SEC. 1542.

Semiannual reports on Cyber Operational Readiness Assessment program

DIVISION A · TITLE XV: Cyberspace-related Matters · SUBTITLE C: Reports and Other Matters

Source
SECTION TEXT · SEC. 1542.
PrevNext

(a) Semiannual reports required

Not later than 180 days after the date of the enactment of this Act, and not less frequently than once every 180 days thereafter, the Secretary of Defense shall, acting through the Chief Information Officer of the Department of Defense and the Commander of the Department of Defense Cyber Defense Command (DCDC), submit to the congressional defense committees a semiannual report on the implementation of the Cyber Operational Readiness Assessment program of the Department of Defense Cyber Defense Command and the findings from such program.

(b) Contents

Each report required under subsection (a) shall include, for the period covered by the report, the following:

(1)

An overview of the implementation status of the Cyber Operational Readiness Assessment program, including scope, methodology, and assessment cadence across the military departments and the defense agencies and Department of Defense field activities.

(2)

Aggregate and component-level findings on cyber operational readiness, including systemic risks, recurring deficiencies, and trends affecting mission assurance.

(3)

An assessment of operational resilience, including the ability of the Department of Defense to maintain essential functions, contain adversary activity, and recover from cyber incidents during contested operations.

(4)

A description of actions taken or planned to address material risks identified through the program, including timelines, responsible organizations, and any resource constraints.

(5)

An initial plan, and subsequent progress reports, for incorporating operational technology (OT) environments into assessments carried out under the program to ensure a comprehensive operational readiness evaluation of mission‑critical systems, weapon platforms, industrial control systems, and supporting infrastructure.

(6)

An assessment of how assessments under the program will incorporate and operationalize Critical Infrastructure Discovery and Evaluation (CIDE) activities conducted by the Department of Defense Cyber Defense Command on operational technology networks, including alignment of scope, methodology, data collection, reporting, and resourcing to ensure unity of effort and avoid duplication.

(7)

A description of any policy, authority, or resourcing gaps that inhibit full execution of the program as an operational readiness assessment.

(c) Purpose

The purpose of subsection (a) is to ensure that cybersecurity is treated by the Department as an element of operational readiness across the Department and to support senior leader decisionmaking, risk acceptance, and resource prioritization related to the security and resilience of the Department of Defense Information Network (DoDIN).

(d) Termination

The requirements of this section shall terminate on the date that is three years after the date of the enactment of this Act.