Title 50: War and National Defense (Release 119-73not60)

§2662 Reporting on Penetrations of Networks of Contractors and Subcontractors

Title 50, Chapter 42 (Atomic Energy Defense Provisions), Subchapter V (Safeguards and Security Matters), Part A (Safeguards and Security), § 2662

Last updated Apr 5, 2026

Summary

The Administrator must make rules that force contractors and subcontractors to tell the Chief Information Officer when a covered network they run is successfully hacked. The Administrator will decide what counts as a covered network after talking with key agency officials, including the Deputy Administrator for Defense Programs, the Associate Administrator for Acquisition and Project Management, the Chief Information Officer, and any others needed.

Contractors and subcontractors must send a report no later than 60 days after they discover a successful penetration. The report must say how the break-in was done, include a sample of any malware if they found one, and summarize any agency-created information that might have been affected. If they cannot gather everything in 60 days, they must send what they have and give the rest as it becomes available.

The Administrator must also make rules to let agency staff get access to government or contractor equipment and information for forensic checks when agency-owned data was used or at risk. Those rules must let the agency ask for access, limit access to figuring out whether agency information was taken and what was taken, and protect trade secrets, business or financial records, and personal-identifying information.

The rules can limit who sees the incident information to people or groups whose work is affected, those who help with cyber response, counterintelligence or law enforcement, or for national security and cyber defense.

Definitions:
Chief Information Officer: the Associate Administrator for Information Management and Chief Information Officer.
Contractor: a private entity with a contract to provide goods or services to the agency.
Covered network: any network that stores or handles classified or sensitive unclassified agency information.
Subcontractor: a private entity hired under a contractor to help with an agency program.

Full Legal Text

Title 50, §2662

War and National Defense — Source: USLM XML via OLRC

(a) The Administrator shall establish procedures that require each contractor and subcontractor to report to the Chief Information Officer when a covered network of the contractor or subcontractor that meets the criteria established pursuant to subsection (b) is successfully penetrated.

(b)(1) The Administrator shall, in consultation with the officials specified in paragraph (2), establish criteria for covered networks to be subject to the procedures for reporting penetrations under subsection (a).
  (2) The officials specified in this paragraph are the following officials of the Administration:
    (A) The Deputy Administrator for Defense Programs.
    (B) The Associate Administrator for Acquisition and Project Management.
    (C) The Chief Information Officer.
    (D) Any other official of the Administration the Administrator considers necessary.

(c)(1)(A) The procedures established pursuant to subsection (a) shall require each contractor or subcontractor to submit to the Chief Information Officer a report on each successful penetration of a covered network of the contractor or subcontractor that meets the criteria established pursuant to subsection (b) not later than 60 days after the discovery of the successful penetration.
    (B) Subject to subparagraph (C), each report required by subparagraph (A) with respect to a successful penetration of a covered network of a contractor or subcontractor shall include the following:
      (i) A description of the technique or method used in such penetration.
      (ii) A sample of the malicious software, if discovered and isolated by the contractor or subcontractor, involved in such penetration.
      (iii) A summary of information created by or for the Administration in connection with any program of the Administration that has been potentially compromised as a result of such penetration.
    (C) If a contractor or subcontractor is not able to obtain all of the information required by subparagraph (B) to be included in a report required by subparagraph (A) by the date that is 60 days after the discovery of a successful penetration of a covered network of the contractor or subcontractor, the contractor or subcontractor shall—
      (i) include in the report all information available as of that date; and
      (ii) provide to the Chief Information Officer the additional information required by subparagraph (B) as the information becomes available.
  (2) Concurrent with the establishment of the procedures pursuant to subsection (a), the Administrator shall establish procedures to be used if information owned by the Administration was in use during or at risk as a result of the successful penetration of a covered network—
    (A) in order to—
      (i) in the case of a penetration of a covered network of a management and operating contractor, enhance the access of personnel of the Administration to Government-owned equipment and information; and
      (ii) in the case of a penetration of a covered network of a contractor or subcontractor that is not a management and operating contractor, facilitate the access of personnel of the Administration to the equipment and information of the contractor or subcontractor; and
    (B) which shall—
      (i) include mechanisms for personnel of the Administration to, upon request, obtain access to equipment or information of a contractor or subcontractor necessary to conduct forensic analysis in addition to any analysis conducted by the contractor or subcontractor;
      (ii) provide that a contractor or subcontractor is only required to provide access to equipment or information as described in clause (i) to determine whether information created by or for the Administration in connection with any program of the Administration was successfully exfiltrated from a network of the contractor or subcontractor and, if so, what information was exfiltrated; and
      (iii) provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
  (3) The procedures established pursuant to subsection (a) shall allow for limiting the dissemination of information obtained or derived through such procedures so that such information may be disseminated only to entities—
    (A) with missions that may be affected by such information;
    (B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
    (C) that conduct counterintelligence or law enforcement investigations; or
    (D) for national security purposes, including cyber situational awareness and defense purposes.

(d) In this section:
  (1) The term “Chief Information Officer” means the Associate Administrator for Information Management and Chief Information Officer of the Administration.
  (2) The term “contractor” means a private entity that has entered into a contract or contractual action of any kind with the Administration to furnish supplies, equipment, materials, or services of any kind.
  (3) The term “covered network” includes any network or information system that accesses, receives, or stores—
    (A) classified information; or
    (B) sensitive unclassified information germane to any program of the Administration, as determined by the Administrator.
  (4) The term “subcontractor” means a private entity that has entered into a contract or contractual action with a contractor or another subcontractor to furnish supplies, equipment, materials, or services of any kind in connection with another contract in support of any program of the Administration.

Citations & Metadata

Citation: 50 U.S.C. § 2662, Title 50 (War and National Defense)
Release point: 119-73not60