Title 10, Armed Forces, Release 119-73

§6228 Reporting on penetrations of networks of contractors and subcontractors

Last updated Apr 6, 2026 | Official source

Summary

The Administrator must make rules that require contractors and subcontractors to tell the Chief Information Officer when a contractor's or subcontractor's covered network is breached. The Administrator will first set rules deciding which networks are covered after consulting senior officials (including the Deputy Administrator for Defense Programs, the Associate Administrator for Acquisition and Project Management, the Chief Information Officer, and others as needed).

Contractors must report each breach to the Chief Information Officer within 60 days of discovering it. Reports must describe how the breach happened, include a sample of any malicious software that was found and isolated, and summarize any Administration-created program information that may have been exposed. If not everything is known within 60 days, they must send what they have and supply the rest as it becomes available.

The Administrator must also set rules allowing Administration staff to obtain access to contractor equipment or data for forensic analysis when Administration-owned information was at risk, while protecting trade secrets, business or financial data, and personal identifiers. Information from these reports may be shared only with parties who need it for response, investigations, or national security.

Definitions used in this section:

Chief Information Officer: the Administration's Associate Administrator for Information Management and Chief Information Officer.
Contractor: a private entity that has a contract with the Administration.
Covered network: any network or information system that accesses, receives, or stores classified information or sensitive unclassified information for an Administration program.
Subcontractor: a private entity that has a contract with a contractor or another subcontractor to support an Administration contract.

Full Legal Text

Title 10, §6228

Armed Forces — Source: USLM XML via OLRC

(a) The Administrator shall establish procedures that require each contractor and subcontractor to report to the Chief Information Officer when a covered network of the contractor or subcontractor that meets the criteria established pursuant to subsection (b) is successfully penetrated.

(b)(1) The Administrator shall, in consultation with the officials specified in paragraph (2), establish criteria for covered networks to be subject to the procedures for reporting penetrations under subsection (a).
  (2) The officials specified in this paragraph are the following officials of the Administration:
    (A) The Deputy Administrator for Defense Programs.
    (B) The Associate Administrator for Acquisition and Project Management.
    (C) The Chief Information Officer.
    (D) Any other official of the Administration the Administrator considers necessary.

(c)(1)(A) The procedures established pursuant to subsection (a) shall require each contractor or subcontractor to submit to the Chief Information Officer a report on each successful penetration of a covered network of the contractor or subcontractor that meets the criteria established pursuant to subsection (b) not later than 60 days after the discovery of the successful penetration.
    (B) Subject to subparagraph (C), each report required by subparagraph (A) with respect to a successful penetration of a covered network of a contractor or subcontractor shall include the following:
      (i) A description of the technique or method used in such penetration.
      (ii) A sample of the malicious software, if discovered and isolated by the contractor or subcontractor, involved in such penetration.
      (iii) A summary of information created by or for the Administration in connection with any program of the Administration that has been potentially compromised as a result of such penetration.
    (C) If a contractor or subcontractor is not able to obtain all of the information required by subparagraph (B) to be included in a report required by subparagraph (A) by the date that is 60 days after the discovery of a successful penetration of a covered network of the contractor or subcontractor, the contractor or subcontractor shall—
      (i) include in the report all information available as of that date; and
      (ii) provide to the Chief Information Officer the additional information required by subparagraph (B) as the information becomes available.
  (2) Concurrent with the establishment of the procedures pursuant to subsection (a), the Administrator shall establish procedures to be used if information owned by the Administration was in use during or at risk as a result of the successful penetration of a covered network—
    (A) in order to—
      (i) in the case of a penetration of a covered network of a management and operating contractor, enhance the access of personnel of the Administration to Government-owned equipment and information; and
      (ii) in the case of a penetration of a covered network of a contractor or subcontractor that is not a management and operating contractor, facilitate the access of personnel of the Administration to the equipment and information of the contractor or subcontractor; and
    (B) which shall—
      (i) include mechanisms for personnel of the Administration to, upon request, obtain access to equipment or information of a contractor or subcontractor necessary to conduct forensic analysis in addition to any analysis conducted by the contractor or subcontractor;
      (ii) provide that a contractor or subcontractor is only required to provide access to equipment or information as described in clause (i) to determine whether information created by or for the Administration in connection with any program of the Administration was successfully exfiltrated from a network of the contractor or subcontractor and, if so, what information was exfiltrated; and
      (iii) provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
  (3) The procedures established pursuant to subsection (a) shall allow for limiting the dissemination of information obtained or derived through such procedures so that such information may be disseminated only to entities—
    (A) with missions that may be affected by such information;
    (B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
    (C) that conduct counterintelligence or law enforcement investigations; or
    (D) for national security purposes, including cyber situational awareness and defense purposes.

(d) In this section:
  (1) The term “Chief Information Officer” means the Associate Administrator for Information Management and Chief Information Officer of the Administration.
  (2) The term “contractor” means a private entity that has entered into a contract or contractual action of any kind with the Administration to furnish supplies, equipment, materials, or services of any kind.
  (3) The term “covered network” includes any network or information system that accesses, receives, or stores—
    (A) classified information; or
    (B) sensitive unclassified information germane to any program of the Administration, as determined by the Administrator.
  (4) The term “subcontractor” means a private entity that has entered into a contract or contractual action with a contractor or another subcontractor to furnish supplies, equipment, materials, or services of any kind in connection with another contract in support of any program of the Administration.

Legislative History

Notes & Related Subsidiaries

Editorial Notes

Prior Provisions

Provisions similar to those in this section were contained in section 2662 of Title 50, War and National Defense, prior to repeal by Pub. L. 119–60, § 3111(b)(1).

Amendments

2025—Pub. L. 119–60, § 3111(d)(2)(B), realigned margins.

Subsec. (b). Pub. L. 119–60, § 3111(d)(2)(A), struck out pars. (1) and (2) headings which read as follows: “In general” and “Officials specified”, respectively.

Subsec. (c)(1). Pub. L. 119–60, § 3111(d)(2)(A), struck out headings for par. (1) “Rapid reporting” and subpars. (A) to (C) “In general”, “Elements”, and “Avoidance of delays in reporting”, respectively.

Subsec. (c)(2), (3). Pub. L. 119–60, § 3111(d)(2)(A), struck out pars. (2) and (3) headings which read as follows: “Access to equipment and information by administration personnel” and “Dissemination of information”, respectively.

Subsec. (d). Pub. L. 119–60, § 3111(d)(2)(A), struck out pars. (1) to (4) headings which corresponded to the defined term in each par.

Reference

Citations & Metadata

Citation

10 U.S.C. § 6228