks.

(2) Third-party testing standard. Not later than two years after the date of the enactment of this Act the Secretary shall develop such third-party testing standard as the Secretary considers acceptable for commercial off the shelf (COTS) products, systems, or services to use when dealing with foreign governments.

(e) Exemption of Open Source Software. This section shall not apply to open source software.

(f) Establishment of Registry. Not later than one year after the date of the enactment of this Act, the Secretary of Defense shall—

(1) establish within the operational capabilities of the Committee for National Security Systems (CNSS) or within such other agency as the Secretary considers appropriate a registry containing the information disclosed under subsection (a); and

(2) upon request, make such information available to any agency conducting a procurement pursuant to the Federal Acquisition Regulations or the Defense Federal Acquisition Regulations.

(g) Annual Reports. Not later than one year after the date of the enactment of this Act and not less frequently than once each year thereafter, the Secretary of Defense shall submit to the appropriate committees of Congress a report detailing the number, scope, product classifications, and mitigation agreements related to each product, system, and service for which a disclosure is made under subsection (a).

(h) Definitions. In this section:

(1) Appropriate committees of congress defined. The term “appropriate committees of Congress” means—

(A) the Committee on Armed Services, the Select Committee on Intelligence, and the Committee on Homeland Security and Governmental Affairs of the Senate; and

(B) the Committee on Armed Services, the Permanent Select Committee on Intelligence, the Committee on Homeland Security, and the Committee on Oversight and Government Reform of the House of Representatives.

(2) Commercial item. The term “commercial item” has the meaning given such term in section 103 of title 41, United States Code.

(3) Information technology. The term “information technology” has the meaning given such term in section 11101 of title 40, United States Code.

(4) National security system. The term “national security system” has the meaning given such term in section 3552(b) of title 44, United States Code.

(5) Non-commercial product, system, or service. The term “non-commercial product, system, or service” means a product, system, or service that does not meet the criteria of a commercial item.

(6) Open source software. The term “open source software” means software for which the human-readable source code is available for use, study, re-use, modification, enhancement, and re-distribution by the users of such software.