Last week, members of the US House of Representatives and Senate reconciled their versions of the annual must-pass National Defense Authorization Act (NDAA). Each year the NDAA contains a wealth of primarily military cybersecurity provisions, delivering hundreds of millions, if not billions, in new cybersecurity funding to the federal government. This year’s bill is no exception.
Titled the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, the legislation clocks in at over 4,408 pages. The entire package is worth $858 billion, an increase of 10.3%, or $80.4 billion, over FY2022 NDAA’s topline with a good chunk of that amount going to cybersecurity efforts.
After the bill’s passage, Representative Rep. Bennie G. Thompson (D-MS), chairman of the Committee on Homeland Security, said, “With respect to cybersecurity, I am pleased that we were able to reach an agreement on bipartisan provisions that originated in the Committee on Homeland Security. They include Congresswoman Slotkin’s legislation to reauthorize the Secret Service’s National Computer Forensics Institute, Congresswoman Luria’s bill to authorize DHS’s President’s Cup Cybersecurity Competition, and legislation authored by Congressman Swalwell aimed at improving DHS’s cybersecurity training to protect industrial control systems.”
Dozens of new military cybersecurity provisions
In addition to the provisions cited by Thompson, the bill contains dozens of other subtitles and subsections that deal strictly with cybersecurity. Among the notable military-related cyber provisions in the bill are the following:
- Increased funding for US Cyber Command’s (Cybercom’s) Hunt Forward Operations. The NDAA authorizes an increase of $44.1 million to support Cybercom’s Hunt Forward Operations. Late last month, Cybercom made public for the first time that it conducted hunt-forward operations alongside Ukrainian Cyber Command personnel from December 2021 to March 2022. The military intelligence arm contends that hunt-forward operations are purely defensive activities and operations are informed by intelligence. Last year Cybercom said it conducted “well over” 24 hunt-forward operations in 14 countries, during which it discovered approximately 30 new pieces of malware, which it shared with US partners.
- Increased funding for Cyber Mission Force operational support. The legislation authorizes an increase of $168 million for Cyber Mission Force operational support, including intelligence support to cyberspace operations.
- Management and oversight of Joint Cyber Warfighting Architecture. The NDAA Authorizes an increase of $56.4 million for Cybercom’s Joint Cyber Warfighting Architecture (JCWA) development. The JCWA is an “overarching vision” that helps synchronize existing cyberspace operations systems and integrate new ones.
- FedRAMP Authorization Act. The bill includes a provision to codify into law and update the Federal Risk and Authorization Management Program (FedRAMP). The FedRAMP program is operated by the General Services Administration (GSA) to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal government agencies.
- Protection of critical infrastructure. This provision enhances the military’s ability to step to conduct actions in defense of attacks on critical infrastructure. It states that if “the President determines that there is an active, systematic, and ongoing campaign of attacks in cyberspace by a foreign power against the Government or the critical infrastructure of the United States,” the President may authorize the secretary of defense, acting through the commander of Cybercom, to conduct military cyber activities or operations pursuant to existing statutory war powers in foreign cyberspace to deter, safeguard, or defend against such attacks.
- Five-year AI roadmap for warfighter cyber missions. The NDAA requires a five-year roadmap and implementation plan for rapidly adopting artificial intelligence applications to the warfighter cyber missions within the DOD. The roadmap includes 13 detailed steps for accomplishing this goal, starting with identifying and prioritizing artificial intelligence systems, applications, data identification, and processing to cyber missions within the department.
- Election security and threats report. The legislation directs a biennial, unclassified report to be produced through the 2032 election cycle on Cybercom’s efforts to ensure election security and counter election threats.
- Pilot program to share cyber capabilities with foreign partners. The NDAA establishes a pilot program to allow the secretary of defense to share cyber capabilities with operational foreign partners. Under the bill, the secretary of defense, with the concurrence of the secretary of state, will draw up a list of countries suitable for cyber capabilities sharing and the criteria under which the information will be shared.
- Annual briefing on the relationship between the National Security Agency (NSA) and Cybercom. The bill stipulates that starting on March 1, 2023, and every year after that, the secretary of defense must brief the congressional defense committees on the relationship between the NSA and Cybercom. Since the inception of Cybercom in 2010, NSA and Cybercom, the same director has led both government organizations in a “dual-hatted” arrangement. Experts and officials have periodically suggested that NSA and Cybercom each have their own leadership.
- Requirement to provide cyber protection support for intelligence community personnel in positions highly vulnerable to cyberattack. The section of the bill takes the Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020 and makes mandatory the provisions of that Act to provide cyber protection to vulnerable intelligence community personnel mandatory.
- Proactive cybersecurity. This NDAA section requires the CIO of the Intelligence Community to conduct a yearly survey of each element of the intelligence community on the use of proactive cybersecurity initiatives, continuous activity security testing, and active defense techniques.
- Study of cybersecurity threats posed by foreign manufactured cranes at US ports. Under this section of the bill, the maritime administrator, in consultation with the secretary of Homeland Security, the secretary of defense, and the director of the Cybersecurity and Infrastructure Security Agency (CISA), is required to conduct a study to assess whether there are cybersecurity or national security threats posed by foreign manufactured cranes at United States ports. The report is due to congressional leaders no later than one year after the NDAA’s enactment.
Although most of the cybersecurity provisions in the NDAA are related directly to military operations, some are not. Prominent among the non-military sections of the bill is the codification of the State Department’s Bureau of Cyberspace and Digital Policy, which is currently headed by the recently inaugurated Ambassador Nate Fink.
Cybersecurity provisions missing from the NDAA.
Some anticipated NDAA provisions were dropped in the reconciliation between the House and Senate versions of the legislation. Chief among the provisions that didn’t make the cut is one that was intended to establish a five-year term for the director of CISA, which was included in the House-passed version of the bill.
The final bill also excluded a provision from Representative Ritchie Torres (D-NY) that would have required DHS’s Cyber Safety Review Board (CSRB) to analyze the SolarWinds breach. Although a White House executive order instructed the CSFB to start its work by analyzing that incident, the board opted to study the Log4j vulnerability instead.
Finally, following pressure from trade sector groups, another provision dropped from the bill was a requirement that vendors provide a software bill of materials (SBOM) on the technology they offer government agencies. That provision was contained in the Senate version of the bill but was removed from the final bill as lawmakers yielded to private sector arguments that more time is needed to develop solutions that will better secure the country’s cybersecurity supply chain.
A Senate vote on the bipartisan reconciliation bill is scheduled for this week. After that, the bill heads to President Biden's desk for his signature.
Gloss