PRIA Logo
Take the PRIA Score
Title 10Armed ForcesRelease 119-73

§395 Notification requirements for sensitive military cyber operations

Title 10 › Subtitle Subtitle A— - General Military Law › Part PART I— - ORGANIZATION AND GENERAL MILITARY POWERS › Chapter CHAPTER 19— - CYBER AND INFORMATION OPERATIONS MATTERS › § 395

Last updated Apr 6, 2026|Official source

Summary

The Secretary of Defense must tell the congressional defense committees in writing about any sensitive military cyber operation no later than 48 hours after it happens. The Secretary must create written procedures for how to make these notifications and give those procedures to the committees. The Secretary must also tell the committees in writing at least 14 days before changing those procedures. The committees must protect the classified information they get. If the information is leaked without authorization, the Secretary must notify the committees right away; a verbal notice is allowed, but a signed written notice must follow within 48 hours. Sensitive military cyber operation: a U.S. military offensive or defensive cyber action against a foreign terrorist group or a foreign country (or its forces or proxies) where the U.S. is not openly at war or has not publicly said it is involved, and that meets certain risk or impact thresholds or that the Secretary finds appropriate. The notification rule does not apply to multinational training exercises with consent or to covert actions under law. Nothing here changes the War Powers Resolution, the Authorization for Use of Military Force, or the National Security Act.

Full Legal Text

Title 10, §395

Armed Forces — Source: USLM XML via OLRC

(a)Except as provided in subsection (d), the Secretary of Defense shall promptly submit to the congressional defense committees notice in writing of any sensitive military cyber operation conducted under this title no later than 48 hours following such operation.
(b)(1)The Secretary of Defense shall establish and submit to the congressional defense committees procedures for complying with the requirements of subsection (a) consistent with the national security of the United States and the protection of operational integrity. The Secretary shall promptly notify the congressional defense committees in writing of any changes to such procedures at least 14 days prior to the adoption of any such changes.
(2)The congressional defense committees shall ensure that committee procedures designed to protect from unauthorized disclosure classified information relating to national security of the United States are sufficient to protect the information that is submitted to the committees pursuant to this section.
(3)In the event of an unauthorized disclosure of a sensitive military cyber operation covered by this section, the Secretary shall ensure, to the maximum extent practicable, that the congressional defense committees are notified immediately of the sensitive military cyber operation concerned. The notification under this paragraph may be verbal or written, but in the event of a verbal notification a written notification, signed by the Secretary, or the Secretary’s designee, shall be provided by not later than 48 hours after the provision of the verbal notification.
(c)(1)In this section, the term “sensitive military cyber operation” means an action described in paragraph (2) that—
(A)is carried out by the armed forces of the United States;
(B)is intended to achieve a cyber effect against a foreign terrorist organization or a country, including its armed forces and the proxy forces of that country located elsewhere—
(i)with which the armed forces of the United States are not involved in hostilities (as that term is used in section 4 of the War Powers Resolution (50 U.S.C. 1543)); or
(ii)with respect to which the involvement of the armed forces of the United States in hostilities has not been acknowledged publicly by the United States; and
(C)(i)is determined to—
(I)have a medium or high collateral effects estimate;
(II)have a medium or high intelligence gain or loss;
(III)have a medium or high probability of political retaliation, as determined by the political military assessment contained within the associated concept of operations;
(IV)have a medium or high probability of detection when detection is not intended; or
(V)result in medium or high collateral effects; or
(ii)is a matter the Secretary determines to be appropriate.
(2)The actions described in this paragraph are the following:
(A)An offensive cyber operation.
(B)A defensive cyber operation.
(d)The notification requirement under subsection (a) does not apply—
(1)to a training exercise conducted with the consent of all nations where the intended effects of the exercise will occur; or
(2)to a covert action (as that term is defined in section 503 of the National Security Act of 1947 (50 U.S.C. 3093)).
(e)Nothing in this section shall be construed to provide any new authority or to alter or otherwise affect the War Powers Resolution (50 U.S.C. 1541 et seq.), the Authorization for Use of Military Force (Public Law 107–40; 50 U.S.C. 1541 note), or any requirement under the National Security Act of 1947 (50 U.S.C. 3001 et seq.).

Legislative History

Notes & Related Subsidiaries

Editorial Notes

References in Text

The War Powers Resolution, referred to in subsec. (e), is Pub. L. 93–148, Nov. 7, 1973, 87 Stat. 555, which is classified generally to chapter 33 (§ 1541 et seq.) of Title 50, War and National Defense. For complete classification of this Resolution to the Code, see

Short Title

note set out under section 1541 of Title 50 and Tables. The Authorization for Use of Military Force, referred to in subsec. (e), is Pub. L. 107–40, Sept. 18, 2001, 115 Stat. 224, which is set out as a note under section 1541 of Title 50, War and National Defense. The National Security Act of 1947, referred to in subsec. (e), is act July 26, 1947, ch. 343, 61 Stat. 495, which is classified principally to chapter 44 (§ 3001 et seq.) of Title 50, War and National Defense. For complete classification of this Act to the Code, see Tables.

Amendments

2021—Subsec. (c). Pub. L. 116–283 amended subsec. (c) generally. Prior to amendment, subsec. (c) defined “sensitive military cyber operation” as used in this section. 2019—Subsec. (b)(3). Pub. L. 116–92, § 1632(1), inserted “, signed by the Secretary, or the Secretary’s designee,” after “written notification”. Subsec. (c)(1)(B), (C). Pub. L. 116–92, § 1632(2)(A), added subpar. (B) and redesignated former subpar. (B) as (C). Subsec. (c)(2)(B). Pub. L. 116–92, § 1632(2)(B), struck out “outside the Department of Defense Information Networks to defeat an ongoing or imminent threat” after “A defensive cyber operation”. 2018—Pub. L. 115–232, § 1631(a), renumbered section 130j of this title as this section. Subsec. (d)(2). Pub. L. 115–232, § 1081(a)(1), substituted “section 503 of the National Security Act of 1947 (50 U.S.C. 3093)” for “section 3093 of title 50, United States Code”.

Reference

Citations & Metadata

Citation

10 U.S.C. § 395

Title 10Armed Forces

Last Updated

Apr 6, 2026

Release point: 119-73