U.S. Code last checked for updates: Apr 28, 2024
§ 278g–3e. Contractor compliance with coordinated disclosure of security vulnerabilities relating to agency Internet of Things devices
(a) Prohibition on procurement and use
(1) In general
(2) Simplified acquisition threshold
(b) Waiver
(1) Authority
The head of an agency may waive the prohibition under subsection (a)(1) with respect to an Internet of Things device if the Chief Information Officer of that agency determines that—
(A) the waiver is necessary in the interest of national security;
(B) procuring, obtaining, or using such device is necessary for research purposes; or
(C) such device is secured using alternative and effective methods appropriate to the function of such device.
(2) Agency process
(c) Reports to Congress
(1) Report
Every 2 years during the 6-year period beginning on December 4, 2020, the Comptroller General of the United States shall submit to the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate a report—
(A) on the effectiveness of the process established under subsection (b)(2);
(B) that contains recommended best practices for the procurement of Internet of Things devices; and
(C) that lists—
(i) the number and type of each Internet of Things device for which a waiver under subsection (b)(1) was granted during the 2-year period prior to the submission of the report; and
(ii) the legal authority under which each such waiver was granted, such as whether the waiver was granted pursuant to subparagraph (A), (B), or (C) of such subsection.
(2) Classification of report
(d) Effective date
(Pub. L. 116–207, § 7, Dec. 4, 2020, 134 Stat. 1005.)
cite as: 15 USC 278g-3e