PRIA Logo
Title 50War and National DefenseRelease 119-73not60

§3099 Vulnerability Assessments of Major Systems

Title 50 › Chapter 44— NATIONAL SECURITY › Subchapter III— ACCOUNTABILITY FOR INTELLIGENCE ACTIVITIES › § 3099

Last updated Apr 5, 2026|Official source

Summary

The Director of National Intelligence must do an initial vulnerability assessment for every major system and its important supply items. The assessment must happen before Milestone B (the decision to start major system development) unless Milestone B already occurred; for systems with Milestone B done before or shortly after October 7, 2010, the assessment is due by 1 year after October 7, 2010. The Director can delay that deadline up to 180 days only if the congressional intelligence committees are told and given a reason. Each assessment must use analysis (and testing when useful) to find weaknesses, show how the system could be exploited, check how well it would work, rate overall risk, and suggest ways to reduce risk. If the required initial assessment is not sent to the congressional intelligence committees, money for major contracts for that system cannot be obligated until the committees receive the assessment. The Director must do follow-up assessments during procurement or when circumstances change, may recertify or do a new assessment if a committee asks, must give each completed assessment to the congressional intelligence committees within 10 days, and must include a proposed schedule for future periodic assessments when sending the initial assessment. Definitions: item of supply — as defined in the Office of Federal Procurement Policy Act; major contract — one of the 6 largest prime, associate, or government-furnished equipment contracts over $40,000,000 that is not a firm, fixed-price contract; major system — as defined in section 3097(e); Milestone B — the decision to enter major system development and demonstration; vulnerability assessment — the process of identifying and measuring vulnerabilities in a major system and its key supply items.

Full Legal Text

Title 50, §3099

War and National Defense — Source: USLM XML via OLRC

(a)(1)(A)Except as provided in subparagraph (B), the Director of National Intelligence shall conduct and submit to the congressional intelligence committees an initial vulnerability assessment for each major system and its significant items of supply—
(i)except as provided in clause (ii), prior to the completion of Milestone B or an equivalent acquisition decision for the major system; or
(ii)prior to the date that is 1 year after October 7, 2010, in the case of a major system for which Milestone B or an equivalent acquisition decision—
(I)was completed prior to such date; or
(II)is completed on a date during the 180-day period following such date.
(B)The Director may submit to the congressional intelligence committees an initial vulnerability assessment required by clause (ii) of subparagraph (A) not later than 180 days after the date such assessment is required to be submitted under such clause if the Director notifies the congressional intelligence committees of the extension of the submission date under this subparagraph and provides a justification for such extension.
(C)The initial vulnerability assessment of a major system and its significant items of supply shall include use of an analysis-based approach to—
(i)identify vulnerabilities;
(ii)define exploitation potential;
(iii)examine the system’s potential effectiveness;
(iv)determine overall vulnerability; and
(v)make recommendations for risk reduction.
(2)If an initial vulnerability assessment for a major system is not submitted to the congressional intelligence committees as required by paragraph (1), funds appropriated for the acquisition of the major system may not be obligated for a major contract related to the major system. Such prohibition on the obligation of funds for the acquisition of the major system shall cease to apply on the date on which the congressional intelligence committees receive the initial vulnerability assessment.
(b)(1)The Director of National Intelligence shall, periodically throughout the procurement of a major system or if the Director determines that a change in circumstances warrants the issuance of a subsequent vulnerability assessment, conduct a subsequent vulnerability assessment of each major system and its significant items of supply within the National Intelligence Program.
(2)Upon the request of a congressional intelligence committee, the Director of National Intelligence may, if appropriate, recertify the previous vulnerability assessment or may conduct a subsequent vulnerability assessment of a particular major system and its significant items of supply within the National Intelligence Program.
(3)Any subsequent vulnerability assessment of a major system and its significant items of supply shall include use of an analysis-based approach and, if applicable, a testing-based approach, to monitor the exploitation potential of such system and reexamine the factors described in clauses (i) through (v) of subsection (a)(1)(C).
(c)The Director of National Intelligence shall give due consideration to the vulnerability assessments prepared for a given major system when developing and determining the National Intelligence Program budget.
(d)(1)The Director of National Intelligence shall provide to the congressional intelligence committees a copy of each vulnerability assessment conducted under subsection (a) or (b) not later than 10 days after the date of the completion of such assessment.
(2)The Director of National Intelligence shall provide the congressional intelligence committees with a proposed schedule for subsequent periodic vulnerability assessments of a major system under subsection (b)(1) when providing such committees with the initial vulnerability assessment under subsection (a) of such system as required by paragraph (1).
(e)In this section:
(1)The term “item of supply” has the meaning given that term in section 4(10) 11 See References in Text note below. of the Office of Federal Procurement Policy Act (41 U.S.C. 403(10)).
(2)The term “major contract” means each of the 6 largest prime, associate, or Government-furnished equipment contracts under a major system that is in excess of $40,000,000 and that is not a firm, fixed price contract.
(3)The term “major system” has the meaning given that term in section 3097(e) of this title.
(4)The term “Milestone B” means a decision to enter into major system development and demonstration pursuant to guidance prescribed by the Director of National Intelligence.
(5)The term “vulnerability assessment” means the process of identifying and quantifying vulnerabilities in a major system and its significant items of supply.

Legislative History

Notes & Related Subsidiaries

Editorial Notes

References in Text

section 4(10) of the Office of Federal Procurement Policy Act, referred to in subsec. (e)(1), which was classified to section 403(10) of former Title 41, Public Contracts, was repealed and reenacted as section 108 and 115 of Title 41, Public Contracts, by Pub. L. 111–350, §§ 3, 7(b), Jan. 4, 2011, 124 Stat. 3677, 3855. Codification Section was formerly classified to section 415a–5 of this title prior to editorial reclassification and renumbering as this section.

Reference

Citations & Metadata

Citation

50 U.S.C. § 3099

Title 50War and National Defense

Last Updated

Apr 5, 2026

Release point: 119-73not60