Sec. 1737. ASSESSMENT ON DEFENSE INDUSTRIAL BASE PARTICIPATION IN A THREAT INFORMATION SHARING PROGRAM
## SEC. 1737. ASSESSMENT ON DEFENSE INDUSTRIAL BASE PARTICIPATION IN A THREAT INFORMATION SHARING PROGRAM [[10 U.S.C. 2224 note](/us/usc/t10/s2224)]

### (a) Defense Industrial Base Threat Information Program Assessment

Not later than 270 days after the date of the enactment of this Act, the Secretary of Defense shall complete an assessment of the feasibility, suitability, and definition of, and resourcing required to establish, a defense industrial base threat information sharing program to collaborate and share threat information with, and obtain threat information from, the defense industrial base.

### (b) Elements

The assessment regarding the establishment of a defense industrial base threat information sharing program under subsection (a) shall include evaluation of the following:

(1) The feasibility and suitability of, and requirements for, the establishment of a defense industrial base threat information sharing program, including cybersecurity incident reporting requirements applicable to the defense industrial base that—
(A) extend beyond mandatory cybersecurity incident reporting requirements as in effect on the day before the date of the enactment of this Act;
(B) set specific, consistent timeframes for all categories of cybersecurity incident reporting;
(C) establish a single clearinghouse for all mandatory cybersecurity incident reporting to the Department of Defense, including incidents involving covered unclassified information, and classified information; and
(D) provide that, unless authorized or required by another provision of law or the element of the defense industrial base making the report consents, nonpublic information of which the Department becomes aware only because of a report provided pursuant to the program shall be disseminated and used only for a cybersecurity purpose (as such term is defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)) and in support of national defense activities.
(2) A mechanism for developing a shared and real-time picture of the threat environment.
(3) Options for joint, collaborative, and co-located analytics.
(4) Possible investments in technology and capabilities to support automated detection and analysis across the defense industrial base.
(5) Coordinated information tipping, sharing, and deconfliction, as necessary, with relevant Federal Government agencies with similar information sharing programs.
(6) Processes for direct sharing of threat information related to a specific defense industrial base entity with such entity.
(7) Mechanisms for providing defense industrial base entities with clearances for national security information access, as appropriate.
(8) Requirements to consent to queries of foreign intelligence collection databases related to a specific defense industrial base entity as a condition of participation in the threat information sharing program.
(9) Recommendations with respect to threat information sharing program participation, including the following:
(A) Incentives for defense industrial base entities to participate in the threat information sharing program.
(B) Mandating minimum levels of threat information sharing program participation for any entity that is part of the defense industrial base.
(C) Procurement prohibitions on any defense industrial base entity that are not in compliance with the requirements of the threat information sharing program.
(D) Waiver authority and criteria.
(E) Adopting tiers of requirements for participation within the threat information sharing program based on—
(i) the role of and relative threats related to defense industrial base entities; and
(ii) Cybersecurity Maturity Model Certification level.
(10) Options to utilize an existing federally recognized information sharing program to satisfy the requirement for a threat information sharing program if—
(A) the existing program includes, or is modified to include, two-way sharing of threat information that is specifically relevant to the defense industrial base; and
(B) such a program is coordinated with other Federal Government agencies with existing information sharing programs where overlap occurs.
(11) Methods to encourage participation of defense industrial base entities in appropriate private sector information sharing and analysis centers (ISACs).
(12) Methods to coordinate collectively with defense industrial base entities to consider methods for mitigating compliance costs.
(13) The resources needed, governance roles and structures required, and changes in regulation or law needed for execution of a threat information sharing program, as well as any other considerations determined relevant by the Secretary.
(14) Identification of any barriers that would prevent the establishment of a defense industrial base threat information sharing program.

### (c) Consultation

In conducting the assessment required under subsection (a), the Secretary of Defense shall consult with and solicit recommendations from representative industry stakeholders across the defense industrial base regarding the elements described in subsection (b) and potential stakeholder costs of compliance.

### (d) Determination and Briefing

Upon completion of the assessment required under subsection (a), the Secretary of Defense shall make a determination regarding the establishment by the end of fiscal year 2021 of a defense industrial base threat information sharing program and provide a briefing to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives on—
(1) the findings of the Secretary with respect to such assessment and such determination; and
(2) such implementation plans as the Secretary may have arising from such findings.

### (e) Implementation

If the Secretary of Defense makes a positive determination pursuant to subsection (d) of the feasibility and suitability of establishing a defense industrial base threat information sharing program, the Secretary shall establish such program. Not later than 180 days after a positive determination, the Secretary of Defense shall promulgate such rules and regulations as are necessary to establish the defense industrial base threat information sharing program under this section.