Cybersecurity Provisions in the FY 2026 National Defense Authorization Act

Published: December 17, 2025

Federal Market AnalysisArtificial Intelligence/Machine LearningCloud ComputingCybersecurityDEFENSEInformation TechnologyNational Defense Authorization ActPolicy and LegislationSmall BusinessCYBERCOM

The final FY 2026 NDAA contains numerous cybersecurity and related supply chain and acquisition provisions that are of interest to contractors.

The U.S. Senate has passed S. 1071, National Defense Authorization Act (NDAA) for Fiscal Year 2026, which is the final hurdle before it goes to the President for signature into law.

Each year’s NDAA typically contains numerous provisions to address various cybersecurity concerns across the government sector and beyond. This year’s bill continues that pattern, with far-reaching provisions that address cybersecurity, supply chain and acquisition areas, many of which have implications for government contractors.

Key Cybersecurity Provisions


Section 1501: Planning, Programming, and Budget Coordination for Cyber Mission Force

Establishes requirements for coordinating planning, programming, and budgeting activities for Cyber Mission Force operations.

  • Requires coordination mechanisms between cyber operational units and budget planners
  • Emphasizes multi-year planning horizons for cyber capabilities
  • Aligns funding with mission requirements and operational tempo

Section 1502: Modification to Reporting Requirements for Senior Military Advisor for Cyber Policy

Updates reporting requirements for the Senior Military Advisor for Cyber Policy position.

  • Streamlines reporting while ensuring Congress receives adequate information on cyber policy
  • Modifies reporting frequency, content requirements, and level of detail
  • Provides flexible reporting mechanisms for dynamic cyber policy environment

Section 1507: Prohibition on Elimination of Certain Cyber Assessment Capabilities for Test and Evaluation

Prohibits elimination or reduction of cyber assessment capabilities essential for test and evaluation activities.

  • Protects critical infrastructure and expertise for assessing cybersecurity posture before systems are fielded
  • Preserves cyber ranges, red team capabilities, vulnerability assessment tools, and specialized testing facilities
  • Ensures continuity in conducting thorough cyber evaluations in acquisition and operational testing

Section 1508: Prohibition on Availability of Funds to Modify Authorities of Commander of United States Cyber Command

Restricts use of appropriated funds to modify or change authorities assigned to the Commander of United States Cyber Command.

  • Maintains stability in command structure and authorities during fiscal year 2026
  • Prevents organizational changes that could disrupt cyber operations
  • Requires explicit congressional approval for any changes to USCYBERCOM authorities

Section 1511: Secure Mobile Phones for Senior Officials and Personnel Performing Sensitive Functions

Mandates procurement and deployment of secure mobile phone devices for senior officials and personnel performing sensitive functions.

  • Requires end-to-end encrypted communications, protection against surveillance and interception
  • Establishes standards for secure mobile device capabilities and defines personnel categories requiring such devices
  • Implements device management systems ensuring continuous security monitoring and rapid response to emerging threats

Section 1512: Artificial Intelligence and Machine Learning Security in the Department of Defense

Establishes comprehensive security requirements for artificial intelligence and machine learning systems deployed or developed by the Department of Defense.

  • Requires all AI/ML systems incorporate security by design principles from initial concept through deployment and operation
  • Mandates secure development environments, protection of training data, validation and verification of model outputs, adversarial testing, and continuous monitoring
  • Requires secure model storage and version control, access controls, documentation of model lineage and training procedures, and assessment through red teaming

Section 1513: Physical and Cybersecurity Procurement Requirements for Artificial Intelligence Systems

Establishes dual requirements for both physical security and cybersecurity in procurement of artificial intelligence systems.

  • Physical security: secure facilities, access controls, environmental controls, video surveillance, secure transportation procedures, and protection against electromagnetic interference
  • Cybersecurity: secure network architecture, encryption, secure authentication/authorization, continuous monitoring, regular security assessments, and supply chain security
  • Requires procurement specifications include both security types, vendor compliance demonstration through testing and certification, and security evaluation in source selection

Section 1514: Collaborative Cybersecurity Educational Program

Establishes framework for collaborative cybersecurity educational programs involving DoD, academic institutions, and private sector partners.

  • Provides faculty development programs, research partnerships on cybersecurity challenges, and pathways for students to transition into DoD positions
  • Includes programs to upskill current DoD workforce members

Section 1515: Incorporation of Artificial Intelligence Considerations into Cybersecurity Training

Requires cybersecurity training programs across DoD be updated to include specific content on artificial intelligence security considerations.

  • Requires training content to address unique AI/ML security vulnerabilities, adversarial attacks, data poisoning techniques, security best practices, and testing approaches
  • Includes incident response procedures specific to AI systems, ethical considerations in AI security, and emerging AI security threats

Section 1521: Accountability of the Authorization to Operate Processes

Significantly enhances accountability requirements for Authorization to Operate (ATO) processes across the Department of Defense.

  • Requires standardized documentation, clear accountability chains identifying who granted each ATO and who maintains security posture
  • Mandates continuous monitoring with automated reporting, periodic re-assessment and re-authorization, and tracking systems providing visibility into ATO status
  • Establishes consequences for operating systems without valid ATOs and procedures for risk-based decision making when security exceptions are necessary

Section 1522: Annual Report on Department of Defense Unified Datalink Strategy

Requires annual report on the Department's unified datalink strategy for ensuring interoperability of tactical data links across platforms and services.

  • Report must address progress in implementing standardized datalink protocols, cybersecurity measures protecting datalink systems, and encryption and transmission security
  • Includes identification of legacy systems requiring security upgrades, plans for transitioning to more secure datalink technologies, and assurance that increased connectivity does not create new vulnerabilities

Section 1531: Modification of High-Performance Computing Roadmap

Modifies requirements for DoD's high-performance computing roadmap to reflect evolving computational requirements driven by artificial intelligence.

  • Addresses future HPC capability requirements driven by AI/ML applications, security architecture for HPC systems, and acquisition strategies
  • Covers securing HPC environments processing massive datasets, protecting intellectual property, ensuring supply chain security, and implementing zero-trust architectures

Section 1543: Study on Reducing Incentives for Cyber Attacks on Defense Critical Infrastructure of the United States

Mandates comprehensive study examining methods to reduce adversary incentives for conducting cyber-attacks against defense critical infrastructure.

  • Examines adversary objectives in targeting defense infrastructure, cost-benefit calculations, potential consequences that might deter attacks, and defensive measures
  • Considers strategies for increasing resilience, deception and defensive cyber operations, international norms and agreements, and combinations of measures

Section 1544: Integration of Reserve Component into Cyber Mission Force

Establishes requirements and procedures for integrating Reserve Component members into Cyber Mission Force.

  • Includes identification of positions suitable for reservists, training and certification standards, scheduling and readiness procedures, and career paths
  • Provides retention incentives, security clearance and access procedures, and integration into cyber exercises and operations
  • Addresses cultural, procedural, and technical barriers while maintaining consistent high standards regardless of component

Section 1545: Annual Report on Mission Assurance Coordination Board Activities

Requires annual reporting on Mission Assurance Coordination Board activities responsible for coordinating mission assurance efforts across DoD.

  • Report details activities to improve mission assurance, identification and assessment of mission-critical systems, and coordination between mission assurance and cybersecurity
  • Includes exercises evaluating mission assurance under stress conditions, corrective actions for identified gaps, and resource requirements
  • Emphasizes cybersecurity resilience, including ability of systems to continue operating when under cyber-attack or in communications-degraded environments

Section 1546: Limitation on Divestment, Consolidation, and Curtailment of Certain Electronic Warfare Test and Evaluation Activities

Places restrictions on DoD's ability to divest, consolidate, or curtail specific electronic warfare test and evaluation activities and capabilities.

  • Protects EW test ranges and facilities, specialized test equipment, expertise and workforce, and capabilities for evaluating cyber-electronic warfare convergence
  • Prevents consolidation or closure of test facilities that would reduce testing capacity at a time when electromagnetic spectrum operations are increasingly critical

Section 1067: Cybersecurity and Resilience Annex in Strategic Rail Corridor Network Assessments

Requires that assessments of the Strategic Rail Corridor Network include a specific cybersecurity and resilience annex.

  • Addresses identification of cyber-physical systems critical to military transportation, assessment of current cybersecurity controls, and identification of vulnerabilities
  • Includes evaluation of rail network resilience to cyber-attacks, coordination mechanisms with rail operators, and backup transportation options

Acquisition-Related Cybersecurity Provisions


Section 866: Cybersecurity Regulatory Harmonization

Directs DoD to harmonize cybersecurity regulations, requirements, and compliance frameworks across the Department.

  • Conducts comprehensive review of all existing cybersecurity requirements, identifies areas of duplication/conflict/inconsistency, and develops unified framework
  • Eliminates unnecessary requirements, establishes clear implementation guidance, creates streamlined compliance procedures, and ensures risk-based requirements
  • Requires coordination with industry stakeholders and could significantly reduce compliance costs while improving security

Section 877: Enhanced Security Strategy for Procurement of Private Fifth-Generation Wireless Technology

Establishes enhanced security requirements and strategy for DoD procurement of private 5G wireless networks and related technologies.

  • Addresses supply chain security for all 5G components, vendor restrictions, secure architecture requirements, and protection against 5G-specific threats
  • Includes security requirements for 5G-connected devices, spectrum security, continuous monitoring capabilities, and incident response procedures

Supply Chain Security Provisions


Section 845: Modifications to Certain Procurements from Certain Chinese Entities

Updates and modifies existing restrictions on DoD procurements from Chinese entities and entities connected to China.

  • Modifications may include expansion of prohibited Chinese entities list, tightening restrictions on indirect procurement, enhanced due diligence requirements, and stricter enforcement
  • Narrows waiver authorities and extends restrictions to emerging technologies where Chinese involvement poses risks
  • Requires contractors to implement comprehensive supply chain visibility and ongoing monitoring to detect prohibited entities

Section 850: Phase-out of Computer and Printer Acquisitions Involving Entities Owned or Controlled by China

Establishes timeline for phasing out DoD acquisition of computers, printers, and related IT equipment from entities owned or controlled by China.

  • Requirements include identifying all Chinese-manufactured IT currently in use, assessing alternatives from trusted vendors, establishing phase-out timeline with milestones
  • Prohibits new acquisitions from Chinese-controlled entities, requires vendor certification, and establishes approved vendor lists

Section 851: Prohibition on Contracting with Certain Biotechnology Providers

Establishes prohibitions on DoD contracting with biotechnology providers that pose security concerns, particularly those with connections to foreign adversaries.

  • Prohibited providers may include entities based in countries of concern, companies with foreign ownership enabling adversary data access, and providers with inadequate data security
  • Requires due diligence to ensure biotechnology providers meet security requirements, maintain data within U.S., implement specific cybersecurity controls, and undergo regular audits

Contractor Implications


The FY 2026 NDAA advances security requirements for AI/ML systems, requiring secure-by-design practices, dual physical and cybersecurity controls, independent assessment and oversight, and restrictions on certain AI technologies. Contractors that proactively invest in AI security capabilities, develop expertise in AI red teaming and adversarial testing, and establish robust AI governance frameworks will gain significant competitive advantages.

The bill’s enhanced ATO accountability provisions will require robust continuous monitoring, clear audit trails and detailed evidence of security effectiveness throughout system lifecycles. Service providers that have not already done so should implement automated continuous monitoring capabilities that provide real-time security-posture visibility and auditability.

The bill will significantly tighten supply chain security, requiring comprehensive inventories of existing equipment, identification of alternative vendors, multi-tier supply chain visibility to trace components to original manufacturers, and continuous monitoring to prevent prohibited technology from entering through subcontractors. Contractors and suppliers with robust supply chain risk management systems and relationships with trusted approved vendors will have a sustained market advantage. Small businesses may need to partner with larger primes who have resources to implement required supply chain security programs.

The expanded cybersecurity workforce development provisions emphasize AI security, requiring all cybersecurity training programs be updated to include AI-specific content addressing vulnerabilities, adversarial attacks, secure development practices, and incident response. Organizations investing in AI security expertise and contributing to DoD cybersecurity workforce development will be well positioned to address these increasingly complex challenges. Small businesses may potentially benefit by focusing on niche areas such as AI security training where demand exceeds supply.

The DoD’s harmonization of cyber regulations may offer relief from overlapping requirements and potentially reduce compliance costs, if DoD successfully consolidates redundant cybersecurity mandates. Contractors should actively engage with DoD in the harmonization process to inform these efforts.