Title 22: Foreign Relations and Intercourse | Release 119-73not60

§10308 Cyber Protection Support for Personnel of the Department of State in Positions Highly Vulnerable to Cyber Attack

Title 22 › Chapter 110 — INFORMATION SECURITY AND CYBER DIPLOMACY › § 10308

Last updated Apr 5, 2026

Summary

The Secretary of State must offer cyber protection to Department staff who are judged to be highly vulnerable to cyber attacks or hostile actors trying to steal information because of their jobs or because their personal devices or accounts are at high risk. "At-risk personnel" means those staff. "Personal accounts" means online or phone services used outside work (for example email, social media, banking, or health portals). "Personal technology devices" means devices and the networks they use when used outside work.

The Secretary will work with the Secretary of Homeland Security and the Director of National Intelligence. The Department may also give this help to any employee who asks. Help can include training, advice, technical assistance, and other services, depending on available resources.

The Department cannot access a personal device or account unless doing so is needed to provide the protection and the employee gives clear permission each time before access. The program is not meant to encourage staff to use personal devices for official work, and it does not allow protection for senior Department personnel when they use personal devices for official duties.

Within 180 days after December 22, 2023, the Secretary must send a report to the appropriate congressional committees, including the Senate Select Committee on Intelligence, the Senate Committee on Homeland Security and Governmental Affairs, the House Permanent Select Committee on Intelligence, and the House Committee on Oversight and Accountability, describing how at-risk staff were identified and how the protection and request tracking will work.

Full Legal Text

Title 22, §10308

Foreign Relations and Intercourse — Source: USLM XML via OLRC

(a) In this section:
(1) The term “at-risk personnel” means personnel of the Department—
(A) whom the Secretary determines to be highly vulnerable to cyber attacks and hostile information collection activities because of their positions in the Department; and
(B) whose personal technology devices or personal accounts are highly vulnerable to cyber attacks and hostile information collection activities.
(2) The term “personal accounts” means accounts for online and telecommunications services, including telephone, residential internet access, email, text and multimedia messaging, cloud computing, social media, health care, and financial services, used by Department personnel outside of the scope of their employment with the Department.
(3) The term “personal technology devices” means technology devices used by personnel of the Department outside of the scope of their employment with the Department, including networks to which such devices connect.
(b) The Secretary, in consultation with the Secretary of Homeland Security and the Director of National Intelligence, as appropriate—
(1) shall offer cyber protection support for the personal technology devices and personal accounts of at-risk personnel; and
(2) may provide the support described in paragraph (1) to any Department personnel who request such support.
(c) Subject to the availability of resources, the cyber protection support provided to personnel pursuant to subsection (b) may include training, advice, assistance, and other services relating to protection against cyber attacks and hostile information collection activities.
(d) The Department is prohibited pursuant to this section from accessing or retrieving any information from any personal technology device or personal account of Department employees unless—
(1) access or information retrieval is necessary for carrying out the cyber protection support specified in this section; and
(2) the Department has received explicit consent from the employee to access a personal technology device or personal account prior to each time such device or account is accessed.
(e) Nothing in this section may be construed—
(1) to encourage Department personnel to use personal technology devices for official business; or
(2) to authorize cyber protection support for senior Department personnel using personal devices, networks, and personal accounts in an official capacity.
(f)(1) Not later than 180 days after December 22, 2023, the Secretary shall submit to the appropriate committees of Congress a report regarding the provision of cyber protection support pursuant to subsection (b), which shall include—
(A) a description of the methodology used to make the determination under subsection (a)(1); and
(B) guidance for the use of cyber protection support and tracking of support requests for personnel receiving cyber protection support pursuant to subsection (b).
(2) In this subsection, the term “appropriate committees of Congress” means—
(A) the appropriate congressional committees;
(B) the Select Committee on Intelligence and the Committee on Homeland Security and Governmental Affairs of the Senate; and
(C) the Permanent Select Committee on Intelligence and the Committee on Oversight and Accountability of the House of Representatives.

Statutory Notes and Related Subsidiaries

Measures To Protect Department Devices From the Proliferation and Use of Foreign Commercial Spyware

Pub. L. 118–159, div. G, title LXXIII, § 7302, Dec. 23, 2024, 138 Stat. 2541, provided that:

“(a) Definitions.—In this section:
“(1) Appropriate committees of congress.—The term ‘appropriate committees of Congress’ means—
“(A) the Committee on Foreign Relations, the Select Committee on Intelligence, the Committee on Homeland Security and Governmental Affairs, and the Committee on Armed Services of the Senate; and
“(B) the Committee on Foreign Affairs, the Permanent Select Committee on Intelligence, the Committee on Homeland Security, and the Committee on Armed Services of the House of Representatives.
“(2) Covered device.—The term ‘covered device’ means any electronic mobile device, including smartphones, tablet computing devices, or laptop computing device, that is issued by the Department for official use.
“(3) Foreign commercial spyware; spyware.—The terms ‘foreign commercial spyware’ and ‘spyware’ have the meanings given those terms in section 1102A of the National Security Act of 1947 (50 U.S.C. 3232a).
“(b) Protection of Covered Devices.—
“(1) Requirement.—Not later than 120 days after the date of the enactment of this Act [Dec. 23, 2024], the Secretary [of State] shall, in consultation with the relevant agencies—
“(A) issue standards, guidance, best practices, and policies for Department [of State] and USAID [United States Agency for International Development] personnel to protect covered devices from being compromised by foreign commercial spyware;
“(B) survey the processes used by the Department and USAID to identify and catalog instances where a covered device was compromised by foreign commercial spyware over the prior 2 years and it is reasonably expected to have resulted in an unauthorized disclosure of sensitive information; and
“(C) submit to the appropriate committees of Congress a report on the measures in place to identify and catalog instances of such compromises for covered devices by foreign commercial spyware, which may be submitted in classified form.
“(2) Notifications.—Not later than 60 days after the date on which the Department becomes aware that a covered device was seriously compromised by foreign commercial spyware, the Secretary, in coordination with relevant agencies, shall notify the appropriate committees of Congress of the facts concerning such targeting or compromise, including—
“(A) the location of the personnel whose covered device was compromised;
“(B) the number of covered devices compromised;
“(C) an assessment by the Secretary of the damage to the national security of the United States resulting from any loss of data or sensitive information; and
“(D) an assessment by the Secretary of any foreign government or foreign organization or entity, and, to the extent possible, the foreign individuals, who directed and benefitted from any information acquired from the compromise.
“(3) Annual report.—Not later than one year after the date of the enactment of this Act, and annually thereafter for 5 years, the Secretary, in coordination with relevant agencies, shall submit to the appropriate committees of Congress, the Committee on the Judiciary of the Senate, and the Committee on the Judiciary of the House of Representatives a report regarding any covered device that was compromised by foreign commercial spyware, including the information described in subparagraphs (A) through (D) of paragraph (2).”

Definitions

For definitions of “Department”, “Secretary”, and “appropriate congressional committees” as used in this section, see section 6002 of Pub. L. 118–31, set out as a note under section 2651 of this title.

Reference

Citations & Metadata

Citation

22 U.S.C. § 10308
