Page:United States Statutes at Large Volume 124.djvu/4365

 124 STAT. 4339 PUBLIC LAW 111–383—JAN. 7, 2011 of missions and activities that the Department may choose to conduct in cyberspace. (2) The decisions of the Secretary with respect to such issues, and the recommendations of the Secretary to the Presi- dent for decisions on such of those issues as exceed the authority of the Secretary to resolve, together with the rationale and justification of the Secretary for such decisions and rec- ommendations. (3) A description of the intentions of the Secretary with regard to modifying the National Military Strategy for Cyber- space Operations. (4) The current use of, and potential applications of, mod- eling and simulation tools to identify likely cybersecurity vulnerabilities, as well as new protective and remediation means, within the Department. (5) The application of modeling and simulation technology to develop strategies and programs to deter hostile or malicious activity intended to compromise Department information sys- tems. (c) FORM.—The report required under this section shall be submitted in unclassified form, but may include a classified annex. SEC. 935. REPORTS ON DEPARTMENT OF DEFENSE PROGRESS IN DEFENDING THE DEPARTMENT AND THE DEFENSE INDUS- TRIAL BASE FROM CYBER EVENTS. (a) REPORTS ON PROGRESS REQUIRED.—Not later than 180 days after the date of the enactment of this Act, and March 1 every year thereafter through 2015, the Secretary of Defense shall submit to the congressional defense committees a report on the progress of the Department of Defense in defending the Department and the defense industrial base from cyber events (such as attacks, intrusions, and theft). (b) ELEMENTS.—Each report under subsection (a) shall include the following: (1) In the case of the first report, a baseline for measuring the progress of the Department of Defense in defending the Department and the defense industrial base from cyber events, including definitions of significant cyber events, an appropriate categorization of various types of cyber events, the basic methods used in various cyber events, the vulnerabilities exploited in such cyber events, and the metrics to be utilized to determine whether the Department is or is not making progress against an evolving cyber threat. (2) An ongoing assessment of such baseline against key cyber defense strategies (described in subsection (c)) to deter- mine implementation progress. (3)(A) A description of the nature and scope of significant cyber events against the Department and the defense industrial base during the preceding year, including, for each such event, a description of the intelligence or other Department data acquired, the extent of the corruption or compromise of Depart- ment information or weapon systems, and the impact of such event on the Department generally and on operational capabili- ties. (B) For any such event that has been investigated by or on behalf of the Damage Assessment Management Office,