(a) Review and realignment
(1) Review required
The Secretary of Defense shall conduct a comprehensive review of the roles, responsibilities, relationships, authorities, and governance structures relating to cybersecurity, information technology, network defense, and defensive cyber operations within the Department of Defense in order to achieve the following goals:
Establish clear accountability for the cybersecurity of Department of Defense information networks, including identification of one official designated as the single accountable official responsible for the cybersecurity of Department of Defense information networks.
Improve the operational effectiveness, responsiveness, and unity of effort of Department-wide cybersecurity, information technology, network defense, and defensive cyber operations.
Eliminate structural overlap, duplication, and fragmentation across organizations responsible for cybersecurity, information technology, network defense, and defensive cyber operations.
Reduce overlapping responsibilities and ensure alignment of policy, strategy, budgetary oversight, and operational support necessary for the cybersecurity of Department of Defense information networks in an evolving threat environment.
(2) Scope
The review conducted under this subsection shall include an assessment of the roles, responsibilities, relationships, and authorities among—
the Chief Information Officer of the Department of Defense;
the Assistant Secretary of Defense for Cyber Policy;
the Principal Cyber Advisor to the Secretary of Defense;
the Commander of the United States Cyber Command;
the Department of Defense Cyber Defense Command; and
such other offices, elements, or organizations as the Secretary determines appropriate.
(3) Realignment
As a result of the review, and in order to achieve the goals specified in paragraph (1), the Secretary may, consistent with applicable law—
realign, consolidate, or modify the roles, responsibilities, relationships, and authorities of the officials, offices, elements, and organizations specified in paragraph (2);
reassign functions, personnel, and resources among such officials, offices, elements, and organizations;
eliminate duplicative functions; and
clarify or revise reporting relationships and lines of authority.
(b) Preservation of functions
In carrying out subsection (a), the Secretary shall ensure that all functions necessary for the governance, defense, and operation of Department of Defense information networks are maintained, regardless of the organizational structure to which such functions are assigned.
(c) Limitation on establishment of new office or organization
The Secretary may not establish a new office or organization for the purpose of carrying out this section unless the Secretary determines that such establishment is necessary to achieve the goals specified in subsection (a)(1) and consistent with applicable law.
(d) Limitation on reassignment or elimination of function
The Secretary may not reassign or eliminate a function associated with an official, office, element, or organization for the purpose of carrying out this section unless the Secretary submits to the congressional defense committees a notification of the reassignment or elimination of the function and a period of 15 days has elapsed after the date on which the notification was submitted.
(e) Rule of construction
Nothing in this section shall be construed to authorize the Secretary of Defense to modify, transfer, eliminate, or otherwise alter any role, responsibility, relationship, authority, function, or any other matter expressly required by law.
(f) Report
(1) In general
Not later than 90 days after the date of the enactment of this Act, the Secretary of Defense shall submit to the congressional defense committees a report on the results of the review conducted under subsection (a).
(2) Elements
The report shall include—
identification of the official designated as the single accountable official responsible for the cybersecurity of Department of Defense information networks, as specified in subsection (a)(1)(A);
a description of any realignment, consolidation, or modification made, or to be made, to the roles, responsibilities, relationships, and authorities of the officials, offices, elements, and organizations reviewed, as specified in subsection (a)(3)(A);
a description of any reassignment of functions, personnel, and resources made, or to be made, among the officials, offices, elements, and organizations reviewed, as specified in subsection (a)(3)(B);
a description of any duplicative functions eliminated, or to be eliminated, as set forth in subsection (a)(3)(C);
a description of any clarification or revision made, or to be made, to reporting relationships and lines of authority, as set forth in subsection (a)(3)(D);
a mapping of the responsibilities and authorities assigned as of the date of the enactment of this Act to each respective official, office, element, or organization reviewed (including an identification of whether the responsibility or authority is required by law to be assigned to such official, office, element, or organization, and an mapping of the responsibilities and authorities as they will be assigned after completion of the activities specified in subsection (a)(3);
a timeline for implementation of the activities specified in subsection (a)(3), under which all such activities shall be implemented not later than one year after the date of the enactment of this Act;
identification of any legislative recommendations, including any provisions of law requiring amendment, to fully implement the goals specified in subsection (a)(1) and the activities specified in subsection (a)(3); and
a justification for the new structure, including an explanation for how the new structure better achieves the goals specified in subsection (a)(1) than the current structure.
(g) Briefing
Not later than 45 days after the date of the enactment of this Act, the Secretary shall provide a briefing to the congressional defense committees on preliminary findings of the review.