Sec. 1514. OPERATIONAL TESTING FOR COMMERCIAL CYBERSECURITY CAPABILITIES
## SEC. 1514 OPERATIONAL TESTING FOR COMMERCIAL CYBERSECURITY CAPABILITIES

**[**[10 U.S.C. 2224 note](/us/usc/t10/s2224)**]**

### (a) Development and Submission of Plans

Not later than February 1, 2024, the Chief Information Officer of the Department of Defense and the Chief Information Officers of the military departments shall develop and submit plans described in subsection (b) to the Director of Operational Test and Evaluation who may approve the implementation of the plans pursuant to subsection (c).

### (b) Plans Described

The plans described in this subsection are plans that—

#### (1)

ensure covered cybersecurity capabilities are appropriately tested, evaluated, and proven operationally effective, suitable, and survivable prior to operation on a Department of Defense network; and

#### (2)

specify how test results will be expeditiously provided to the Director of Operational Test and Evaluation.

### (c) Assessment

In reviewing the plans submitted under subsection (a), the Director of Operational Test and Evaluation shall conduct an assessment that includes consideration of the following:

#### (1)

Threat-realistic operational testing, including representative environments, variation of operational conditions, and inclusion of a realistic opposing force.

#### (2)

The use of Department of Defense cyber red teams, as well as any enabling contract language required to permit threat-representative red team assessments.

#### (3)

Collaboration with the personnel using the commercial cybersecurity capability regarding the results of the testing to improve operators’ ability to recognize and defend against cyberattacks.

#### (4)

The extent to which additional resources may be needed to remediate any shortfalls in capability to make the commercial cybersecurity capability effective, suitable, and cyber survivable in an operational environment of the Department.

#### (5)

Identification of training requirements, and changes to training, sustainment practices, or concepts of operation or employment that may be needed to ensure the effectiveness, suitability, and cyber survivability of the commercial cybersecurity capability.

### (d) Policies and Regulations

Not later than February 1, 2024, the Secretary of Defense shall issue such policies and guidance and prescribe such regulations as the Secretary determines necessary to carry out this section.

### (e) Reports

Not later than January 31, 2025, and not less frequently than annually thereafter until January 31, 2030, the Director shall include in each annual report required by section 139(h) of title 10, United States Code, the following:

#### (1)

The status of the plans developed under subsection (a).

#### (2)

The number and type of test and evaluation events completed in the past year for such plans, disaggregated by component of the Department, and including resources devoted to each event.

#### (3)

The results from such test and evaluation events, including any resource shortfalls affecting the number of commercial cybersecurity capabilities that could be assessed.

#### (4)

A summary of identified categories of common gaps and shortfalls found during testing.

#### (5)

The extent to which entities responsible for developing and testing commercial cybersecurity capabilities have responded to recommendations made by the Director in an effort to gain favorable determinations.

#### (6)

Any identified lessons learned that would impact training, sustainment, or concepts of operation or employment decisions relating to the assessed commercial cybersecurity capabilities.

### (f) Definition

In this section, the term “covered cybersecurity capabilities” means any of the following:

#### (1)

Commercial products (as defined in section 103 of title 41, United States Code) acquired and deployed by the Department of Defense to satisfy the cybersecurity requirements of one or more Department components.

#### (2)

Commercially available off-the-shelf items (as defined in section 104 of title 41, United States Code) acquired and deployed by the Department of Defense to satisfy the cybersecurity requirements of one or more Department components.

#### (3)

Noncommercial items acquired through the Adaptive Acquisition Framework and deployed by the Department of Defense to satisfy the cybersecurity requirements of one or more Department components.

## Subtitle B Information Operations