
Statute compilation: National Defense Authorization Act for Fiscal Year 2020, Sec. 1648

Sec. 1648. FRAMEWORK TO ENHANCE CYBERSECURITY OF THE UNITED STATES DEFENSE INDUSTRIAL BASE



## SEC. 1648. FRAMEWORK TO ENHANCE CYBERSECURITY OF THE UNITED STATES DEFENSE INDUSTRIAL BASE [[10 U.S.C. 2224 note](/us/usc/t10/s2224)]

**(a) Framework Required.** Not later than 180 days after the date of the enactment of the National Defense Authorization Act for Fiscal Year 2022, the Secretary of Defense shall develop a consistent, comprehensive framework to enhance cybersecurity for the United States defense industrial base.
**(b) Elements.** The framework developed pursuant to subsection (a) shall include the following:

(1) Identification of unified cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements to be imposed on the defense industrial base for the purpose of assessing the cybersecurity of individual contractors.

(2) Roles and responsibilities of the Under Secretary of Defense for Acquisition and Sustainment, the Under Secretary of Defense for Intelligence and Security, the Chief Information Officer, the Director of the Protecting Critical Technologies Task Force, and the Secretaries of the military departments relating to the following:

(A) Establishing and ensuring compliance with cybersecurity standards, regulations, and policies.

(B) Deconflicting existing cybersecurity standards, regulations, and policies.

(C) Coordinating with and providing assistance to the defense industrial base for cybersecurity matters, particularly as relates to the programs and processes described in paragraphs (8) and (9).

(D) Management and oversight of the acquisition process, including responsibility determination, solicitation, award, and contractor management, relating to cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements.

(3) The responsibilities of the prime contractors, and all subcontractors in the supply chain, for implementing the required cybersecurity standards, regulations, metrics, ratings, third-party certifications, and requirements identified under paragraph (1).

(4) Definitions for “Controlled Unclassified Information” (CUI) and “For Official Use Only” (FOUO), policies regarding protecting information designated as either of such, and an explanation of the “DoD CUI Program” and Department of Defense compliance with the responsibilities specified in Department of Defense Instruction (DoDI) 5200.48, “Controlled Unclassified Information (CUI),” including the following:

(A) The extent to which the Department of Defense is identifying whether information is CUI via a contracting vehicle and marking documents, material, and media containing such information in a clear and consistent manner.

(B) Recommended regulatory or policy changes to ensure consistency and clarity in CUI identification and marking requirements.

(C) Circumstances under which commercial information is considered CUI, and any impacts to the commercial supply chain associated with security and marking requirements pursuant to this paragraph.

(D) Benefits and drawbacks of requiring all CUI to be marked with a unique CUI legend, versus requiring that all data marked with an appropriate restricted legend be handled as CUI.

(E) The extent to which the Department of Defense clearly delineates Federal Contract Information (FCI) from CUI.

(F) Examples or scenarios to illustrate information that is and is not CUI.

(5) Methods and programs for managing controlled unclassified information, and for limiting the presence of unnecessary sensitive information on contractor networks.

(6) A plan to provide implementation guidance, education, manuals, and, as necessary, direct technical support or assistance, to contractors on matters relating to cybersecurity.

(7) Quantitative metrics for assessing the effectiveness of the overall framework over time, with respect to the exfiltration of controlled unclassified information from the defense industrial base.

(8) A comprehensive list of current and planned Department of Defense programs to assist the defense industrial base with cybersecurity compliance requirements of the Department, including those programs that provide training, expertise, and funding, and maintain approved security products lists and approved providers lists.

(9) Processes for enhanced threat information sharing between the Department of Defense and the defense industrial base.
**(c) Matters for Consideration.** In developing the framework pursuant to subsection (a), the Secretary shall consider the following:

(1) Designating an official to be responsible for the cybersecurity of the defense industrial base.

(2) Risk-based methodologies, standards, metrics, and tiered cybersecurity requirements for the defense industrial base, including third-party certifications such as the Cybersecurity Maturity Model Certification pilot program, as the basis for a mandatory Department standard.

(3) Tailoring cybersecurity requirements for small- and medium-sized contractors based on a risk-based approach.

(4) Ensuring a consistent approach across the Department to cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements of the defense industrial base.

(5) Ensuring the Department’s traceability and visibility of cybersecurity compliance of suppliers to all levels of the supply chain.

(6) Evaluating incentives and penalties for cybersecurity performance of suppliers.

(7) Integrating cybersecurity and traditional counterintelligence measures, requirements, and programs.

(8) Establishing a secure software development environment (DevSecOps) in a cloud environment inside the perimeter of the Department for contractors to perform their development work.

(9) Establishing a secure cloud environment through which contractors may access the data of the Department needed for their contract work.

(10) An evaluation of the resources and utilization of Department programs to assist the defense industrial base in complying with cybersecurity compliance requirements referred to in subsection (b)(1).

(11) Technological means, operational concepts, reference architectures, offensive counterintelligence operation concepts, and plans for operationalization to complicate adversary espionage, including honeypotting and data obfuscation.

(12) Implementing enhanced security vulnerability assessments for contractors working on critical acquisition programs, technologies, manufacturing capabilities, and research areas.

(13) Identifying ways to better leverage technology and employ machine learning or artificial intelligence capabilities, such as Internet Protocol monitoring and data integrity capabilities, to be applied to contractor information systems that host, receive, or transmit controlled unclassified information.

(14) Developing tools to easily segregate program data to only allow subcontractors access to their specific information.

(15) Appropriate communications of threat assessments of the defense industrial base to the acquisition workforce at all classification levels.

(16) A single Sector Coordinating Council for the defense industrial base.

(17) Appropriate communications with the defense industrial base on the impact of cybersecurity requirements in contracting and procurement decisions.
**(d) Consultation.** In developing the framework required pursuant to subsection (a), the Secretary shall consult with the following:

(1) Industry groups representing the defense industrial base.

(2) Contractors in the defense industrial base.

(3) The Director of the National Institute of Standards and Technology.

(4) The Secretary of Energy.

(5) The Director of National Intelligence.

(6) Relevant Federal regulatory agencies.
**(e) Briefing.**

(1) In general. Not later than March 11, 2020, the Secretary of Defense shall provide the congressional defense committees with a briefing on the framework developed pursuant to subsection (a).

(2) Contents. The briefing required by paragraph (1) shall include the following:

(A) An overview of the framework developed pursuant to subsection (a).

(B) Identification of such pilot programs as the Secretary considers may be required to improve the cybersecurity of the defense industrial base.

(C) Implementation timelines and identification of costs.

(D) Such recommendations as the Secretary may have for legislative action to improve the cybersecurity of the defense industrial base.

**(f) Quarterly Briefings.**

(1) In general. Not less frequently than once each quarter after the briefing provided pursuant to subsection (e) until February 1, 2022, the Secretary of Defense shall brief the congressional defense committees on the status of development and implementation of the framework developed pursuant to subsection (a).

(2) Coordination with other briefings. Each briefing under paragraph (1) shall be conducted in conjunction with a quarterly briefing under section 484(a) of title 10, United States Code.

(3) Elements. Each briefing under paragraph (1) shall include the following:

(A) The current status of the development and implementation of the framework developed pursuant to subsection (a).

(B) A description of the efforts undertaken by the Secretary to evaluate the matters for consideration set forth in subsection (c).

(C) The current status of any pilot programs the Secretary is carrying out to develop the framework.