Reporting on penetrations of networks of contractors and subcontractors

50 U.S.C. § 2662

• Title: 50 — War and National Defense
• Chapter: SUBCHAPTER V—SAFEGUARDS AND SECURITY MATTERS
• Part: A
• Current through: Pub. L. 119-73

Text

(a) Procedures for reporting penetrations
The Administrator shall establish procedures that require each contractor and subcontractor to report to the Chief Information Officer when a covered network of the contractor or subcontractor that meets the criteria established pursuant to subsection (b) is successfully penetrated.
(b) Establishment of criteria for covered networks
The Administrator shall, in consultation with the officials specified in paragraph (2), establish criteria for covered networks to be subject to the procedures for reporting penetrations under subsection (a).
The officials specified in this paragraph are the following officials of the Administration:
(A) The Deputy Administrator for Defense Programs.
(B) The Associate Administrator for Acquisition and Project Management.
(C) The Chief Information Officer.
(D) Any other official of the Administration the Administrator considers necessary.
(c) Procedure requirements
The procedures established pursuant to subsection (a) shall require each contractor or subcontractor to submit to the Chief Information Officer a report on each successful penetration of a covered network of the contractor or subcontractor that meets the criteria established pursuant to subsection (b) not later than 60 days after the discovery of the successful penetration.
Subject to subparagraph (C), each report required by subparagraph (A) with respect to a successful penetration of a covered network of a contractor or subcontractor shall include the following:
(i) A description of the technique or method used in such penetration.
(ii) A sample of the malicious software, if discovered and isolated by the contractor or subcontractor, involved in such penetration.
(iii) A summary of information created by or for the Administration in connection with any program of the Administration that has been potentially compromised as a result of such penetration.
If a contractor or subcontractor is not able to obtain all of the information required by subparagraph (B) to be included in a report required by subparagraph (A) by the date that is 60 days after the discovery of a successful penetration of a covered network of the contractor or subcontractor, the contractor or subcontractor shall—
(i) include in the report all information available as of that date; and
(ii) provide to the Chief Information Officer the additional information required by subparagraph (B) as the information becomes available.
Concurrent with the establishment of the procedures pursuant to subsection (a), the Administrator shall establish procedures to be used if information owned by the Administration was in use during or at risk as a result of the successful penetration of a covered network—
(A) in order to—
(i) in the case of a penetration of a covered network of a management and operating contractor, enhance the access of personnel of the Administration to Government-owned equipment and information; and
(ii) in the case of a penetration of a covered network of a contractor or subcontractor that is not a management and operating contractor, facilitate the access of personnel of the Administration to the equipment and information of the contractor or subcontractor; and
(B) which shall—
(i) include mechanisms for personnel of the Administration to, upon request, obtain access to equipment or information of a contractor or subcontractor necessary to conduct forensic analysis in addition to any analysis conducted by the contractor or subcontractor;
(ii) provide that a contractor or subcontractor is only required to provide access to equipment or information as described in clause (i) to determine whether information created by or for the Administration in connection with any program of the Administration was successfully exfiltrated from a network of the contractor or subcontractor and, if so, what information was exfiltrated; and
(iii) provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.
The procedures established pursuant to subsection (a) shall allow for limiting the dissemination of information obtained or derived through such procedures so that such information may be disseminated only to entities—
(A) with missions that may be affected by such information;
(B) that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(C) that conduct counterintelligence or law enforcement investigations; or
(D) for national security purposes, including cyber situational awareness and defense purposes.
(d) Definitions
In this section:
The term "Chief Information Officer" means the Associate Administrator for Information Management and Chief Information Officer of the Administration.
The term "contractor" means a private entity that has entered into a contract or contractual action of any kind with the Administration to furnish supplies, equipment, materials, or services of any kind.
The term "covered network" includes any network or information system that accesses, receives, or stores—
(A) classified information; or
(B) sensitive unclassified information germane to any program of the Administration, as determined by the Administrator.
The term "subcontractor" means a private entity that has entered into a contract or contractual action with a contractor or another subcontractor to furnish supplies, equipment, materials, or services of any kind in connection with another contract in support of any program of the Administration.

History

(Pub. L. 107–314, div. D, title XLV, §4511, as added Pub. L. 116–283, div. C, title XXXI, §3131(a), Jan. 1, 2021, 134 Stat. 4383.)