IN THE SENATE OF THE UNITED STATES
June 12, 2019
Mr. Rounds (for himself and Ms. Duckworth) introduced the following bill; which was read twice and referred to the Committee on Armed Services
To improve cyber governance structures in the Department of Defense and to require designation of principal advisors on military cyber force matters, and for other purposes.
This Act may be cited as the
Department of Defense Principal Cyber Advisors Act of 2019.
Cyber governance structures and principal advisors on military cyber force matters
Not later than one year after the date of the enactment of this Act, each Secretary of a military department shall designate a Principal Cyber Advisor to act as the principal advisor to the Secretary of the military department on the cyber forces, cyber programs, and cybersecurity matters of the military department, including matters relating to weapons systems, enabling infrastructure, and the defense industrial base.
Nature of position
Each Principal Cyber Advisor position under paragraph (1) shall be a senior civilian leadership position.
Responsibilities Principal Cyber Advisors
Each Principal Cyber Advisor of a military department shall be responsible for advising the Secretary of the military department and coordinating and overseeing the implementation of policy, strategies, sustainment, and plans on the following:
The resourcing and training of the military cyber forces of the military department and ensuring that such resourcing and training meets the needs of United States Cyber Command.
Acquisition of offensive and defensive cyber capabilities for the military cyber forces of the military department.
Cybersecurity management and operations of the military department.
Acquisition of cybersecurity tools and capabilities for the cybersecurity service providers of the military department.
Improving and enforcing a culture of cybersecurity warfighting and responsibility throughout the military department.
Designation of individuals
In designating a Principal Cyber Adviser under subsection (a), the Secretary of a military department may designate an individual in an existing position in the military department.
The Principal Cyber Advisor of a military department shall work in close coordination with the Principal Cyber Advisor of the Department of Defense, the Chief Information Officer of the Department, relevant military service chief information officers, and other relevant military service officers to ensure service compliance with the Department of Defense Cyber Strategy.
Responsibility to the senior acquisition executives
In addition to the responsibilities set forth in subsection (b), the Principal Cyber Advisor of a military department shall be responsible for advising the senior acquisition executive of the military department and, as determined by the Secretary of the military department, for advising and coordinating and overseeing the implementation of policy, strategies, sustainment, and plans for—
cybersecurity of the industrial base; and
cybersecurity of Department of Defense information systems and information technology services, including how cybersecurity threat information is incorporated and the development of cyber practices, cyber testing, and mitigation of cybersecurity risks.
Review of current responsibilities
Not later than January 1, 2021, each Secretary of a military department shall review the military department's current governance model for cybersecurity with respect to current authorities and responsibilities.
Each review under paragraph (1) shall include the following:
An assessment of whether additional changes beyond the designation of a Principal Cyber Advisor pursuant to subsection (a) are required.
Consideration of whether the current governance structure and assignment of authorities—
enable effective top-down governance;
enable effective Chief Information Officer and Chief Information Security Officer action;
are adequately consolidated so that the authority and responsibility for cybersecurity risk management is clear and at an appropriate level of seniority;
provides authority to a single individual to certify compliance of Department information systems and information technology services with all current cybersecurity standards; and
support efficient coordination across the military departments and services, the Office of the Secretary of Defense, the Defense Information Systems Agency, and United States Cyber Command.
Not later than February 1, 2021, each Secretary of a military department shall brief the congressional defense committees on the findings of the Secretary with respect to the review conducted by the Secretary under subsection (e).
Definition of congressional defense committees
In this section, the term congressional defense committees has the meaning given such term in section 101(a) of title 10, United States Code.