StacksVerified U.S. regulatory reference

22 U.S.C. § 10308

Verified against govinfo.gov as of June 20, 2026View official text on govinfo.gov
  1. (a)In this section:
    1. (1)The term “at-risk personnel” means personnel of the Department—
      1. (A)whom the Secretary determines to be highly vulnerable to cyber attacks and hostile information collection activities because of their positions in the Department; and
      2. (B)whose personal technology devices or personal accounts are highly vulnerable to cyber attacks and hostile information collection activities.
    2. (2)The term “personal accounts” means accounts for online and telecommunications services, including telephone, residential internet access, email, text and multimedia messaging, cloud computing, social media, health care, and financial services, used by Department personnel outside of the scope of their employment with the Department.
    3. (3)The term “personal technology devices” means technology devices used by personnel of the Department outside of the scope of their employment with the Department, including networks to which such devices connect.
  2. (b)The Secretary, in consultation with the Secretary of Homeland Security and the Director of National Intelligence, as appropriate—
    1. (1)shall offer cyber protection support for the personal technology devices and personal accounts of at-risk personnel; and
    2. (2)may provide the support described in paragraph (1) to any Department personnel who request such support.
  3. (c)Subject to the availability of resources, the cyber protection support provided to personnel pursuant to subsection (b) may include training, advice, assistance, and other services relating to protection against cyber attacks and hostile information collection activities.
  4. (d)The Department is prohibited pursuant to this section from accessing or retrieving any information from any personal technology device or personal account of Department employees unless—
    1. (1)access or information retrieval is necessary for carrying out the cyber protection support specified in this section; and
    2. (2)the Department has received explicit consent from the employee to access a personal technology device or personal account prior to each time such device or account is accessed.
  5. (e)Nothing in this section may be construed—
    1. (1)to encourage Department personnel to use personal technology devices for official business; or
    2. (2)to authorize cyber protection support for senior Department personnel using personal devices, networks, and personal accounts in an official capacity.
  6. (f)
    1. (1)Not later than 180 days after December 22, 2023, the Secretary shall submit to the appropriate committees of Congress a report regarding the provision of cyber protection support pursuant to subsection (b), which shall include—
      1. (A)a description of the methodology used to make the determination under subsection (a)(1); and
      2. (B)guidance for the use of cyber protection support and tracking of support requests for personnel receiving cyber protection support pursuant to subsection (b).
    2. (2)In this subsection, the term “appropriate committees of Congress” means—
      1. (A)the appropriate congressional committees;
      2. (B)the Select Committee on Intelligence and the Committee on Homeland Security and Governmental Affairs of the Senate; and
      3. (C)the Permanent Select Committee on Intelligence and the Committee on Oversight and Accountability of the House of Representatives.