Amendments
Amendments
2004—Subsec. (c). [Pub. L. 108–375] substituted “subchapter II” for “subtitle II” in introductory provisions.
2003—Subsec. (e). [Pub. L. 108–136] struck out subsec. (e) which directed the Secretary of Defense to annually submit to Congress a report on the Defense Information Assurance Program.
2002—Subsec. (b). [Pub. L. 107–296, § 1001(c)(1)(B)(i)], and [Pub. L. 107–347, § 301(c)(1)(B)(i)], amended subsec. (b) identically, substituting “Objectives of the Program” for “Objectives and Minimum Requirements” in heading and striking out par. (1) designation before “The objectives”.
Subsec. (b)(2). [Pub. L. 107–347, § 301(c)(1)(B)(ii)], struck out par. (2) which read as follows: “The program shall at a minimum meet the requirements of sections 3534 and 3535 of title 44.”
[Pub. L. 107–296, § 1001(c)(1)(B)(ii)], which directed the striking out of “(2) the program shall at a minimum meet the requirements of section 3534 and 3535 of title 44, United States Code.” could not be executed. See above par.
Subsec. (c). [Pub. L. 107–347, § 301(c)(1)(B)(iii)], inserted “, including through compliance with subchapter III of chapter 35 of title 44” after “infrastructure” in introductory provisions.
[Pub. L. 107–296, § 1001(c)(1)(B)(iii)], inserted “, including through compliance with subtitle II of chapter 35 of title 44” after “infrastructure” in introductory provisions.
2000—Subsec. (b). [Pub. L. 106–398, § 1] [[div. A], title X, § 1063(a)], substituted “Objectives and Minimum Requirements” for “Objectives of the Program” in heading, designated existing provisions as par. (1), and added par. (2).
Subsec. (e)(7). [Pub. L. 106–398, § 1] [[div. A], title X, § 1063(b)], added par. (7).
Effective Date Of Amendment
Effective Date of 2002 Amendment
Amendment by [Pub. L. 107–296] effective 60 days after Nov. 25, 2002, see [section 4 of Pub. L. 107–296], set out as an Effective Date note under [section 101 of Title 6], Domestic Security.
Effective Date of 2000 Amendment
Amendment by [Pub. L. 106–398] effective 30 days after Oct. 30, 2000, see section 1 [[div. A], title X, § 1065] of [Pub. L. 106–398], set out as an Effective Date note under [section 3531 of Title 44], Public Printing and Documents.
Miscellaneous
Authorities, Capabilities, and Oversight of the United States Cyber Command
[Pub. L. 113–66, div. A, title IX, § 932], Dec. 26, 2013, [127 Stat. 829], provided that:“(a)Provision of Certain Operational Capabilities.—The Secretary of Defense shall take such actions as the Secretary considers appropriate to provide the United States Cyber Command operational military units with infrastructure and equipment enabling access to the Internet and other types of networks to permit the United States Cyber Command to conduct the peacetime and wartime missions of the Command.“(b) Cyber Ranges.—“(1)In general.—The Secretary shall review existing cyber ranges and adapt one or more such ranges, as necessary, to support training and exercises of cyber units that are assigned to execute offensive military cyber operations.“(2)Elements.—Each range adapted under paragraph (1) shall have the capability to support offensive military operations against targets that—“(A) have not been previously identified and prepared for attack; and“(B) must be compromised or neutralized immediately without regard to whether the adversary can detect or attribute the attack.“(c) Principal Advisor on Military Cyber Force Matters.—“(1)Designation.—The Secretary shall designate, from among the personnel of the Office of the Under Secretary of Defense for Policy, a Principal Cyber Advisor to act as the principal advisor to the Secretary on military cyber forces and activities. The Secretary may only designate an official under this paragraph if such official was appointed to the position in which such official serves by and with the advice and consent of the Senate.“(2)Responsibilities.—The Principal Cyber Advisor shall be responsible for the following:“(A) Overall supervision of cyber activities related to offensive missions, defense of the United States, and defense of Department of Defense networks, including oversight of policy and operational considerations, resources, personnel, and acquisition and technology.“(B) Such other matters relating to offensive military cyber forces as the Secretary shall specify for purposes of this subsection.“(3)Cross-functional team.—The Principal Cyber Advisor shall—“(A) integrate the cyber expertise and perspectives of appropriate organizations within the Office of the Secretary of Defense, Joint Staff, military departments, Defense Agencies, and combatant commands, by establishing and maintaining a full-time cross-functional team of subject matter experts from those organizations; and“(B) select team members, and designate a team leader, from among those personnel nominated by the heads of such organizations.“(d)Training of Cyber Personnel.—The Secretary shall establish and maintain training capabilities and facilities in the Armed Forces and, as the Secretary considers appropriate, at the United States Cyber Command, to support the needs of the Armed Forces and the United States Cyber Command for personnel who are assigned offensive and defensive cyber missions in the Department of Defense.”
Joint Federated Centers for Trusted Defense Systems for the Department of Defense
[Pub. L. 113–66, div. A, title IX, § 937], Dec. 26, 2013, [127 Stat. 834], provided that:“(a) Federation Required.—“(1)In general.—The Secretary of Defense shall provide for the establishment of a joint federation of capabilities to support the trusted defense system needs of the Department of Defense (in this section referred to as the ‘federation’).“(2)Purpose.—The purpose of the federation shall be to serve as a joint, Department-wide federation of capabilities to support the trusted defense system needs of the Department to ensure security in the software and hardware developed, acquired, maintained, and used by the Department, pursuant to the trusted defense systems strategy of the Department and supporting policies related to software assurance and supply chain risk management.“(b)Discharge of Establishment.—In providing for the establishment of the federation, the Secretary shall consider whether the purpose of the federation can be met by existing centers in the Department. If the Department determines that there are capabilities gaps that cannot be satisfied by existing centers, the Department shall devise a strategy for creating and providing resources for such capabilities to fill such gaps.“(c)Charter.—Not later than 180 days after the date of the enactment of this Act [Dec. 26, 2013], the Secretary shall issue a charter for the federation. The charter shall—“(1) be established pursuant to the trusted defense systems strategy of the Department and supporting policies related to software assurance and supply chain risk management; and“(2) set forth—“(A) the role of the federation in supporting program offices in implementing the trusted defense systems strategy of the Department;“(B) the software and hardware assurance expertise and capabilities of the federation, including policies, standards, requirements, best practices, contracting, training, and testing;“(C) the requirements for the discharge by the federation, in coordination with the Center for Assured Software of the National Security Agency, of a program of research and development to improve automated software code vulnerability analysis and testing tools;“(D) the requirements for the federation to procure, manage, and distribute enterprise licenses for automated software vulnerability analysis tools; and“(E) the requirements for the discharge by the federation, in coordination with the Defense Microelectronics Activity, of a program of research and development to improve hardware vulnerability, testing, and protection tools.“(d)Report.—The Secretary shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives], at the time of the submittal to Congress of the budget of the President for fiscal year 2016 pursuant to [section 1105 of title 31], United States Code, a report on the funding and management of the federation. The report shall set forth such recommendations as the Secretary considers appropriate regarding the optimal placement of the federation within the organizational structure of the Department, including responsibility for the funding and management of the federation.”
Improvements in Assurance of Computer Software Procured by the Department of Defense
[Pub. L. 112–239, div. A, title IX, § 933], Jan. 2, 2013, [126 Stat. 1884], provided that:“(a)Baseline Software Assurance Policy.—The Under Secretary of Defense for Acquisition, Technology, and Logistics, in coordination with the Chief Information Officer of the Department of Defense, shall develop and implement a baseline software assurance policy for the entire lifecycle of covered systems. Such policy shall be included as part of the strategy for trusted defense systems of the Department of Defense.“(b)Policy Elements.—The baseline software assurance policy under subsection (a) shall—“(1) require use of appropriate automated vulnerability analysis tools in computer software code during the entire lifecycle of a covered system, including during development, operational testing, operations and sustainment phases, and retirement;“(2) require covered systems to identify and prioritize security vulnerabilities and, based on risk, determine appropriate remediation strategies for such security vulnerabilities;“(3) ensure such remediation strategies are translated into contract requirements and evaluated during source selection;“(4) promote best practices and standards to achieve software security, assurance, and quality; and“(5) support competition and allow flexibility and compatibility with current or emerging software methodologies.“(c)Verification of Effective Implementation.—The Under Secretary of Defense for Acquisition, Technology, and Logistics, in coordination with the Chief Information Officer of the Department of Defense, shall—“(1) collect data on implementation of the policy developed under subsection (a) and measure the effectiveness of such policy, including the particular elements required under subsection (b); and“(2) identify and promote best practices, tools, and standards for developing and validating assured software for the Department of Defense.“(d)Briefing on Additional Means of Improving Software Assurance.—Not later than one year after the date of the enactment of this Act [Jan. 2, 2013], the Under Secretary for Acquisition, Technology, and Logistics shall, in coordination with the Chief Information Officer of the Department of Defense, provide to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a briefing on the following:“(1) A research and development strategy to advance capabilities in software assurance and vulnerability detection.“(2) The state-of-the-art of software assurance analysis and test.“(3) How the Department might hold contractors liable for software defects or vulnerabilities.“(e)Definitions.—In this section:“(1)Covered system.—The term ‘covered system’ means any Department of Defense critical information, business, or weapons system that is—“(A) a major system, as that term is defined in [section 2302(5) of title 10], United States Code;“(B) a national security system, as that term is defined in [section 3542(b)(2) of title 44], United States Code; or“(C) a Department of Defense information system categorized as Mission Assurance Category I in Department of Defense Directive 8500.01E that is funded by the Department of Defense.“(2)Software assurance.—The term ‘software assurance’ means the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software, throughout the life cycle.”
Reports to Department of Defense on Penetrations of Networks and Information Systems of Certain Contractors
[Pub. L. 112–239, div. A, title IX, § 941], Jan. 2, 2013, [126 Stat. 1889], provided that:“(a)Procedures for Reporting Penetrations.—The Secretary of Defense shall establish procedures that require each cleared defense contractor to report to a component of the Department of Defense designated by the Secretary for purposes of such procedures when a network or information system of such contractor that meets the criteria established pursuant to subsection (b) is successfully penetrated.“(b)Networks and Information Systems Subject to Reporting.—“(1)Criteria.—The Secretary of Defense shall designate a senior official to, in consultation with the officials specified in paragraph (2), establish criteria for covered networks to be subject to the procedures for reporting system penetrations under subsection (a).“(2)Officials.—The officials specified in this subsection are the following:“(A) The Under Secretary of Defense for Policy.“(B) The Under Secretary of Defense for Acquisition, Technology, and Logistics.“(C) The Under Secretary of Defense for Intelligence.“(D) The Chief Information Officer of the Department of Defense.“(E) The Commander of the United States Cyber Command.“(c)Procedure Requirements.—“(1)Rapid reporting.—The procedures established pursuant to subsection (a) shall require each cleared defense contractor to rapidly report to a component of the Department of Defense designated pursuant to subsection (a) of each successful penetration of the network or information systems of such contractor that meet the criteria established pursuant to subsection (b). Each such report shall include the following:“(A) A description of the technique or method used in such penetration.“(B) A sample of the malicious software, if discovered and isolated by the contractor, involved in such penetration.“(C) A summary of information created by or for the Department in connection with any Department program that has been potentially compromised due to such penetration.“(2)Access to equipment and information by department of defense personnel.—The procedures established pursuant to subsection (a) shall—“(A) include mechanisms for Department of Defense personnel to, upon request, obtain access to equipment or information of a cleared defense contractor necessary to conduct forensic analysis in addition to any analysis conducted by such contractor;“(B) provide that a cleared defense contractor is only required to provide access to equipment or information as described in subparagraph (A) to determine whether information created by or for the Department in connection with any Department program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated; and“(C) provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.“(3)Limitation on dissemination of certain information.—The procedures established pursuant to subsection (a) shall prohibit the dissemination outside the Department of Defense of information obtained or derived through such procedures that is not created by or for the Department except with the approval of the contractor providing such information.“(d)Issuance of Procedures and Establishment of Criteria.—“(1)In general.—Not later than 90 days after the date of the enactment of this Act [Jan. 2, 2013]—“(A) the Secretary of Defense shall establish the procedures required under subsection (a); and“(B) the senior official designated under subsection (b)(1) shall establish the criteria required under such subsection.“(2)Applicability date.—The requirements of this section shall apply on the date on which the Secretary of Defense establishes the procedures required under this section.“(e)Definitions.—In this section:“(1)Cleared defense contractor.—The term ‘cleared defense contractor’ means a private entity granted clearance by the Department of Defense to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any program of the Department of Defense.“(2)Covered network.—The term ‘covered network’ means a network or information system of a cleared defense contractor that contains or processes information created by or for the Department of Defense with respect to which such contractor is required to apply enhanced protection.”
Insider Threat Detection
[Pub. L. 112–81, div. A, title IX, § 922], Dec. 31, 2011, [125 Stat. 1537], provided that:“(a)Program Required.—The Secretary of Defense shall establish a program for information sharing protection and insider threat mitigation for the information systems of the Department of Defense to detect unauthorized access to, use of, or transmission of classified or controlled unclassified information.“(b)Elements.—The program established under subsection (a) shall include the following:“(1) Technology solutions for deployment within the Department of Defense that allow for centralized monitoring and detection of unauthorized activities, including—“(A) monitoring the use of external ports and read and write capability controls;“(B) disabling the removable media ports of computers physically or electronically;“(C) electronic auditing and reporting of unusual and unauthorized user activities;“(D) using data-loss prevention and data-rights management technology to prevent the unauthorized export of information from a network or to render such information unusable in the event of the unauthorized export of such information;“(E) a roles-based access certification system;“(F) cross-domain guards for transfers of information between different networks; and“(G) patch management for software and security updates.“(2) Policies and procedures to support such program, including special consideration for policies and procedures related to international and interagency partners and activities in support of ongoing operations in areas of hostilities.“(3) A governance structure and process that integrates information security and sharing technologies with the policies and procedures referred to in paragraph (2). Such structure and process shall include—“(A) coordination with the existing security clearance and suitability review process;“(B) coordination of existing anomaly detection techniques, including those used in counterintelligence investigation or personnel screening activities; and“(C) updating and expediting of the classification review and marking process.“(4) A continuing analysis of—“(A) gaps in security measures under the program; and“(B) technology, policies, and processes needed to increase the capability of the program beyond the initially established full operating capability to address such gaps.“(5) A baseline analysis framework that includes measures of performance and effectiveness.“(6) A plan for how to ensure related security measures are put in place for other departments or agencies with access to Department of Defense networks.“(7) A plan for enforcement to ensure that the program is being applied and implemented on a uniform and consistent basis.“(c)Operating Capability.—The Secretary shall ensure the program established under subsection (a)—“(1) achieves initial operating capability not later than October 1, 2012; and“(2) achieves full operating capability not later than October 1, 2013.“(d)Report.—Not later than 90 days after the date of the enactment of this Act [Dec. 31, 2011], the Secretary shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report that includes—“(1) the implementation plan for the program established under subsection (a);“(2) the resources required to implement the program;“(3) specific efforts to ensure that implementation does not negatively impact activities in support of ongoing operations in areas of hostilities;“(4) a definition of the capabilities that will be achieved at initial operating capability and full operating capability, respectively; and“(5) a description of any other issues related to such implementation that the Secretary considers appropriate.“(e)Briefing Requirement.—The Secretary shall provide briefings to the Committees on Armed Services of the House of Representatives and the Senate as follows:“(1) Not later than 90 days after the date of the enactment of this Act [Dec. 31, 2011], a briefing describing the governance structure referred to in subsection (b)(3).“(2) Not later than 120 days after the date of the enactment of this Act, a briefing detailing the inventory and status of technology solutions deployment referred to in subsection (b)(1), including an identification of the total number of host platforms planned for such deployment, the current number of host platforms that provide appropriate security, and the funding and timeline for remaining deployment.“(3) Not later than 180 days after the date of the enactment of this Act, a briefing detailing the policies and procedures referred to in subsection (b)(2), including an assessment of the effectiveness of such policies and procedures and an assessment of the potential impact of such policies and procedures on information sharing within the Department of Defense and with interagency and international partners.“(f)Budget Submission.—On the date on which the President submits to Congress the budget under [section 1105 of title 31], United States Code, for each of fiscal years 2014 through 2019, the Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] an identification of the resources requested in such budget to carry out the program established under subsection (a).”
Strategy To Acquire Capabilities To Detect Previously Unknown Cyber Attacks
[Pub. L. 112–81, div. A, title IX, § 953], Dec. 31, 2011, [125 Stat. 1550], provided that:“(a)In General.—The Secretary of Defense shall develop and implement a plan to augment the cybersecurity strategy of the Department of Defense through the acquisition of advanced capabilities to discover and isolate penetrations and attacks that were previously unknown and for which signatures have not been developed for incorporation into computer intrusion detection and prevention systems and anti-virus software systems.“(b) Capabilities.—“(1)Nature of capabilities.—The capabilities to be acquired under the plan required by subsection (a) shall—“(A) be adequate to enable well-trained analysts to discover the sophisticated attacks conducted by nation-state adversaries that are categorized as ‘advanced persistent threats’;“(B) be appropriate for—“(i) endpoints or hosts;“(ii) network-level gateways operated by the Defense Information Systems Agency where the Department of Defense network connects to the public Internet; and“(iii) global networks owned and operated by private sector Tier 1 Internet Service Providers;“(C) at the endpoints or hosts, add new discovery capabilities to the Host-Based Security System of the Department, including capabilities such as—“(i) automatic blocking of unauthorized software programs and accepting approved and vetted programs;“(ii) constant monitoring of all key computer attributes, settings, and operations (such as registry keys, operations running in memory, security settings, memory tables, event logs, and files); and“(iii) automatic baselining and remediation of altered computer settings and files;“(D) at the network-level gateways and internal network peering points, include the sustainment and enhancement of a system that is based on full-packet capture, session reconstruction, extended storage, and advanced analytic tools, by—“(i) increasing the number and skill level of the analysts assigned to query stored data, whether by contracting for security services, hiring and training Government personnel, or both; and“(ii) increasing the capacity of the system to handle the rates for data flow through the gateways and the storage requirements specified by the United States Cyber Command; and“(E) include the behavior-based threat detection capabilities of Tier 1 Internet Service Providers and other companies that operate on the global Internet.“(2)Source of capabilities.—The capabilities to be acquired shall, to the maximum extent practicable, be acquired from commercial sources. In making decisions on the procurement of such capabilities from among competing commercial and Government providers, the Secretary shall take into consideration the needs of other departments and agencies of the Federal Government, State and local governments, and critical infrastructure owned and operated by the private sector for unclassified, affordable, and sustainable commercial solutions.“(c)Integration and Management of Discovery Capabilities.—The plan required by subsection (a) shall include mechanisms for improving the standardization, organization, and management of the security information and event management systems that are widely deployed across the Department of Defense to improve the ability of United States Cyber Command to understand and control the status and condition of Department networks, including mechanisms to ensure that the security information and event management systems of the Department receive and correlate data collected and analyses conducted at the host or endpoint, at the network gateways, and by Internet Service Providers in order to discover new attacks reliably and rapidly.“(d)Provision for Capability Demonstrations.—The plan required by subsection (a) shall provide for the conduct of demonstrations, pilot projects, and other tests on cyber test ranges and operational networks in order to determine and verify that the capabilities to be acquired pursuant to the plan are effective, practical, and affordable.“(e)Report.—Not later than April 1, 2012, the Secretary shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the plan required by subsection (a). The report shall set forth the plan and include a comprehensive description of the actions being undertaken by the Department to implement the plan.”
Strategy on Computer Software Assurance
[Pub. L. 111–383, div. A, title IX, § 932], Jan. 7, 2011, [124 Stat. 4335], provided that:“(a)Strategy Required.—The Secretary of Defense shall develop and implement, by not later than October 1, 2011, a strategy for assuring the security of software and software-based applications for all covered systems.“(b)Covered Systems.—For purposes of this section, a covered system is any critical information system or weapon system of the Department of Defense, including the following:“(1) A major system, as that term is defined in [section 2302(5) of title 10], United States Code.“(2) A national security system, as that term is defined in [section 3542(b)(2) of title 44], United States Code.“(3) Any Department of Defense information system categorized as Mission Assurance Category I.“(4) Any Department of Defense information system categorized as Mission Assurance Category II in accordance with Department of Defense Directive 8500.01E.“(c)Elements.—The strategy required by subsection (a) shall include the following:“(1) Policy and regulations on the following:“(A) Software assurance generally.“(B) Contract requirements for software assurance for covered systems in development and production.“(C) Inclusion of software assurance in milestone reviews and milestone approvals.“(D) Rigorous test and evaluation of software assurance in development, acceptance, and operational tests.“(E) Certification and accreditation requirements for software assurance for new systems and for updates for legacy systems, including mechanisms to monitor and enforce reciprocity of certification and accreditation processes among the military departments and Defense Agencies.“(F) Remediation in legacy systems of critical software assurance deficiencies that are defined as critical in accordance with the Application Security Technical Implementation Guide of the Defense Information Systems Agency.“(2) Allocation of adequate facilities and other resources for test and evaluation and certification and accreditation of software to meet applicable requirements for research and development, systems acquisition, and operations.“(3) Mechanisms for protection against compromise of information systems through the supply chain or cyber attack by acquiring and improving automated tools for—“(A) assuring the security of software and software applications during software development;“(B) detecting vulnerabilities during testing of software; and“(C) detecting intrusions during real-time monitoring of software applications.“(4) Mechanisms providing the Department of Defense with the capabilities—“(A) to monitor systems and applications in order to detect and defeat attempts to penetrate or disable such systems and applications; and“(B) to ensure that such monitoring capabilities are integrated into the Department of Defense system of cyber defense-in-depth capabilities.“(5) An update to Committee for National Security Systems Instruction No. 4009, entitled ‘National Information Assurance Glossary’, to include a standard definition for software security assurance.“(6) Either—“(A) mechanisms to ensure that vulnerable Mission Assurance Category III information systems, if penetrated, cannot be used as a foundation for penetration of protected covered systems, and means for assessing the effectiveness of such mechanisms; or“(B) plans to address critical vulnerabilities in Mission Assurance Category III information systems to prevent their use for intrusions of Mission Assurance Category I systems and Mission Assurance Category II systems.“(7) A funding mechanism for remediation of critical software assurance vulnerabilities in legacy systems.“(d)Report.—Not later than October 1, 2011, the Secretary of Defense shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] a report on the strategy required by subsection (a). The report shall include the following:“(1) A description of the current status of the strategy required by subsection (a) and of the implementation of the strategy, including a description of the role of the strategy in the risk management by the Department regarding the supply chain and in operational planning for cyber security.“(2) A description of the risks, if any, that the Department will accept in the strategy due to limitations on funds or other applicable constraints.”
Institute for Defense Computer Security and Information Protection
[Pub. L. 106–398, § 1] [[div. A], title IX, § 921], Oct. 30, 2000, [114 Stat. 1654], 1654A–233, provided that:“(a)Establishment.—The Secretary of Defense shall establish an Institute for Defense Computer Security and Information Protection.“(b)Mission.—The Secretary shall require the institute—“(1) to conduct research and technology development that is relevant to foreseeable computer and network security requirements and information assurance requirements of the Department of Defense with a principal focus on areas not being carried out by other organizations in the private or public sector; and“(2) to facilitate the exchange of information regarding cyberthreats, technology, tools, and other relevant issues.“(c)Contractor Operation.—The Secretary shall enter into a contract with a not-for-profit entity, or a consortium of not-for-profit entities, to organize and operate the institute. The Secretary shall use competitive procedures for the selection of the contractor to the extent determined necessary by the Secretary.“(d)Funding.—Of the amount authorized to be appropriated by section 301(5) [[114 Stat. 1654]A–52], $5,000,000 shall be available for the Institute for Defense Computer Security and Information Protection.“(e)Report.—Not later than April 1, 2001, the Secretary shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] the Secretary’s plan for implementing this section.”