Cybersecurity Provisions in the Draft 2022 National Defense Authorization Bill

Every fiscal year (FY) the U.S. Congress drafts, debates and eventually passes a National Defense Authorization Act (NDAA) covering wide-ranging provisions for the Department of Defense (DOD) and defense-related activities in other federal departments. It is also common for Congress to include provisions that address technology, acquisitions and other contracting policy priorities in the annual NDAA that drive policy and practice at the DOD and across federal agencies.

Passed by the House of Representatives on September 23, 2021, H.R. 4350 is currently being reconciled with Senate NDAA bill S. 2792, which was introduced in the Senate on September 22, 2021. This week, the Senate continues to debate provisions and offer amendments. Once the Senate closes that process then the bill will go to reconciliation among the two chambers before an up-or-down vote is held on the final bill. Assuming that final bill passes both bodies, it would then go to the president for signature into law.  

The provisions listed here are from the draft versions of H.R. 4350 and S. 2792 and may not appear in the final bill that is eventually signed into law.

Select Provisions in the House FY 2022 NDAA (H.R. 4350) include:

National Guard Critical Infrastructure Protection Operations

• Requires DOD to report to Congress on the feasibility and advisability of including training or other duty for cybersecurity operations and missions to protect critical infrastructure by members of the National Guard.

Cyber Capabilities Compliance Responsibilities

• Directs DOD to report to Congress on the DOD’s compliance responsibilities regarding cyber capabilities (including cyber weapons), including the DOD’s definition of ‘‘cyber capability’’ that includes all software, hardware, middleware, code, and other information technology developed using amounts from the DOD Cyberspace Activities Budget.

DOD Academic Engagement Program Office for Creating DOD Cyber Talent

• DOD would be required to study the feasibility of establishing a designated DOD central program office (PO) for overseeing all academic engagement programs focusing on creating cyber talent across the DOD. The study would encompass practices for DOD cyber education spending; interactions with the consortium or consortia of universities (established in the FY 2020 NDAA); unique aspects of cyber versus other STEM programs; and whether a central program office will save the DOD money.

Cyber Threat Information Collaboration Environment

• DHS, in coordination with the DOD and NSA, would develop an information collaboration environment and associated analytic tools that enable entities to identify, mitigate, and prevent malicious cyber activity. 
• CISA would be tasked with identifying and evaluating existing federal sources, programs, applications, or platforms intended to detect, identify, analyze, and monitor cybersecurity risks and cybersecurity threats. CISA would also coordinate with private sector critical infrastructure entities and others to identify private sector cyber threat capabilities, needs, and gaps. 

Cyber Threat Data Standards and Interoperability Council

• Establishes an interagency Cyber Threat Data Standards and Interoperability Council to establish data standards and requirements for public and private participation in the information collaboration environment. Participating or interoperable programs may include:
  • Network-monitoring and intrusion detection programs
  • Cyber threat indicator sharing programs
  • Government-sponsored network sensors or network-monitoring programs
  • Incident response and cybersecurity technical assistance programs
  • Malware forensics and reverse-engineering programs

Enterprise-Wide Procurement of Commercial Cyber Threat Information Products

• DOD would be required to establish a program management office for the enterprise-wide procurement of commercial cyber threat information products (CTIPs). The PMO would assess DOD needs and requirements for CTIPs, develop appropriate contract language for CTIPs acquisitions, and procure CTIPs on behalf of the DOD.

 

Select Provisions in the draft Senate FY 2022 NDAA (S. 2792) include:

Cyber Data Management

• Requires DOD to develop the following cyber data management strategies, plans and processes:
  • A strategy and plan to access and utilize data associated with the Department of Defense Information Network (DODIN) enterprise that can support offensive and defensive cyber operations from DOD components other than the Cyber Mission Forces, such as the NSA, counterintelligence components, and cybersecurity service providers.
  • Processes to ingest, structure, and store cyber-relevant data from intelligence data, cyber threat information and DODIN data from Big Data Platform instances, Cyber Operations Force systems, United States Cyber Command (USCYBERCOM) commercial clouds, and other DOD data lakes.
  • A strategy for piloting efforts for the operational use of mission data by the Cyber Operations Force.

USCYBERCOM Planning, Programming, Budgeting, and Execution

• Gives the Commander of USCYBERCOM responsibility for directly controlling and managing the planning, programming, budgeting, and execution of the resources to train, equip, operate, and sustain the Cyber Mission Forces. Control over budget execution will take effect on January 1, 2022, and planning, programming, budgeting, and execution of resources would apply to fiscal year 2024 and beyond.

Coordination Between USCYBERCOM and Private Sector

• Directs USCYBERCOM to establish a voluntary process to engage with commercial IT and cybersecurity companies to explore and develop ways in which USCYBERCOM and companies could assist and coordinate efforts against foreign malicious cyber actors.

Public-Private Partnerships with Internet Companies to Detect and Disrupt Adversary Cyber Operation

• Directs the DOD to establish a pilot program to assess the feasibility and advisability of entering into public-private partnerships with internet ecosystem companies to facilitate actions by such companies to discover and disrupt the use of their platforms, systems, services, and infrastructure by malicious cyber actors.
• Authorizes DOD to: assist participating companies in building capabilities to detect and disrupt malicious cyber actors; help them collect, analyze and share cyber threat data; and provide companies with timely information to defend against malicious cyber actors.

Zero Trust Strategy, Principles, Model Architecture, and Implementation Plans

• Directs the DOD CIO and the Commander of Joint Force Headquarters–Department of Defense Information Network (JFHQ-DODIN) to jointly develop a zero trust (ZT) strategy, principles, and a model architecture to be implemented across the DODIN, including classified networks, operational technology, and weapon systems. The ZT strategy and architecture would encompass cloud environments; identity, credential, and access management; macro and micro network segmentation; end-to-end encryption; least privilege access; and other ZT principles.
• Directs DOD to assess the utility of the Joint Regional Security Stacks (JRSS) and the related elements for their relevance and applicability to the ZT architecture and opportunities for integration or divestment.
• Directs the DOD to implement cybersecurity training on zero trust at the executive level, cybersecurity practitioner level, and general user level.
• Directs the DOD to conduct outreach to industry, academia, international partners, and other federal departments and agencies on issues relating to deployment of zero trust architectures.

Cyber Threat Hunting

• Directs the DOD to facilitate cyber protection team and cybersecurity service provider threat hunting and discovery of novel adversary activity.

Cybersecurity-as-a-Service Models

• Directs the DOD to assess the potential of and encourage use of third-party cybersecurity-as-a-service models.

DODIN Automated C2

• Directs the DOD to assess and implement the JFHQ-DODIN’s automated command and control (C2) of the entire DODIN.

Countering Ransomware

• Directs the DOD to assess their policy, capacity, and capabilities to diminish and defend the U.S. from ransomware threats, including assessing current and potential threats and risks to national and economic security; to assess the current and potential role of USCYBERCOM; and to develop recommendations for the DOD to build capabilities to deter and counter ransomware.

Comparative Analysis of Cybersecurity Capabilities

• Directs the DOD to conduct a comparative analysis of the cybersecurity tools, applications, and capabilities offered by cloud-based productivity and collaboration suites offered under the DEOS and ESA contracts relative to the DOD “Zero Trust Reference Architecture,” including ICAM options, AI and ML capabilities and options, network consolidation and segmentation capabilities, and automated orchestration and interoperability capabilities.

Assessment of Cybersecurity Posture and Development of Targeting Strategies and Capabilities

• Directs the DOD to conduct an assessment or exercise to assess the current and emerging offensive cyber posture of U.S. adversaries and the current operational assumptions and plans of the Armed Forces for offensive cyber operations. Assessments should include adversary capabilities to deny or degrade U.S. activities in cyberspace, targeting of U.S. critical infrastructure, and the potential effect of emerging technologies, such as fifth generation mobile networks, expanded use of cloud services, and artificial intelligence. DOD is to also develop future cyber targeting strategies and capabilities across the categories of cyber missions and develop strategies for appropriate utilization of Cyber Mission Teams.

Report on the Cybersecurity Maturity Model Certification Program

• Directs the DOD to report on the CMMC program in consideration of the recent internal program review. (Read about DOD’s latest revisions to CMMC here.) The report must include: 
  • Programmatic changes resulting from the internal program review
  • Strategy and process for CMMC rulemaking
  • Budget and resources required
  • Plans for communication and coordination with the defense industrial base
  • Coordination needed within DOD and between federal agencies
  • Status of efforts to develop the framework for the testing and accreditation of cybersecurity products and services, as required by section 1648 of the FY 2020 NDAA
  • Plans for reimbursement of compliance expenses for small and non-traditional businesses and for reimbursing CMMC expenses for first-time DOD contract-bidders if they do not receive a contract award
  • Roles and responsibilities of prime contractors for assisting and managing cybersecurity performance of subcontractors.

DOD Support of CISA for Cyber Threats and to Critical Infrastructure

• Directs DOD to report on how the DOD can improve support and assistance to CISA to increase awareness of threats and vulnerabilities affecting domestic networks that are critical infrastructure, including infrastructure that is critical to DOD and to the defense of the U.S. The report must identify potential support areas, including information sharing and voluntary network monitoring; identify legal, policy, organizational, or technical barriers to enabling support; assess budgetary and other resource effects; and provide a plan to provide support.