§ 391. Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors
(a) Designation of Department Component to Receive Reports.— The Secretary of Defense shall designate a component of the Department of Defense to receive reports of cyber incidents from contractors in accordance with this section and section 393 of this title or from other governmental entities.
(b) Procedures for Reporting Cyber Incidents.— The Secretary of Defense shall establish procedures that require an operationally critical contractor to report in a timely manner to component designated under subsection (a) each time a cyber incident occurs with respect to a network or information system of such operationally critical contractor.
(c) Procedure Requirements.—
(1) Designation and notification.— The procedures established pursuant to subsection (a) shall include a process for—
(A) designating operationally critical contractors; and
(B) notifying a contractor that it has been designated as an operationally critical contractor.
(2) Rapid reporting.— The procedures established pursuant to subsection (a) shall require each operationally critical contractor to rapidly report to the component of the Department designated pursuant to subsection (d)(2)(A) on each cyber incident with respect to any network or information systems of such contractor. Each such report shall include the following:
(A) An assessment by the contractor of the effect of the cyber incident on the ability of the contractor to meet the contractual requirements of the Department.
(B) The technique or method used in such cyber incident.
(C) A sample of any malicious software, if discovered and isolated by the contractor, involved in such cyber incident.
(D) A summary of information compromised by such cyber incident.
(3) Department assistance and access to equipment and information by department personnel.— The procedures established pursuant to subsection (a) shall—
(A) include mechanisms for Department personnel to, if requested, assist operationally critical contractors in detecting and mitigating penetrations; and
(B) provide that an operationally critical contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated.
(4) Protection of trade secrets and other information.— The procedures established pursuant to subsection (a) shall provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
(5) Dissemination of information.— The procedures established pursuant to subsection (a) shall limit the dissemination of information obtained or derived through the procedures to entities—
(A) with missions that may be affected by such information;
(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(C) that conduct counterintelligence or law enforcement investigations; or
(D) for national security purposes, including cyber situational awareness and defense purposes.
(d) Protection From Liability of Operationally Critical Contractors.—
(1) No cause of action shall lie or be maintained in any court against any operationally critical contractor, and such action shall be promptly dismissed, for compliance with this section and contract requirements established pursuant to Defense Federal Acquisition Regulation Supplement clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, that is conducted in accordance with procedures established pursuant to subsection (b) and such contract requirements.
(A) Nothing in this section shall be construed—
(i) to require dismissal of a cause of action against an operationally critical contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (b); or
(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each operationally critical contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.
(C) In this subsection, the term “willful misconduct” means an act or omission that is taken—
(i) intentionally to achieve a wrongful purpose;
(ii) knowingly without legal or factual justification; and
(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.
(e) Definitions.— In this section:
(1) Cyber incident.— The term “cyber incident” means actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.
(2) Operationally critical contractor.— The term “operationally critical contractor” means a contractor designated by the Secretary for purposes of this section as a critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.
(Added Pub. L. 113–291, div. A, title XVI, § 1632(a), Dec. 19, 2014, 128 Stat. 3639; amended Pub. L. 114–92, div. A, title XVI, § 1641(b), (c)(1), Nov. 25, 2015, 129 Stat. 1115, 1116; Pub. L. 116–283, div. A, title XVII, § 1704, Jan. 1, 2021, 134 Stat. 4082.)