The annual National Defense Authorization Act (NDAA) regularly contains technology and acquisition provisions that can have broad effects on the federal IT landscape, and this year’s FY 2026 NDAA sustains that tradition.

Both the House and Senate have now passed their respective versions of the FY 2026 NDAA. Each body’s version contains numerous provisions to address various cybersecurity concerns across the government sector and beyond.

House NDAA Cybersecurity Provisions

The full House of Representatives passed the their version of the FY 2026 NDAA, H.R.3838, on September 9. The bill includes the following provisions:

• Sec. 877 – Establishes a bio-industrial commercialization program to expand domestic biomanufacturing capacity, including for cybersecurity-related products.
• Sec. 878 – Creates a common repository for supplier information to streamline cybersecurity and cloud vetting.
• Sec. 879 – Establishes a Civil Reserve Manufacturing Network to support secure supply chains including cyber and cloud infrastructure.
• Sec. 1205 – Authorizes joint R&D with Israel on emerging technologies including AI, cybersecurity, quantum, and robotics.
• Sec. 1501 – Requires accountability improvements for Authorization to Operate (ATO) processes in DOD cyber operations.
• Sec. 1502 – Codifies the National Centers of Academic Excellence in Cybersecurity.
• Sec. 1503 – Directs assessment of cyber operational support to geographic combatant commands.
• Sec. 1504 – Limits divestment or consolidation of electronic warfare test and evaluation activities.
• Sec. 1505 – Establishes a plan to incentivize critical cyber skills in the Armed Forces.
• Sec. 1506 – Evaluates Joint Task Force–Cyber for the Indo-Pacific region.
• Sec. 1511 – Requires annual report on weapon systems data accessibility and cybersecurity.
• Sec. 1512 – Mandates inclusion of AI considerations in annual cybersecurity training.
• Sec. 1513 – Updates cybersecurity requirements for telecommunications contracts.
• Sec. 1514 – Requires federal contractors to implement vulnerability disclosure policies.
• Sec. 1515 – Directs DOD to develop a strategy to defend against risks posed by AI.
• Sec. 1521 – Supports use of biological data to improve AI systems.
• Sec. 1522 – Authorizes procurement of best-in-class cyber data products and services.
• Sec. 1531 – Requires DOD to address AI and machine learning security across its operations.
• Sec. 1532 – Establishes a pilot program for data-enabled fleet maintenance using AI.
• Sec. 1533 – Supports use of generative AI for national defense applications.
• Sec. 1534 – Requires reports on AI use in DOD business processes.
• Sec. 1616 – Prohibits access to DOD cloud-based resources by individuals from non-allied nations.
• Sec. 1617 – Authorizes NSA to support cybersecurity operations for the defense industrial base and critical infrastructure.
• Sec. 1618 – Requires a report on Russian cyber sabotage and active measures in NATO territory.

Senate NDAA Cybersecurity Provisions

The full Senate passed the their version of the FY 2026 NDAA, S.2296, on October 9 with the following cyber-related provisions:

• Sec. 470 – Requires contractor performance reports to include cybersecurity breaches as a negative performance factor.
• Sec. 1552 – Reforms the process for managing inactive security clearances to improve oversight and reduce risk.
• Sec. 1599f – Establishes new authorities to recruit and retain cyber workforce talent across the Department of Defense.
• Sec. 1601 – Directs the development of a comprehensive strategy to build and sustain the DOD cyber workforce.
• Sec. 1603 – Requires a strategy to deter cyberattacks against defense critical infrastructure.
• Sec. 1605 – Mandates a report on integrating reserve components into the cyber mission force.
• Sec. 1606 – Evaluates cyber range infrastructure and funding to support training and readiness.
• Sec. 1609 – Expands cyber operational authority to include defense of DOD critical infrastructure.
• Sec. 1611 – Launches a modernization program for full content inspection to enhance network security.
• Sec. 1612 – Requires an assessment of real-time cyber threat monitoring for defense weapons platforms.
• Sec. 1620A – Prohibits the elimination of cyber assessment capabilities used in test and evaluation.
• Sec. 1620C – Establishes a strategy and working group to ensure the security and resiliency of undersea cables.
• Sec. 1620D – Directs an audit and updated guidance to mitigate risks from cloud computing contracts with foreign exposure.
• Sec. 1621 – Creates a public-private cybersecurity partnership to protect highly capable AI systems.
• Sec. 1623 – Requires oversight and assessment of AI models used in defense applications.
• Sec. 1624 – Establishes an ontology governance working group to standardize AI and cybersecurity data models.
• Sec. 1627 – Sets physical and cybersecurity procurement requirements for AI systems to address insider threats and supply chain risks.
• Sec. 6081 – Titles the GAIN AI Act of 2025, focused on securing access to advanced AI chips for U.S. entities.
• Sec. 6082 – Expresses Congressional concern over foreign access to advanced AI chips and urges export restrictions.
• Sec. 6611 – Requires a strategy for quantum readiness, including migration to post-quantum cryptography.
• Sec. 6612 – Establishes standards for secure and interoperable defense collaboration technologies.
• Sec. 6613 – Prohibits access to DOD cloud-based resources by individuals from non-allied nations.

Representatives from both chambers now head to a joint Conference Committee to reconcile the differences among their respective bills. Time will tell which provisions survive the process to become law.