{"identifier":"/us/usc/t50/s3242","title":50,"num":"\u00a7\u202f3242.","heading":"Annual reports on certain cyber vulnerabilities procured by intelligence community and foreign commercial providers of cyber vulnerabilities","text":"\u00a7\u202f3242.\nAnnual reports on certain cyber vulnerabilities procured by intelligence community and foreign commercial providers of cyber vulnerabilities\n(a)\nAnnual reports\nOn an annual basis through 2026, the Director of the Central Intelligence Agency and the Director of the National Security Agency, in coordination with the Director of National Intelligence, shall jointly submit to the congressional intelligence committees a report containing information on foreign commercial providers and the cyber vulnerabilities procured by the intelligence community through foreign commercial providers.\n(b)\nElements\nEach report under subsection (a) shall include, with respect to the period covered by the report, the following:\n(1) A description of each cyber vulnerability procured through a foreign commercial provider, including\u2014\n(A) a description of the vulnerability;\n(B) the date of the procurement;\n(C) whether the procurement consisted of only that vulnerability or included other vulnerabilities;\n(D) the cost of the procurement;\n(E) the identity of the commercial provider and, if the commercial provider was not the original supplier of the vulnerability, a description of the original supplier;\n(F) the country of origin of the vulnerability; and\n(G) an assessment of the ability of the intelligence community to use the vulnerability, including whether such use will be operational or for research and development, and the approximate timeline for such use.\n(2) An assessment of foreign commercial providers that\u2014\n(A) pose a significant threat to the national security of the United States; or\n(B) have provided cyber vulnerabilities to any foreign government that\u2014\n(i) has used the cyber vulnerabilities to target United States persons, the United States Government, journalists, or dissidents; or\n(ii) has an established pattern or practice of violating human rights or suppressing dissent.\n(3) An assessment of whether the intelligence community has conducted business with the foreign commercial providers identified under paragraph (2) during the 5-year period preceding the date of the report.\n(c)\nForm\nEach report under subsection (a) may be submitted in classified form.\n(d)\nDefinitions\nIn this section:\n(1)\nCommercial provider\nThe term \u201ccommercial provider\u201d means any person that sells, or acts as a broker, for a cyber vulnerability.\n(2)\nCyber vulnerability\nThe term \u201ccyber vulnerability\u201d means any tool, exploit, vulnerability, or code that is intended to compromise a device, network, or system, including such a tool, exploit, vulnerability, or code procured by the intelligence community for purposes of research and development.","url":"https://projectusc.org/usc/t50/s3242.html","content":[{"t":"sec","id":"/us/usc/t50/s3242","children":[{"t":"num","text":"\u00a7\u202f3242."},{"t":"heading","text":"Annual reports on certain cyber vulnerabilities procured by intelligence community and foreign commercial providers of cyber vulnerabilities"},{"t":"subsec","id":"/us/usc/t50/s3242/a","children":[{"t":"num","text":"(a)"},{"t":"heading","text":"Annual reports"},{"t":"content","children":[{"t":"p","text":"On an annual basis through 2026, the Director of the Central Intelligence Agency and the Director of the National Security Agency, in coordination with the Director of National Intelligence, shall jointly submit to the congressional intelligence committees a report containing information on foreign commercial providers and the cyber vulnerabilities procured by the intelligence community through foreign commercial providers.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"subsec","id":"/us/usc/t50/s3242/b","children":[{"t":"num","text":"(b)"},{"t":"heading","text":"Elements"},{"t":"chapeau","text":"Each report under subsection (a) shall include, with respect to the period covered by the report, the following:"},{"t":"para","id":"/us/usc/t50/s3242/b/1","children":[{"t":"num","text":"(1)"},{"t":"chapeau","text":" A description of each cyber vulnerability procured through a foreign commercial provider, including\u2014"},{"t":"subpara","id":"/us/usc/t50/s3242/b/1/A","children":[{"t":"num","text":"(A)"},{"t":"content","text":" a description of the vulnerability;","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t50/s3242/b/1/B","children":[{"t":"num","text":"(B)"},{"t":"content","text":" the date of the procurement;","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t50/s3242/b/1/C","children":[{"t":"num","text":"(C)"},{"t":"content","text":" whether the procurement consisted of only that vulnerability or included other vulnerabilities;","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t50/s3242/b/1/D","children":[{"t":"num","text":"(D)"},{"t":"content","text":" the cost of the procurement;","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t50/s3242/b/1/E","children":[{"t":"num","text":"(E)"},{"t":"content","text":" the identity of the commercial provider and, if the commercial provider was not the original supplier of the vulnerability, a description of the original supplier;","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t50/s3242/b/1/F","children":[{"t":"num","text":"(F)"},{"t":"content","text":" the country of origin of the vulnerability; and","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t50/s3242/b/1/G","children":[{"t":"num","text":"(G)"},{"t":"content","text":" an assessment of the ability of the intelligence community to use the vulnerability, including whether such use will be operational or for research and development, and the approximate timeline for such use.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t50/s3242/b/2","children":[{"t":"num","text":"(2)"},{"t":"chapeau","text":" An assessment of foreign commercial providers that\u2014"},{"t":"subpara","id":"/us/usc/t50/s3242/b/2/A","children":[{"t":"num","text":"(A)"},{"t":"content","text":" pose a significant threat to the national security of the United States; or","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t50/s3242/b/2/B","children":[{"t":"num","text":"(B)"},{"t":"chapeau","text":" have provided cyber vulnerabilities to any foreign government that\u2014"},{"t":"clause","id":"/us/usc/t50/s3242/b/2/B/i","children":[{"t":"num","text":"(i)"},{"t":"content","text":" has used the cyber vulnerabilities to target United States persons, the United States Government, journalists, or dissidents; or","tail":"\n"}],"tail":"\n"},{"t":"clause","id":"/us/usc/t50/s3242/b/2/B/ii","children":[{"t":"num","text":"(ii)"},{"t":"content","text":" has an established pattern or practice of violating human rights or suppressing dissent.","tail":"\n"}],"tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t50/s3242/b/3","children":[{"t":"num","text":"(3)"},{"t":"content","text":" An assessment of whether the intelligence community has conducted business with the foreign commercial providers identified under paragraph (2) during the 5-year period preceding the date of the report.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"subsec","id":"/us/usc/t50/s3242/c","children":[{"t":"num","text":"(c)"},{"t":"heading","text":"Form"},{"t":"content","children":[{"t":"p","text":"Each report under subsection (a) may be submitted in classified form.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"subsec","id":"/us/usc/t50/s3242/d","children":[{"t":"num","text":"(d)"},{"t":"heading","text":"Definitions"},{"t":"chapeau","text":"In this section:"},{"t":"para","id":"/us/usc/t50/s3242/d/1","children":[{"t":"num","text":"(1)"},{"t":"heading","text":"Commercial provider"},{"t":"content","children":[{"t":"p","text":"The term \u201ccommercial provider\u201d means any person that sells, or acts as a broker, for a cyber vulnerability.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t50/s3242/d/2","children":[{"t":"num","text":"(2)"},{"t":"heading","text":"Cyber vulnerability"},{"t":"content","children":[{"t":"p","text":"The term \u201ccyber vulnerability\u201d means any tool, exploit, vulnerability, or code that is intended to compromise a device, network, or system, including such a tool, exploit, vulnerability, or code procured by the intelligence community for purposes of research and development.","tail":"\n"}],"tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"text","text":"\n"},{"t":"text","text":"\n"}]}]}