50 U.S.C. § 3242

Current through P.L. 118-64 (published on www.congress.gov on 05/24/2024), except for [P. L. 118-63]
Section 3242 - Annual reports on certain cyber vulnerabilities procured by intelligence community and foreign commercial providers of cyber vulnerabilities
(a) Annual reports

On an annual basis through 2026, the Director of the Central Intelligence Agency and the Director of the National Security Agency, in coordination with the Director of National Intelligence, shall jointly submit to the congressional intelligence committees a report containing information on foreign commercial providers and the cyber vulnerabilities procured by the intelligence community through foreign commercial providers.

(b) Elements

Each report under subsection (a) shall include, with respect to the period covered by the report, the following:

(1) A description of each cyber vulnerability procured through a foreign commercial provider, including-
(A) a description of the vulnerability;
(B) the date of the procurement;
(C) whether the procurement consisted of only that vulnerability or included other vulnerabilities;
(D) the cost of the procurement;
(E) the identity of the commercial provider and, if the commercial provider was not the original supplier of the vulnerability, a description of the original supplier;
(F) the country of origin of the vulnerability; and
(G) an assessment of the ability of the intelligence community to use the vulnerability, including whether such use will be operational or for research and development, and the approximate timeline for such use.
(2) An assessment of foreign commercial providers that-
(A) pose a significant threat to the national security of the United States; or
(B) have provided cyber vulnerabilities to any foreign government that-
(i) has used the cyber vulnerabilities to target United States persons, the United States Government, journalists, or dissidents; or
(ii) has an established pattern or practice of violating human rights or suppressing dissent.
(3) An assessment of whether the intelligence community has conducted business with the foreign commercial providers identified under paragraph (2) during the 5-year period preceding the date of the report.
(c) Form

Each report under subsection (a) may be submitted in classified form.

(d) Definitions

In this section:

(1) Commercial provider

The term "commercial provider" means any person that sells, or acts as a broker, for a cyber vulnerability.

(2) Cyber vulnerability

The term "cyber vulnerability" means any tool, exploit, vulnerability, or code that is intended to compromise a device, network, or system, including such a tool, exploit, vulnerability, or code procured by the intelligence community for purposes of research and development.


July 26, 1947, ch. 343, title XI, §1112, as added Pub. L. 117-103, div. X, title VIII, §822(a), Mar. 15, 2022, 136 Stat. 1020.

STATUTORY NOTES AND RELATED SUBSIDIARIES

FIRST REPORT

Pub. L. 117-103, div. X, title VIII, §822(b), Mar. 15, 2022, 136 Stat. 1021, provided that: "Not later than 90 days after the date of the enactment of this Act [Mar. 15, 2022], the Director of the Central Intelligence Agency and the Director of the National Security Agency shall jointly submit the first report required under section 1112 of the National Security Act of 1947 [50 U.S.C. 3242], as added by subsection (a)."

congressional intelligence committees
The term "congressional intelligence committees" means-
(A) the Select Committee on Intelligence of the Senate; and
(B) the Permanent Select Committee on Intelligence of the House of Representatives.
intelligence community
The term "intelligence community" includes the following:
(A) The Office of the Director of National Intelligence.
(B) The Central Intelligence Agency.
(C) The National Security Agency.
(D) The Defense Intelligence Agency.
(E) The National Geospatial-Intelligence Agency.
(F) The National Reconnaissance Office.
(G) Other offices within the Department of Defense for the collection of specialized national intelligence through reconnaissance programs.
(H) The intelligence elements of the Army, the Navy, the Air Force, the Marine Corps, the Space Force, the Coast Guard, the Federal Bureau of Investigation, the Drug Enforcement Administration, and the Department of Energy.
(I) The Bureau of Intelligence and Research of the Department of State.
(J) The Office of Intelligence and Analysis of the Department of the Treasury.
(K) The Office of Intelligence and Analysis of the Department of Homeland Security.
(L) Such other elements of any department or agency as may be designated by the President, or designated jointly by the Director of National Intelligence and the head of the department or agency concerned, as an element of the intelligence community.
intelligence
The term "intelligence" includes foreign intelligence and counterintelligence.
national intelligence
The terms "national intelligence" and "intelligence related to national security" refer to all intelligence, regardless of the source from which derived and including information gathered within or outside the United States, that-
(A) pertains, as determined consistent with any guidance issued by the President, to more than one United States Government agency; and
(B) that involves-
(i) threats to the United States, its people, property, or interests;
(ii) the development, proliferation, or use of weapons of mass destruction; or
(iii) any other matter bearing on United States national or homeland security.