Page:United States Statutes at Large Volume 124.djvu/4192

 124 STAT. 4166 PUBLIC LAW 111–383—JAN. 7, 2011 (1) REPORTS REQUIRED.—Not later than 240 days after the date of the enactment of this Act, and annually thereafter at or about the time of the submittal to Congress of the budget of the President for a fiscal year (as submitted pursuant to section 1105(a) of title 31, United States Code), the Secretary of Defense shall, in coordination with the Secretary of Home- land Security, submit to Congress a report on any demonstra- tion projects carried out under subsection (a), and on the pilot projects carried out under subsection (b), during the preceding year. (2) ELEMENTS.—Each report under this subsection shall include the following: (A) A description and assessment of any activities under the demonstration projects and pilot projects referred to in paragraph (1) during the preceding year. (B) For the pilot projects supported or conducted under subsection (b)(2)— (i) a quantitative and qualitative assessment of the extent to which managed security services covered by the pilot project could provide effective and afford- able cybersecurity capabilities for components of the Department of Defense and for entities in the defense industrial base, and an assessment whether such serv- ices could be expanded rapidly to a large scale without exceeding the ability of the Federal Government to manage such expansion; and (ii) an assessment of whether managed security services are compatible with the cybersecurity strategy of the Department of Defense with respect to con- ducting an active, in-depth defense under the direction of United States Cyber Command. (C) For the pilot projects supported or conducted under subsection (b)(3)— (i) a description of any performance metrics estab- lished for purposes of the pilot project, and a descrip- tion of any processes developed for purposes of account- ability and governance under any partnership under the pilot project; and (ii) an assessment of the role a partnership such as a partnership under the pilot project would play in the acquisition of cyberspace capabilities by the Department of Defense, including a role with respect to the development and approval of requirements, approval and oversight of acquiring capabilities, test and evaluation of new capabilities, and budgeting for new capabilities. (D) For the pilot projects supported or conducted under subsection (b)(4)— (i) a framework and taxonomy for evaluating prac- tices that secure the global supply chain, as well as practices for securely operating in an uncertain or com- promised supply chain; (ii) an assessment of the viability of applying commercial practices for securing the global supply chain; and