Title 10, Armed Forces (Release 119-73)

§393 Reporting on penetrations of networks and information systems of certain contractors


Last updated Apr 6, 2026

Summary

Requires cleared defense contractors to quickly tell a DoD office chosen by the Secretary when a covered contractor network or system is successfully breached. A senior official will set rules for which contractor systems are covered, working with top DoD officials in policy, acquisition, research, intelligence, the DoD Chief Information Officer, and U.S. Cyber Command. Reports must say how the breach happened, include any isolated sample of malicious software, and summarize any DoD-created information that might have been affected. A cleared defense contractor is a private company allowed to handle classified DoD work. A covered network is a contractor system that holds or processes DoD-created data that needs extra protection. The rules let DoD ask for access to contractor equipment or data so DoD can do its own forensic checks, but access is only to find out whether DoD information was taken and what was taken. The rules must protect trade secrets, business or financial data, and personal identifying information. Information from these reports can only be shared with groups that need it because their work may be affected, those who help respond to cyber incidents, law enforcement or counterintelligence, or for national security and cyber defense. Contractors who follow these rules cannot be sued for doing so, unless a plaintiff proves by clear and convincing evidence that the contractor committed willful misconduct that caused the plaintiff's injury. Willful misconduct means an act or omission done intentionally for a wrongful purpose, knowingly without legal or factual justification, and in disregard of a known or obvious risk so great that the harm is highly likely to outweigh the benefit.

Full Legal Text

Title 10, §393

Armed Forces — Source: USLM XML via OLRC

(a) The Secretary of Defense shall establish procedures that require each cleared defense contractor to report to a component of the Department of Defense designated by the Secretary for purposes of such procedures when a network or information system of such contractor that meets the criteria established pursuant to subsection (b) is successfully penetrated.
(b)(1) The Secretary of Defense shall designate a senior official to, in consultation with the officials specified in paragraph (2), establish criteria for covered networks to be subject to the procedures for reporting system penetrations under subsection (a).
(2) The officials specified in this subsection are the following:
(A) The Under Secretary of Defense for Policy.
(B) The Under Secretary of Defense for Acquisition and Sustainment.
(C) the Under Secretary of Defense for Research and Engineering.
(D) The Under Secretary of Defense for Intelligence and Security.
(E) The Chief Information Officer of the Department of Defense.
(F) The Commander of the United States Cyber Command.
(c)(1) The procedures established pursuant to subsection (a) shall require each cleared defense contractor to rapidly report to a component of the Department of Defense designated pursuant to subsection (a) of each successful penetration of the network or information systems of such contractor that meet the criteria established pursuant to subsection (b). Each such report shall include the following:
(A) A description of the technique or method used in such penetration.
(B) A sample of the malicious software, if discovered and isolated by the contractor, involved in such penetration.
(C) A summary of information created by or for the Department in connection with any Department program that has been potentially compromised due to such penetration.
(2) The procedures established pursuant to subsection (a) shall—
(A) include mechanisms for Department of Defense personnel to, upon request, obtain access to equipment or information of a cleared defense contractor necessary to conduct forensic analysis in addition to any analysis conducted by such contractor;
(B) provide that a cleared defense contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated; and
(C) provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
(3) The procedures established pursuant to subsection (a) shall limit the dissemination of information obtained or derived through such procedures to entities—
(A) with missions that may be affected by such information;
(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(C) that conduct counterintelligence or law enforcement investigations; or
(D) for national security purposes, including cyber situational awareness and defense purposes.
(d)(1) No cause of action shall lie or be maintained in any court against any cleared defense contractor, and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with the procedures established pursuant to subsection (a).
(2)(A) Nothing in this section shall be construed—
(i) to require dismissal of a cause of action against a cleared defense contractor that has engaged in willful misconduct in the course of complying with the procedures established pursuant to subsection (a); or
(ii) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
(B) In any action claiming that paragraph (1) does not apply due to willful misconduct described in subparagraph (A), the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by each cleared defense contractor subject to such claim and that such willful misconduct proximately caused injury to the plaintiff.
(C) In this subsection, the term “willful misconduct” means an act or omission that is taken—
(i) intentionally to achieve a wrongful purpose;
(ii) knowingly without legal or factual justification; and
(iii) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.
(e) In this section:
(1) The term “cleared defense contractor” means a private entity granted clearance by the Department of Defense to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any program of the Department of Defense.
(2) The term “covered network” means a network or information system of a cleared defense contractor that contains or processes information created by or for the Department of Defense with respect to which such contractor is required to apply enhanced protection.

Legislative History

Notes & Related Subsidiaries

Editorial Notes

Codification

Section, as added and amended by Pub. L. 114–92, is based on Pub. L. 112–239, div. A, title IX, § 941, Jan. 2, 2013, 126 Stat. 1889, which was formerly set out as a note under section 2224 of this title before being transferred to this chapter and renumbered as this section.

Amendments

2021—Subsec. (b)(2)(D). Pub. L. 117–81 inserted period at end. Pub. L. 116–283 substituted “of Defense for Intelligence and Security” for “of Defense for Intelligence.”

2019—Subsec. (b)(2)(B). Pub. L. 116–92, § 902(8)(A), substituted “Under Secretary of Defense for Acquisition and Sustainment” for “Under Secretary of Defense for Acquisition, Technology, and Logistics”. Subsec. (b)(2)(C). Pub. L. 116–92, § 1621(e)(1)(A)(vi), which directed amendment of subpar. (C) by substituting “Under Secretary of Defense for Intelligence and Security” for “Under Secretary of Defense for Intelligence”, could not be executed because the words “Under Secretary of Defense for Intelligence” did not appear. Similar amendment was subsequently directed to subpar. (D) by Pub. L. 116–283, see 2021 Amendment note above. Pub. L. 116–92, § 902(8)(B), added subpar. (C). Former subpar. (C) redesignated (D). Subsec. (b)(2)(D) to (F). Pub. L. 116–92, § 902(8)(C), redesignated subpars. (C) to (E) as (D) to (F), respectively.

2015—Pub. L. 114–92, § 1641(a)(1), substituted “Reporting on penetrations of networks and information systems of certain contractors” for “Reports to Department of Defense on penetrations of networks and information systems of certain contractors” in section catchline. Pub. L. 114–92, § 1641(a), transferred section 941 of Pub. L. 112–239 to this chapter and renumbered it as this section. See Codification note above. Subsec. (c)(3). Pub. L. 114–92, § 1641(a)(2), added par. (3) and struck out former par. (3). Prior to amendment, text read as follows: “The procedures established pursuant to subsection (a) shall prohibit the dissemination outside the Department of Defense of information obtained or derived through such procedures that is not created by or for the Department except with the approval of the contractor providing such information.” Subsec. (d). Pub. L. 114–92, § 1641(a)(3), added subsec. (d) and struck out former subsec. (d). Prior to amendment, text read as follows: “(1) In general.—Not later than 90 days after the date of the enactment of this Act— “(A) the Secretary of Defense shall establish the procedures required under subsection (a); and “(B) the senior official designated under subsection (b)(1) shall establish the criteria required under such subsection. “(2) Applicability date.—The requirements of this section shall apply on the date on which the Secretary of Defense establishes the procedures required under this section.”

Reference

Citations & Metadata

Citation

10 U.S.C. § 393
