Cybersecurity Provisions in the House 2020 National Defense Authorization Bill
Published: October 24, 2019
The proposed legislation has cybersecurity provisions that impact cyber operations, technologies, acquisitions and supply chain.
Each fiscal year (FY) the US Congress passes a National Defense Authorization Act (NDAA) covering broad provisions for the Department of Defense (DOD) and defense-related activities in other federal departments. With rare exception, the NDAA includes elements that drive information technology policy and practice at the DOD, including cybersecurity and acquisition policy.
Both the House and Senate passed their respective versions of the FY 2020 NDAA earlier this year. While the disposition of the final version remains in Conference Committee as the House and Senate conferees work through their differences, I thought I would pull out some cybersecurity-related provisions in the House version that are likely to make it through to the final version.
- Reports on cyber-attacks and intrusions by certain foreign entities – Directs the DOD to report on cyber-attacks and intrusions in the previous 12 months by agents or associates of the Governments of Russia, China, Iran, and North Korea against or into DOD or contractor information systems or the personal communications of DOD personnel. (Sec. 1239)
- Cyber vulnerabilities of major weapon systems – Requires DOD to report to Congress on the results of the major weapon system cyber vulnerability assessments required under the FY 2016 NDAA. Reporting is to include all vulnerability mitigation plans, solutions and efforts underway, lessons learned, and a detailed justification of any delays in meeting weapon system assessment dates. (Sec. 1625)
- Use of operation and maintenance funds for cyber capability development – Authorizes $3M of O&M for each fiscal year 2020 through 2022 for DOD to carry out cyber operations-peculiar capability development projects. DOD will notify Congress of these projects and report yearly on the details. (Sec. 1627)
- Notification of presidential delegation of authorities for military operations in cyberspace – Requires the Secretary of Defense to report to Congress any authorities delegated by the President for military operations in cyberspace that are otherwise held by the National Command Authority, including the procedures to be used to comply with such authorities. (Sec. 1628)
- Security of Navy Consolidated Afloat Networks and Enterprise Services (CANES) – Limits spending to 85% of authorized funding until the program certifies to the congressional defense committees that the recommendations in the Audit of Consolidated Afloat Networks and Enterprise Services Security safeguards (DODIG–2019–072) have been implemented. (Sec. 1629)
- Annual military cyberspace operations report – DOD will report by March 1 yearly to Congress on their defensive and offensive cyberspace operations detailing operational objectives, impacts on IT infrastructure, tools, capabilities, infrastructure and platforms used, the CMF or other DOD teams conducting or supporting the operation, etc. (Sec. 1630)
- Synchronizing cybersecurity efforts in the Defense Industrial Base – By May 1, 2020 DOD will report on efforts and roles and responsibilities relating to cybersecurity in the Defense Industrial Base (DIB), including policies for protecting Controlled Unclassified Information (CUI) and “For Official Use Only” (FOUO) information, programs to support and enforce DIB compliance with cybersecurity standards, regulations, and policies, efforts to increase visibility into the supply chain, and efforts for threat information sharing. (Sec. 1631)
- Status of the National Security Agency and United States Cyber Command partnership – Between enactment and January 1, 2022, requires quarterly congressional briefings on the current and future partnership efforts of the National Security Agency and United States Cyber Command, including existing policies and agreements, projected long-term efforts and the assessment of potentially ending the dual-hat leadership of the two organizations. (Sec. 1632)
- Cybersecurity training programs – Directs the DOD to report on its efforts, programs, initiatives, and investments to train elementary, secondary, and postsecondary students in fields related to cybersecurity, cyber defense, and cyber operations, the metrics it uses to evaluate such efforts, and how these efforts are leveraged for the recruitment and retention of both the civilian and military cyber workforces. (Sec. 1634)
- National Security Presidential Memorandums relating to DOD operations in cyberspace – Requires the President to provide the congressional defense committees with a copy of all National Security Presidential Memorandums relating to DOD operations in cyberspace. (Sec. 1635)
- Cybersecurity Defense Academy pilot program – DOD shall pilot a public-private partnership with eligible cybersecurity organizations to train and place veterans as cybersecurity personnel within the Department. Training courses are to include cybersecurity analysis, penetration testing, threat hunting, advanced exploitation, Linux systems administration and robotics process automation analysis. DOD is also to report on the effectiveness of the program and potential for its continuation. (Sec. 1636)
- JROTC computer science and cybersecurity program – Authorizes the DOD to carry out a program to enhance the preparation of students in the Junior Reserve Officers’ Training Corps for careers in computer science and cybersecurity, including funding and efforts to improve education, training, curricula and training personnel. (Sec. 516)
- Cybersecurity activities with Taiwan – Directs the DOD to report on current and future plans and obstacles to engaging with Taiwan in cybersecurity activities, including the feasibility of establishing an interagency US-Taiwan working group for coordinating responses to emerging cybersecurity issues. (Sec. 1250G)
Supply Chain Security
- Trusted supply chain and operational security standards for microelectronics – By January 1, 2021, the Secretary, in consultation with DHS and NIST, shall establish trusted supply chain and operational security standards for the purchase of microelectronics products and services by the Department. The standards are to establish tiers of trust and security within the supply chain and operational security standards for microelectronics products and services. (Sec. 230C)
- Security of telecommunications and video surveillance services or equipment – Requires DOD to conduct a comprehensive assessment of their covered equipment and services – current or planned – and the systems of covered contractors to ensure the security of the supply chains of those contractors. The assessment is to include identified supply chain risks specific to the defense industrial base, guidance on the remediation, cost-recovery, debarment and suspension process of contractors due to supply chain risks. The DOD is also to issue guidance for risk-based procurements, including assurances of parts traceability for telecommunications equipment or video surveillance equipment. The Armed Services Committee also requires the Defense Secretary to conduct a comprehensive assessment of DOD’s policies relating to telecommunications and video surveillance services and equipment from foreign contractors and subcontractors and identify means to mitigate threats through the debarment and suspension process. (Sec. 851)
- Fifth generation (5G) technologies and supply chain – DOD is to develop a strategy for harnessing and implementing 5G information and communications technologies to enhance military capabilities, maintain a technological advantage on the battlefield, and accelerate the deployment of new commercial products and services enabled by 5G networks throughout the Department. The strategy is to cover Defense Industrial Base (DIB) supply chain risk management and securing DOD IT and weapon systems against malicious activity. (Sec. 233)
- Assured security through allowed contractors – Restricts the DOD to awarding contracts for telecommunications equipment and services for defense and national security installations in Pacific US territories to US-based or non-adversary-based (i.e. allowed) contractors, with very limited exceptions. (Sec. 852)
- Revised acquisition authorities to improve cybersecurity – Directs the DOD to revise the Defense Federal Acquisition Regulation Supplement (DFAR) to include the security of goods acquired by the Department as one of the primary objectives of DOD acquisition. Further, DOD is to submit recommendations for legislative action to implement the DFAR revisions. (Sec. 853)
The section includes a “sense of the Congress” that:
- Defense contractors must be incentivized to prioritize security in a manner which exceeds basic compliance with mitigation practices relating to cybersecurity risk and supply chain security standards.
- Contractors should be provided with the tools to meet the needs of the Department with respect to cybersecurity risk and supply chain security.
- DOD must develop policies and regulations that move security from a cost that defense contractors seek to minimize to a key consideration in the award of contracts, equal in importance to cost, schedule, and performance.
- The Department must also develop policies to assist small- and medium-sized manufacturers that provide goods or services in the supply chain for the Department to adopt robust cybersecurity standards.
- Supply chain risk mitigation implemented through requirements generation process – Directs the DOD to develop tools for implementing supply chain risk management policies during the generation of requirements for a contract. (Sec. 855)
The themes of addressing the many cybersecurity challenges that the DOD faces – policy, technical, supply chain, workforce, etc. – are familiar inclusions in the NDAA. Most, if not all, of the provisions above are incremental actions that would build on existing efforts to advance and adapt to known as well as emerging issues.
As the scope of federal-wide cybersecurity policy and practice has evolved to expand beyond traditional information systems, and even weapon systems, to consider critical infrastructure inside and outside government, the opportunities for solutions that can scale and adapt to multiple contexts continue to expand as well.