§ 2224. Defense Information Assurance Program

§ 2224. Defense Information Assurance Program

(a) Defense Information Assurance Program.— The Secretary of Defense shall carry out a program, to be known as the “Defense Information Assurance Program”, to protect and defend Department of Defense information, information systems, and information networks that are critical to the Department and the armed forces during day-to-day operations and operations in times of crisis.

(b) Objectives of the Program.— The objectives of the program shall be to provide continuously for the availability, integrity, authentication, confidentiality, nonrepudiation, and rapid restitution of information and information systems that are essential elements of the Defense Information Infrastructure.

(c) Program Strategy.— In carrying out the program, the Secretary shall develop a program strategy that encompasses those actions necessary to assure the readiness, reliability, continuity, and integrity of Defense information systems, networks, and infrastructure, including through compliance with subchapter II of chapter 35 of title 44, including through compliance with subchapter III of chapter 35 of title 44. The program strategy shall include the following:

(1) A vulnerability and threat assessment of elements of the defense and supporting nondefense information infrastructures that are essential to the operations of the Department and the armed forces.

(2) Development of essential information assurances technologies and programs.

(3) Organization of the Department, the armed forces, and supporting activities to defend against information warfare.

(4) Joint activities of the Department with other departments and agencies of the Government, State and local agencies, and elements of the national information infrastructure.

(5) The conduct of exercises, war games, simulations, experiments, and other activities designed to prepare the Department to respond to information warfare threats.

(6) Development of proposed legislation that the Secretary considers necessary for implementing the program or for otherwise responding to the information warfare threat.

(d) Coordination.— In carrying out the program, the Secretary shall coordinate, as appropriate, with the head of any relevant Federal agency and with representatives of those national critical information infrastructure systems that are essential to the operations of the Department and the armed forces on information assurance measures necessary to the protection of these systems.

[(e) Repealed. Pub. L. 108–136, div. A, title X, § 1031(a)(12), Nov. 24, 2003, 117 Stat. 1597.]

(f) Information Assurance Test Bed.— The Secretary shall develop an information assurance test bed within the Department of Defense to provide—

(1) an integrated organization structure to plan and facilitate the conduct of simulations, war games, exercises, experiments, and other activities to prepare and inform the Department regarding information warfare threats; and

(2) organization and planning means for the conduct by the Department of the integrated or joint exercises and experiments with elements of the national information systems infrastructure and other non-Department of Defense organizations that are responsible for the oversight and management of critical information systems and infrastructures on which the Department, the armed forces, and supporting activities depend for the conduct of daily operations and operations during crisis.

(Added Pub. L. 106–65, div. A, title X, § 1043(a), Oct. 5, 1999, 113 Stat. 760; amended [Pub. L. 106–398, § 1 [div. A], title X, § 1063], Oct. 30, 2000, 114 Stat. 1654, 1654A–274; Pub. L. 107–296, title X, § 1001(c)(1)(B), Nov. 25, 2002, 116 Stat. 2267; Pub. L. 107–347, title III, § 301(c)(1)(B), Dec. 17, 2002, 116 Stat. 2955; Pub. L. 108–136, div. A, title X, § 1031(a)(12), Nov. 24, 2003, 117 Stat. 1597; Pub. L. 108–375, div. A, title X, § 1084(d)(17), Oct. 28, 2004, 118 Stat. 2062.)

Editorial Notes

Amendments

2004—Subsec. (c). Pub. L. 108–375 substituted “subchapter II” for “subtitle II” in introductory provisions.

2003—Subsec. (e). Pub. L. 108–136 struck out subsec. (e) which directed the Secretary of Defense to annually submit to Congress a report on the Defense Information Assurance Program.

2002—Subsec. (b). Pub. L. 107–296, § 1001(c)(1)(B)(i), and Pub. L. 107–347, § 301(c)(1)(B)(i), amended subsec. (b) identically, substituting “Objectives of the Program” for “Objectives and Minimum Requirements” in heading and striking out par. (1) designation before “The objectives”.

Subsec. (b)(2). Pub. L. 107–347, § 301(c)(1)(B)(ii), struck out par. (2) which read as follows: “The program shall at a minimum meet the requirements of sections 3534 and 3535 of title 44.”

Pub. L. 107–296, § 1001(c)(1)(B)(ii), which directed the striking out of “(2) the program shall at a minimum meet the requirements of section 3534 and 3535 of title 44, United States Code.” could not be executed. See above par.

Subsec. (c). Pub. L. 107–347, § 301(c)(1)(B)(iii), inserted “, including through compliance with subchapter III of chapter 35 of title 44” after “infrastructure” in introductory provisions.

Pub. L. 107–296, § 1001(c)(1)(B)(iii), inserted “, including through compliance with subtitle II of chapter 35 of title 44” after “infrastructure” in introductory provisions.

2000—Subsec. (b). [Pub. L. 106–398, § 1 [div. A], title X, § 1063(a)], substituted “Objectives and Minimum Requirements” for “Objectives of the Program” in heading, designated existing provisions as par. (1), and added par. (2).

Subsec. (e)(7). [Pub. L. 106–398, § 1 [div. A], title X, § 1063(b)], added par. (7).

Statutory Notes and Related Subsidiaries

Effective Date of 2002 Amendment

Amendment by Pub. L. 107–296 effective 60 days after Nov. 25, 2002, see section 4 of Pub. L. 107–296, set out as an Effective Date note under section 101 of Title 6, Domestic Security.

Effective Date of 2000 Amendment

Amendment by Pub. L. 106–398 effective 30 days after Oct. 30, 2000, see section 1 [[div. A], title X, § 1065] of Pub. L. 106–398, Oct. 30, 2000, 114 Stat. 1654, formerly set out as an Effective Date note under former section 3531 of Title 44, Public Printing and Documents.

Biological Data for Artificial Intelligence

Pub. L. 119–60, div. A, title II, § 245, Dec. 18, 2025, 139 Stat. 796, provided that: “(a) AI Accessibility to Qualified Biological Data Resources.—“(1) In general.—Not later than one year after the date of the enactment of this Act [Dec. 18, 2025], the Secretary of Defense shall develop and implement requirements that ensure qualified biological data resources created by research entirely funded by the Department of Defense are collected and stored in a manner that facilitates the use of such qualified biological data resources for advanced computational methods, including artificial intelligence. “(2) Elements.—The requirements implemented under subsection (a) shall include the following:“(A) A definition of the term ‘qualified biological data resource’ for the purposes of such requirements, which shall be based on one or more of the following criteria:“(i) The type of biological data generated. “(ii) The size of the dataset involved. “(iii) The amount of Federal funds awarded to the research that created such qualified biological data resource. “(iv) The level of sensitivity of the biological data generated. “(v) Any other factor determined appropriate by the Secretary of Defense. “(B) Guidance on the metrics and metadata included under such requirements to indicate data quality, including usability, interoperability, and completeness. “(C) Requirements for tiered levels of cybersecurity safeguards and access controls for the storage of biological data. “(D) Exceptions to such requirements, including for biological data that may implicate national security. “(E) Requirements for the protection of the privacy of individuals. “(b) Consultation and Considerations.—In developing and implementing the requirements under subsection (a), the Secretary shall—“(1) consult with the Secretaries of the military departments, the heads of the research laboratories of each of the Armed Forces, and relevant individuals and entities in the private sector and academia who have received funding for research from the Department of Defense to ensure that such requirements are not overly burdensome; and “(2) review and incorporate, to the extent the Secretary determines appropriate, existing Federal frameworks and standards for the use of qualified biological data resources for advanced computational methods.”

Secure Mobile Phones for Senior Officials and Personnel Performing Sensitive Functions

Pub. L. 119–60, div. A, title XV, § 1511, Dec. 18, 2025, 139 Stat. 1147, provided that: “(a) In General.—Beginning not later than 90 days after the date of enactment of this Act [Dec. 18, 2025], the Secretary of Defense shall ensure that each wireless mobile phone the Department of Defense provides to a senior official of the Department or any other employee of the Department who performs sensitive national security functions, as determined by the Secretary, and all related telecommunications services are acquired under contracts or other agreements that require the enhanced cybersecurity protections described in subsection (b). “(b) Protections Described.—The enhanced cybersecurity protections described in this subsection enhanced [sic] cybersecurity protections for wireless mobile phones and related telecommunication services that includes [sic]—“(1) encryption of data on the wireless mobile phones and of all telecommunications to and from the wireless mobile phones through such telecommunication services; “(2) capabilities to mitigate or obfuscate persistent device identifiers, including periodic rotation of network or hardware identifiers to reduce the risk of inappropriate tracking of the activity or location of the wireless mobile phones; and “(3) the capability to continuously monitor the wireless mobile phones. “(c) Report.—Not later than 180 days after the enactment of this Act, the Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report containing—“(1) a list of the contracts or other agreements entered into pursuant to subsection (a); “(2) the criteria used by the Secretary to determine which employees of the Department of Defense performs [sic] sensitive national security functions for the purposes of subsection (a), and the total number of such employees; and “(3) the total costs of wireless mobile phones and telecommunication services required by subsection (a).”

Physical and Cybersecurity Procurement Requirements for Artificial Intelligence Systems