Federal IT Impacts Within the FY 2018 NDAA

Published: November 30, 2017

CybersecurityDEFENSEIT WorkforceNational Defense Authorization Act

The U.S. Senate and House of Representatives have sent to President Trump a final National Defense Authorization Act (NDAA) for fiscal year (FY) 2018.

The Hill recently reported that Congress has authorized $692.1 billion in spending within this annual defense policy bill, made up of $626.4 billion for the base defense budget and $65.7 billion for Overseas Contingency Operations (OCO), or war funding. Final spending figures will not be settled until Congress passes an actual Department of Defense (DoD) appropriations bill, which is still in the works. However, the meat of where the DoD will be focusing their efforts in the current fiscal year (and, in some cases, beyond) is contained in the NDAA Conference Report, which passed both chambers of Congress and is awaiting signature by the president.

What makes the annual NDAA an important bill to watch and relevant to the federal IT landscape is that Congress customarily uses the bill to set some direction for information technology (IT) policy and acquisitions at the DoD as well as for the rest of the federal departments and agencies.

As is representative of recent previous NDAAs, the FY 2018 bill impacts DoD and overall federal IT in several areas. Some of the more noteworthy elements include:

  • Elevates the DoD CIO’s role and realigns its authorities  – This provision establishes a Chief Information Warfare Officer (CIWO), who would assume responsibility for Defense-wide information warfighting functions and be presidentially appointed and Senate confirmed. The move also shifts the current CIO roles and responsibilities for business systems and statutory requirements outside of the new CIWO role to the DoD Chief Management Officer (CMO), expanding this role. New CIO would have greater responsibilities related to budgets and standards and would evaluate and certify that DoD budgets are sufficient to meet the department-wide functional requirements under its purview.
  • Establishes a DoD Strategic Cybersecurity Program (SCP) – The Secretary of Defense (SECDEF), through the Director of the National Security Agency, will review the cybersecurity of broad areas of DoD systems, from weapons systems and nuclear deterrent systems, to critical infrastructure. The SCP would also assess the cybersecurity adequacy of proposed systems and infrastructure in order to ensure the effectiveness of these systems. The goal of the SCP is to organize and focus efforts and to identify where gaps exist in terms of people, resources, focus and authorities.
  • Seeks improved cyber- processes, tools, and technologies – The USCYBERCOM will evaluate better ways for developing, acquiring, and maintaining software-based cyber tools and applications, including the use of agile development. The DoD evaluate potential offensive and defensive cyber applications of blockchain technology and other distributed database technologies.
  • Assesses cyber training capabilities – Numerous provisions are included to evaluate the cyber training and education capacities for DoD cyber mission forces (CMF) and for deployed forces as well as larger cyber-related education and scholarship initiatives to build long-term U.S. capacity.
  • Modernizing Government Technology (MGT) – The NDAA included an amendment adding the Modernizing Government Technology (MGT) Act to the bill, whereby agencies can establish working capital funds (WCFs) for modernizing technology and can reprogram or transfer funds for up to three years to modernize or retire legacy systems. MGT applies beyond the DoD to federal IT as a whole.


The increasing prominence of cybersecurity within the DoD sphere over the last decade cannot be overstated. The growing awareness and concern for the cyber- vulnerabilities of defense weapons systems and related platforms might possibly be exceeded only by the DoD’s increased dependence on C4ISR and IT systems in general to achieve its varied mission.

As the DoD and its components continue to work to both harden vulnerable IT-embedded platforms and to identify ways to leverage more traditional C4ISR for greater mission cyber- capabilities they will need the support of the larger defense technology community to achieve those objectives as well as to help advance defense cyber policies, plans and standards.

The MGT Act could conceivably help agencies save billions of dollars over maintaining legacy systems that either are difficult or impossible to modernize or would be cost-prohibitive, overly complex, and too time-consuming to do so. The use of WCFs will allow some funding flexibility in a world of “one-year money” for IT budgets so agencies may tackle larger efforts that cannot be handled effectively in one year or that need funding stability over multiple years. Further, current policy from the White House has stated the need for agencies to modernize systems as the major means to improving cybersecurity, and MGT could help that along.

Much will depend on how individual agencies implement MGT, but as it gains momentum we would expect to see them begin shifting IT spending away from legacy maintenance toward modernization efforts, possibly resulting in less overall IT spending over the long haul. This will take time, so the marketplace should not expect any major disruption barring additional outside measures from the White House or Congress.