2011 US Code
Title 10 - Armed Forces
Subtitle A - General Military Law (§§ 101 - 2925)
Part IV - SERVICE, SUPPLY, AND PROCUREMENT (§§ 2201 - 2925)
Chapter 131 - PLANNING AND COORDINATION (§§ 2201 - 2229a)
Section 2224 - Defense Information Assurance Program
Publication Title | United States Code, 2006 Edition, Supplement 5, Title 10 - ARMED FORCES
Category | Bills and Statutes
Collection | United States Code
SuDoc Class Number | Y 1.2/5:
Contained Within | Title 10 - ARMED FORCES; Subtitle A - General Military Law; PART IV - SERVICE, SUPPLY, AND PROCUREMENT; CHAPTER 131 - PLANNING AND COORDINATION; Sec. 2224 - Defense Information Assurance Program
Contains | section 2224
Date | 2011
Laws in Effect as of Date | January 3, 2012
Positive Law | Yes
Disposition | standard
Source Credit | Added Pub. L. 106-65, div. A, title X, §1043(a), Oct. 5, 1999, 113 Stat. 760; amended Pub. L. 106-398, §1 [[div. A], title X, §1063], Oct. 30, 2000, 114 Stat. 1654, 1654A-274; Pub. L. 107-296, title X, §1001(c)(1)(B), Nov. 25, 2002, 116 Stat. 2267; Pub. L. 107-347, title III, §301(c)(1)(B), Dec. 17, 2002, 116 Stat. 2955; Pub. L. 108-136, div. A, title X, §1031(a)(12), Nov. 24, 2003, 117 Stat. 1597; Pub. L. 108-375, div. A, title X, §1084(d)(17), Oct. 28, 2004, 118 Stat. 2062.
Statutes at Large References | 113 Stat. 760; 114 Stat. 1654, 1654A-52; 116 Stat. 2267, 2955; 117 Stat. 1597; 118 Stat. 2062; 124 Stat. 4335; 125 Stat. 1537, 1550
Public Law References | Public Law 106-65, Public Law 106-398, Public Law 107-296, Public Law 107-347, Public Law 108-136, Public Law 108-375, Public Law 111-383, Public Law 112-81
(a)
(b)
(c)
(1) A vulnerability and threat assessment of elements of the defense and supporting nondefense information infrastructures that are essential to the operations of the Department and the armed forces.
(2) Development of essential information assurances technologies and programs.
(3) Organization of the Department, the armed forces, and supporting activities to defend against information warfare.
(4) Joint activities of the Department with other departments and agencies of the Government, State and local agencies, and elements of the national information infrastructure.
(5) The conduct of exercises, war games, simulations, experiments, and other activities designed to prepare the Department to respond to information warfare threats.
(6) Development of proposed legislation that the Secretary considers necessary for implementing the program or for otherwise responding to the information warfare threat.
(d)
[(e) Repealed. Pub. L. 108–136, div. A, title X, §1031(a)(12), Nov. 24, 2003, 117 Stat. 1597.]
(f)
(1) an integrated organization structure to plan and facilitate the conduct of simulations, war games, exercises, experiments, and other activities to prepare and inform the Department regarding information warfare threats; and
(2) organization and planning means for the conduct by the Department of the integrated or joint exercises and experiments with elements of the national information systems infrastructure and other non-Department of Defense organizations that are responsible for the oversight and management of critical information systems and infrastructures on which the Department, the armed forces, and supporting activities depend for the conduct of daily operations and operations during crisis.
(Added Pub. L. 106–65, div. A, title X, §1043(a), Oct. 5, 1999, 113 Stat. 760; amended Pub. L. 106–398, §1 [[div. A], title X, §1063], Oct. 30, 2000, 114 Stat. 1654, 1654A–274; Pub. L. 107–296, title X, §1001(c)(1)(B), Nov. 25, 2002, 116 Stat. 2267; Pub. L. 107–347, title III, §301(c)(1)(B), Dec. 17, 2002, 116 Stat. 2955; Pub. L. 108–136, div. A, title X, §1031(a)(12), Nov. 24, 2003, 117 Stat. 1597; Pub. L. 108–375, div. A, title X, §1084(d)(17), Oct. 28, 2004, 118 Stat. 2062.)
Amendments
2004—Subsec. (c). Pub. L. 108–375 substituted “subchapter II” for “subtitle II” in introductory provisions.
2003—Subsec. (e). Pub. L. 108–136 struck out subsec. (e) which directed the Secretary of Defense to annually submit to Congress a report on the Defense Information Assurance Program.
2002—Subsec. (b). Pub. L. 107–296, §1001(c)(1)(B)(i), and Pub. L. 107–347, §301(c)(1)(B)(i), amended subsec. (b) identically, substituting “Objectives of the Program” for “Objectives and Minimum Requirements” in heading and striking out par. (1) designation before “The objectives”.
Subsec. (b)(2). Pub. L. 107–347, §301(c)(1)(B)(ii), struck out par. (2) which read as follows: “The program shall at a minimum meet the requirements of sections 3534 and 3535 of title 44.”
Pub. L. 107–296, §1001(c)(1)(B)(ii), which directed the striking out of “(2) the program shall at a minimum meet the requirements of section 3534 and 3535 of title 44, United States Code.” could not be executed. See above par.
Subsec. (c). Pub. L. 107–347, §301(c)(1)(B)(iii), inserted “, including through compliance with subchapter III of chapter 35 of title 44” after “infrastructure” in introductory provisions.
Pub. L. 107–296, §1001(c)(1)(B)(iii), inserted “, including through compliance with subtitle II of chapter 35 of title 44” after “infrastructure” in introductory provisions.
2000—Subsec. (b). Pub. L. 106–398, §1 [[div. A], title X, §1063(a)], substituted “
Subsec. (e)(7). Pub. L. 106–398, §1 [[div. A], title X, §1063(b)], added par. (7).
Effective Date of 2002 Amendment
Amendment by Pub. L. 107–296 effective 60 days after Nov. 25, 2002, see section 4 of Pub. L. 107–296, set out as an Effective Date note under section 101 of Title 6, Domestic Security.
Effective Date of 2000 Amendment
Amendment by Pub. L. 106–398 effective 30 days after Oct. 30, 2000, see section 1 [[div. A], title X, §1065] of Pub. L. 106–398, set out as an Effective Date note under section 3531 of Title 44, Public Printing and Documents.
Insider Threat Detection
Pub. L. 112–81, div. A, title IX, §922, Dec. 31, 2011, 125 Stat. 1537, provided that:
“(a)
“(b)
“(1) Technology solutions for deployment within the Department of Defense that allow for centralized monitoring and detection of unauthorized activities, including—
“(A) monitoring the use of external ports and read and write capability controls;
“(B) disabling the removable media ports of computers physically or electronically;
“(C) electronic auditing and reporting of unusual and unauthorized user activities;
“(D) using data-loss prevention and data-rights management technology to prevent the unauthorized export of information from a network or to render such information unusable in the event of the unauthorized export of such information;
“(E) a roles-based access certification system;
“(F) cross-domain guards for transfers of information between different networks; and
“(G) patch management for software and security updates.
“(2) Policies and procedures to support such program, including special consideration for policies and procedures related to international and interagency partners and activities in support of ongoing operations in areas of hostilities.
“(3) A governance structure and process that integrates information security and sharing technologies with the policies and procedures referred to in paragraph (2). Such structure and process shall include—
“(A) coordination with the existing security clearance and suitability review process;
“(B) coordination of existing anomaly detection techniques, including those used in counterintelligence investigation or personnel screening activities; and
“(C) updating and expediting of the classification review and marking process.
“(4) A continuing analysis of—
“(A) gaps in security measures under the program; and
“(B) technology, policies, and processes needed to increase the capability of the program beyond the initially established full operating capability to address such gaps.
“(5) A baseline analysis framework that includes measures of performance and effectiveness.
“(6) A plan for how to ensure related security measures are put in place for other departments or agencies with access to Department of Defense networks.
“(7) A plan for enforcement to ensure that the program is being applied and implemented on a uniform and consistent basis.
“(c)
“(1) achieves initial operating capability not later than October 1, 2012; and
“(2) achieves full operating capability not later than October 1, 2013.
“(d)
“(1) the implementation plan for the program established under subsection (a);
“(2) the resources required to implement the program;
“(3) specific efforts to ensure that implementation does not negatively impact activities in support of ongoing operations in areas of hostilities;
“(4) a definition of the capabilities that will be achieved at initial operating capability and full operating capability, respectively; and
“(5) a description of any other issues related to such implementation that the Secretary considers appropriate.
“(e)
“(1) Not later than 90 days after the date of the enactment of this Act [Dec. 31, 2011], a briefing describing the governance structure referred to in subsection (b)(3).
“(2) Not later than 120 days after the date of the enactment of this Act, a briefing detailing the inventory and status of technology solutions deployment referred to in subsection (b)(1), including an identification of the total number of host platforms planned for such deployment, the current number of host platforms that provide appropriate security, and the funding and timeline for remaining deployment.
“(3) Not later than 180 days after the date of the enactment of this Act, a briefing detailing the policies and procedures referred to in subsection (b)(2), including an assessment of the effectiveness of such policies and procedures and an assessment of the potential impact of such policies and procedures on information sharing within the Department of Defense and with interagency and international partners.
“(f)
Pub. L. 112–81, div. A, title IX, §953, Dec. 31, 2011, 125 Stat. 1550, provided that:
“(a)
“(b)
“(1)
“(A) be adequate to enable well-trained analysts to discover the sophisticated attacks conducted by nation-state adversaries that are categorized as ‘advanced persistent threats’;
“(B) be appropriate for—
“(i) endpoints or hosts;
“(ii) network-level gateways operated by the Defense Information Systems Agency where the Department of Defense network connects to the public Internet; and
“(iii) global networks owned and operated by private sector Tier 1 Internet Service Providers;
“(C) at the endpoints or hosts, add new discovery capabilities to the Host-Based Security System of the Department, including capabilities such as—
“(i) automatic blocking of unauthorized software programs and accepting approved and vetted programs;
“(ii) constant monitoring of all key computer attributes, settings, and operations (such as registry keys, operations running in memory, security settings, memory tables, event logs, and files); and
“(iii) automatic baselining and remediation of altered computer settings and files;
“(D) at the network-level gateways and internal network peering points, include the sustainment and enhancement of a system that is based on full-packet capture, session reconstruction, extended storage, and advanced analytic tools, by—
“(i) increasing the number and skill level of the analysts assigned to query stored data, whether by contracting for security services, hiring and training Government personnel, or both; and
“(ii) increasing the capacity of the system to handle the rates for data flow through the gateways and the storage requirements specified by the United States Cyber Command; and
“(E) include the behavior-based threat detection capabilities of Tier 1 Internet Service Providers and other companies that operate on the global Internet.
“(2)
“(c)
“(d)
“(e)
Pub. L. 111–383, div. A, title IX, §932, Jan. 7, 2011, 124 Stat. 4335, provided that:
“(a)
“(b)
“(1) A major system, as that term is defined in section 2302(5) of title 10, United States Code.
“(2) A national security system, as that term is defined in section 3542(b)(2) of title 44, United States Code.
“(3) Any Department of Defense information system categorized as Mission Assurance Category I.
“(4) Any Department of Defense information system categorized as Mission Assurance Category II in accordance with Department of Defense Directive 8500.01E.
“(c)
“(1) Policy and regulations on the following:
“(A) Software assurance generally.
“(B) Contract requirements for software assurance for covered systems in development and production.
“(C) Inclusion of software assurance in milestone reviews and milestone approvals.
“(D) Rigorous test and evaluation of software assurance in development, acceptance, and operational tests.
“(E) Certification and accreditation requirements for software assurance for new systems and for updates for legacy systems, including mechanisms to monitor and enforce reciprocity of certification and accreditation processes among the military departments and Defense Agencies.
“(F) Remediation in legacy systems of critical software assurance deficiencies that are defined as critical in accordance with the Application Security Technical Implementation Guide of the Defense Information Systems Agency.
“(2) Allocation of adequate facilities and other resources for test and evaluation and certification and accreditation of software to meet applicable requirements for research and development, systems acquisition, and operations.
“(3) Mechanisms for protection against compromise of information systems through the supply chain or cyber attack by acquiring and improving automated tools for—
“(A) assuring the security of software and software applications during software development;
“(B) detecting vulnerabilities during testing of software; and
“(C) detecting intrusions during real-time monitoring of software applications.
“(4) Mechanisms providing the Department of Defense with the capabilities—
“(A) to monitor systems and applications in order to detect and defeat attempts to penetrate or disable such systems and applications; and
“(B) to ensure that such monitoring capabilities are integrated into the Department of Defense system of cyber defense-in-depth capabilities.
“(5) An update to Committee for National Security Systems Instruction No. 4009, entitled ‘National Information Assurance Glossary’, to include a standard definition for software security assurance.
“(6) Either—
“(A) mechanisms to ensure that vulnerable Mission Assurance Category III information systems, if penetrated, cannot be used as a foundation for penetration of protected covered systems, and means for assessing the effectiveness of such mechanisms; or
“(B) plans to address critical vulnerabilities in Mission Assurance Category III information systems to prevent their use for intrusions of Mission Assurance Category I systems and Mission Assurance Category II systems.
“(7) A funding mechanism for remediation of critical software assurance vulnerabilities in legacy systems.
“(d)
“(1) A description of the current status of the strategy required by subsection (a) and of the implementation of the strategy, including a description of the role of the strategy in the risk management by the Department regarding the supply chain and in operational planning for cyber security.
“(2) A description of the risks, if any, that the Department will accept in the strategy due to limitations on funds or other applicable constraints.”
Institute for Defense Computer Security and Information Protection
Pub. L. 106–398, §1 [[div. A], title IX, §921], Oct. 30, 2000, 114 Stat. 1654, 1654A–233, provided that:
“(a)
“(b)
“(1) to conduct research and technology development that is relevant to foreseeable computer and network security requirements and information assurance requirements of the Department of Defense with a principal focus on areas not being carried out by other organizations in the private or public sector; and
“(2) to facilitate the exchange of information regarding cyberthreats, technology, tools, and other relevant issues.
“(c)
“(d)
“(e)