Congress Elevates Defense CYBERCOM to Full Combatant Command

Both chambers resolved differences in their respective versions of the fiscal year (FY) 2017 National Defense Authorization Act (NDAA). The resulting conference report was approved by the House on December 2 by a margin of 375 to 34 and by the Senate on December 8 with a vote of 92 to 7. The bill is expected to be signed by the President Obama.

The yearly NDAA traditionally has major impacts to the direction, operations and funding of the Department of Defense (DoD) and this year’s bill is no exception, especially when it comes to the evolution of DoD cyber operations.  

Specifically, the bill elevates CYBERCOM to a full unified combatant command, up from a sub-unified command beneath the U.S. Strategic Command where it has resided since its inception.

In a move that has been debated and weighted, Congress is raising the profile of CYBERCOM in an ongoing effort to press the Pentagon to take a more active role deterring increasingly-aggressive cyber actions by well-known adversaries like Russia, China, North Korea, Iran, and others.

The legislative language emphasizes that the principal function of the command is to “prepare cyber operations forces to carry out assigned missions,” which includes “all active and reserve cyber operations forces of the armed forces stationed in the United States.”

The commander of CYBERCOM is ultimately responsible for ensuring the combat readiness of DoD cyber forces and maintaining CYBERCOM’s the preparedness to carry out assigned missions. In addition to operational oversight, the commander is tasked with developing strategy, doctrine, and tactics; budget preparation and expenditure; force training and development; and intelligence support. Congress requires that the commander hold the rank of general or admiral, depending on their service branch.

Following the support of strong advocates like Sen. John McCain (R-AZ), the FY 2017 NDAA retains the dual-hatted leadership whereby the commander of CYBERCOM also serves as director of the National Security Agency (NSA), a leadership structure has been in place since CYBERCOM’s creation in 2010.  The bill puts conditions in place before the Secretary of Defense could split CYBERCOM from the NSA, which include certifying to the congressional armed services committees that CYBERCOM's operational infrastructure, command and control systems, tools and weapons, and staff development have all reached full operational capability (FOC), a status currently scheduled for 2018.