10 U.S. Code Chapter 19 - CYBER AND INFORMATION OPERATIONS MATTERS

1. § 391. Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors
2. § 391a. Annual reports on support by military departments for United States Cyber Command
3. § 392. Executive agents for cyber test and training ranges
4. § 392a. Principal Cyber Advisors
5. § 393. Reporting on penetrations of networks and information systems of certain contractors
6. § 394. Authorities concerning military cyber operations
7. § 395. Notification requirements for sensitive military cyber operations
8. § 396. Notification requirements for cyber weapons
9. § 397. Principal Information Operations Advisor
10. § 398.11 Another section 398 is set out after this section. Military information support operations in information environment
11. § 398.11 Another section 398 is set out preceding this section. Pilot program for sharing cyber capabilities and related information with foreign operational partners
12. § 399. Notifications relating to military operations in the information environment: requirement to notify Chief of Mission

Editorial Notes

Amendments

2022—Pub. L. 117–263, div. A, title X, § 1052(b), title XV, §§ 1501(b)(1), 1502(a), 1521, 1551(b), Dec. 23, 2022, 136 Stat. 2777, 2877, 2879, 2897, 2919, added items 391a, 392a, and 399 and two items 398.

2019—Pub. L. 116–92, div. A, title XVI, § 1631(a)(2)(A), Dec. 20, 2019, 133 Stat. 1742, substituted “CYBER AND INFORMATION OPERATIONS MATTERS” for “CYBER MATTERS” in chapter heading and added item 397.

2018—Pub. L. 115–232, div. A, title XVI, § 1631(c)(2), Aug. 13, 2018, 132 Stat. 2123, added items 394 to 396.

2015—Pub. L. 114–92, div. A, title X, § 1081(a)(4), title XVI, § 1641(c)(2), Nov. 25, 2015, 129 Stat. 1001, 1116, substituted “Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors” for “Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors” in item 391 and added item 393.

2014—Pub. L. 113–291, div. A, title XVI, § 1633(d), Dec. 19, 2014, 128 Stat. 3643, added item 392.

Statutory Notes and Related Subsidiaries

Alignment of Department of Defense Cyber International Strategy With National Defense Strategy and Department of Defense Cyber Strategy

Pub. L. 117–263, div. A, title XV, § 1506, Dec. 23, 2022, 136 Stat. 2882, provided that:

“(a) Alignment Required.—

Not later than 270 days after the date of the enactment of this Act [Dec. 23, 2022], the Secretary of Defense, acting through the Under Secretary of Defense for Policy and in coordination with the commanders of the combatant commands and the Director of the Joint Staff, shall undertake efforts to align the cybersecurity cooperation enterprise of the Department of Defense and the cyberspace operational partnerships of the Department with—

“(1) the national defense strategy published in 2022 pursuant to section 113(g) of title 10, United States Code;

“(2) the Cyber Strategy of the Department published during fiscal year 2023; and

“(3) the current International Cyberspace Security Cooperation Guidance of the Department, as of the date of the enactment of this Act.

“(b) Elements.—

The alignment efforts under subsection (a) shall include the following efforts within the Department of Defense:

“(1) Efforts to build the internal capacity of the Department to support international strategy policy engagements with allies and partners of the United States.

“(2) Efforts to coordinate and align cyberspace operations with foreign partners of the United States, including alignment between hunt-forward missions and other cyber international strategy activities conducted by the Department, including identification of processes, working groups, and methods to facilitate coordination between geographic combatant commands and the United States Cyber Command.

“(3) Efforts to deliberately cultivate operational and intelligence-sharing partnerships with key allies and partners of the United States to advance the cyberspace operations objectives of the Department.

“(4) Efforts to identify key allied and partner networks, infrastructure, and systems that the Joint Force will rely upon for warfighting and to—

“(A) support the cybersecurity and cyber defense of those networks, infrastructure, and systems;

“(B) build partner capacity to actively defend those networks, infrastructure, and systems;

“(C) eradicate malicious cyber activity that has compromised those networks, infrastructure, and systems, such as when identified through hunt-forward operations; and

“(D) leverage the commercial and military cybersecurity technology and services of the United States to harden and defend those networks, infrastructure, and systems.

“(5) Efforts to secure the environments and networks of mission partners of the United States used to hold intelligence and information originated by the United States.

“(6) Prioritization schemas, funding requirements, and efficacy metrics to drive cyberspace security investments in the tools, technologies, and capacity-building efforts that will have the greatest positive impact on the resilience and ability of the Department to execute its operational plans and achieve integrated deterrence.

“(c) Organization.—

The Under Secretary of Defense for Policy shall lead efforts to implement this section. In doing so, the Under Secretary shall consult with the Secretary of State, the National Cyber Director, the Director of the Cybersecurity and Infrastructure Security Agency, and the Director of the Federal Bureau of Investigation, to align plans and programs as appropriate.

“(d) Annual Briefings.—

“(1) Requirement.—

Not later than 180 days after the date of the enactment of this Act, and not less frequently than once each fiscal year until September 30, 2025, the Under Secretary of Defense for Policy shall provide to the Committees on Armed Services of the Senate and the House of Representatives a briefing on the implementation of this section.

“(2) Contents.—

Each briefing under paragraph (1) shall include the following:

“(A) An overview of efforts undertaken pursuant to this section.

“(B) An accounting of all the security cooperation activities of the Department germane to cyberspace and changes made pursuant to implementation of this section.

“(C) A detailed schedule with target milestones and required expenditures for all planned activities related to the efforts described in subsection (b).

“(D) Interim and final metrics for building the cyberspace security cooperation enterprise of the Department.

“(E) Identification of such additional funding, authorities, and policies, as the Under Secretary determines may be required.

“(F) Such recommendations as the Under Secretary may have for legislative action to improve the effectiveness of cyberspace security cooperation of the Department with foreign partners and allies.

“(e) Annual Report.—

Not later than 90 days after the date of the enactment of this Act and not less frequently than once each year thereafter until January 1, 2025, the Under Secretary of Defense for Policy shall submit to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives a report summarizing the cyber international strategy activities of the Department, including within the cybersecurity cooperation enterprise of the Department and the cyber operational partnerships of the Department.”

Enhancement of Cyberspace Training and Security Cooperation

Pub. L. 117–263, div. A, title XV, § 1507, Dec. 23, 2022, 136 Stat. 2883, provided that:

“(a) Enhanced Training.—

“(1) Requirement.—

The Under Secretary of Defense for Intelligence and Security and the Under Secretary of Defense for Policy, in coordination with the Commander of United States Cyber Command, the Director of the Defense Security Cooperation Agency, and the Director of the Defense Intelligence Agency, shall develop enhanced guidance for and implement training on cyberspace security cooperation at the Defense Security Cooperation University and the Joint Military Attaché School.

“(2) Timing.—

The Under Secretaries shall develop the enhanced guidance and implement the training under paragraph (1)—

“(A) by not later than one year after the date of the enactment of this Act [Dec. 23, 2022] with respect to the Joint Military Attaché School; and

“(B) by not later than September 30, 2025, with respect to the Defense Security Cooperation University.

“(3) Elements.—

The Under Secretaries shall ensure that the training on cyberspace security cooperation under paragraph (1)—

“(A) is tailored to the trainees’ anticipated embassy role and functions; and

“(B) provides familiarity with—

“(i) the different purposes of cyberspace engagements with partners and allies of the United States, including threat awareness, cybersecurity, mission assurance, and operations;

“(ii) the types of cyberspace security cooperation programs and activities available for partners and allies of the United States, including bilateral and multilateral cyberspace engagements, information and intelligence sharing, training, and exercises;

“(iii) the United States Cyber Command cyberspace operations with partners, including an overview of the Hunt Forward mission and process;

“(iv) the roles and responsibilities of the United States Cyber Command, the geographic combatant commands, and the Defense Security Cooperation Agency for cybersecurity cooperation within the Department of Defense; and

“(v) such other matters as the Under Secretaries, in coordination with the Commander of United States Cyber Command, consider appropriate.

“(4) Requirements.—

The baseline familiarization training developed under subsection (a) shall be a required element for all participants in the Defense Security Cooperation University, the Attaché Training Program, and the Attaché Staff Training Program of the Joint Military Attaché School.

“(b) Report.—

Not later than 180 days after the date of the enactment of this Act, the Under Secretary of Defense for Intelligence and Security and the Under Secretary of Defense for Policy, in coordination with the Commander of the United States Cyber Command, the Director of the Defense Security Cooperation Agency, and the Director of the Defense Intelligence Agency, shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report on the requirements and considerations to implement enhanced training and coordination to advance cyberspace security cooperation with foreign partners. The study may consider such areas as the following:

“(1) Sufficiency of the training provided in the Defense Security Cooperation University and the Joint Military Attaché School.

“(2) Additional training requirements, familiarization requirements, or both such requirements necessary for officers assigned to particular locations or positions.

“(3) Areas for increased cooperation.

“(4) A plan for completing the activities required by subsection (a).

“(5) Additional resources required to complete such activities.

“(c) Briefing.—

Not later than 30 days after the date on which the Under Secretary of Defense for Intelligence and Security and the Under Secretary of Defense for Policy submit the report under subsection (b), the Under Secretaries, in coordination with the Commander of the United States Cyber Command, the Director of the Defense Security Cooperation Agency, and the Director of the Defense Intelligence Agency, shall provide to the Committees on Armed Services of the Senate and the House of Representatives a briefing on the findings from the report on enhancing training and coordination to advance cyberspace security cooperation described in such subsection. Such briefing shall include a discussion on the enhanced training meeting the elements under subsection (a)(3) and a plan for future updates and sustainment of such training.”