Cybersecurity Provisions Addressing Commercial Products in the FY 2023 NDAA

Published: February 17, 2023

Tags: Federal Market Analysis, Contracting Trends, Cybersecurity, National Defense Authorization Act, Policy and Legislation, Procurement, Small Business

The fiscal year 2023 National Defense Authorization Act includes cybersecurity provisions that will impact commercial technology acquisitions.

Over the last few weeks other GovWin analysts and I have been highlighting procurement and technology provisions in the FY 2023 National Defense Authorization Act (NDAA). This annual legislation regularly includes wide-reaching provisions to address technology, acquisition and policy issues across the federal government, not just within the Department of Defense (DoD). This article covers select cybersecurity provisions in the FY 2023 NDAA that directly affect the cybersecurity of commercial products acquired and used by the DoD.

Operational Testing for Commercial Cybersecurity Capabilities 

Section 1514 requires the DoD Chief Information Officer (CIO) and the CIOs of the military departments (MilDeps) to develop and submit plans, by February 1, 2024, that ensure covered cybersecurity capabilities are “appropriately tested, evaluated, and proven operationally effective, suitable, and survivable prior to operation on a DoD network;… and specify how test results will be expeditiously provided to the Director of Operational Test and Evaluation.” The covered capabilities are commercial products, commercial off-the-shelf (COTS) items, and noncommercial items acquired through the Adaptive Acquisition Framework that the DoD procures and deploys to satisfy cybersecurity requirements. In practice this means a commercial security tool cannot simply be purchased and connected to a DoD network; it must pass operational test and evaluation first, and the results must flow to the independent test authority.

Also noteworthy is an element in Section 1514 directing the Secretary of Defense (SecDef) to issue the related policies, guidance and prescribed regulations necessary to carry out the section, also by February 1, 2024. The reference to prescribed regulations suggests that a new Defense Federal Acquisition Regulation Supplement (DFARS) rule or clause could accompany the DoD plan.

Security of Microelectronics

The law requires the DoD to bolster its ability to take a risk-based approach to using state-of-the-art microelectronics. Section 219 requires the SecDef to develop and implement, before the end of March 2023, “a capability for quantifiable assurance to achieve practical, affordable, and risk-based objectives for security of microelectronics” so that the DoD can use state-of-the-art microelectronics for military purposes. The Deputy Secretary of Defense (DepSecDef) will develop this capability, supported by the Under Secretary of Defense for Research and Engineering (USD (R&E)) and the National Security Agency (NSA).

As part of that effort, Congress wants the SecDef to determine whether the DoD recommends changes to the International Traffic in Arms Regulations (ITAR) that would enable the DoD to use integrated circuits manufactured with processes not accredited by the Defense Microelectronics Activity (DMEA).

Implications

The focus on commercial cybersecurity solutions and on the security of microelectronics used in military platforms and systems comes alongside prohibitions on untrusted semiconductors and related services for federal critical systems that are also included in the FY 2023 NDAA. These and other recent federal provisions address Supply Chain Risk Management (SCRM) concerns and efforts across the federal government.

In addition to the technological issues, the above provisions will have implications for federal acquisition rules, with additional contract clauses likely to formalize and enforce compliance with these cybersecurity requirements. Such rulemaking can take months or years to mature before implementation, giving suppliers and service providers time to adjust and prepare for the impacts.