22 U.S. Code § 10301 - United States international cyberspace policy

(a) In general

It is the policy of the United States—

(1) to work internationally to promote an open, interoperable, reliable, and secure internet governed by the multi-stakeholder model, which—

(A) promotes democracy, the rule of law, and human rights, including freedom of expression;

(B) supports the ability to innovate, communicate, and promote economic prosperity; and

(C) is designed to protect privacy and guard against deception, malign influence, incitement to violence, harassment and abuse, fraud, and theft;

(2) to encourage and aid United States allies and partners in improving their own technological capabilities and resiliency to pursue, defend, and protect shared interests and values, free from coercion and external pressure; and

(3) in furtherance of the efforts described in paragraphs (1) and (2)—

(A) to provide incentives to the private sector to accelerate the development of the technologies referred to in such paragraphs;

(B) to modernize and harmonize with allies and partners export controls and investment screening regimes and associated policies and regulations; and

(C) to enhance United States leadership in technical standards-setting bodies and avenues for developing norms regarding the use of digital tools.

(b) Implementation

In implementing the policy described in subsection (a), the President, in consultation with outside actors, as appropriate, including private sector companies, nongovernmental organizations, security researchers, and other relevant stakeholders, in the conduct of bilateral and multilateral relations, shall strive—

(1) to clarify the applicability of international laws and norms to the use of information and communications technology (referred to in this subsection as “ICT”);

(2) to reduce and limit the risk of escalation and retaliation in cyberspace, damage to critical infrastructure, and other malicious cyber activity that impairs the use and operation of critical infrastructure that provides services to the public;

(3) to cooperate with like-minded countries that share common values and cyberspace policies with the United States, including respect for human rights, democracy, and the rule of law, to advance such values and policies internationally;

(4) to encourage the responsible development of new, innovative technologies and ICT products that strengthen a secure internet architecture that is accessible to all;

(5) to secure and implement commitments on responsible country behavior in cyberspace, including commitments by countries—

(A) not to conduct, or knowingly support, cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors;

(B) to take all appropriate and reasonable efforts to keep their territories clear of intentionally wrongful acts using ICT in violation of international commitments;

(C) not to conduct or knowingly support ICT activity that intentionally damages or otherwise impairs the use and operation of critical infrastructure providing services to the public, in violation of international law;

(D) to take appropriate measures to protect the country’s critical infrastructure from ICT threats;

(E) not to conduct or knowingly support malicious international activity that harms the information systems of authorized international emergency response teams (also known as “computer emergency response teams” or “cybersecurity incident response teams”) of another country or authorize emergency response teams to engage in malicious international activity, in violation of international law;

(F) to respond to appropriate requests for assistance to mitigate malicious ICT activity emanating from their territory and aimed at the critical infrastructure of another country;

(G) not to restrict cross-border data flows or require local storage or processing of data; and

(H) to protect the exercise of human rights and fundamental freedoms on the internet, while recognizing that the human rights that people have offline also need to be protected online; and

(6) to advance, encourage, and support the development and adoption of internationally recognized technical standards and best practices.

(Pub. L. 117–263, div. I, title XCV, § 9501, Dec. 23, 2022, 136 Stat. 3897.)

Statutory Notes and Related Subsidiaries

Authorization To Use Commercial Cloud Enclaves Overseas

Pub. L. 119–60, div. E, title III, § 5302, Dec. 18, 2025, 139 Stat. 1593, provided that:

“(a) In General.—

Not later than 180 days after the date of the enactment of this Act [Dec. 18, 2025], the Department [of State] shall issue internal guidelines that authorize and track the use of enclaves deployed in overseas commercial cloud regions for OCONUS systems categorized at the Federal Information Security Modernization Act [of 2014, Pub. L. 113–283, see Tables for classification] (FISMA) high baseline.

“(b) Consistency With Federal Cybersecurity Regulations.—

The enclave deployments shall be consistent with existing Federal cybersecurity regulations as well as best practices established across National Institute of Standards and Technology standards and ISO 27000 security controls.

“(c) Briefing.—

Not later than 90 days after the enactment of the Act, and before issuing the new internal guidelines required under subsection (a), the Secretary [of State] shall brief the appropriate congressional committees on the proposed new guidelines, including—

“(1) relevant risk assessments; and

“(2) any security challenges regarding implementation.

“(d) Appropriate Congressional Defined.—

In this section, the term ‘appropriate congressional committees’ means—

“(1) the Committee on Foreign Affairs and the Permanent Select Committee on Intelligence of the House of Representatives; and

“(2) the Committee on Foreign Relations and the Select Committee on Intelligence of the Senate.”

Reports on Technology Transformation Projects at the Department

Pub. L. 119–60, div. E, title III, § 5303, Dec. 18, 2025, 139 Stat. 1593, provided that:

“(a) Definitions.—

In this section:

“(1) Appropriate congressional committees.—

The term ‘appropriate congressional committees’ means—

“(A) the Committee on Foreign Affairs and the Committee on Appropriations of the House of Representatives; and

“(B) the Committee on Foreign Relations and the Committee on Appropriations of the Senate.

“(2) Technology.—

The term ‘technology’ includes—

“(A) artificial intelligence and machine learning systems;

“(B) cybersecurity modernization tools or platforms;

“(C) cloud computing services and infrastructure;

“(D) enterprise data platforms and analytics tools;

“(E) customer experience platforms for public-facing services; and

“(F) internal workflow automation or modernization systems.

“(3) Technology transformation project.—

“(A) In general.—

The term ‘technology transformation project’ means any new or significantly modified technology deployed by the Department [of State] with the purpose of improving diplomatic, consular, administrative, or security operations.

“(B) Exclusions.—

The term ‘technology transformation project’ does not include a routine software update or version upgrade, a security patch or maintenance of an existing system, a minor configuration change, a business-as-usual information technology operation, a support activity, or a project that costs less than $1,000,000.

“(b) Annual Report.—

“(1) In general.—

Not later than 180 days after the date of the enactment of this Act [Dec. 18, 2025], and annually thereafter for five years, the Secretary [of State] shall submit to the appropriate congressional committees a report on all technology transformation projects completed during the preceding two fiscal years.

“(2) Elements.—

Each report required by paragraph (1) shall include the following elements:

“(A) For each project, the following:

“(i) A summary of the objective, scope, and operational context of the project.

“(ii) An identification of the primary technologies and vendors used, including artificial intelligence models, cloud providers, cybersecurity platforms, and major software components.

“(iii) A report on baseline and post-implementation performance and adoption metrics for the project, including (if applicable) with respect to—

     “(I) operational efficiency, such as reductions in processing time, staff hours, or error rates;

     “(II) user impact, such as improvements in end-user satisfaction scores and reliability;

     “(III) security posture, such as enhancements in threat detection, incident response time;

     “(IV) cost performance, including budgeted costs versus actual costs and projected cost savings or cost avoidance;

     “(V) interoperability and integration, including level of integration achieved with existing systems of the Department;

     “(VI) artificial intelligence, if applicable; and

     “(VII) adoption, including, if applicable—

“(aa) an estimate of the percentage of eligible end-users actively using the system within the first three, six, and 12 months of deployment;

“(bb) the proportion of staff trained to use the system;

“(cc) the frequency and duration of use, disaggregated by bureau or geographic region if relevant;

“(dd) summarized user feedback, including pain points and satisfaction ratings; and

“(ee) a description of the status of deprecation or reduction in use of legacy systems, if applicable.

“(iv) A description of key challenges encountered during implementation and any mitigation strategies employed.

“(v) A summary of contracting or acquisition strategies used, including information on how the vendor or development team supported change management and adoption, including user testing, stakeholder engagement, and phased rollout.

“(B) For any project where adoption metrics fell below 50 percent of estimated usage within six months of launch, the following:

“(i) A remediation plan with specific steps to improve adoption, including retraining, user experience improvements, or outreach.

“(ii) An assessment of whether rollout should be paused or modified.

“(iii) Any plans for iterative development based on feedback from employees.

“(3) Public summary.—

Not later than 60 days after submitting a report required by paragraph (1) to the appropriate congressional committees, the Secretary shall publish an unclassified summary of the report on the publicly accessible website of the Department, consistent with national security interests.

“(c) Government Accountability Office Evaluation.—

Not later than 18 months after the date of the enactment of this Act, and biennially thereafter, the Comptroller General of the United States shall submit to the appropriate congressional committees a report—

“(1) evaluating—

“(A) the extent to which the Department has implemented and reported on technology transformation projects in accordance with the requirements under this section;

“(B) the effectiveness and reliability of the Department’s performance and adoption metrics for such projects;

“(C) whether such projects have met intended goals related to operational efficiency, security, cost-effectiveness, user adoption, and modernization of legacy systems; and

“(D) the adequacy of oversight mechanisms in place to ensure the responsible deployment of artificial intelligence and other emerging technologies; and

“(2) including any recommendations to improve the Department’s management, implementation, or evaluation of technology transformation efforts.”

Statement of Policy

Pub. L. 119–60, div. E, title III, § 5304(b), Dec. 18, 2025, 139 Stat. 1596, provided that:

“It is the policy of the United States—

“(1) to oppose the misuse of commercial spyware to target individuals, including journalists, defenders of internationally recognized human rights, and members of civil society groups, members of ethnic or religious minority groups, and others for exercising their internationally recognized human rights and fundamental freedoms, or the family members of these targeted individuals;

“(2) to coordinate with allies and partners to prevent the export of commercial spyware tools to end-users likely to use them for malicious activities;

“(3) to maintain robust information-sharing with trusted allies and partners on commercial spyware proliferation and misuse, including to better identify and track these tools;

“(4) to work with private industry to identify and counter the abuse and misuse of commercial spyware technology; and

“(5) to work with allies and partners to establish robust guardrails to ensure that the use of commercial spyware tools are consistent with respect for internationally recognized human rights, and the rule of law.”

Support of Policy in United Nations

Pub. L. 117–263, div. I, title XCV, § 9502(c), Dec. 23, 2022, 136 Stat. 3902, provided that:

“The Permanent Representative of the United States to the United Nations should use the voice, vote, and influence of the United States to oppose any measure that is inconsistent with the policy described in section 9501(a) [22 U.S.C. 10301(a)].”