Cybersecurity Provisions in the FY 2016 National Defense Authorization Act

Earlier this month, the House passed their version of the NDAA on a 269-151 vote, authorizing about $612 billion in Department of Defense (DoD) spending, split between $523 billion in base funding and an additional $90 billion in Overseas Contingency Operations (OCO) funds. The Armed Services Committee in the Senate passed its version of the NDAA out of committee setting up a vote in the full Senate in June. Those respective versions will then be reconciled in joint conference committee before undergoing a final up-down vote in both chambers. Included in each version are cybersecurity provisions

The House Armed Services Committee (HASC) Report on the bill reveals several cybersecurity-related priorities which the committee wants the Pentagon to address in varying degrees of specificity:

• Cyber Defense Network Segmentation – The HASC encourages the Department to explore ways to use compartmentalization or segmentation across systems as part of a software-defined networking approach in order to increase the security of its networks.
• Cyber Support to Civil Authorities – The bill directs the Comptroller General (CG) of the United States to assess the DoD’s plans and actions for providing support to civil authorities in the event of a domestic cyber incident, and to provide a report on the findings. Specifically, CG is to assess how the DoD has planned and identified its critical capabilities for responding to domestic cyber civil support incidents, to what extent DoD has trained for domestic cyber civil support and coordinated with the Department of Homeland Security (DHS), etc., and to what extent has the DoD and DHS have developed a common approach and that balances the differences in individual state approaches.
• Department of Defense Cyber Mission Forces – The FY 2015 NDAA included a requirement for the Secretary of Defense (SECDEF) to provide to Congress an annual budget justification beginning with the FY 2017 budget request (which is already under formulation) that includes a major force program category for the Future Years Defense Program (FYDP) for the training, manning, and equipping of the cyber mission forces and the program elements for those cyber mission forces. The FY 2016 NDAA directs the SECDEF to provide a briefing to the congressional defense committees by September 1, 2015, on progress towards meeting the requirements.
• Mission System Cybersecurity – Existing weapon and mission systems are increasingly being networked together for greater effectiveness and interoperability, but this can make them vulnerable to cybersecurity attack. This NDAA directs the Under Secretary of Defense for Acquisition, Technology, and Logistics to brief the HASC by February 1, 2016, detailing the process, plans, and budget for identifying, assessing and remediating cyber- vulnerabilities on legacy weapons and mission systems.
• Multi-source Cyber Intelligence Analysis Needs – To support the DoD’s cyber mission through greater analysis capabilities  the NDAA directs the SECDEF to assess and validate their multi-source cyber intelligence collection and analysis needs and to brief the relevant House committees by November 1, 2015. The assessment is to cover both the number of personnel needed as well as the types and priority for current missions and tasking.
• Network Access Control Technologies for Secure Facilities – Recognizing the growth of mobile device use and that the DoD’s Secure Compartmented Information Facilities (SCIFs) need to be both highly secure and highly connected the HASC encourages the DoD to explore the use of network access control technologies to intelligently manage appropriate mobile device usage by cleared personnel, and to use such systems to determine the location of any unauthorized mobile devices within a secured facility.
• Programmable Embedded Information Security Product (PEIP) – The Navy has been working on a new cryptographic system to more rapidly enable upgrading of encryption algorithms and hardware. The committee includes language to encourage the Navy and the DoD to continue investing in ways to expand the functionality of the PEIP system and to use is as a model for future cryptographic modernization efforts.
• Smart Building Cyber Vulnerability Assessment – The DoD’s increasing move toward smart building with wireless controls and networks can introduce cyber- vulnerabilities. Citing a Government Accountability Office study (GAO–15–6) which highlighted the vulnerabilities and cyber risks to building and access control systems, the NDAA would require the SECDEF to brief the HARC by January 1, 2016 on the cyber risks to smart buildings and access control systems from radio frequency systems and wireless communications and identify available technologies and practices to potentially counter and mitigate these security risks.

Implications

As several of these provisions indicate, some of DoD’s cyber- priorities are multi-year concerns and efforts that will take time to fully mature. However, each NDAA provides a glimpse into the current state of cybersecurity at the DoD and what future needs and priorities might be.

One key theme is the recognition of the cybersecurity challenge that increasingly internetworked systems and devices pose to the Pentagon and the defense mission. The rate of interconnectivity continues to increase, and so will the need to mitigate any resulting vulnerability and risk exposure. Recognizing this presents opportunities to bring effective solutions that DoD will need to keep moving forward.