Sec. 1712. MODIFICATION OF REQUIREMENTS RELATING TO THE STRATEGIC CYBERSECURITY PROGRAM AND THE EVALUATION OF CYBER VULNERABILITIES OF MAJOR WEAPON SYSTEMS OF THE DEPARTMENT OF DEFENSE
## SEC. 1712 MODIFICATION OF REQUIREMENTS RELATING TO THE STRATEGIC CYBERSECURITY PROGRAM AND THE EVALUATION OF CYBER VULNERABILITIES OF MAJOR WEAPON SYSTEMS OF THE DEPARTMENT OF DEFENSE

### (a) Evaluation of Cyber Vulnerabilities of Major Weapon Systems of the Department of Defense

#### (1) In general

Section 1647 of the National Defense Authorization Act for Fiscal Year 2016 (Public Law 114-92; 10 U.S.C. 2224 note), as amended by section 1633 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116-92), is further amended by adding at the end the following new subsections:

> ### “(i) Establishing Requirements for Periodicity of Vulnerability Reviews
>
> The Secretary of Defense shall establish policies and requirements for each major weapon system, and the priority critical infrastructure essential to the proper functioning of major weapon systems in broader mission areas, to be re-assessed for cyber vulnerabilities, taking into account upgrades or other modifications to systems and changes in the threat landscape.
>
> ### “(j) Identification of Senior Official
>
> Each secretary of a military department shall identify a senior official who shall be responsible for ensuring that cyber vulnerability assessments and mitigations for weapon systems and critical infrastructure are planned, funded, and carried out.”.

#### (2) Technical correction

Such section 1647 of the National Defense Authorization Act for Fiscal Year 2016 is further amended—

##### (A)

by redesignating subsection (g) as subsection (h); and

##### (B)

by redesignating the second subsection (f), as added by section 1633 of the National Defense Authorization Act for Fiscal Year 2020, as subsection (g).
### (b) Strategic Cybersecurity Program

Section 1640 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91; 10 U.S.C. 2224 note), is amended by striking subsections (a) through (e) and inserting the following new subsections:

> ### “(a) In General
>
> Not later than August 1, 2021, the Secretary of Defense shall, acting through the Under Secretary of Defense for Acquisition and Sustainment, the Chief Information Officer, the Vice Chairman of the Joint Chiefs of Staff, the Commander of United States Cyber Command, and the Director of the National Security Agency, establish a program to be known as the ‘Strategic Cybersecurity Program’ (in this section referred to as the ‘Program’) to ensure that the Department of Defense is always able to conduct the most important military missions of the Department.
>
> ### “(b) Personnel Support to the Program
>
> #### “(1) In general
>
> The Director of the National Security Agency shall establish a program office within the Cybersecurity Directorate to support the Program by identifying threats to, vulnerabilities in, and remediations for the missions and mission elements described in paragraph (1) of subsection (c). Such program office shall be headed by a program manager selected by the Director.
>
> #### “(2) National security agency program office staff augmentation
>
> The Secretary may augment the personnel assigned to the program office required under paragraph (1) by assigning personnel as appropriate from among regular and reserve members of the Armed Forces, civilian employees of the Department of Defense (including the Defense intelligence agencies), and personnel of the research laboratories of the Department and the Department of Energy, who have particular expertise in the areas of responsibility described in subsection (c).
>
> #### “(3) Department of energy personnel
>
> Any personnel assigned to the program office from among personnel of the Department of Energy shall be so assigned with the concurrence of the Secretary of Energy.
>
> ### “(c) Responsibilities
>
> #### “(1) Designation of mission elements of the program
>
> The Under Secretary of Defense for Policy, the Under Secretary of Defense for Acquisition and Sustainment, and the Vice Chairman of the Joint Chiefs of Staff shall identify and designate for inclusion in the Program all of the systems, critical infrastructure, kill chains, and processes, including systems and components in development, that comprise the following military missions of the Department of Defense:
>
> ##### “(A)
>
> Nuclear deterrence and strike.
>
> ##### “(B)
>
> Select long-range conventional strike missions germane to the warfighting plans of United States European Command and United States Indo-Pacific Command.
>
> ##### “(C)
>
> Offensive cyber operations.
>
> ##### “(D)
>
> Homeland missile defense.
>
> #### “(2) Office of the under secretary of defense for acquisition and sustainment
>
> The Office of the Under Secretary of Defense for Acquisition and Sustainment shall serve as the office of primary responsibility for the Program, providing policy, direction, and oversight regarding the execution of the National Security Agency program manager’s responsibilities described in paragraph (5).
>
> #### “(3) Vice chairman of the joint chiefs of staff
>
> The Vice Chairman of the Joint Chiefs of Staff shall coordinate the identification and prioritization of the missions and mission components, and the development and approval of requirements relating to the cybersecurity of the missions and mission components, of the Program.
>
> #### “(4) Chief information officer
>
> The Chief Information Officer, in exercising authority, direction, and control over the Cybersecurity Directorate of the National Security Agency, shall ensure that the National Security Agency program office is responsive to the requirements and direction of the Under Secretary of Defense for Acquisition and Sustainment.
>
> #### “(5) Program manager
>
> The program manager shall be responsible for—
>
> ##### “(A)
>
> Conducting end-to-end vulnerability assessments of the missions of the Program and their constituent systems, infrastructure, kill chains, and processes.
>
> ##### “(B)
>
> Prioritizing and facilitating the remediation of identified vulnerabilities in the constituent systems, infrastructure, kill chains, and processes of the missions of the Program.
>
> ##### “(C)
>
> Conducting, prior to the Milestone B approval for any such system or infrastructure, appropriate reviews of acquisition and system engineering plans for proposed systems and infrastructure germane to the missions of the Program, in accordance with the Under Secretary of Defense for Acquisition and Sustainment’s policy and guidance regarding the components of such reviews and the range of systems and infrastructure to be reviewed.
>
> ##### “(D)
>
> Advising the military departments, combatant commands, and Joint Staff on the vulnerabilities and cyberattack vectors that pose substantial risk to the missions of the Program and their constituent systems, critical infrastructure, kill chains, or processes.
>
> #### “(6) Secretary of defense directive
>
> The Secretary of Defense shall define and issue guidance on the roles and responsibilities for other components with respect to the Program, including—
>
> ##### “(A)
>
> the military departments’ acquisition and sustainment organizations in supporting and implementing remedial actions;
>
> ##### “(B)
>
> the alignment of Cyber Protection Teams with the prioritized missions of the Program;
>
> ##### “(C)
>
> the role of the Director of Operational Test and Evaluation in conducting periodic assessments, including through red teams, of the cybersecurity of missions in the Program; and
>
> ##### “(D)
>
> the role of the Principal Cyber Adviser in coordinating and monitoring the Department’s execution of the Program.
>
> ### “(d) Integration With Other Efforts
>
> The Under Secretary of Defense for Acquisition and Sustainment shall ensure that the Program builds upon, and does not duplicate, other efforts of the Department of Defense relating to cybersecurity, including the following:
>
> #### “(1)
>
> The evaluation of cyber vulnerabilities of major weapon systems of the Department of Defense required under section 1647 of the National Defense Authorization Act for Fiscal Year 2016 (Public Law 114-92).
>
> #### “(2)
>
> The evaluation of cyber vulnerabilities of Department of Defense critical infrastructure required under section 1650 of the National Defense Authorization Act for Fiscal year 2017 (Public Law 114-328; 10 U.S.C. 2224 note).
>
> #### “(3)
>
> The activities of the cyber protection teams of the Department of Defense.
>
> ### “(e) Briefing
>
> Not later than December 1, 2021, the Secretary of Defense shall provide to the congressional defense committees a briefing on the establishment of the Program, and the plans, funding, and staffing of the Program.”.