Page:United States Statutes at Large Volume 124.djvu/4363

From Wikisource

124 STAT. 4337 PUBLIC LAW 111–383—JAN. 7, 2011

strategy, including a description of the role of the strategy in the risk management by the Department regarding the supply chain and in operational planning for cyber security.

(2) A description of the risks, if any, that the Department will accept in the strategy due to limitations on funds or other applicable constraints.

SEC. 933. STRATEGY FOR ACQUISITION AND OVERSIGHT OF DEPARTMENT OF DEFENSE CYBER WARFARE CAPABILITIES.

(a) STRATEGY REQUIRED.—The Secretary of Defense, in consultation with the Secretaries of the military departments, shall develop a strategy to provide for the rapid acquisition of tools, applications, and other capabilities for cyber warfare for the United States Cyber Command and the cyber operations components of the military departments.

(b) BASIC ELEMENTS.—The strategy required by subsection (a) shall include the following:

(1) An orderly process for determining and approving operational requirements.

(2) A well-defined, repeatable, transparent, and disciplined process for developing capabilities to meet such requirements, in accordance with the information technology acquisition process developed pursuant to section 804 of the National Defense Authorization Act for Fiscal Year 2010 (Public Law 111–84; 10 U.S.C. 2225 note).

(3) The allocation of facilities and other resources to thoroughly test such capabilities in development, before deployment, and before use in order to validate performance and take into account collateral damage and other so-called second-order effects.

(c) ADDITIONAL ELEMENTS.—The strategy required by subsection (a) shall also provide for the following:

(1) Safeguards to prevent—

(A) the circumvention of operational requirements and acquisition processes through informal relationships among the United States Cyber Command, the Armed Forces, the National Security Agency, and the Defense Information Systems Agency; and

(B) the abuse of quick-reaction processes otherwise available for the rapid fielding of capabilities.

(2) The establishment of reporting and oversight processes for requirements generation and approval for cyber warfare capabilities, the assignment of responsibility for providing capabilities to meet such requirements, and the execution of development and deployment of such capabilities, under the authority of the Chairman of the Joint Requirements Oversight Council, the Under Secretary of Defense for Policy, and other officials in the Office of the Secretary of Defense, as designated in the strategy.

(3) The establishment and maintenance of test and evaluation facilities and resources for cyber infrastructure to support research and development, operational test and evaluation, operational planning and effects testing, and training by replicating or emulating networks and infrastructure maintained and operated by the military and political organizations of potential United States adversaries, by domestic and foreign