Cybersecurity Provisions in the Draft FY 2025 National Defense Authorization Act

Published: June 27, 2024


Both chambers of Congress include cybersecurity provisions of contractor interest in their drafts of the FY 2025 NDAA. One could become the next CMMC.

Both chambers of the U.S. Congress have advanced their respective versions of the FY 2025 National Defense Authorization Act (NDAA). This annual legislation regularly includes wide-ranging provisions to address technology, acquisitions and policy issues within the Department of Defense (DOD) and beyond. Cybersecurity is among the most common concerns that Congress addresses within the NDAA.

House NDAA Cybersecurity Provisions

The full House of Representatives passed the House version of the FY 2025 NDAA, H.R. 8070, on June 14. The bill includes the following provisions (emphasis added).

  • Sec. 847 requires the DOD to implement incentives for contractors to implement policies, procedures and tools that assess and monitor their supply chains for potential vulnerabilities and security risks.
  • Sec. 1502 establishes a DOD Hackathon program to test system and software vulnerabilities.
  • Sec. 1503 subordinates the Joint Force Headquarters-DOD Information Network currently at DISA to the U.S. Cyber Command.
  • Sec. 1511 orders the DOD to evaluate improved security products and services for mobile devices. Solutions to be reviewed include anonymizing-enabling technologies, dynamic selector rotation, un-linkable payment structures, anonymous onboarding, network-enabled full content inspection, mobile-device case hardware, on-device virtual private networks, protected Domain Name Server infrastructure, extended coverage endpoint detection and any protection leveraging GenAI.
  • Sec. 1536 instructs the DOD to investigate the feasibility and desirability of creating a new branch of the armed services called the U.S. Cyber Force.
  • Sec. 1746 directs the DOD to define and categorize foreign mobile applications of concern to DOD personnel or operations, distinguishing among applications (e.g., shopping, social media, entertainment, health) and create a risk framework that assesses each foreign mobile application from a country of concern for any potential impact.
  • Sec. 1747 directs the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Director (NCD), the National Institute of Standards and Technology (NIST), and any other appropriate Executive branch department to review the Federal Acquisition Regulation (FAR) contract requirements and language for contractor vulnerability disclosure programs and recommend updates to the FAR to ensure that contractors implement a vulnerability disclosure policy consistent with NIST guidelines for contractors, as required under the IoT Cybersecurity Improvement Act of 2020.

Senate NDAA Cybersecurity Provisions

The Senate Armed Services Committee completed its markup of the FY 2025 NDAA on June 14 as well, but the text of the bill is not expected to be made public until July, according to media, when the bill goes to the full Senate for consideration.

However, the Senate Armed Services Committee has released an Executive Summary of the Senate version with the following cybersecurity provisions, albeit without details (emphasis added).

  • Requires a DOD report on cybersecurity cooperation activities with international partners and allies to mitigate cyber threats to undersea cables.
  • Establishes a DOD capability to support all-source intelligence on cyber threat actors’ operations and capabilities.
  • Requires the DOD Cyber Crime Center to conduct cyber exercises with the defense industrial base (DIB) for assessing gaps in capabilities and resources.
  • Requires a strategy for the management and cybersecurity of the Joint Warfighting Cloud Capability and other multi-cloud environments.
  • Requires the development of guidance for integrating Internet of Military Things hardware into the DOD’s zero trust strategy.
  • Directs DOD to issue guidance incorporating operational technology (OT) into the information assurance vulnerability management program.
  • Requires an (independent/external?) assessment of the DOD’s implementation of the Cybersecurity Maturity Model Certification 2.0 program.
  • Limits funding for the Joint Warfighting Cyber Architecture (JCWA) until the Commander of U.S. CYBERCOM provides a plan to minimize work on the current JCWA architecture and create a baseline plan for a Next Generation JCWA.
  • Makes permanent the authority for the Joint Federated Assurance Center.
  • Requires DOD to submit a strategy for a cybersecurity cooperation pilot program in Latin America and the Caribbean.
  • Directs DOD to develop a cybersecurity strategy for Guam.

Contractor Implications

Once the full Senate debates, amends and (presumably) passes its version of the bill, the legislation then goes through the reconciliation process, where a committee composed of members and staff from both chambers hammers out their differences before presenting a common bill to both chambers for final passage. At this point in the process, it remains undetermined which of the above provisions, and in what form, will survive reconciliation to make it to a final vote.

Some of the provisions, should they endure, could potentially spur investments of interest to industry, e.g., security products and services for mobile devices. Other provisions are more regulatory in nature, e.g., contractor supply chain monitoring incentives and FAR requirements for vulnerability disclosure programs.

These regulatory provisions, especially the potential for a new FAR rule, will remind many of the ongoing development of the DOD’s Cybersecurity Maturity Model Certification (CMMC) program, which is spurring multiple FAR rules to support its creation and enforcement.

The Senate NDAA currently includes a requirement for an assessment of DOD’s implementation of CMMC, which is ongoing and not expected to go live until calendar 2025. It is not yet clear whether such an assessment would be conducted by an internal party or by an external third party. Many would be interested in the findings, although they may not be made public.

Many contractors have persisting questions and concerns about how CMMC will impact their cost of doing business with the government. This is especially true for many small businesses, who are concerned over the potential costs and administrative burdens of compliance.

The question now becomes: will a new FAR requirement for contractor vulnerability disclosure programs become yet another cost and administrative burden on DIB companies? Could this become "the next CMMC"? Time will tell.