10 U.S. Code § 391 - Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors

prev | next
(a) Designation of Department Component to Receive Reports.— The Secretary of Defense shall designate a component of the Department of Defense to receive reports of cyber incidents from contractors in accordance with this section and with section 941 of the National Defense Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note) or from other governmental entities.
(b) Procedures for Reporting Cyber Incidents.— The Secretary of Defense shall establish procedures that require an operationally critical contractor to report in a timely manner to component designated under subsection (a) each time a cyber incident occurs with respect to a network or information system of such operationally critical contractor.
(c) Procedure Requirements.—
(1) Designation and notification.— The procedures established pursuant to subsection (a) shall include a process for—
(A)designating operationally critical contractors; and
(B)notifying a contractor that it has been designated as an operationally critical contractor.
(2) Rapid reporting.— The procedures established pursuant to subsection (a) shall require each operationally critical contractor to rapidly report to the component of the Department designated pursuant to subsection (d)(2)(A) on each cyber incident with respect to any network or information systems of such contractor. Each such report shall include the following:
(A)An assessment by the contractor of the effect of the cyber incident on the ability of the contractor to meet the contractual requirements of the Department.
(B)The technique or method used in such cyber incident.
(C)A sample of any malicious software, if discovered and isolated by the contractor, involved in such cyber incident.
(D)A summary of information compromised by such cyber incident.
(3) Department assistance and access to equipment and information by department personnel.— The procedures established pursuant to subsection (a) shall—
(A)include mechanisms for Department personnel to, if requested, assist operationally critical contractors in detecting and mitigating penetrations; and
(B)provide that an operationally critical contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated.
(4) Protection of trade secrets and other information.— The procedures established pursuant to subsection (a) shall provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
(5) Dissemination of information.— The procedures established pursuant to subsection (a) shall limit the dissemination of information obtained or derived through the procedures to entities—
(A)with missions that may be affected by such information;
(B)that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(C)that conduct counterintelligence or law enforcement investigations; or
(D)for national security purposes, including cyber situational awareness and defense purposes.
(d) Definitions.— In this section:
(1) Cyber incident.— The term “cyber incident” means actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.
(2) Operationally critical contractor.— The term “operationally critical contractor” means a contractor designated by the Secretary for purposes of this section as a critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.

Source

(Added Pub. L. 113–291, div. A, title XVI, § 1632(a),Dec. 19, 2014, 128 Stat. 3639.)
Issuance of Procedures

Pub. L. 113–291, div. A, title XVI, § 1632(b),Dec. 19, 2014, 128 Stat. 3640, provided that: “The Secretary shall establish the procedures required by subsection (b) ofsection 391 of title 10, United States Code, as added by subsection (a) of this section, not later than 90 days after the date of the enactment of this Act [Dec. 19, 2014].”
Assessment of Department Policies

Pub. L. 113–291, div. A, title XVI, § 1632(c),Dec. 19, 2014, 128 Stat. 3640, provided that:
“(1) In general.—Not later than 90 days after the date of the enactment of the Act [Dec. 19, 2014], the Secretary of Defense shall complete an assessment of—
“(A) requirements that were in effect on the day before the date of the enactment of this Act for contractors to share information with Department components regarding cyber incidents (as defined in subsection (d) of such section 391 [10 U.S.C. 391]) with respect to networks or information systems of contractors; and
“(B) Department policies and systems for sharing information on cyber incidents with respect to networks or information systems of Department contractors.
“(2) Actions following assessment.—Upon completion of the assessment required by paragraph (1), the Secretary shall—
“(A) designate a Department component under subsection (a) of such section 391; and
“(B) issue or revise guidance applicable to Department components that ensures the rapid sharing by the component designated pursuant to such section 391 orsection 941 of the National Defense Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note) of information relating to cyber incidents with respect to networks or information systems of contractors with other appropriate Department components.”

This is a list of parts within the Code of Federal Regulations for which this US Code section provides rulemaking authority.

This list is taken from the Parallel Table of Authorities and Rules provided by GPO [Government Printing Office].

It is not guaranteed to be accurate or up-to-date, though we do refresh the database weekly. More limitations on accuracy are described at the GPO site.


31 CFR - Money and Finance: Treasury

31 CFR Part 210 - FEDERAL GOVERNMENT PARTICIPATION IN THE AUTOMATED CLEARING HOUSE

 

LII has no control over and does not endorse any external Internet site that contains links to or references LII.