Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · STATUTE-COMPILATIONS · Intelligence Authorization Act for Fiscal Year 2010 · Sec. 336

Sec. 336. CYBERSECURITY OVERSIGHT

1,602 words·~7 min read·/statute-compilations/comps-9631/sec-336

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

## SEC. 336 CYBERSECURITY OVERSIGHT **[**[6 U.S.C. 121 note](/us/usc/t6/s121)**]** ###
(a)Notification of Cybersecurity Programs ####
(1)Requirement for notification #####
(A)Existing programs Not later than 30 days after the date of the enactment of this Act, the President shall submit to Congress a notification for each cybersecurity program in operation on such date that includes the documentation referred to in subparagraphs
(A)through
(F)of paragraph (2). #####
(B)New programs Not later than 30 days after the date of the commencement of operations of a new cybersecurity program, the President shall submit to Congress a notification of such commencement that includes the documentation referred to in subparagraphs
(A)through
(F)of paragraph (2). ####
(2)Documentation A notification required by paragraph
(1)for a cybersecurity program shall include— #####
(A)the legal basis for the cybersecurity program; #####
(B)the certification, if any, made pursuant to section 2511(2)(a)(ii)(B) of title 18, United States Code, or other statutory certification of legality for the cybersecurity program; #####
(C)the concept for the operation of the cybersecurity program that is approved by the head of the appropriate department or agency of the United States; #####
(D)the assessment, if any, of the privacy impact of the cybersecurity program prepared by the privacy or civil liberties protection officer or comparable officer of such department or agency; #####
(E)the plan, if any, for independent audit or review of the cybersecurity program to be carried out by the head of such department or agency, in conjunction with the appropriate inspector general; and #####
(F)recommendations, if any, for legislation to improve the capabilities of the United States Government to protect the cybersecurity of the United States. ###
(b)Program Reports ####
(1)Requirement for reports The head of a department or agency of the United States with responsibility for a cybersecurity program for which a notification was submitted under subsection (a), in consultation with the inspector general for that department or agency, shall submit to Congress and the President a report on such cybersecurity program that includes— #####
(A)the results of any audit or review of the cybersecurity program carried out under the plan referred to in subsection (a)(2)(E), if any; and #####
(B)an assessment of whether the implementation of the cybersecurity program— ######
(i)is in compliance with— ######
(I)the legal basis referred to in subsection (a)(2)(A); and ######
(II)an assessment referred to in subsection (a)(2)(D), if any; ######
(ii)is adequately described by the concept of operation referred to in subsection (a)(2)(C); and ######
(iii)includes an adequate independent audit or review system and whether improvements to such independent audit or review system are necessary. ####
(2)Schedule for submission of reports #####
(A)Existing programs Not later than 180 days after the date of the enactment of this Act, and annually thereafter, the head of a department or agency of the United States with responsibility for a cybersecurity program for which a notification is required to be submitted under subsection (a)(1)(A) shall submit a report required under paragraph (1). #####
(B)New programs Not later than 120 days after the date on which a certification is submitted under subsection (a)(1)(B), and annually thereafter, the head of a department or agency of the United States with responsibility for the cybersecurity program for which such certification is submitted shall submit a report required under paragraph (1). ####
(3)Cooperation and coordination #####
(A)Cooperation The head of each department or agency of the United States required to submit a report under paragraph
(1)for a particular cybersecurity program, and the inspector general of each such department or agency, shall, to the extent practicable, work in conjunction with any other such head or inspector general required to submit such a report for such cybersecurity program. #####
(B)Coordination The heads of all of the departments and agencies of the United States required to submit a report under paragraph
(1)for a particular cybersecurity program shall designate one such head to coordinate the conduct of the reports on such program. ###
(c)Information Sharing Report Not later than one year after the date of the enactment of this Act, the Inspector General of the Department of Homeland Security and the Inspector General of the Intelligence Community shall jointly submit to Congress and the President a report on the status of the sharing of cyber-threat information, including— ####
(1)a description of how cyber-threat intelligence information, including classified information, is shared among the agencies and departments of the United States and with persons responsible for critical infrastructure; ####
(2)a description of the mechanisms by which classified cyber-threat information is distributed; ####
(3)an assessment of the effectiveness of cyber-threat information sharing and distribution; and ####
(4)any other matters identified by either Inspector General that would help to fully inform Congress or the President regarding the effectiveness and legality of cybersecurity programs. ###
(d)Personnel Details ####
(1)Authority to detail Notwithstanding any other provision of law, the head of an element of the intelligence community that is funded through the National Intelligence Program may detail an officer or employee of such element to the National Cyber Investigative Joint Task Force or to the Department of Homeland Security to assist the Task Force or the Department with cybersecurity, as jointly agreed by the head of such element and the Task Force or the Department. ####
(2)Basis for detail A personnel detail made under paragraph
(1)may be made— #####
(A)for a period of not more than three years; and #####
(B)on a reimbursable or nonreimbursable basis. ###
(e)Additional Plan Not later than 180 days after the date of the enactment of this Act, the Director of National Intelligence shall submit to Congress a plan for recruiting, retaining, and training a highly-qualified cybersecurity intelligence community workforce to secure the networks of the intelligence community. Such plan shall include— ####
(1)an assessment of the capabilities of the current workforce; ####
(2)an examination of issues of recruiting, retention, and the professional development of such workforce, including the possibility of providing retention bonuses or other forms of compensation; ####
(3)an assessment of the benefits of outreach and training with both private industry and academic institutions with respect to such workforce; ####
(4)an assessment of the impact of the establishment of the Department of Defense Cyber Command on such workforce; ####
(5)an examination of best practices for making the intelligence community workforce aware of cybersecurity best practices and principles; and ####
(6)strategies for addressing such other matters as the Director of National Intelligence considers necessary to the cybersecurity of the intelligence community. ###
(f)Report on Guidelines and Legislation To Improve Cybersecurity of the United States ####
(1)Initial Not later than one year after the date of the enactment of this Act, the Director of National Intelligence, in coordination with the Attorney General, the Director of the National Security Agency, the White House Cybersecurity Coordinator, and any other officials the Director of National Intelligence considers appropriate, shall submit to Congress a report containing guidelines or legislative recommendations, if appropriate, to improve the capabilities of the intelligence community and law enforcement agencies to protect the cybersecurity of the United States. Such report shall include guidelines or legislative recommendations on— #####
(A)improving the ability of the intelligence community to detect hostile actions and attribute attacks to specific parties; #####
(B)the need for data retention requirements to assist the intelligence community and law enforcement agencies; #####
(C)improving the ability of the intelligence community to anticipate nontraditional targets of foreign intelligence services; and #####
(D)the adequacy of existing criminal statutes to successfully deter cyber attacks, including statutes criminalizing the facilitation of criminal acts, the scope of laws for which a cyber crime constitutes a predicate offense, trespassing statutes, data breach notification requirements, and victim restitution statutes. ####
(2)Subsequent Not later than one year after the date on which the initial report is submitted under paragraph (1), and annually thereafter for two years, the Director of National Intelligence, in consultation with the Attorney General, the Director of the National Security Agency, the White House Cybersecurity Coordinator, and any other officials the Director of National Intelligence considers appropriate, shall submit to Congress an update of the report required under paragraph (1). ###
(g)Sunset The requirements and authorities of subsections
(a)through
(e)shall terminate on December 31, 2013. ###
(h)Definitions In this section: ####
(1)Cybersecurity program The term “cybersecurity program” means a class or collection of similar cybersecurity operations of a department or agency of the United States that involves personally identifiable data that is— #####
(A)screened by a cybersecurity system outside of the department or agency of the United States that was the intended recipient of the personally identifiable data; #####
(B)transferred, for the purpose of cybersecurity, outside the department or agency of the United States that was the intended recipient of the personally identifiable data; or #####
(C)transferred, for the purpose of cybersecurity, to an element of the intelligence community. ####
(2)National cyber investigative joint task force The term “National Cyber Investigative Joint Task Force” means the multiagency cyber investigation coordination organization overseen by the Director of the Federal Bureau of Investigation known as the National Cyber Investigative Joint Task Force that coordinates, integrates, and provides pertinent information related to cybersecurity investigations. ####
(3)Critical infrastructure The term “critical infrastructure” has the meaning given that term in section 1016 of the USA PATRIOT Act (42 U.S.C. 5195c).
Connectionstraces to 2
Citation graph
cites case law
Sec. 336
CYBERSECURITY OVERSIGHT
U.S.C.§ 121
U.S.C.§ 5195c
Cites 2Cited by 0 across 0 sources
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.