10 U.S.C. § 499
(b) Elements.— In conducting the assessment required by subsection (a), the Commanders shall—
(c) Reports Required.—
(1) For each assessment conducted under subsection (a), the Commanders shall jointly submit to the Chairman of the Joint Chiefs of Staff, for submission to the Council on Oversight of the National Leadership Command, Control, and Communications System established under section 171a of this title, a report on the assessment that includes the following:
(Added Pub. L. 115–91, div. A, title XVI, § 1651(a), , 131 Stat. 1756; amended Pub. L. 117–81, div. A, title XV, § 1534, , 135 Stat. 2054.)
2021—Subsec. (c). Pub. L. 117–81, § 1534(1), substituted “Reports” for “Report” in heading.
Subsec. (c)(1). Pub. L. 117–81, § 1534(2), substituted “For each assessment conducted under subsection (a), the Commanders” for “The Commanders” and “the assessment” for “the assessment required by subsection (a)” in introductory provisions.
Subsec. (c)(2). Pub. L. 117–81, § 1534(3), which directed substitution of “each report” for “the report”, was executed by making the substitution in both places it appeared, to reflect the probable intent of Congress.
Subsec. (c)(3). Pub. L. 117–81, § 1534(4), substituted “Not later than 90 days after the date of the submission of a report under paragraph (1), the Secretary” for “The Secretary” and struck out “required by paragraph (1)” before “, any comments”.
Pub. L. 116–283, div. A, title XVII, § 1747, , 134 Stat. 4140, provided that:
- “(a) Plan for Implementation of Findings and Recommendations From First Annual Assessment of Cyber Resiliency of Nuclear Command and Control System.— Not later than , the Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a comprehensive plan, including a schedule and resourcing plan, for the implementation of the findings and recommendations included in the first report submitted under section 499(c)(3) of title 10, United States Code.
“(b) Concept of Operations and Oversight Mechanism for Cyber Defense of Nuclear Command and Control System.— Not later than , the Secretary shall develop and establish—
“(1) a concept of operations for defending the nuclear command and control system against cyber attacks, including specification of the—
- “(A) roles and responsibilities of relevant entities within the Office of the Secretary, the military services, combatant commands, the Defense Agencies, and the Department of Defense Field Activities; and
- “(B) cybersecurity capabilities to be acquired and employed and operational tactics, techniques, and procedures, including cyber protection team and sensor deployment strategies, to be used to monitor, defend, and mitigate vulnerabilities in nuclear command and control systems; and
“(2) an oversight mechanism or governance model for overseeing the implementation of the concept of operations developed and established under paragraph (1), related development, systems engineering, and acquisition activities and programs, and the plan required by subsection (a), including specification of the—
- “(A) roles and responsibilities of relevant entities within the Office of the Secretary, the military services, combatant commands, the Defense Agencies, and the Department of Defense Field Activities in overseeing the defense of the nuclear command and control system against cyber attacks;
“(B) responsibilities and authorities of the Strategic Cybersecurity Program in overseeing and, as appropriate, executing—
- “(i) vulnerability assessments; and
- “(ii) development, systems engineering, and acquisition activities; and
- “(C) processes for coordination of activities, policies, and programs relating to the cybersecurity and defense of the nuclear command and control system.”