Takeaways for Industry from FY 2017 NDAA Subcommittee on Emerging Threats Proposals

Published: June 15, 2016

Acquisition ReformARMYCONGRESSCybersecurityDEFENSENational Defense Authorization ActPolicy and Legislation

The FY 2017 NDAA is winding its way through Congressional committees with implications for the Department of Defense’s IT procurement processes and spending.

Constructing a new National Defense Authorization Bill every year entails incorporating the recommendations of Senate and House committees and subcommittees. One of those august legislative bodies generating content for the FY 2017 version of the NDAA is the House Subcommittee on Emerging Threats and Capabilities. Its summary of language to add to the FY 2017 NDAA covers subjects that span procurement, research and development, and technology use (particularly cyber) by the Department of Defense. Here is a brief summary of the most interesting items included by the Subcommittee.

One organizational note is necessary here. Section and paragraph numbers have not been assigned in the Subcommittee’s draft document so reference will be made to provisions by the TITLE numbers under which they are organized instead.

Procurement/Acquisition (TITLE VIII)

This section proposes that the Under Secretary of Defense for Acquisition, Technology, and Logistics review current policies to eliminate the use of potentially anti-competitive specifications, “such as the use of brand name procurements, or references to proprietary specification or standards in IT acquisitions.” This measure appears to support the DoD’s use of generic commercial-off-the-shelf components, thereby reducing costs.

Research and Development (TITLE II)

Language in this section seeks to limit the obligation of funds for the Defense Innovation Unit Experimental (DIUx) based on concerns that the Secretary of Defense is not providing “sufficient guidance, oversight, and coordination with and into the various laboratories, engineering centers, and existing state and local innovation centers” that must coordinate their efforts with nontraditional commercial partners. Translation – The SECDEF is moving too fast for the Subcommittee’s liking. Additional briefings and reporting should clear this up.

Another provision requires the Secretary of Defense “to develop and sustain a new security clearance IT architecture to replace the legacy system of the Office of Personnel Management. Look for spending on this system to ramp up in FY 2017 and especially FY 2018.

In the ongoing struggle to provided trusted components for Defense IT systems, this section also directs the SECDEF to develop a strategy for assured access to trusted microelectronics. The SECDEF would be “required to certify by September 30, 2020, that the DoD has implemented the recommendations of the strategy, and has created an assured means of accessing sufficient supply of trusted microelectronics.”

Lastly, TITLE II directs the Defense Information Systems Agency to create a pilot program for prototyping “commercially available IT tools” to determine their impact on Defense networks and computing environments. No definition of an “IT tool” is provided, but it is probably safe to assume that the Subcommittee means software capabilities. Presumably the intent of this measure is to have DISA test capabilities for security vulnerabilities before they are dispersed into DoD’s IT environment.  

Technology Use (TITLE XVI)

This section directs the Secretary of Defense to work with the combatant commands in developing “cyber opposition forces” for training exercises, including “the development of a joint certification and training standard for cyber opposition forces by March 31, 2017.” Cyber opposition forces would act as adversaries during training exercises on DoD cyber ranges – particularly the nascent Persistent Training Environment being developed by Army Cyber Command (ARCYBER) – by emulating the kinds of threats that DoD’s Cyber Mission Teams would encounter. Industry support training cyber opposition forces will almost certainly be required as the Subcommittee expects DoD to “marry” the training of cyber opposition forces to the persistent training environment.

Finally, this section would limit the obligation of funds in FY 2017 for cryptographic systems and key management infrastructure until the SECDEF, “in coordination with the Director of the National Security Agency, provides a report on the integration of cryptographic modernization and key management infrastructure programs of the military departments.” The Subcommittee’s objective for requesting the report is to understand “how the military departments have implemented stronger leadership, increased integration, and reduced redundancy with respect to such modernization and programs.” Funding for these systems amounts roughly $177M in FY 2017 with the lion’s share of that total falling under the Communications Security (COMSEC) program in Army’s Procurement budget.