Skip to main content
The Army Lawyer | Issue 4 2022View PDF

What’s It Like? Mastery of Cyber Law

Written By
Hannah Zeigler
Tags
2024-01-24
Fortitude Hall, the headquarters of U.S. Army Cyber Command in Fort Gordon, GA. (Photo courtesy of authors)

Fortitude Hall, the headquarters of U.S. Army Cyber Command in Fort Gordon, GA. (Photo courtesy of authors)

What’s It Like?

Mastery of Cyber Law

Maneuvering Through Cyberspace

By Major Vivek “Frank” M. Shah & Captain Trevor W. Waliszewski

You have just begun an assignment as a cyber law attorney with no experience in the field. Bombarded with new terminology, to include a volume of acronyms, your trepidation propels you into a spiral of confusion over all the nuances of cyberspace. Then you step back and take a breath. In a moment of stillness, you realize that this is national security law (NSL), just like what you have practiced in the past. The analysis is the same, the concepts are the same, and the unfamiliar issues are just different flavors of the same pie. With renewed enthusiasm, you begin the journey of mastery of the law.

As a component of NSL, cyberspace law maneuvers through an environment that evolves constantly. This creates pressure for the attorney to remain agile and disciplined to appreciate the nuances and adjust as the mission develops. Mastery of the law “forms through experience, training, and intensive, lifelong learning and professional development.”1The learning begins with a big-picture overview of the fundamentals to shape the experience. To support this journey toward mastery, this article provides an overview of the fundamentals of legal practice in cyberspace operations.

Like any other type of NSL, before you begin an assignment as an Army cyber law attorney, you must understand the mission, the authority, and the multidisciplinary aspects. To set the conditions for future victory, you must have the perspective to appreciate how the attack affects legal disciplines alongside NSL, such as contract and fiscal law.

There are three cyberspace mission types; they each have different objectives and involve different organizations. These missions are Department of Defense information network (DoDIN) operations, defensive cyberspace operations (DCO), and offensive cyberspace operations (OCO).2 Once you have identified the mission, you need to understand the authority to perform that mission. There are multiple possible authorities, but they begin with the U.S. Constitution and end with operation orders.

Finally, the multidisciplinary approach requires you to recognize the interplay between NSL and contract and fiscal law. Contract and fiscal law is a critical component of NSL. The military cannot achieve its missions or protect national security interests without the acquisition process. However, the full and open competition requirements in the Federal Acquisition Regulation3 may affect the speed with which the military can deploy a particular cyber capability.

Mission

The first thing a cyber law attorney has to consider is the mission. The commander of U.S. Cyber Command “is the coordinating authority for global [cyberspace operations].”4 Therefore, to understand the cyber mission, you must first look to the joint publications to understand the doctrinal definition of cyberspace. Cyberspace is:

a global domain within the information environment (IE) that consists of the interdependent network of information technology (IT) infrastructures and resident data. It includes the internet, telecommunications networks, computer systems, and embedded processors and controllers. Cyberspace operations (CO) are the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.5

Put simply, cyberspace is the digital world, and cyberspace operations are the method through which the military achieves its cyberspace objectives.

The three CO missions are separate and distinct, but an operation in one aspect of CO can quickly transition into another. For example, a DoDIN operations mission can turn into a DCO mission based on a particular threat to the network. Therefore, you must be able to discern the mission at the outset and pay close attention to it as it develops.

Department of Defense information network operations include operational actions taken “to secure, configure, operate, extend, maintain, and sustain DoD cyberspace to create and preserve the confidentiality, availability, and integrity of the DoDIN.”6 These operations are focused on protecting the DoD network and ensuring all our equipment functions. They “are network focused and threat-agnostic,”7 which means the operations do not focus on a specific threat. Rather, the operations exist to protect the network from any vulnerabilities. This includes anything from antivirus software to log-in verifications.

Defensive cyberspace operations missions protect the DoDIN by “defeating on-going or imminent malicious cyberspace activity.”8 While DoDIN operations are threat-agnostic, DCO missions go after specific threats with “the goal . . . to defeat the threat of a specific adversary and/or to return a compromised network to a secure and functional state.”9 Defensive cyberspace operations missions employ internal defensive measures (DCO-IDM), including “risk- and intelligence-driven internal threat hunting for advanced and/or persistent threats, as well as the active internal countermeasures and responses to eliminate and mitigate these threats.”10

Offensive cyberspace operations missions “project power in and through cyberspace.”11 They are maneuvers in “gray and red cyberspace through actions taken in support of [combatant commander] or national objectives.”12 These missions include “target[ing] enemy cyberspace functions” and require careful analysis on “scope, [rules of engagement], and measurable objectives.”13

Cyberspace is a global domain. (Photo courtesy of authors)

Cyberspace is a global domain. (Photo courtesy of authors)

Authority

The next thing a cyber law attorney needs to consider is the authority they are relying on. Any authority for the U.S. military to operate, whether in cyberspace or in other domains, must originate from the U.S. Constitution. Article II gives the President “broad constitutional authority to protect the Nation’s security in the manner he deems fit.”14 That authority derives from the executive power under Article II, Section 1; the designation as “Commander in Chief” under Article II, Section 2; and the power to recognize foreign governments under Art. II, Section 3.15 Within this wide grant of constitutional powers, a substantial subset are known as the President’s military powers, which have long been understood to exist “in time of peace as well as in time of war.”16 Under these powers, the President holds wide discretion “to dispose of troops and equipment,” to “carry[] out maneuvers or training, or the preparation of fortifications, or the instruction of others in matters of defense,” and to deploy forces “either on missions of good will or rescue, or for the purpose of protecting American lives or property or American interests.”17

Congressional authorizations further enhance the President’s already expansive Article II powers to conduct operations in cyberspace.18 For example, Congress recognizes executive branch authority to conduct “military activities or operations in cyberspace” outside the context of armed conflict, affirming that even clandestine operations and activities in cyberspace are traditional military activities and are excepted from the Covert Action Statute.19 Similarly, Congress codified the “principal mission” of U.S. Cyber Command, which “is to direct, synchronize, and coordinate military cyberspace planning and operations to defend and advance national interests in collaboration with domestic and international partners.”20 In sum, legislative and executive sources, read together, point to an expansive view of Presidential authority to employ the military throughout cyberspace.

Cybersecurity responsibilities may lie outside of the DoD. (Photo courtesy of authors)

Cybersecurity responsibilities may lie outside of the DoD. (Photo courtesy of authors)

Because of the President’s expansive power in this domain, practicing cyber law in the U.S. Armed Forces often involves ensuring that a particular cyberspace action nests entirely within a clear and unbroken line of executive authority. Even if the President could take a particular action in cyberspace, it does not necessarily mean that the commander you are advising can. At the onset, most of the executive branch’s cyberspace authorities and responsibilities lie outside of the DoD. For example, the Cybersecurity & Infrastructure Security Agency within the Department of Homeland Security has primary responsibility for securing and defending the “dot gov” portions of cyberspace and for coordinating the cybersecurity efforts of government and industry.21 The Federal Bureau of Investigation retains primary responsibility to investigate cyberspace criminal activity in the United States.22 Even (and perhaps especially) in a time of cyber crisis, it is important for legal practitioners to take a step back and consider whether another agency is better situated to take a proposed action, as well as whether the proposed action might interfere with the rights—or foster abdication of the responsibilities—of private actors. As a hierarchical organization, rights and responsibilities within the DoD follow the chain of command.

Legal practitioners must understand the DoD operational chain of command to advise on cyberspace operations. The DoD has eleven combatant commands.23 Pursuant to the Goldwater-Nichols Department of Defense Reorganization Act of 1986 (known as the Goldwater-Nichols Act), the chain of command runs from the President through the Secretary of Defense to the combatant commanders.24 Particularly in cyberspace operations, legal practitioners need to appreciate this structure to understand the legal limitations on their respective service headquarters.

The services have no operational authority; they “organize[], train[], educate[], man[], fund[], administer[], and sustain[] assigned Army forces.”25 The services provide forces to combatant commands, by order of the Secretary of Defense. Through a laborious, and sometimes contentious process, the Secretary assigns or allocates forces from the services to the combatant commands through global force management (GFM).26 In layman’s terms, GFM is like a board in a game, where the Secretary of Defense moves troops about according to national security interests. The combatant commanders, therefore, have expansive authority over the forces in their formation. Practically speaking, this means if Army Cyber Command provides forces to a combatant commander to support a mission, the Army may lose the ability to control how the combatant commander employs those forces.

Each service component has established a Joint Forces Headquarters-Cyber (JFHQ-C) under CYBERCOM. On an annual basis, and after coordination with the other combatant commands, the Secretary of Defense approves CYBERCOM’s proposed alignment of cyber forces,27 typically resulting in JFHQ-C support relationships with specific combatant commands.28 The commanders of the JFHQ-C “analyze, plan, and execute CO missions in support of the [combatant commanders].”29 For example, an Air Force commander leads JFHQ-C (Air Force), and supports a designated list of combatant commands.30 When the Army provides Soldiers to JFHQ-C (Air Force), the Army commander loses control over the Soldiers. Legal practitioners need to appreciate the joint nature of cyberspace operations and how GFM changes operational control over allocated or assigned forces.

In addition to DoD’s management of force allocation and assignment, the Goldwater-Nichols Act affects another aspect of CO. Directive authority for cyberspace operations (DACO) is an important CO authority that CYBERCOM delegated to certain assigned forces, including the service cyber component commanders. Directive authority for cyberspace operations is the authority to issue orders and directives to all DoD components to execute global DoDIN operations and DCO-IDM. 31 These directives and orders are meant to compel unity of action to secure, operate, and defend the DoDIN. Established DACO applies only to DoDIN operations and DCO-IDM, and it is limited to actions taken on the DoDIN.32 Examples of actions that could be taken pursuant to DACO include mandating security upgrades, configuration changes and immediate patches to systems, or blocking network traffic to stop malware beaconing out from infected devices.33 The most visible and consequential execution of DACO is when an authorized commander quarantines or removes devices or entire portions of the network from the DoDIN to protect the network.

On a morning when it takes longer than usual to log in to your Government computer, it is possible that the delay was caused by an action executed for the good of the entire DoDIN pursuant to DACO, which a judge advocate (or two) meticulously reviewed.

A commander with DACO can direct actions to protect DoDIN networks that have visible impacts on other Army commands. On a morning when it takes longer than usual to log in to your Government computer, it is possible that the delay was caused by an action executed for the good of the entire DoDIN pursuant to DACO, which a judge advocate (or two) meticulously reviewed.34 Or it could just be a “PC Load Letter” glitch.35 Sometimes computers are just infuriating!

Given DACO’s ramifications on external organizations and ongoing operations, legal practitioners advising on DACO need to focus on whether the proposed action fits within DoDIN operations or DCO-IDM, and whether the effects are localized entirely on the DoDIN. And no, DACO does not empower leaders to direct another unit’s Soldiers to cut the sergeant major’s grass (just in case you were asking for a friend).

Even though DACO flows from the Secretary of Defense through commander, USCYBERCOM, it can, and should, be implemented in coordination with the services. Accordingly, the Army has reinforced DACO’s significance by instructing compliance from “all [Army commands], [Army service component commands], [direct reporting units], [program executive office]/program managers, and other Army forces/elements.”36 Additionally, DACO does not extend to equipping activities of the services that primarily occur up to the point where the device is plugged in. These activities are often referred to as authorization to operate.37 Finally, DACO is distinct from, but often is used to fulfil, the responsibilities of a cybersecurity service provider (CSSP).38 Cybersecurity includes activities that overlap with both security actions of DoDIN operations and defense actions of DCO-IDM,39 and includes actions upon which the authorization to operate is contingent (for example, when authorization is contingent on keeping the system patched and up to date).

In a conflict between actions necessary to comply with the authorization to operate and an exercise of DACO, DACO trumps. Just as any commander in the field can override scheduled maintenance on a tank that they need immediately for operations, a commander with DACO may need to prioritize an action for the good of the entire DoDIN.

When taking other actions in cyberspace, whether defending outside the DoDIN in time of crisis or delivering effects as part of an OCO operation, a legal practitioner will need to confirm that the action falls under a line of authority traceable to the President, any necessary prerequisites or conditions are met, and that all accompanying processes have been followed.

Fortitude Hall, the headquarters of U.S. Army Cyber Command, fosters a highly collaborative work environment for high-tech professionals with state-of-the-art audio and video workstations, video teleconference rooms, and small group meeting spaces throughout its open-concept work centers. (Photo courtesy of authors)

Fortitude Hall, the headquarters of U.S. Army Cyber Command, fosters a highly collaborative work environment for high-tech professionals with state-of-the-art audio and video workstations, video teleconference rooms, and small group meeting spaces throughout its open-concept work centers. (Photo courtesy of authors)

Multidisciplinary

The third consideration legal practitioners in cyber need to understand is the interplay between national security law and contract and fiscal law. While there has long been an interplay between the two disciplines,40 the nature of cyberspace, where a piece of information technology might be deployed instantaneously upon delivery, has intensified these interdependencies. Issues range from full and open competition in classified operations, implications of when an acquisition deviates from its original use, and contractual issues related to cloud-based services.

With limited exceptions, the U.S. Government “promote[s] and provide[s] for full and open competition in soliciting offers and awarding Government contracts.”41 This policy seeks to eliminate nepotism and corruption and attempts to ensure all qualified companies and individuals can compete for a Government contract. However, in the interests of national security, some acquisitions require protection due to the classified nature of a project or operation. The issue arises of ensuring full and open competition while also protecting the sensitive nature of operational information.

The DoD uses alternative compensatory control measures (ACCM) “to safeguard sensitive intelligence or operations and support information . . . when normal measures are insufficient to achieve strict need-to-know controls, and where [special access program] controls are not required.”42 Pursuant to Army Regulation 380-381, “ACCMs are not authorized to protect acquisition programs.”43 However, the DoD guidance is more nuanced. It prohibits ACCM use “for acquisition programs or activities progressing through the acquisition process.”44 The DoD defines an acquisition program as “[a] directed, funded effort that provides a new, improved, or continuing materiel, weapon, information system, or service capability in response to an approved need.”45

The legal practitioner will have to analyze where the program or activity falls in the acquisition process. For example, if the Army intends to use a capability that another agency already has, the Army can protect access to that program with an ACCM since the acquisition process has ended. However, the legal practitioner should scrutinize whether the Army intends to improve the existing product or just tailor it to serve the Army’s operational needs. Depending on what the Army does, it might trigger the ACCM prohibition. This can get quite complicated when dealing with software because the addition of several thousand lines of code could improve an information or weapon system, or it could simply adjust the scope to fit the Army’s needs from how another agency used the same software. The legal practitioner should lean on the technical experts in the requiring activity to articulate any changes to the program in a way that a layperson would understand.

Another exception to full and open competition includes a situation where “the disclosure of the agency’s needs would compromise the national security unless the agency is permitted to limit the number of sources from which it solicits bids or proposals.”46 The Government cannot use the national security exception at will. Rather, it must support the need for limiting disclosure using the justification and approval process.47 For FAR-based contracts, the NSL practitioner needs to ensure the requiring activity provides an adequate justification, and not a generic statement citing a vague need to protect national security information.

Just as NSL may shape how the command can meet a requirement, the funding stream or acquisition method might constrain an operational commander’s freedom of maneuver. Legal practitioners need the awareness to identify when this might occur. For example, when the Army purchases information technology out of the operations and maintenance appropriation, the funding stream likely prevents use of that technology for certain types of test and evaluation activity.48 Instead, those activities should be funded out of the research, development, test, and evaluation appropriation.49 This is true no matter how badly the commander might need to expand the current performance envelope of existing information technology to achieve a near-term objective. The legal practitioner should therefore analyze an acquisition’s purpose with the foresight to understand potential national security uses for the technology.50

Additionally, NSL practitioners may need to note contract law controls and mitigations to ensure that service contracts comply with the FAR. This includes processes that ensure contractors do not perform inherently governmental functions, such as “the direction and control of intelligence and counter-intelligence operations.”51 In addition to the prohibition on contracting inherently governmental services,52 there are stringent limitations on contracting for services closely associated with inherently governmental functions.53

Within the Army, leveraging the contracting authority of a servicing activity such as the Army Contracting Command or the General Services Agency does not relieve your command, as the requiring activity, of its share of responsibility for how that contract gets implemented. For example, decisions to contract for services closely associated with inherently governmental functions should be made cautiously by the requiring activity at the appropriate level.54 Army leaders justify their decisions using the request for service contract approval form.55 During ongoing operations, legal practitioners should be cognizant of the scope of the relevant request for service contract approval and any corresponding controls or limitations.

Finally, as demand for cloud services increases throughout the DoD,56 subparts of the Federal Acquisition Regulation and its supplements will become increasingly important to operational commanders. Department guidance defines the DoDIN broadly to include information technology that is “operated by or on behalf of,”57 or “leased” by,58 the DoD. This includes leveraging certain software, platforms, or infrastructure, which is drawn from a shared pool of configurable computing resources and allocated to the DoD based on time-bound demands, as part of what is commonly understood to be the “cloud.” In such situations, contract clauses may govern the contours of what information is available to the commander in time of crisis,59 and what access that commander might have to compromised equipment.60

Additionally, a vendor might have a different understanding of what triggers a reporting requirement.61 Or, it may have a different characterization of what pieces of equipment were used to fulfill a DoD contract, especially if, as can be the case, a given piece of equipment only spent a few milliseconds fulfilling the requirement.62 By necessity, a commander’s area of interest, including all avenues of approach onto the DoDIN, will constitute a far greater portion of cyberspace than their area of operations, the boundaries of which may be shaped by contract. A thorough understanding of all NSL issues arising out of cloud migration is well beyond the scope of this article, but legal practitioners need to be able to recognize when to look to a contract, or more likely coordinate with the contracting office, while advising on NSL in cyberspace.

Conclusion

Although CO present unique challenges to the practice of NSL, at the root of all operations lie the constants of mission and authority. Legal practitioners should approach cyber law the same as any other area of NSL and conduct legal reviews with the patience to track the authorities. Sometimes, the authority to conduct a mission is limited by geographic areas of responsibility, and sometimes it is limited through Presidential policy. Additionally, a commander might have the capability to perform an action in their area of operations but has not been given a mission to conduct it. Furthermore, contract and fiscal law attorneys working in an operational command should also consider national security implications when reviewing acquisitions. The big picture overview, therefore, begins with mission and authority and ends with a multidisciplinary approach that hinges on mental agility. This mental agility will ensure that legal practitioners approach their mastery of cyberspace law holistically, which will ultimately make them better command advisors. TAL

MAJ Shah is the Chief of National Security Law at Army Cyber Command at Fort Gordon, Georgia.

CPT Waliszewski is a contract and fiscal law attorney at Army Cyber Command at Fort Gordon, Georgia.

Notes

1. U.S. Army Judge Advoc. Gen.’s Corps, U.S. Army JAG Corps Four Constants (n.d.), https://www.jagcnet.army.mil/Sites/JAGC.nsf/0/46DCA0CA1EE75266852586C5004A681F/$File/US%20Army%20JAG%20Corps%20Four%20Constants%20Smart%20Card.pdf.

2. Joint Chiefs of Staff, Joint Pub. 3-12, Cyberspace Operations ch. II, para. 2(a) (19 Dec. 2022) [hereinafter JP 3-12].

3. FAR § 6.101(a) (2023) (“[C]ontracting officers shall promote and provide for full and open competition in soliciting offers and awarding Government contracts.”).

4. Joint Chiefs of Staff, Joint Pub. 3-04, Information in Joint Operations ch. III, para. 3(f)(2) (14 Sept. 2022); see also 10 U.S.C. § 167b.

5. JP 3-12, supra note 2, ch. I, para. 1(a).

6. JP 3-12, supra note 2, ch. II, para. 2(b)(1).

7. JP 3-12, supra note 2, ch. II, para. 2(b)(1).

8. JP 3-12, supra note 2, Glossary (defining “defensive cyberspace operations”).

9. JP 3-12, supra note 2, ch. II, para. 2(b)(2).

10. JP 3-12, supra note 2, ch. II, para. 2(b)(2)(a). Doctrinally, defensive cyberspace operations internal defensive measures (DCO-IDM) on the Department of Defense information network (DoDIN) is only a subset of possible DCO missions. Defensive cyberspace operations could also include defense of non-DoD cyberspace and/or DCO response actions (DCO-RA) external to the defended network. Each of these missions have legal implications beyond the scope of this article, and often implicate the resources and responsibilities of “other [United States Government] departments and agencies, private-sector entities, and [partner nations].” JP 3-12, supra note 2, ch. II, para. 2(b)(2)(c). When this article discusses DCO, it will focus on DCO-IDM on the DoDIN.

11. JP 3-12, supra note 2, Glossary (defining “offensive cyberspace operations”).

12. JP 3-12, supra note 2, ch. II, para. 2(b)(3). “Red cyberspace” encompasses “those portions of cyberspace owned or controlled by, or on behalf of, an adversary or enemy.” “Blue cyberspace” encompasses “areas in cyberspace owned or controlled by the United States Government [USG] or a [U.S.] person” as well as any “other areas of cyberspace DoD is ordered to protect.” “Gray cyberspace” is the rest of cyberspace that is neither “blue” nor “red.” JP 3-12, supra note 2, ch. I, para. 2(c).

13. JP 3-12, supra note 2, ch. II, para. 2(b)(3).

14. Hamdan v. Rumsfeld, 548 U.S. 557, 679 (2006) (Thomas, J., dissenting) (citing Prize Cases, 67 U.S. 635, 668 (1863) and Fleming v. Page, 50 U.S. 603, 625 (1850)).

15. Id.

16. Training of British Flying Students in the United States, 40 Op. Att’y Gen. 58, 61 (Jackson, A.G.) (1941).

17. Id. at 62.

18. See Paul C. Ney, Jr., DoD General Counsel Remarks at U.S. Cyber Command Legal Conference, U.S. Dep’t of Def. (Mar. 2, 2020), https://www.defense.gov/News/Speeches/speech/article/2099378/dod-general-counsel-remarks-at-us-cyber-command-legal-conference.

19. 10 U.S.C. § 394; see also Major Laura B. West, The Rise of the Fifth Fight in Cyberspace: A New Legal Framework and Implications for Great Power Competition, 229 Mil. L. Rev. 273 (2021).

20. 10 U.S.C. § 167b(a)(2).

21. 6 U.S.C. § 652.

22. See Christopher Wray, CISA Cybersecurity Summit: Addressing Threats Through Partnerships, Fed. Bureau of Investigations, https://www.fbi.gov/news/speeches/cisa-cybersecurity-summit-addressing-threats-through-partnerships (last visited Apr. 24, 2023).

23. See Combatant Commands, Dep’t of Def., https://www.defense.gov/About/combatant-commands (last visited Apr. 11, 2023).

24. Goldwater-Nichols Department of Defense Reorganization Act of 1986, Pub. L. No. 99-433, § 211, 100 Stat. 992, 1012 (Oct. 1, 1986).

25. U.S. Dep’t of Army, Reg. 10-87, Army Commands, Army Service Component Commands, and Direct Reporting Units para. 14-2(b)(5) (11 Dec. 2017) [hereinafter AR 10-87].

26. See Chairman, Joint Chiefs of Staff, Instr. 3100.01E, Joint Strategic Planning System encl. G (21 May 2021).

27. See JP 3-12, supra note 2, ch. III, para. 3(e)(11).

28. See JP 3-12, supra note 2, ch. IV, para. 5(d)(2)(c).

29. JP 3-12, supra note 2, ch. III, para. 3(e)(17)(d).

30. R.J. Biermann, AFCYBER Airmen Reach ‘Firsts’ in Global Exercises, Joint Base San Antonio (Apr. 16, 2019), https://www.jbsa.mil/News/News/Article/1815331/afcyber-airmen-reach-firsts-in-global-exercises.

31. U.S. Dep’t of Def., Instr. 8530.01, Cybersecurity Activities Support to DoD Information Network Operations Glossary at 44 (7 Mar. 2016) (C1, 25 July 2017) [hereinafter DoDI 8530.01] (defining “DACO”).

32. See JP 3-12, supra note 2, ch. III, para. 2(b) (referencing Chairman of the Joint Chief of Staff’s execute-order establishment of directive authority for cyberspace operations for the protection of the DoDIN).

33. See JP 3-12, supra note 2, ch. II, paras. 2(c)(2), 2(d).

34. For a commercial-sector perspective on the difficulty in balancing the need to keep information technology available and user-friendly with the imperative to keep it patched and secure, see Steven J. Vaughan-Nichols, To Patch or Not to Patch: That is the Question, Computerworld (July 13, 2021, 4:00 AM), https://www.computerworld.com/article/3624584/to-patch-or-not-to-patch-that-is-the-question.html.

35. See Office Space (Twentieth Century Fox 1999).

36. AR 10-87, supra note 25, para. 14-3(c)(2)(a).

37. U.S. Dep’t of Army, Reg. 25-2, Army Cybersecurity para. 2-1(a)(3) (4 Apr. 2019).

38. See JP 3-12, supra note 2, ch. II, para. 2(e)(1). Services can assign cybersecurity service provider responsibility in a manner that aligns with joint-operational authorities. E.g., U.S. Dep’t of Army, Reg. 25-1, Army Information Technology para. 2-27(b)(5) (15 July 2019).

39. See JP 3-12, supra note 2, ch II, paras. 2(c)(2)-(3).

40. See, e.g., Training of British Flying Students in the United States, 40 Op. Att’y Gen. 58, 59 (reserving questions of fiscal law while asserting that presidential authority extends to the training of British pilots).

41. FAR 6.101(a) (2023); see also 10 U.S.C. § 2304; 41 U.S.C. § 3301.

42. U.S. Dep’t of Army, Reg. 380-381, Special Access Programs (SAPs) and Sensitive Activities Glossary at 83 (21 Apr. 2004) [hereinafter AR 380-381] (defining “alternative compensatory control measures”).

43. Id. para. 1-4(b).

44. U.S. Dep’t of Def., 5200.01, DoD Information Security Program: Protection of Classified Information, vol. 3, encl. 2, para. 18(c)(3), (24 Feb. 2012) (C2, 19 Mar. 2013).

45. DAU Glossary, DAU, https://www.dau.edu/glossary/Pages/Glossary.aspx (last visited Apr. 27, 2023) (defining “acquisition program”).

46. FAR 6.302-6(a)(2) (2023).

47. FAR 6.302-6(c)(1) (2023); see also FAR 6.303, 6.304.

48. See U.S. Dep’t of Def., 7000.14-R, DoD Financial Management Regulation vol. 2A, ch. 01, para. 2.1.3.3 (Oct. 2008) [hereinafter DoD FMR].

49. See id. para. 2.12.2.3.

50. See generally Contract Fiscal Actions Div., Off. of the Staff Judge Advoc., Funding Determinations for Army IT Acquisitions, 2019 Army Law., no. 5, 2019, at 37.

51. FAR 7.503(c)(8) (2023).

52. FAR 7.503(c) (2023).

53. FAR 7.503(d) (2023).

54. See AFARS 5107.503(e)(i) (Mar. 1, 2023).

55. AFARS 5107.503(e)(ii) (Mar. 1, 2023); see also U.S. Dep’t of Army, Reg. 70-13, Management and Oversight of Service Acquisitions, paras. 2-2, 2-9 (30 July 2010).

56. See U.S. Gov’t Accountability Off., GAO-22-104070, Cloud Computing: DOD Needs to Improve Workforce Planning and Software Application Modernization 14 (2022).

57. DoDI 8530.01, supra note 31, para. 2(c).

58. JP 3-12, supra note 2, ch I, para. 2(d).

59. E.g., DFARS 252.239-7010(d)-(h) (Mar. 2023).

60. E.g., DFARS 252.239-7010(i) (Mar. 2023).

61. For example, see Press Release, U.S. Att’ys Off., N. Dist. of Cal., Former Chief Security Officer of Uber Convicted of Federal Charges for Covering up Data Breach Involving Millions of Uber User Records (Oct. 5, 2022), https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach (“The evidence demonstrated that, shortly after learning the extent of the 2016 breach and rather than reporting it [to the relevant government agency or to the users concerned], Sullivan executed a scheme to prevent any knowledge of the breach from reaching [the government agency].”).

62. For an example of a commercial cloud service measured, in part, by execution time as rounded to the nearest millisecond, see AWS Lambda Pricing: A Simple Guide to Your Lambda Costs, CLOUDZERO (Mar. 10, 2023), https://www.cloudzero.com/blog/lambda-pricing.