Page:United States Statutes at Large Volume 124.djvu/4361

 124 STAT. 4335 PUBLIC LAW 111–383—JAN. 7, 2011 incidents with respect to national security systems, the vulner- ability of such systems to such incidents, and the consequences of information security incidents involving such systems. (2) The automation of continuous monitoring of the effectiveness of the information security policies, procedures, and practices within the information infrastructure of the Department of Defense, and the compliance of that infrastruc- ture with such policies, procedures, and practices, including automation of— (A) management, operational, and technical controls of every information system identified in the inventory required under section 3505(c) of title 44, United States Code; and (B) management, operational, and technical controls relied on for evaluations under section 3545 of title 44, United States Code. (b) DEFINITIONS.—In this section: (1) The term ‘‘information security incident’’ means an occurrence that— (A) actually or potentially jeopardizes the confiden- tiality, integrity, or availability of an information system or the information such system processes, stores, or trans- mits; or (B) constitutes a violation or imminent threat of viola- tion of security policies, security procedures, or acceptable use policies with respect to an information system. (2) The term ‘‘information infrastructure’’ means the under- lying framework, equipment, and software that an information system and related assets rely on to process, transmit, receive, or store information electronically. (3) The term ‘‘national security system’’ has the meaning given that term in section 3542(b)(2) of title 44, United States Code. SEC. 932. STRATEGY ON COMPUTER SOFTWARE ASSURANCE. (a) STRATEGY REQUIRED.—The Secretary of Defense shall develop and implement, by not later than October 1, 2011, a strategy for assuring the security of software and software-based applications for all covered systems. (b) COVERED SYSTEMS.—For purposes of this section, a covered system is any critical information system or weapon system of the Department of Defense, including the following: (1) A major system, as that term is defined in section 2302(5) of title 10, United States Code. (2) A national security system, as that term is defined in section 3542(b)(2) of title 44, United States Code. (3) Any Department of Defense information system cat- egorized as Mission Assurance Category I. (4) Any Department of Defense information system cat- egorized as Mission Assurance Category II in accordance with Department of Defense Directive 8500.01E. (c) ELEMENTS.—The strategy required by subsection (a) shall include the following: (1) Policy and regulations on the following: (A) Software assurance generally. (B) Contract requirements for software assurance for covered systems in development and production. Deadline. 10 USC 2224 note.