§3316a — Title 50 War and National Defense | U.S. Code

Summary

Requires the Director of National Intelligence to send reports to the congressional intelligence committees about how the intelligence community handles computer and system weaknesses under the Vulnerabilities Equities Process. The law names three terms: the "Vulnerabilities Equities Policy and Process" document (an executive-branch paper dated November 15, 2017), the "Vulnerabilities Equities Process" (the interagency review under that document), and "vulnerability" (a weakness in an information system that could be exploited or harm confidentiality, integrity, or availability). Within 90 days after December 20, 2019, the Director must report, for each part of the intelligence community, who decides whether a weakness should go to the review, how they make that decision, and what their role is during the review. If any part changes its decision rules or process, it must report that change within 30 days. Reports must be unclassified but can include a classified annex. Once each year the Director must send a classified report with counts: how many weaknesses were submitted, how many were disclosed to each vendor or to the public, and the total by category of those excluded from review (per paragraph 5.4). Each annual report must include an unclassified appendix with the totals disclosed and the totals known to have been patched. The Director may skip the annual report if an equivalent report under paragraph 4.3 has already been given to Congress, and must make the unclassified appendix public.

Title 50, §3316a

War and National Defense — Source: USLM XML via OLRC

(a)In this section:

(1)The term “Vulnerabilities Equities Policy and Process document” means the executive branch document entitled “Vulnerabilities Equities Policy and Process” dated November 15, 2017.

(2)The term “Vulnerabilities Equities Process” means the interagency review of vulnerabilities, pursuant to the Vulnerabilities Equities Policy and Process document or any successor document.

(3)The term “vulnerability” means a weakness in an information system or its components (for example, system security procedures, hardware design, and internal controls) that could be exploited or could affect confidentiality, integrity, or availability of information.

(b)(1)Not later than 90 days after December 20, 2019, the Director of National Intelligence shall submit to the congressional intelligence committees a written report describing—

(A)with respect to each element of the intelligence community—

(i)the title of the official or officials responsible for determining whether, pursuant to criteria contained in the Vulnerabilities Equities Policy and Process document or any successor document, a vulnerability must be submitted for review under the Vulnerabilities Equities Process; and

(ii)the process used by such element to make such determination; and

(B)the roles or responsibilities of that element during a review of a vulnerability submitted to the Vulnerabilities Equities Process.

(2)Not later than 30 days after any significant change is made to the process and criteria used by any element of the intelligence community for determining whether to submit a vulnerability for review under the Vulnerabilities Equities Process, such element shall submit to the congressional intelligence committees a report describing such change.

(3)Each report submitted under this subsection shall be submitted in unclassified form, but may include a classified annex.

(c)(1)Not less frequently than once each calendar year, the Director of National Intelligence shall submit to the congressional intelligence committees a classified report containing, with respect to the previous year—

(A)the number of vulnerabilities submitted for review under the Vulnerabilities Equities Process;

(B)the number of vulnerabilities described in subparagraph (A) disclosed to each vendor responsible for correcting the vulnerability, or to the public, pursuant to the Vulnerabilities Equities Process; and

(C)the aggregate number, by category, of the vulnerabilities excluded from review under the Vulnerabilities Equities Process, as described in paragraph 5.4 of the Vulnerabilities Equities Policy and Process document.

(2)Each report submitted under paragraph (1) shall include an unclassified appendix that contains—

(A)the aggregate number of vulnerabilities disclosed to vendors or the public pursuant to the Vulnerabilities Equities Process; and

(B)the aggregate number of vulnerabilities disclosed to vendors or the public pursuant to the Vulnerabilities Equities Process known to have been patched.

(3)The Director of National Intelligence may forgo submission of an annual report required under this subsection for a calendar year, if the Director notifies the intelligence committees in writing that, with respect to the same calendar year, an annual report required by paragraph 4.3 of the Vulnerabilities Equities Policy and Process document already has been submitted to Congress, and such annual report contains the information that would otherwise be required to be included in an annual report under this subsection.

(4)The Director of National Intelligence shall make available to the public each unclassified appendix submitted with a report under paragraph (1) pursuant to paragraph (2).

Notes & Related Subsidiaries

Editorial Notes

Amendments

2022—Subsec. (c)(4). Pub. L. 117–103 added par. (4).

Statutory Notes and Related Subsidiaries

Definitions For definitions of “congressional intelligence committees” and “intelligence community” as used in this section, see section 5003 of div. E of Pub. L. 116–92, set out as a note under section 3003 of this title.

§3316a Reports on intelligence community participation in vulnerabilities equities process of Federal Government