Editorial Notes

Amendments

2015—Subsec. (c)(3). Pub. L. 114–92 substituted "section 3552(b)(6)" for "section 3552(b)(5)".

2014—Subsec. (c)(3). Pub. L. 113–283 substituted "section 3552(b)(5)" for "section 3542(b)(2)".

2006—Subsec. (c)(3). Pub. L. 109–364 substituted "section 3542(b)(2) of title 44" for "section 11103 of title 40".

2002—Subsecs. (a), (b). Pub. L. 107–217, §3(b)(1)(A), (B), substituted "section 11315 of title 40" for "section 5125 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1425)" in introductory provisions.

Subsec. (c)(2). Pub. L. 107–217, §3(b)(1)(C), substituted "section 11101 of title 40" for "section 5002 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1401)".

Subsec. (c)(3). Pub. L. 107–217, §3(b)(1)(D), substituted "section 11103 of title 40" for "section 5142 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1452)".

2000—Subsec. (a)(5). Pub. L. 106–398 added par. (5).

Statutory Notes and Related Subsidiaries

Effective Date

Pub. L. 105–261, div. A, title III, §331(b), Oct. 17, 1998, 112 Stat. 1968, provided that: "Section 2223 of title 10, United States Code, as added by subsection (a), shall take effect on October 1, 1998."

Enhanced Security Strategy for Procurement of Private Fifth-Generation Wireless Technology

Pub. L. 119–60, div. A, title VIII, §877, Dec. 18, 2025, 139 Stat. 1005, provided that:

"(a) In General.—Not later than 90 days after the date of the enactment of this Act [Dec. 18, 2025], the Secretary of Defense shall require a contractor for a procurement related to fifth-generation wireless technology for private networks on military installations to provide the information described in subsection (b) to promote enhanced wireless network security requirements, including supply chain risk management.

"(b) Information Described.—The information described in this subsection is as follows:

"(1) A hardware bill of materials for such procurement described in subsection (a).

"(2) A description of the implementation and operational use of zero trust principles and capabilities for such procurement.

"(c) Prioritization.—With respect to a procurement described in subsection (a), the Secretary shall prioritize the use of private networks that employ Open-RAN approaches, including cloud-native capabilities whenever possible.

"(d) Definitions.—In this section:

"(1) The term 'military installation' has the meaning given in section 2801 of title 10, United States Code.

"(2) The term 'Open-RAN' has the meaning given in section 9202 of title XCII of the National Defense Authorization Act for Fiscal Year 2021 (Public Law 116–283) [47 U.S.C. 906]."

Plan for Deploying Private Fifth Generation and Future Generation Open Radio Access Network Architecture on Department of Defense Military Installations

Pub. L. 119–60, div. B, title XXVIII, §2853, Dec. 18, 2025, 139 Stat. 1323, provided that:

"(a) Requirement for Prioritized List of Military Installations.—Pursuant to section 1526 of the National Defense Authorization Act for Fiscal Year 2024 (Public Law 118–31; 10 U.S.C. 4571 note) and the Department of Defense Private 5G Deployment Strategy (dated October 2024), each Secretary of a military department shall develop a prioritized list of military installations that merit investment in private fifth generation and future generation information and communications networks.

"(b) Considerations.—In developing a list under subsection (a), a Secretary of a military department shall consider matters relating to the following:

"(1) Connection density.

"(2) Latency requirements.

"(3) Capacity requirements.

"(4) Geographic coverage requirements.

"(5) Enhanced security within wireless network services.

"(6) Military installation physical security and force protection requirements, including perimeter monitoring and detection and tracking of uncrewed aircraft systems.

"(7) Requirements with respect to large-scale warehousing and logistics operations.

"(8) The potential use of augmented or virtual reality technology, including for maintenance and training.

"(9) Requirements with respect to large-scale and high-tempo flight line operations.

"(c) Informing Future Procurements.—The Secretary of the Air Force shall use the prioritized list developed under subsection (a) to inform task orders issued under the Enterprise Information Technology as a Service Base Infrastructure Modernization program of the Department of the Air Force and future related contracts. To the maximum extent possible, task orders issued after the date of the enactment of this Act [Dec. 18, 2025] shall specify where existing networking technologies are fully adequate to meet requirements and where private fifth generation and future generation information and communications network performance or characteristics are needed.

"(d) Coordination Required.—In developing prioritized lists under subsection (a), each Secretary of a military department shall, to the extent each such Secretary determines appropriate, coordinate with the following officials:

"(1) The Under Secretary of Defense for Research and Engineering, [sic]

"(2) The Under Secretary of Defense for Acquisition and Sustainment.

"(3) The Chief Information Officer of the Department of Defense.

"(4) The service acquisition executive of the military department concerned.

"(5) Combatant commanders.

"(6) The heads of the Defense Agencies.

"(7) Installation and environment executives.

"(e) Plan for Private 5G Open Radio Access Network Architecture Deployments.—Not later than March 1, 2026, the Secretary of Defense shall—

"(1) consolidate the prioritized military installation lists developed by the Secretaries of the military departments under subsection (a), and determine an optimal investment, deployment, and resourcing plan for private fifth generation and future generation networks across the Department that are based on Open Radio Access Network architecture; and

"(2) submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and House of Representatives] a report on the lists consolidated under paragraph (1) and the determinations made pursuant to such paragraph.

"(f) Definitions.—In this section:

"(1) The term 'military installation' has the meaning given such term in section 2801 of title 10, United States Code.

"(2) The term 'Open Radio Access Network architecture' has the meaning given such term in section 1526 of the National Defense Authorization Act for Fiscal Year 2024 (Public Law 118–31).

"(3) The term 'service acquisition executive' has the meaning given such term in section 101 of title 10, United States Code."

Modernization of the Department of Defense's Authorization To Operate Processes

Pub. L. 118–159, div. A, title XV, §1522, Dec. 23, 2024, 138 Stat. 2140, as amended by Pub. L. 119–60, div. A, title XV, §1521, Dec. 18, 2025, 139 Stat. 1154, provided that:

"(a) Active Directory of Authorizing Officials.—

"(1) In general.—Not later than 270 days after the date of the enactment of this Act [Dec. 23, 2024], the Secretary of Defense, acting through the Chief Information Officer of the Department of Defense and in coordination with the Chief Information Officers of the military departments, shall establish and regularly update a digital directory of all authorizing officials in the military departments.

"(2) Contents.—The directory established under paragraph (1) shall include—

"(A) the most current contact information for such authorizing official; and

"(B) a list of each training required to perform the duties and responsibilities of an authorizing official completed by such authorizing official.

"(b) Presumption of Reciprocal Software Accrediting Standards.—

"(1) Policy required.—Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense, acting through the Chief Information Officer of the Department of Defense, shall implement a policy that requires authorizing officials to adopt the security analysis and artifacts, as appropriate, of a cloud-hosted platform, service, or application that has already been authorized by another authorizing official in the Department of Defense in order to more rapidly adopt and use such cloud-hosted platforms, services, and applications, at the corresponding classification level and in accordance with the existing authorization conditions, without additional authorizations or reviews.

"(2) Elements.—The Secretary shall ensure that the policy implemented under paragraph (1)—

"(A) ensures the development of standardized and transparent documentation of the security, accreditation, performance, and operational capabilities of cloud-hosted platforms, services, and applications to enable decision making by mission owners of such cloud-hosted platforms, services, and applications;

"(B) provides for an intuitive and digital workflow to document acknowledgments among mission owners and system owners of use of the operational capabilities of cloud-hosted platforms, services, and applications;

"(C) directs a review by mission owners of existing authorization information, at the appropriate classification level, regarding the status of the operational capabilities of cloud-hosted platforms, services, and applications, including through management dashboards or other management analytic capabilities;

"(D) defines a process, including required timelines, to allow authorizing officials that disagree with the security analysis of a cloud-hosted platform, service, or application that such official would be required to adopt under such policy to present such disagreement to the Chief Information Officer of the Department of Defense, or such other individual or entity designated by the Chief Information Officer, for adjudication; and

"(E) defines Department of Defense-wide, mandatory timelines for activities performed by authorizing officials with respect to an Authorization to Operate for cloud-hosted platforms, services, and applications.

"(3) Applicability.—The policy implemented pursuant to paragraph (1) shall apply to—

"(A) all authorizing officials in the Department of Defense, including in each military department, component, and agency of the Department; and

"(B) all operational capabilities of cloud-hosted platforms, services, and applications, including capabilities on public cloud infrastructure, as authorized through the Federal Risk and Authorization Management Program established under section 3608 of title 44, United States Code, and the Defense Information Systems Agency, and capabilities on private cloud landing zones managed by the Department of Defense that are authorized by Department accrediting officials.

"(c) Expedited Processing.—

"(1) Processes required.—Not later than 180 days after the date of the enactment of this subsection [Dec. 18, 2025], the Chief Information Officer of the Department of Defense, in coordination with the Chief Information Officers of the military departments, shall provide to each element of the Department of Defense with Authorization to Operate responsibilities guidance on, and direct each such element to develop and implement, one or more processes to expedite the granting of Authorizations to Operate and, where applicable, related appeals.

"(2) Criteria for expedited review.—The processes implemented by an element of the Department of Defense under paragraph (1) shall provide for expedited review of a request for an Authorization to Operate if—

"(A) such Authorization to Operate is for an information system of such element; and

"(B) the request for such Authorization to Operate was appropriately submitted to the authorizing official for such Authorization to Operate and—

"(i) the final determination whether to grant such Authorization to Operate as [sic] has been pending before such authorizing official for not fewer than 180 days without resolution;

"(ii) if a mechanism for appealing a determination by an authorizing official with respect to such Authorization to Operate exists, such an appeal has been pending before such authorizing official for not fewer than 90 days without response; or

"(iii) any other circumstances identified by the Chief Information Officer of the Department of Defense in the policy established under paragraph (1) that demonstrate unreasonable delay or impediment to the Authorization to Operate process.

"(3) Elements.—The process for expedited appeals developed under paragraph (1) shall include—

"(A) clearly defined timelines for resolution of the expedited review of the appeal, not to exceed 45 days from the date the expedited review is requested;

"(B) requirements for a written justification when such timelines cannot be met; and

"(C) tracking and reporting mechanisms to monitor compliance with such timelines.

"(d)[sic; two subsecs. (d) have been enacted] Reports.—

"(1) Implementation status.—

"(A) Secretary report.—Not later than 120 days after the date of the enactment of this Act [Dec. 23, 2024], the Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and House of Representatives] a report on the status of the implementation of subsections (a) and (b).

"(B) Chief information officer report.—Not later than July 1, 2026, the Chief Information Officer of the Department of Defense shall submit to the congressional defense committees a report on the status of the implementation of subsections (c).

"(2) Biannual report.—

"(A) In general.—Not later than six months after the date of the enactment of this subsection [Dec. 18, 2025], and every six months thereafter under October 1, 2031, the Secretary of Defense, in coordination with the Chief Information Officer of the Department of Defense and the Chief Information Officers of the military departments, shall submit to the congressional defense committees a report on the activities under this section in the six-month period ending on the date of the submission of such report.

"(B) Contents.—Each report required under subparagraph (A) shall include, for the period covered by such report—

"(i) the number of new Authorizations to Operate issued;

"(ii) the number of requests for an Authorization to Operate that were submitted with complete and sufficient documentation to the appropriate authorizing official;

"(iii) the number of requests for Authorizations to Operate that were denied;

"(iv) the number of requests for Authorizations to Operate that were escalated to the process implemented under subsection (c), disaggregated by escalations—

     "(I) to the Chief Information Officer of the Department of Defense; and

     "(II) to the Chief Information Officer of each military department;

"(v) the number of requests described in clause (iv) that were resolved, disaggregated by resolutions—

     "(I) by the Chief Information Officer of the Department of Defense; and

     "(II) by the Chief Information Officer of each military department;

"(vi) the average time required for a capability to receive an Authorization to Operate, disaggregated each element of the Department responsible for evaluating the request for the Authorization to Operate;

"(vii) the number of Authorizations to Operate issued pursuant to the policy required by subsection (b);

"(viii) the number of requested reciprocal Authorizations to Operate denied due to insufficiency of supporting evidence, along with a narrative summary of the primary reasons for such denials;

"(ix) a narrative summary of any recurring deficiencies in the materials required for system authorization under the Risk Management Framework;

"(x) recommendations to refine the Risk Management Framework and the Authority to Operate process, including opportunities to define, implement, and validate security controls at a higher organizational level so that subordinate systems may rely on those controls without duplicative implementation or assessment; and

"(xi) an evaluation of the training, standards, and qualification requirements for authorizing officials.

"(d)[sic] Definitions.—In this section—

"(1) the term 'Authorization to Operate' has the meaning given such term in the Office of Management and Budget Circular A-130;

"(2) the term 'authorizing official' means an officer who is authorized to assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the United States;

"(3) the term 'military departments' has the meaning given such term in section 101(a) of title 10, United States Code;

"(4) the term 'mission owner' means the user of a cloud-based platform, service, or application; and

"(5) the term 'system owner' means the element of the Department of Defense responsible for acquiring a cloud-based platform, service, or application, but which is not a mission owner of such cloud-based platform, service, or application."

Required Policies To Establish Datalink Strategy of Department of Defense

Pub. L. 118–31, div. A, title XV, §1527, Dec. 22, 2023, 137 Stat. 559, as amended by Pub. L. 119–60, div. A, title XV, §1522, Dec. 18, 2025, 139 Stat. 1156, provided that:

"(a) Policies Required.—

"(1) In general.—The Secretary of Defense shall develop and implement policies to establish a unified datalink strategy of the Department of Defense (in this section referred to as the 'strategy').

"(2) Elements.—The policies under paragraph (1) shall provide for, at a minimum, the following:

"(A) The designation of an organization to serve as the lead coordinator of datalink activities throughout the Department of Defense.

"(B) The prioritization and coordination across the military departments with respect to the strategy within the requirements generation process of the Department.

"(C) The use throughout the Department of a common standardized datalink network or transport protocol that ensures interoperability between independently developed datalinks, regardless of physical medium used, and ensures mesh routing. In developing such policy, the Secretary of Defense shall consider the use of a subset of Internet Protocol.

"(D) A programmatic decoupling of the physical method used to transmit data, the network or transport protocols used in the transmission and reception of data, and the applications used to process and use data.

"(E) Coordination of the strategy with respect to weapon systems executing the same mission types across the military departments, including through the use of a common set of datalink waveforms. In developing such policy, the Secretary shall evaluate the use of redundant datalinks for line-of-sight and beyond-line-of-sight information exchange for each weapon systems platform.

"(F) Coordination between the Department and the intelligence community (as such term is defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)) to leverage any efficiencies and overlap with existing datalink waveforms of the intelligence community.

"(G) Methods to support the rapid integration of common datalinks across the military departments.

"(H) Support for modularity of specific datalink waveforms to enable rapid integration of future datalinks, including the use of software defined radios compliant with modular open system architecture and sensor open system architecture.

"(b) Information to Congress.—Not later than June 1, 2024, the Secretary of Defense shall—

"(1) provide to the appropriate congressional committees a briefing on the proposed policies under subsection (a)(1), including timelines for the implementation of such policies; and

"(2) submit to the appropriate congressional committees—

"(A) an estimated timeline for the implementations of datalinks;

"(B) a list of any additional resources and authorities necessary to implement the strategy; and

"(C) a determination of whether a common set of datalinks can and should be implemented across all major weapon systems (as such term is defined in [former] section 3455 of title 10, United States Code) of the Department of Defense.

"(c) Annual Reports.—Not later than 180 days after the date of the enactment of the National Defense Authorization Act for Fiscal Year 2026 [Dec. 18, 2025], and not less frequently than once each year thereafter through December 31, 2032, the Secretary of Defense shall submit to the appropriate congressional committees an annual report on the implementation of the strategy.

"(d) Appropriate Congressional Committees Defined.—In this section, the term 'appropriate congressional committees' means the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] and the congressional intelligence committees, as such term is defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)."

Demonstration Program for Component Content Management Systems

Pub. L. 117–263, div. A, title IX, §917, Dec. 23, 2022, 136 Stat. 2756, provided that:

"(a) In General.—Not later than July 1, 2023, the Chief Information Officer of the Department of Defense, in coordination with the official designated under section 238(b) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115–232; 10 U.S.C. note prec. 4061), shall complete a pilot program to demonstrate the application of component content management systems to a distinct set of data of the Department.

"(b) Selection of Data Set.—In selecting a distinct set of data of the Department for purposes of the pilot program required by subsection (a), the Chief Information Officer shall consult with, at a minimum, the following:

"(1) The Office of the Secretary of Defense, with respect to directives, instructions, and other regulatory documents of the Department.

"(2) The Office of the Secretary of Defense and the Joint Staff, with respect to execution orders.

"(3) The Office of the Under Secretary of Defense for Research and Engineering and the military departments, with respect to technical manuals.

"(4) The Office of the Under Secretary of Defense for Acquisition and Sustainment, with respect to Contract Data Requirements List documents.

"(c) Authority to Enter Into Contracts.—Subject to the availability of appropriations, the Secretary of Defense may enter into contracts or other agreements with public or private entities to conduct studies and demonstration projects under the pilot program required by subsection (a).

"(c) [sic] Briefing Required.—Not later than 60 days after the date of the enactment of this Act [Dec. 23, 2022], the Chief Information Officer shall provide to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a briefing on plans to implement the pilot program required by subsection (a).

"(d) Component Content Management System Defined.—In this section, the term 'component content management system' means any content management system that enables the management of content at a component level instead of at the document level."

Legacy Information Technologies and Systems Accountability

Pub. L. 117–81, div. A, title XV, §1522, Dec. 27, 2021, 135 Stat. 2041, provided that:

"(a) In General.—Not later than 270 days after the date of the enactment of this Act [Dec. 27, 2021], the Secretaries of the Army, Navy, and Air Force shall each initiate efforts to identify legacy applications, software, and information technology within their respective Departments and eliminate any such application, software, or information technology that is no longer required.

"(b) Specifications.—To carry out subsection (a), that Secretaries of the Army, Navy, and Air Force shall each document the following:

"(1) An identification of the applications, software, and information technologies that are considered active or operational, but which are judged to no longer be required by the respective Department.

"(2) Information relating to the sources of funding for the applications, software, and information technologies identified pursuant to paragraph (1).

"(3) An identification of the senior official responsible for each such application, software, or information technology.

"(4) A plan to discontinue use and funding for each such application, software, or information technology.

"(c) Exemption.—Any effort substantially similar to that described in subsections (a) and (b) that is being carried out by the Secretary of the Army, Navy, or Air Force as of the date of the enactment of this Act and completed not later 180 days after such date shall be treated as satisfying the requirements under such subsections.

"(d) Report.—Not later than 270 days after the date of the enactment of this Act, the Secretaries of the Army, Navy, and Air Force shall each submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] the documentation required under subsection (b)."

Governance of Fifth-Generation Wireless Networking in the Department of Defense

Pub. L. 116–283, div. A, title II, §224, Jan. 1, 2021, 134 Stat. 3472, provided that:

"(a) Transition of 5G Wireless Networking to Operational Use.—

"(1) Transition plan required.—The Under Secretary of Defense for Research and Engineering, in consultation with the cross functional team established under subsection (c), shall develop a plan to transition fifth-generation (commonly known as '5G') wireless technology to operational use within the Department of Defense.

"(2) Elements.—The transition plan under paragraph (1) shall include the following:

"(A) A timeline for the transition of responsibility for 5G wireless networking to the Chief Information Officer, as required under subsection (b)(1).

"(B) A description of the roles and responsibilities of the organizations and elements of the Department of Defense with respect to the acquisition, sustainment, and operation of 5G wireless networking for the Department, as determined by the Secretary of Defense in accordance with subsection (d).

"(3) Interim briefing.—Not later than March 31, 2021[,] the Secretary of Defense shall provide to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a briefing on the status of the plan required under paragraph (1).

"(4) Final report.—Not later than September 30, 2021, the Secretary of Defense shall submit to the congressional defense committees a report that includes the plan developed under paragraph (1).

"(b) Senior Official for 5G Wireless Networking.—

"(1) Designation of chief information officer.—Not later than October 1, 2023, the Secretary of Defense shall designate the Chief Information Officer as the senior official within Department of Defense with primary responsibility for—

"(A) policy, oversight, guidance, research, and coordination on matters relating to 5G wireless networking; and

"(B) making proposals to the Secretary on governance, management, and organizational policy for 5G wireless networking.

"(2) Role of under secretary of defense for research and engineering.—The Under Secretary of Defense for Research and Engineering shall carry out the responsibilities specified in paragraph (1) until the date on which the Secretary of Defense designates the Chief Information Officer as the senior official responsible for 5G wireless networking under such paragraph.

"(c) Cross-functional Team for 5G Wireless Networking.—

"(1) Establishment.—Using the authority provided under section 911(c) of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328; 10 U.S.C. 111 note), the Secretary of Defense shall establish a cross-functional team for 5G wireless networking.

"(2) Duties.—The duties of the cross-functional team established under paragraph (1) shall be—

"(A) to assist the Secretary of Defense in determining the roles and responsibilities of the organizations and elements of the Department of Defense with respect to the acquisition, sustainment, and operation of 5G wireless networking, as required under subsection (d);

"(B) to assist the senior official responsible for 5G wireless networking in carrying out the responsibilities assigned to such official under subsection (b);

"(C) to oversee the implementation of the strategy developed under section 254 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116–92; 10 U.S.C. 2223a note [now 10 U.S.C. 2223 note]) for harnessing 5G wireless networking technologies, coordinated across all relevant elements of the Department;

"(D) to advance the adoption of commercially available, next-generation wireless communication technologies, capabilities, security, and applications by the Department and the defense industrial base; and

"(E) to support public-private partnerships between the Department and industry on matters relating to 5G wireless networking;

"(F) to coordinate research and development, implementation and acquisition activities, warfighting concept development, spectrum policy, industrial policy and commercial outreach and partnership relating to 5G wireless networking in the Department, and interagency and international engagement;

"(G) to integrate the Department's 5G wireless networking programs and policies with major initiatives, programs, and policies of the Department relating to secure microelectronics and command and control; and

"(H) to oversee, coordinate, execute, and lead initiatives to advance 5G wireless network technologies and associated applications developed for the Department.

"(3) Team leader.—The Under Secretary of Defense for Research and Engineering shall lead the cross-functional team established under paragraph (1) until the date on which the Secretary of Defense designates the Chief Information Officer as the senior official responsible for 5G wireless networking as required under subsection (b)(1). Beginning on the date of such designation, the Chief Information Officer shall lead the cross functional team.

"(d) Determination of Organizational Roles and Responsibilities.—The Secretary of Defense, acting through the cross-functional team established under subsection (c), shall determine the roles and responsibilities of the organizations and elements of the Department of Defense with respect to the acquisition, sustainment, and operation of 5G wireless networking for the Department, including the roles and responsibilities of the Office of the Secretary of Defense, the intelligence components of the Department, Defense Agencies and Department of Defense Field Activities, the Armed Forces, combatant commands, and the Joint Staff.

"(e) Briefing.—Not later than 90 days after the date of the enactment of this Act [Jan. 1, 2021], the Secretary of Defense shall submit to the congressional defense committees a briefing on the progress of the Secretary in—

"(1) establishing the cross-functional team under subsection (c); and

"(2) determining the roles and responsibilities of the organizations and elements of the Department of Defense with respect to 5G wireless networking as required under subsection (d).

"(f) 5G Procurement Decisions.—Each Secretary of a military department shall be responsible for decisions relating to the procurement of 5G wireless technology for that department.

"(g) Telecommunications Security Program.—

"(1) Program required.—The Secretary of Defense shall carry out a program to identify and mitigate vulnerabilities in the 5G telecommunications infrastructure of the Department of Defense.

"(2) Elements.—In carrying out the program under paragraph (1), the Secretary shall—

"(A) develop a capability to communicate clearly and authoritatively about threats by foreign adversaries;

"(B) conduct independent red-team security analysis of systems, subsystems, devices, and components of the Department of Defense including no-knowledge testing and testing with limited or full knowledge of expected functionalities;

"(C) verify the integrity of personnel who are tasked with design fabrication, integration, configuration, storage, test, and documentation of noncommercial 5G technology to be used by the Department;

"(D) verify the efficacy of the physical security measures used at Department locations where system design, fabrication, integration, configuration, storage, test, and documentation of 5G technology occurs;

"(E) direct the Chief Information Officer to assess, using existing government evaluation models and schema where applicable, 5G core service providers whose services will be used by the Department through the Department's provisional authorization process; and

"(F) direct the Defense Information Systems Agency and the United States Cyber Command to develop a capability for continuous, independent monitoring of non-commercial, government-transiting packet streams for 5G data on frequencies assigned to the Department to validate the availability, confidentiality, and integrity of the Department's communications systems.

"(3) Implementation plan.—Not later than 90 days after the date of the enactment of this Act [Jan. 1, 2021], the Secretary of Defense shall submit to Congress a plan for the implementation of the program under paragraph (1).

"(4) Report.—Not later than 270 days after submitting the plan under paragraph (3), the Secretary of Defense shall submit to Congress a report that includes—

"(A) a comprehensive assessment of the findings and conclusions of the program under paragraph (1);

"(B) recommendations on how to mitigate vulnerabilities in the telecommunications infrastructure of the Department of Defense; and

"(C) an explanation of how the Department plans to implement such recommendations.

"(h) Rule of Construction.—

"(1) In general.—Nothing in this section shall be construed as providing the Chief Information Officer immediate responsibility for the activities of the Department of Defense in fifth-generation wireless networking experimentation and science and technology development.

"(2) Purview of experimentation and science and technology development.—The activities described in paragraph (1) shall remain within the purview of the Under Secretary of Defense for Research and Engineering, but shall inform and be informed by the activities of the cross-functional team established pursuant to subsection (c)."

Demonstration Project on Use of Certain Technologies for Fifth-Generation Wireless Networking Services

Pub. L. 116–283, div. A, title II, §225, Jan. 1, 2021, 134 Stat. 3475, provided that:

"(a) Demonstration Project.—The Secretary of Defense shall carry out a demonstration project to evaluate the maturity, performance, and cost of covered technologies to provide additional options for providers of fifth-generation wireless network services.

"(b) Location.—The Secretary of Defense shall carry out the demonstration project under subsection (a) in at least one location where the Secretary plans to deploy a fifth-generation wireless network.

"(c) Coordination.—The Secretary shall carry out the demonstration project under subsection (a) in coordination with at least one major wireless network service provider based in the United States.

"(d) Covered Technologies Defined.—In this section, the term 'covered technologies' means—

"(1) a disaggregated or virtualized radio access network and core in which components can be provided by different vendors and interoperate through open protocols and interfaces, including those protocols and interfaces utilizing the Open Radio Access Network (commonly known as 'Open RAN' or 'oRAN') approach; and

"(2) one or more massive multiple-input, multiple-output radio arrays, provided by one or more companies based in the United States, that have the potential to compete favorably with radios produced by foreign companies in terms of cost, performance, and efficiency."

Strategy and Implementation Plan for Fifth Generation Information and Communications Technologies

Pub. L. 116–92, div. A, title II, §254, Dec. 20, 2019, 133 Stat. 1287, as amended by Pub. L. 117–263, div. A, title II, §232, Dec. 23, 2022, 136 Stat. 2486, provided that:

"(a) In General.—Not later than 270 days after the date of the enactment of this Act [Dec. 20, 2019], the Secretary of Defense shall develop—

"(1) a strategy for harnessing fifth generation (commonly known as '5G') information and communications technologies to enhance military capabilities, maintain a technological advantage on the battlefield, and accelerate the deployment of new commercial products and services enabled by 5G networks throughout the Department of Defense; and

"(2) a plan for implementing the strategy developed under paragraph (1).

"(b) Elements.—The strategy required under subsection (a) shall include the following elements:

"(1) Adoption and use of secure fourth generation (commonly known as '4G') communications technologies and the transition to advanced and secure 5G communications technologies for military applications and for military infrastructure.

"(2) Science, technology, research, and development efforts to facilitate the advancement and adoption of 5G technology and new uses of 5G systems, subsystems, and components, including—

"(A) 5G testbeds for developing military and dual-use applications; and

"(B) spectrum-sharing technologies and frameworks.

"(3) Strengthening engagement and outreach with industry, academia, international partners, and other departments and agencies of the Federal Government on issues relating to 5G technology and the deployment of such technology, including development of a common industrial base for secure microelectronics.

"(4) Defense industrial base supply chain risk, management, and opportunities.

"(5) Preserving the ability of the Joint Force to achieve objectives in a contested and congested spectrum environment.

"(6) Strengthening the ability of the Joint Force to conduct full spectrum operations that enhance the military advantages of the United States.

"(7) Securing the information technology and weapon systems of the Department against malicious activity.

"(8) Advancing the deployment of secure 5G networks nationwide.

"(9) Such other matters as the Secretary of Defense determines to be relevant.

"(c) Consultation.—In developing the strategy and implementation plan required under subsection (a), the Secretary of Defense shall consult with the following:

"(1) The Chief Information Officer of the Department of Defense.

"(2) The Under Secretary of Defense for Research and Engineering.

"(3) The Under Secretary of Defense for Acquisition and Sustainment.

"(4) The Under Secretary of Defense for Intelligence [now Under Secretary of Defense for Intelligence and Security].

"(5) Service Acquisition Executives of each military service.

"(d) Periodic Briefings.—

"(1) In general.—Not later than March 15, 2020, and not less frequently than once every three months thereafter through December 1, 2026, the Secretary of Defense shall provide to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a briefing on the development and implementation of the strategy required under subsection (a), including an explanation of how the Department of Defense—

"(A) is using secure 5G wireless network technology;

"(B) is reshaping the Department's policy for producing and procuring secure microelectronics; and

"(C) is working in the interagency and internationally to develop common policies and approaches.

"(2) Elements.—Each briefing under paragraph (1) shall include information on—

"(A) efforts to ensure a secure supply chain for 5G wireless network equipment and microelectronics;

"(B) the continued availability of electromagnetic spectrum for warfighting needs;

"(C) planned implementation of 5G wireless network infrastructure in warfighting networks, base infrastructure, defense-related manufacturing, and logistics;

"(D) steps taken to work with allied and partner countries to protect critical networks and supply chains; and

"(E) such other topics as the Secretary of Defense considers relevant."

Improved Management of Information Technology and Cyberspace Investments

Pub. L. 116–92, div. A, title VIII, §892, Dec. 20, 2019, 133 Stat. 1539, provided that:

"(a) Improved Management.—

"(1) In general.—The Chief Information Officer of the Department of Defense shall work with the Chief Data Officer of the Department of Defense to optimize the Department's process for accounting for, managing, and reporting its information technology and cyberspace investments. The optimization should include alternative methods of presenting budget justification materials to the public and congressional staff to more accurately communicate when, how, and with what frequency capability is delivered to end users, in accordance with best practices for managing and reporting on information technology investments.

"(2) Briefing.—Not later than February 3, 2020, the Chief Information Officer of the Department of Defense shall brief the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] on the process optimization undertaken pursuant to paragraph (1), including any recommendations for legislation.

"(b) Delivery of Information Technology Budget.—The Secretary of Defense shall submit to the congressional defense committees the Department of Defense budget request for information technology not later than 15 days after the submittal to Congress of the budget of the President for a fiscal year pursuant to section 1105 of title 31, United States Code."

Chief Data Officer Responsibility for DoD Data Sets

Pub. L. 116–92, div. A, title IX, §903(b), Dec. 20, 2019, 133 Stat. 1555, as amended by Pub. L. 117–263, div. A, title II, §212(k), Dec. 23, 2022, 136 Stat. 2470, provided that:

"(1) In general.—In addition to any other functions and responsibilities specified in section 3520(c) of title 44, United States, Code, the Chief Data Officer of the Department of Defense shall also be the official in the Department of Defense with principal responsibility for providing for the availability of common, usable, Defense-wide data sets.

"(2) Access to all dod data.—In order to carry out the responsibility specified in paragraph (1), the Chief Data Officer shall have access to all Department of Defense data, including data in connection with warfighting missions and back-office data.

"(3) Report.—Not later than December 1, 2019, the Secretary of Defense shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report setting forth such recommendations for legislative or administrative action as the Secretary considers appropriate to carry out this subsection."

Policy Regarding the Transition of Data and Applications to the Cloud

Pub. L. 116–92, div. A, title XVII, §1755, Dec. 20, 2019, 133 Stat. 1854, provided that:

"(a) Policy Required.—Not later than 180 days after the date of the enactment of this Act [Dec. 20, 2019], the Chief Information Officer of the Department of Defense and the Chief Data Officer of the Department shall, in consultation with the J6 of the Joint Staff and the Chief Management Officer, develop and issue enterprise-wide policy and implementing instructions regarding the transition of data and applications to the cloud under the Department cloud strategy in accordance with subsection (b).

"(b) Design.—The policy required by subsection (a) shall be designed to dramatically improve support to operational missions and management processes, including by the use of artificial intelligence and machine learning technologies, by—

"(1) making the data of the Department available to support new types of analyses;

"(2) preventing, to the maximum extent practicable, the replication in the cloud of data stores that cannot readily be accessed by applications for which the data stores were not originally engineered;

"(3) ensuring that data sets can be readily discovered and combined with others to enable new insights and capabilities; and

"(4) ensuring that data and applications are readily portable and not tightly coupled to a specific cloud infrastructure or platform."

Activities and Reporting Relating to Department of Defense's Cloud Initiative

Pub. L. 115–232, div. A, title X, §1064, Aug. 13, 2018, 132 Stat. 1971, provided that:

"(a) Activities Required.—Commencing not later than 90 days after the date of the enactment of this Act [Aug. 13, 2018], the Chief Information Officer of the Department of Defense, acting through the Cloud Executive Steering Group established by the Deputy Secretary of Defense in a directive memorandum dated September 13, 2017, in order to support its Joint Enterprise Defense Infrastructure initiative to procure commercial cloud services, shall conduct certain key enabling activities as follows:

"(1) Develop an approach to rapidly acquire advanced commercial network capabilities, including software-defined networking, on-demand bandwidth, and aggregated cloud access gateways, through commercial service providers in order—

"(A) to support the migration of applications and systems to commercial cloud platforms;

"(B) to increase visibility of end-to-end performance to enable and enforce service level agreements for cloud services;

"(C) to ensure efficient and common cloud access;

"(D) to facilitate shifting data and applications from one cloud platform to another;

"(E) to improve cybersecurity; and

"(F) to consolidate networks and achieve efficiencies and improved performance;

"(2) Conduct an analysis of existing workloads that would be migrated to the Joint Enterprise Defense Infrastructure, including—

"(A) identifying all of the cloud initiatives across the Department of Defense, and determining the objectives of such initiatives in connection with the intended scope of the Infrastructure;

"(B) identifying all the systems and applications that the Department would intend to migrate to the Infrastructure;

"(C) conducting rationalization of applications to identify applications and systems that may duplicate the processing of workloads in connection with the Infrastructure; and

"(D) as result of such actions, arriving at dispositions about migration or termination of systems and applications in connection with the Infrastructure.

"(b) Report Required.—The Chief Information Officer shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the Department of Defense's Cloud Initiative to manage networks, data centers, and clouds at the enterprise level. Such report shall include each of the following:

"(1) A description [of] the status of completion of the activities required under subsection (a).

"(2) Information relating to the current composition of the Cloud Executive Steering Group and the stakeholders relating to the Department of Defense's Cloud Initiative and associated mission, objectives, goals, and strategy.

"(3) A description of the characteristics and considerations for accelerating the cloud architecture and services required for a global, resilient, and secure information environment.

"(4) Information relating to acquisition strategies and timeline for efforts associated with the Department of Defense's Cloud Initiative, including the Joint Enterprise Defense Infrastructure.

"(5) A description of how the acquisition strategies referred to in paragraph (4) provides [sic] for a full and open competition, enable the Department of Defense to continuously leverage and acquire new cloud computing capabilities, maintain the ability of the Department to leverage other cloud computing vendor products and services, incorporate elements to maintain security, and provide for the best performance, cost, and schedule to meet the cloud architecture and services requirements of the Department for the duration of such contract.

"(6) A detailed description of existing workloads that will be migrated to enterprise-wide cloud infrastructure or platforms as a result of the Department of Defense's Cloud Initiative, including estimated migration costs and timelines, based on the analysis required under subsection (a)(2).

"(7) A description of the program management and program office of the Department of Defense's Cloud Initiative, including the number of personnel, overhead costs, and organizational structure.

"(8) A description of the effect of the Joint Enterprise Defense Infrastructure on and the relationship of such Infrastructure to existing cloud computing infrastructure, platform, and service contracts across the Department of Defense, specifically the effect and relationship to the private cloud infrastructure of the Department, MilCloud 2.0 run by the Defense Information Systems Agency based on the analysis required under subsection (a)(2).

"(9) Information relating to the most recent Department of Defense Cloud Computing Strategy and description of any initiatives to update such Strategy.

"(10) Information relating to Department of Defense guidance pertaining to cloud computing capability or platform acquisition and standards, and a description of any initiatives to update such guidance.

"(11) Any other matters the Secretary of Defense determines relevant.

"(c) Limitation on Use of Funds.—Of the amounts authorized to be appropriated or otherwise made available by this Act [see Tables for classification] for fiscal year 2019 for the Department of Defense's Cloud Initiative, not more than 85 percent may be obligated or expended until the Secretary of Defense submits to the congressional defense committees the report required by subsection (b).

"(d) Limitation on New Systems and Applications.—

"(1) In general.—Except as provided in paragraph (2), the Deputy Secretary shall require that no new system or application will be approved for development or modernization without an assessment that such system or application is already, or can and would be, cloud-hosted.

"(2) Waiver.—The Deputy Secretary may issue a national waiver to the requirement under paragraph (1) if the Deputy Secretary determines, pursuant to the assessment described in such paragraph, that the requirement would adversely affect the national security of the United States. If the Deputy Secretary issues a waiver under this paragraph, the Deputy Secretary shall provide to the congressional defense committees a written notification of such waiver, justification for the waiver, and identification of the system or application to which the waiver applies by not later than 15 days after the date on which the waiver is issued.

"(e) Transparency and Competition.—The Deputy Secretary shall ensure that the acquisition approach of the Department continues to follow the Federal Acquisition Regulation with respect to competition."

Pilot Program for Open Source Software

Pub. L. 115–91, div. A, title VIII, §875, Dec. 12, 2017, 131 Stat. 1503, provided that:

"(a) In General.—Not later than 180 days after the date of the enactment of this Act [Dec. 12, 2017], the Secretary of Defense shall initiate for the Department of Defense the open source software pilot program established by the Office of Management and Budget Memorandum M-16-21 titled 'Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software' and dated August 8, 2016.

"(b) Report to Congress.—Not later than 60 days after the date of the enactment of this Act, the Secretary of Defense shall provide a report to Congress with details of the plan of the Department of Defense to implement the pilot program required by subsection (a). Such plan shall include identifying candidate software programs, selection criteria, intellectual property and licensing issues, and other matters determined by the Secretary.

"(c) Comptroller General Report.—Not later than June 1, 2019, the Comptroller General of the United States shall provide a report to Congress on the implementation of the pilot program required by subsection (a) by the Secretary of Defense. The report shall address, at a minimum, the compliance of the Secretary with the requirements of the Office of Management and Budget Memorandum M-16-21, the views of various software and information technology stakeholders in the Department of Defense, and any other matters determined by the Comptroller General."

Pilot Program on Evaluation of Commercial Information Technology

Pub. L. 114–328, div. A, title II, §232, Dec. 23, 2016, 130 Stat. 2061, provided that:

"(a) Pilot Program.—The Director of the Defense Information Systems Agency may carry out a pilot program to evaluate commercially available information technology tools to better understand the potential impact of such tools on networks and computing environments of the Department of Defense.

"(b) Activities.—Activities under the pilot program may include the following:

"(1) Prototyping, experimentation, operational demonstration, military user assessments, and other means of obtaining quantitative and qualitative feedback on the commercial information technology products.

"(2) Engagement with the commercial information technology industry to—

"(A) forecast military requirements and technology needs; and

"(B) support the development of market strategies and program requirements before finalizing acquisition decisions and strategies.

"(3) Assessment of novel or innovative commercial technology for use by the Department of Defense.

"(4) Assessment of novel or innovative contracting mechanisms to speed delivery of capabilities to the Armed Forces.

"(5) Solicitation of operational user input to shape future information technology requirements of the Department of Defense.

"(c) Limitation on Availability of Funds.—Of the amounts authorized to be appropriated for research, development, test, and evaluation, Defense-wide, for each of fiscal years 2017 through 2022, not more than $15,000,000 may be expended on the pilot program in any such fiscal year."

Additional Requirements Relating to the Software Licenses of the Department of Defense

Pub. L. 113–66, div. A, title IX, §935, Dec. 26, 2013, 127 Stat. 833, provided that:

"(a) Updated Plan.—

"(1) Update.—The Chief Information Officer of the Department of the Defense shall, in consultation with the chief information officers of the military departments and the Defense Agencies, update the plan for the inventory of selected software licenses of the Department of Defense required under section 937 of the National Defense Authorization Act for 2013 [probably means the National Defense Authorization Act for Fiscal Year 2013] (Public Law 112–239; 10 U.S.C. 2223 note) to include a plan for the inventory of all software licenses of the Department of Defense for which a military department spends more than $5,000,000 annually on any individual title, including a comparison of licenses purchased with licenses in use.

"(2) Elements.—The update required under paragraph (1) shall—

"(A) include plans for implementing an automated solution capable of reporting the software license compliance position of the Department and providing a verified audit trail, or an audit trail otherwise produced and verified by an independent third party;

"(B) include details on the process and business systems necessary to regularly perform reviews, a procedure for validating and reporting deregistering and registering new software, and a mechanism and plan to relay that information to the appropriate chief information officer; and

"(C) a proposed timeline for implementation of the updated plan in accordance with paragraph (3).

"(3) Submission.—Not later than September 30, 2015, the Chief Information Officer of the Department of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] the updated plan required under paragraph (1).

"(b) Performance Plan.—If the Chief Information Officer of the Department of Defense determines through the implementation of the process and business systems in the updated plan required by subsection (a) that the number of software licenses of the Department for an individual title for which a military department spends greater than $5,000,000 annually exceeds the needs of the Department for such software licenses, or the inventory discloses that there is a discrepancy between the number of software licenses purchased and those in actual use, the Chief Information Officer of the Department of Defense shall implement a plan to bring the number of such software licenses into balance with the needs of the Department and the terms of any relevant contract."

Collection and Analysis of Network Flow Data

Pub. L. 112–239, div. A, title IX, §935, Jan. 2, 2013, 126 Stat. 1886, provided that:

"(a) Development of Technologies.—The Chief Information Officer of the Department of Defense may, in coordination with the Under Secretary of Defense for Policy and the Under Secretary of Defense for Intelligence [now Under Secretary of Defense for Intelligence and Security] and acting through the Director of the Defense Information Systems Agency, use the available funding and research activities and capabilities of the Community Data Center of the Defense Information Systems Agency to develop and demonstrate collection, processing, and storage technologies for network flow data that—

"(1) are potentially scalable to the volume used by Tier 1 Internet Service Providers to collect and analyze the flow data across their networks;

"(2) will substantially reduce the cost and complexity of capturing and analyzing high volumes of flow data; and

"(3) support the capability—

"(A) to detect and identify cyber security threats, networks of compromised computers, and command and control sites used for managing illicit cyber operations and receiving information from compromised computers;

"(B) to track illicit cyber operations for attribution of the source; and

"(C) to provide early warning and attack assessment of offensive cyber operations.

"(b) Coordination.—Any research and development required in the development of the technologies described in subsection (a) shall be conducted in cooperation with the heads of other appropriate departments and agencies of the Federal Government and, whenever feasible, Tier 1 Internet Service Providers and other managed security service providers."

Competition for Large-Scale Software Database and Data Analysis Tools

Pub. L. 112–239, div. A, title IX, §936, Jan. 2, 2013, 126 Stat. 1886, provided that:

"(a) Analysis.—

"(1) Requirement.—The Secretary of Defense, acting through the Chief Information Officer of the Department of Defense, shall conduct an analysis of large-scale software database tools and large-scale software data analysis tools that could be used to meet current and future Department of Defense needs for large-scale data analytics.

"(2) Elements.—The analysis required under paragraph (1) shall include—

"(A) an analysis of the technical requirements and needs for large-scale software database and data analysis tools, including prioritization of key technical features needed by the Department of Defense; and

"(B) an assessment of the available sources from Government and commercial sources to meet such needs, including an assessment by the Deputy Assistant Secretary of Defense for Manufacturing and Industrial Base Policy to ensure sufficiency and diversity of potential commercial sources.

"(3) Submission.—Not later than 180 days after the date of the enactment of this Act [Jan. 2, 2013], the Chief Information Officer shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] the results of the analysis required under paragraph (1).

"(b) Competition Required.—

"(1) In general.—If, following the analysis required under subsection (a), the Chief Information Officer of the Department of Defense identifies needs for software systems or large-scale software database or data analysis tools, the Department shall acquire such systems or such tools based on market research and using competitive procedures in accordance with applicable law and the Defense Federal Acquisition Regulation Supplement.

"(2) Notification.—If the Chief Information Officer elects to acquire large-scale software database or data analysis tools using procedures other than competitive procedures, the Chief Information Officer and the Under Secretary of Defense for Acquisition, Technology, and Logistics shall submit a written notification to the congressional defense committees on a quarterly basis until September 30, 2018, that describes the acquisition involved, the date the decision was made, and the rationale for not using competitive procedures."

Software Licenses of the Department of Defense

Pub. L. 112–239, div. A, title IX, §937, Jan. 2, 2013, 126 Stat. 1887, provided that:

"(a) Plan for Inventory of Licenses.—

"(1) In general.—Not later than 180 days after the date of the enactment of this Act [Jan. 2, 2013], the Chief Information Officer of the Department of the [sic] Defense shall, in consultation with the chief information officers of the military departments and the Defense Agencies, issue a plan for the inventory of selected software licenses of the Department of Defense, including a comparison of licenses purchased with licenses installed.

"(2) Selected software licenses.—The Chief Information Officer shall determine the software licenses to be treated as selected software licenses of the Department for purposes of this section. The licenses shall be determined so as to maximize the return on investment in the inventory conducted pursuant to the plan required by paragraph (1).

"(3) Plan elements.—The plan under paragraph (1) shall include the following:

"(A) An identification and explanation of the software licenses determined by the Chief Information Officer under paragraph (2) to be selected software licenses for purposes of this section, and a summary outline of the software licenses determined not to be selected software licenses for such purposes.

"(B) Means to assess the needs of the Department and the components of the Department for selected software licenses during the two fiscal years following the date of the issuance of the plan.

"(C) Means by which the Department can achieve the greatest possible economies of scale and cost savings in the procurement, use, and optimization of selected software licenses.

"(b) Performance Plan.—If the Chief Information Officer determines through the inventory conducted pursuant to the plan required by subsection (a) that the number of selected software licenses of the Department and the components of the Department exceeds the needs of the Department for such software licenses, the Secretary of Defense shall implement a plan to bring the number of such software licenses into balance with the needs of the Department."

Ozone Widget Framework

Pub. L. 112–81, div. A, title IX, §924, Dec. 31, 2011, 125 Stat. 1539, provided that:

"(a) Mechanism for Internet Publication of Information for Development of Analysis Tools and Applications.—The Chief Information Officer of the Department of Defense, acting through the Director of the Defense Information Systems Agency, shall implement a mechanism to publish and maintain on the public Internet the application programming interface specifications, a developer's toolkit, source code, and such other information on, and resources for, the Ozone Widget Framework (OWF) as the Chief Information Officer considers necessary to permit individuals and companies to develop, integrate, and test analysis tools and applications for use by the Department of Defense and the elements of the intelligence community.

"(b) Process for Voluntary Contribution of Improvements by Private Sector.—In addition to the requirement under subsection (a), the Chief Information Officer shall also establish a process by which private individuals and companies may voluntarily contribute the following:

"(1) Improvements to the source code and documentation for the Ozone Widget Framework.

"(2) Alternative or compatible implementations of the published application programming interface specifications for the Framework.

"(c) Encouragement of Use and Development.—The Chief Information Officer shall, whenever practicable, encourage and foster the use, support, development, and enhancement of the Ozone Widget Framework by the computer industry and commercial information technology vendors, including the development of tools that are compatible with the Framework."

Continuous Monitoring of Department of Defense Information Systems for Cybersecurity

Pub. L. 111–383, div. A, title IX, §931, Jan. 7, 2011, 124 Stat. 4334, provided that:

"(a) In General.—The Secretary of Defense shall direct the Chief Information Officer of the Department of Defense to work, in coordination with the Chief Information Officers of the military departments and the Defense Agencies and with senior cybersecurity and information assurance officials within the Department of Defense and otherwise within the Federal Government, to achieve, to the extent practicable, the following:

"(1) The continuous prioritization of the policies, principles, standards, and guidelines developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) based upon the evolving threat of information security incidents with respect to national security systems, the vulnerability of such systems to such incidents, and the consequences of information security incidents involving such systems.

"(2) The automation of continuous monitoring of the effectiveness of the information security policies, procedures, and practices within the information infrastructure of the Department of Defense, and the compliance of that infrastructure with such policies, procedures, and practices, including automation of—

"(A) management, operational, and technical controls of every information system identified in the inventory required under section 3505(c) of title 44, United States Code; and

"(B) management, operational, and technical controls relied on for evaluations under [former] section 3545 of title 44, United States Code [see now 44 U.S.C. 3555].

"(b) Definitions.—In this section:

"(1) The term 'information security incident' means an occurrence that—

"(A) actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information such system processes, stores, or transmits; or

"(B) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies with respect to an information system.

"(2) The term 'information infrastructure' means the underlying framework, equipment, and software that an information system and related assets rely on to process, transmit, receive, or store information electronically.

"(3) The term 'national security system' has the meaning given that term in [former] section 3542(b)(2) of title 44, United States Code [see now 44 U.S.C. 3552(b)(6)]."