10 USC Ch. 19: Front Matter
From Title 10-ARMED FORCES; Subtitle A-General Military Law; PART I-ORGANIZATION AND GENERAL MILITARY POWERS; CHAPTER 19-CYBER AND INFORMATION OPERATIONS MATTERS

CHAPTER 19-CYBER AND INFORMATION OPERATIONS MATTERS

Sec.
391. Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors.
391a. Annual reports on support by military departments for United States Cyber Command.
391b. Strategic cybersecurity program.
392. Executive agents for cyber test and training ranges.
392a. Principal Cyber Advisors.
393. Reporting on penetrations of networks and information systems of certain contractors.
394. Authorities concerning military cyber operations.
395. Notification requirements for sensitive military cyber operations.
396. Notification requirements for cyber weapons.
397. Principal Information Operations Advisor.
398. Military information support operations in information environment.
398a. Pilot program for sharing cyber capabilities and related information with foreign operational partners.
399. Notifications relating to military operations in the information environment: requirement to notify Chief of Mission.

        

Editorial Notes

Amendments

2023- Pub. L. 118–31, div. A, title XV, §§1501(1), 1502(a)(1), title XVIII, §1801(a)(6), Dec. 22, 2023, 137 Stat. 533, 683, added item 391b and made identical amendments redesignating item 398 "Pilot program for sharing cyber capabilities and related information with foreign operational partners" as 398a. Amendments were made pursuant to operation of section 102 of this title.

2022- Pub. L. 117–263, div. A, title X, §1052(b), title XV, §§1501(b)(1), 1502(a), 1521, 1551(b), Dec. 23, 2022, 136 Stat. 2777, 2877, 2879, 2897, 2919, added items 391a, 392a, and 399 and two items 398.

2019- Pub. L. 116–92, div. A, title XVI, §1631(a)(2)(A), Dec. 20, 2019, 133 Stat. 1742, substituted "CYBER AND INFORMATION OPERATIONS MATTERS" for "CYBER MATTERS" in chapter heading and added item 397.

2018- Pub. L. 115–232, div. A, title XVI, §1631(c)(2), Aug. 13, 2018, 132 Stat. 2123, added items 394 to 396.

2015- Pub. L. 114–92, div. A, title X, §1081(a)(4), title XVI, §1641(c)(2), Nov. 25, 2015, 129 Stat. 1001, 1116, substituted "Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors" for "Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors" in item 391 and added item 393.

2014- Pub. L. 113–291, div. A, title XVI, §1633(d), Dec. 19, 2014, 128 Stat. 3643, added item 392.


Statutory Notes and Related Subsidiaries

Department of Defense Data Ontology Governance Working Group

Pub. L. 119–60, div. A, title XV, §1504, Dec. 18, 2025, 139 Stat. 1140, provided that:

"(a) Establishment.-

"(1) In general.-The Secretary of Defense shall establish a working group to develop and implement a common data ontology and governance structure across the Department of Defense.

"(2) Designation.-The working group established under to [sic] paragraph (1) shall be known as the 'Department of Defense Data Ontology Governance Working Group' (in this section the 'Working Group').

"(3) Use of existing structures.-

"(A) In general.-Notwithstanding paragraph (1), the Secretary of Defense may designate an existing forum, council, or organizational body to serve as the Working Group if such entity satisfies the requirements of subsections (b) and (c).

"(B) Rule of construction.-For the purposes of this section, a forum, council, or organizational body designated under subparagraph (A) is deemed to be a working group established by the Secretary of Defense under paragraph (1).

"(b) Purpose.-The purpose of the Working Group is to inform and to progress the Department of Defense's foundational data ontology work by developing and implementing domain-specific data ontologies and governance structures across the Department of Defense to expand data interoperability, enhance information sharing, and enable more effective decision making throughout the Department.

"(c) Membership.-The Working Group shall consist of-

"(1) the Chief Digital and Artificial Intelligence Officer of the Department of Defense;

"(2) the Chief Information Officer of the Department of Defense;

"(3) the Chief Data Officers of the Department of Defense;

"(4) the Chief Information Officers of the military departments and the combatant commands;

"(5) such representatives from defense intelligence elements as the Secretary of Defense considers appropriate;

"(6) the Under Secretary of Defense for Research and Engineering and the service acquisition executive for each military department; and

"(7) such other officers or employees of the Department of Defense as the Secretary considers appropriate.

"(d) Duties.-The Working Group shall-

"(1) coordinate with and build upon any existing data ontology development efforts for foundational data ontologies within the Department of Defense and the intelligence community (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)) to ensure complementary and nonduplicative efforts;

"(2) incorporate Department-wide data and data from defense intelligence elements into the development of domain-specific data ontologies Department-wide;

"(3) develop and maintain domain-specific data ontologies that address functional areas within the Department;

"(4) establish a process to identify and designate functional area leads responsible for leading the development, review, approval, and respective guidance of domain-specific data ontologies for the functional areas of such elements;

"(5) develop a structure for governing data ontologies of the Department that includes-

"(A) a centralized, accessible repository for domain-specific data ontologies of the Department;

"(B) clear ownership and role definitions for data ontology management, including authorities regarding access and modification;

"(C) standardized governance procedures for updating, reviewing, and maintaining the data ontologies;

"(D) adherence to established data ontology engineering principles that promote interoperability and reusability across domains;

"(E) infrastructure requirements that include on premises, multi-cloud and hybrid environments;

"(F) access to information networks that are on all classification levels; and

"(G) integration of domain-specific ontologies with existing Department data management practices and systems.

"(e) Functional Area Leads.-

"(1) Selection criteria.-In designating functional area leads under subsection (d)(4), the Working Group shall select individuals who possess extensive subject matter expertise in their respective functional areas and maintain substantial equities or responsibilities within the functional area.

"(2) Representation.-The Working Group shall designate functional area leads under subsection (d)(4) in a manner that ensures appropriate representation across the Department of Defense, including the military departments, combatant commands, defense agencies, and field activities.

"(3) Responsibilities.-Each functional area lead designated under subsection (d)(4) shall be responsible for-

"(A) leading the development and maintenance of domain-specific data ontologies within the functional areas for which such entity is designated as the functional area lead;

"(B) reviewing and approving domain-specific data ontology elements specific to such functional areas;

"(C) ensuring alignment between domain-specific data ontologies specific to such functional areas and the enterprise-wide foundational data ontology;

"(D) developing guidance specific to such domain-specific data ontologies for data ontology implementation; and

"(E) serving as the authoritative source for knowledge on domains in such functional areas within the data ontology governance structure.

"(f) Timeline and Deliverables.-

"(1) Establishment.-The Secretary of Defense shall ensure that the Working Group is established pursuant to subsection (a) not later than June 1, 2026, and the Working Group shall remain in effect for a period of not less than 5 years beginning on the date of the establishment of the Working Group, unless the Secretary determines that it is necessary to transition the Working Group into a permanent organization.

"(2) Functional area lead designation.-Not later than August 1, 2026, the Working Group shall identify and designate functional area leads in accordance with subsections (d)(4) and (e).

"(3) Department-level policy.-Not later than June 1, 2027, the Working Group shall develop and distribute a Department of Defense-wide policy on the data ontology governance structure, including guidelines for the development, maintenance, and integration of domain-specific ontologies.

"(4) Implementation.-Not later than June 1, 2028, the Working Group shall implement the governance structure developed under subsection (d)(5).

"(g) Briefing and Report.-

"(1) Briefing.-Not later than July 1, 2027, the Working Group shall provide to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a briefing on progress of the Working Group in carrying out this section.

"(2) Report.-Not later than June 30, 2028, the Secretary of Defense shall submit to the congressional defense committees a report on the implementation of the data ontology governance structure, including the status of the implementation of such structure for domain-specific ontologies, and recommendations for sustainment and further development.

"(h) Definitions.-In this section:

"(1) The term 'data ontology' means a formal, structured representation and categorization of data elements, their properties, and the relationships between them within an information system or knowledge domain that enables consistent interpretation, integration, and analysis of data across different systems and users.

"(2) The term 'Defense intelligence element' has the meaning given such term in section 429 of title 10, United States Code.

"(3) The term 'domain-specific data ontology' means a data ontology that is specific to a particular functional areas [sic] within the Department of Defense.

"(4) The term 'foundational data ontology' means a top-level, domain-independent data ontology that establishes universal categories and primitives applicable across information systems and upon which domain-specific ontologies are based.

"(5) The term 'functional area' means a specialized functional, operational, or subject-matter areas within the Department.

"(6) The terms 'military department' and 'service acquisition executive' have the meanings given such terms, respectively, in title 10, United States Code."

Prohibition on Access to Department of Defense Cloud-Based Resources by Certain Individuals

Pub. L. 119–60, div. A, title XVI, §1692, Dec. 18, 2025, 139 Stat. 1206, provided that:

"(a) Access Prohibition.-

"(1) Prohibition for individuals located in covered nations.-The Secretary of Defense shall prohibit any individual physically located in a covered nation from having any of the accesses described in paragraph (2).

"(2) Accesses described.-The accesses described in this paragraph are the following:

"(A) Physical access to any facility, hardware, or equipment that hosts or operates a Department of Defense cloud computing system.

"(B) Logical or remote access to a Department of Defense cloud computing system, including with respect to management interfaces, virtualization platforms, security controls, or monitoring systems.

"(C) Logical or remote access to Department of Defense data or workloads on a Department of Defense cloud computing system, including with respect to applications, configurations, network architecture, data schemas, security settings, access logs or other information that could compromise the confidentiality, integrity, or availability of the system, software, or data.

"(D) Indirect access to confidential and technical information not publicly available about a Department of Defense cloud computing system through observation, documentation, briefings, or other communication means (excluding administrative data normally shared to support business operations and compliance requirements applied to publicly traded companies).

"(b) Department of Defense Guidance, Directives, Procedures, Requirements, and Regulations.-The Secretary shall-

"(1) review all relevant guidance, directives, procedures, requirements, and regulations of the Department of Defense, including the Cloud Computing Security Requirements Guide, the Security Technical Implementation Guides, and related instructions of the Department; and

"(2) make such revisions as may be necessary to ensure conformity and compliance with subsection (a).

"(c) Briefings.-The Secretary shall provide to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] briefings on the implementation of this section as follows:

"(1) Not later than June 1, 2026, an initial briefing on the implementation status, including policies, procedures, and controls implemented to carry out this section.

"(2) Not later than June 1, 2027, and annually thereafter through 2028, briefings on the implementation progress, effectiveness of controls, security incidents, and recommendations for legislative or administrative action.

"(d) Rule of Construction.-Nothing in this section shall be construed to prohibit or restrict-

"(1) software development activities, including the development, modification, or contribution to open-source code and software; or

"(2) collaboration on or access to publicly available open-source software components that may be incorporated into Department of Defense cloud computing systems.

"(e) Definitions.-In this section:

"(1) The term 'covered nation' has the meaning given that term in section 4872 of title 10, United States Code.

"(2) The term 'Department of Defense cloud computing system' means any cloud computing (as defined by section 239.7601 of the Defense Federal Acquisition Regulation Supplement) environment accredited by the Secretary of Defense for controlled unclassified information or classified information, or a cloud computing environment that is a national security system (as defined by section 3552(b)(6) of title 44)."

Establishment of the Department of Defense Hackathon Program

Pub. L. 118–159, div. A, title XV, §1503, Dec. 23, 2024, 138 Stat. 2132, provided that:

"(a) In General.-Not later than 180 days after the date of the enactment of this Act [Dec. 23, 2024], the Chief Digital and Artificial Intelligence Officer of the Department of Defense, in coordination with the Chairman of the Joint Chiefs of Staff and the Chief Information Officer of the Department of Defense, shall establish a program (to be known as the 'Department of Defense Hackathon Program') under which the commanders of combatant commands and the Secretaries of the military departments shall carry out not fewer than four Hackathons each year.

"(b) Program Management.-The Chief Digital and Artificial Intelligence Officer of the Department of Defense shall develop and implement standards for carrying out Hackathons, provide supporting technical infrastructure to the host of each Hackathon, and determine the hosts each year under subsection (c)(1).

"(c) Hosts.-

"(1)(A) Each year, two commanders of combatant commands shall each carry out a Hackathon and two Secretaries of military departments shall each carry out a Hackathon, as determined by the Chief Digital and Artificial Intelligence Officer of the Department of Defense in accordance with this subsection.

"(B) The commanders of combatant commands and the Secretaries of military departments carrying out Hackathons pursuant to subparagraph (A) shall change each year.

"(C) Each host of a Hackathon shall-

"(i) provide to the participants invited to participate in such Hackathon a per diem allowance in accordance with section 5702 of title 5, United States Code, or section 452 of title 37, United States Code, as applicable; and

"(ii) not later than 60 days after the completion of such Hackathon, make available to the Department of Defense a report on such Hackathon.

"(2) Any commander of a combatant command or Secretary of a military department may carry out a Hackathon in addition to the Hackathons required under paragraph (1).

"(d) Hackathon Objectives.-

"(1) The host of each Hackathon shall establish objectives for the Hackathon that address a critical, technical challenge of the combatant command or military department of the host, as applicable, through the use of individuals with specialized and relevant skills, including data scientists, developers, software engineers, and other specialists as determined appropriate by the Chief Digital and Artificial Intelligence Officer of the Department of Defense or the host.

"(2) In addition to the objectives established by the host of a Hackathon under paragraph (1), the objectives for each Hackathon shall include-

"(A) fostering innovation across the Department of Defense, including in military departments and the combatant commands; and

"(B) creating repeatable processes enabling the commanders of combatant commands and the Secretaries of the military departments to more rapidly identify and develop solutions to critical, technical challenges across the Department of Defense.

"(e) Definitions.-In this section-

"(1) the term 'Hackathon' means an event carried out under the Program at which employees across the Department of Defense meet to collaboratively attempt to develop functional software or hardware solutions during the event to solve a critical, technical challenge determined by the host;

"(2) the term 'host', with respect to a Hackathon, means the commander of the combatant command or the Secretary of the military department carrying out the Hackathon;

"(3) the term 'military department' has the meaning given such term in section 101(a) of title 10, United States Code; and

"(4) the term 'Program' means the program established under subsection (a)."

Alignment of Department of Defense Cyber International Strategy With National Defense Strategy and Department of Defense Cyber Strategy

Pub. L. 117–263, div. A, title XV, §1506, Dec. 23, 2022, 136 Stat. 2882, provided that:

"(a) Alignment Required.-Not later than 270 days after the date of the enactment of this Act [Dec. 23, 2022], the Secretary of Defense, acting through the Under Secretary of Defense for Policy and in coordination with the commanders of the combatant commands and the Director of the Joint Staff, shall undertake efforts to align the cybersecurity cooperation enterprise of the Department of Defense and the cyberspace operational partnerships of the Department with-

"(1) the national defense strategy published in 2022 pursuant to section 113(g) of title 10, United States Code;

"(2) the Cyber Strategy of the Department published during fiscal year 2023; and

"(3) the current International Cyberspace Security Cooperation Guidance of the Department, as of the date of the enactment of this Act.

"(b) Elements.-The alignment efforts under subsection (a) shall include the following efforts within the Department of Defense:

"(1) Efforts to build the internal capacity of the Department to support international strategy policy engagements with allies and partners of the United States.

"(2) Efforts to coordinate and align cyberspace operations with foreign partners of the United States, including alignment between hunt-forward missions and other cyber international strategy activities conducted by the Department, including identification of processes, working groups, and methods to facilitate coordination between geographic combatant commands and the United States Cyber Command.

"(3) Efforts to deliberately cultivate operational and intelligence-sharing partnerships with key allies and partners of the United States to advance the cyberspace operations objectives of the Department.

"(4) Efforts to identify key allied and partner networks, infrastructure, and systems that the Joint Force will rely upon for warfighting and to-

"(A) support the cybersecurity and cyber defense of those networks, infrastructure, and systems;

"(B) build partner capacity to actively defend those networks, infrastructure, and systems;

"(C) eradicate malicious cyber activity that has compromised those networks, infrastructure, and systems, such as when identified through hunt-forward operations; and

"(D) leverage the commercial and military cybersecurity technology and services of the United States to harden and defend those networks, infrastructure, and systems.

"(5) Efforts to secure the environments and networks of mission partners of the United States used to hold intelligence and information originated by the United States.

"(6) Prioritization schemas, funding requirements, and efficacy metrics to drive cyberspace security investments in the tools, technologies, and capacity-building efforts that will have the greatest positive impact on the resilience and ability of the Department to execute its operational plans and achieve integrated deterrence.

"(c) Organization.-The Under Secretary of Defense for Policy shall lead efforts to implement this section. In doing so, the Under Secretary shall consult with the Secretary of State, the National Cyber Director, the Director of the Cybersecurity and Infrastructure Security Agency, and the Director of the Federal Bureau of Investigation, to align plans and programs as appropriate.

"(d) Annual Briefings.-

"(1) Requirement.-Not later than 180 days after the date of the enactment of this Act, and not less frequently than once each fiscal year until September 30, 2025, the Under Secretary of Defense for Policy shall provide to the Committees on Armed Services of the Senate and the House of Representatives a briefing on the implementation of this section.

"(2) Contents.-Each briefing under paragraph (1) shall include the following:

"(A) An overview of efforts undertaken pursuant to this section.

"(B) An accounting of all the security cooperation activities of the Department germane to cyberspace and changes made pursuant to implementation of this section.

"(C) A detailed schedule with target milestones and required expenditures for all planned activities related to the efforts described in subsection (b).

"(D) Interim and final metrics for building the cyberspace security cooperation enterprise of the Department.

"(E) Identification of such additional funding, authorities, and policies, as the Under Secretary determines may be required.

"(F) Such recommendations as the Under Secretary may have for legislative action to improve the effectiveness of cyberspace security cooperation of the Department with foreign partners and allies.

"(e) Annual Report.-Not later than 90 days after the date of the enactment of this Act and not less frequently than once each year thereafter until January 1, 2025, the Under Secretary of Defense for Policy shall submit to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives a report summarizing the cyber international strategy activities of the Department, including within the cybersecurity cooperation enterprise of the Department and the cyber operational partnerships of the Department."

Enhancement of Cyberspace Training and Security Cooperation

Pub. L. 117–263, div. A, title XV, §1507, Dec. 23, 2022, 136 Stat. 2883, provided that:

"(a) Enhanced Training.-

"(1) Requirement.-The Under Secretary of Defense for Intelligence and Security and the Under Secretary of Defense for Policy, in coordination with the Commander of United States Cyber Command, the Director of the Defense Security Cooperation Agency, and the Director of the Defense Intelligence Agency, shall develop enhanced guidance for and implement training on cyberspace security cooperation at the Defense Security Cooperation University and the Joint Military Attaché School.

"(2) Timing.-The Under Secretaries shall develop the enhanced guidance and implement the training under paragraph (1)-

"(A) by not later than one year after the date of the enactment of this Act [Dec. 23, 2022] with respect to the Joint Military Attaché School; and

"(B) by not later than September 30, 2025, with respect to the Defense Security Cooperation University.

"(3) Elements.-The Under Secretaries shall ensure that the training on cyberspace security cooperation under paragraph (1)-

"(A) is tailored to the trainees' anticipated embassy role and functions; and

"(B) provides familiarity with-

"(i) the different purposes of cyberspace engagements with partners and allies of the United States, including threat awareness, cybersecurity, mission assurance, and operations;

"(ii) the types of cyberspace security cooperation programs and activities available for partners and allies of the United States, including bilateral and multilateral cyberspace engagements, information and intelligence sharing, training, and exercises;

"(iii) the United States Cyber Command cyberspace operations with partners, including an overview of the Hunt Forward mission and process;

"(iv) the roles and responsibilities of the United States Cyber Command, the geographic combatant commands, and the Defense Security Cooperation Agency for cybersecurity cooperation within the Department of Defense; and

"(v) such other matters as the Under Secretaries, in coordination with the Commander of United States Cyber Command, consider appropriate.

"(4) Requirements.-The baseline familiarization training developed under subsection (a) shall be a required element for all participants in the Defense Security Cooperation University, the Attaché Training Program, and the Attaché Staff Training Program of the Joint Military Attaché School.

"(b) Report.-Not later than 180 days after the date of the enactment of this Act, the Under Secretary of Defense for Intelligence and Security and the Under Secretary of Defense for Policy, in coordination with the Commander of the United States Cyber Command, the Director of the Defense Security Cooperation Agency, and the Director of the Defense Intelligence Agency, shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report on the requirements and considerations to implement enhanced training and coordination to advance cyberspace security cooperation with foreign partners. The study may consider such areas as the following:

"(1) Sufficiency of the training provided in the Defense Security Cooperation University and the Joint Military Attaché School.

"(2) Additional training requirements, familiarization requirements, or both such requirements necessary for officers assigned to particular locations or positions.

"(3) Areas for increased cooperation.

"(4) A plan for completing the activities required by subsection (a).

"(5) Additional resources required to complete such activities.

"(c) Briefing.-Not later than 30 days after the date on which the Under Secretary of Defense for Intelligence and Security and the Under Secretary of Defense for Policy submit the report under subsection (b), the Under Secretaries, in coordination with the Commander of the United States Cyber Command, the Director of the Defense Security Cooperation Agency, and the Director of the Defense Intelligence Agency, shall provide to the Committees on Armed Services of the Senate and the House of Representatives a briefing on the findings from the report on enhancing training and coordination to advance cyberspace security cooperation described in such subsection. Such briefing shall include a discussion on the enhanced training meeting the elements under subsection (a)(3) and a plan for future updates and sustainment of such training."