Cybersecurity Provisions in the Final FY 2025 National Defense Authorization Act
Published: January 13, 2025
The final FY 2025 NDAA includes cybersecurity provisions of contractor interest.
In the waning days of the 118th Congress, legislators passed and the president signed the FY 2025 National Defense Authorization Act (NDAA). This annual legislation regularly includes numerous provisions to address technology, acquisitions and policy issues within the Department of Defense (DOD) and beyond. Cybersecurity is among the most common concerns that Congress addresses within the annual bill, and the FY 2025 NDAA is no exception.
While many of the cybersecurity provisions proposed in the draft House and Senate bills did not make it into the final bill, several key provisions survived the reconciliation process. Below are the most notable cybersecurity-related provisions in the final FY 2025 NDAA, many of which may have implications for contractors, or at least should be on contractors' radar for potential impacts. (Italics are added for emphasis.)
- Department of Defense Information Network Subordinate Unified Command (Sec. 1502) – Directs the Secretary of Defense (SECDEF) to designate the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) as a subordinate unified command under the United States Cyber Command (USCYBERCOM). The SECDEF shall issue a notice regarding the designation and the mission of the JFHQ-DODIN as the lead organization for the network operations, security, and defense of the DODIN.
- Establishment of the Department of Defense Hackathon program (Sec. 1503) – Directs the DOD Chief Digital and Artificial Intelligence Officer (CDAO) to establish a DOD Hackathon Program, to be carried out not fewer than four times each year, two each to be hosted by two combatant commands (COCOMs) and two military departments (MILDEPs), with hosts changing each year. The CDAO is to develop and implement Hackathon standards, provide supporting technical infrastructure, and determine the hosts each year. Each host will establish their Hackathon objectives that address critical technical challenges, foster innovation and create repeatable processes that enable the DOD to more rapidly identify and develop solutions to these challenges.
- Support for Cyber Threat Tabletop Exercise Program with the Defense Industrial Base (Sec. 1504) – Within the next year, the Assistant Secretary of Defense for Cyber Policy (ASD(CP)) is to establish and conduct a “Cyber Threat Tabletop Exercise Program” to prepare the DOD and the defense industrial base (DIB) for cyber attacks preceding or during times of conflict or wars. These tabletop exercises will simulate cyber attack scenarios affecting the DIB to test and improve responses and response plans. These exercises will be carried out on a biannual basis until December 30, 2030.
- Information Technology Programs of the National Background Investigation Service (Sec. 1512) – Directs the Defense Counterintelligence and Security Agency, in coordination with the DOD Chief Information Officer (CIO), to ensure that the National Background Investigation Services are in compliance with the relevant security and privacy standards and guidelines published in National Institute of Standards and Technology (NIST) Special Publication 800–53, Revision 5, or successor publication or revision.
- Guidance for Application of Zero Trust Strategy to Internet of Things Hardware Used in Military Operations (Sec. 1513) – Directs the DOD CIO to develop guidance for how—(1) the DOD zero trust strategy applies to Internet of Things (IoT) hardware, including human-wearable devices, sensors, and other smart technology used by the United States in military operations; and (2) the role identity, credential, and access management technologies serve in enforcing the DOD zero trust strategy.
- Management and Cybersecurity of Multi-cloud Environments (Sec. 1514) – Requires the DOD CIO to develop a strategy for the management and cybersecurity of DOD’s multi-cloud environments. The strategy is to align with the DOD’s zero trust strategy; provide the DOD with network visibility and interoperability across all of its multi-cloud environments; leverage identity, credential, and access management (ICAM) technologies; use enterprise-wide endpoint security; improve the identification and resolution of security concerns for each cloud environment prior to and during their adoption by the DOD; increase the adoption of artificial intelligence (AI) applications into DOD multi-cloud environments; increase the transparency reporting of multi-cloud usage to improve planning for capacity demand, budgeting, and predictability for users and contractors providing multi-cloud environments and the related goods and services; identify opportunities for improved planning for data use and storage in multi-cloud environments, when this data is used to train AI models or other commercially developed software systems; identify ways to streamline cloud-service certification processes for cloud service providers; and plan for training DOD personnel on how to incorporate the use of multi-cloud environments into the DOD’s functions and effectively leverage cybersecurity capabilities in these multi-cloud environments.
- Protective Measures for Mobile Devices within the Department of Defense (Sec. 1515) – Requires the SECDEF to carry out a detailed evaluation of the cybersecurity products and services for mobile devices to identify products and services that may improve the cybersecurity of mobile devices used by the DOD, including mitigating the risk to the DOD from cyber attacks against mobile devices. The SECDEF shall evaluate each of the following technologies: (1) Anonymizing-enabling technologies, including dynamic selector rotation, un-linkable payment structures, and anonymous onboarding; (2) Network-enabled full content inspection; (3) Mobile-device case hardware solutions; (4) On-device virtual private networks; (5) Protected Domain Name Server infrastructure; (6) Extended coverage for mobile device endpoint detection; (7) Smishing, phishing, and business text or email compromise protection leveraging generative artificial intelligence; (8) Any other emerging or established technologies determined appropriate by the Secretary.
- Limitation on availability of funds for the Joint Cyber Warfighting Architecture (Sec. 1545) – Of the funds authorized to be appropriated by this Act for FY 2025 for the Joint Cyber Warfighting Architecture (JCWA), not more than 95 percent may be obligated or expended until the Commander of USCYBERCOM provides to the congressional defense committees a plan to move to the Next Generation JCWA. The required plan shall include the following: (A) Details for ceasing or minimizing continued development on the current JCWA components, including timelines to stabilize the current architecture within 12 to 18 months and resources available across the future years defense plan, and (B) Scoping and a preliminary baseline plan for a revised Next Generation JCWA program, including timelines, coordination with the military departments, descriptions of proposed new capability sets, mapping of current JCWA capabilities to proposed new capabilities, and additional authority or resource needs beyond those available under the rephrasing of the program.
- Cyber Intelligence Capability (Sec. 1612) – By October 1, 2026, the SECDEF, in consultation with the Director of National Intelligence, shall ensure that the DOD has a dedicated cyber intelligence capability in support of the military cyber operations requirements for DOD warfighting missions with respect to foundational, scientific and technical, and all-source intelligence on cyber technology development, capabilities, concepts of operation, operations, and plans and intentions of cyber threat actors. Initial efforts are to be funded out of the USCYBERCOM budget under the Military Intelligence Program (MIP), with dedicated budget funding necessary for this capability to begin with the FY 2027 budget request.
- Establishment of Artificial Intelligence Security Center (Sec. 6504) – Directs the National Security Agency (NSA) to establish an Artificial Intelligence Security Center within their Cybersecurity Collaboration Center to develop guidance to prevent or mitigate counter-artificial intelligence techniques and to promote secure AI adoption practices for managers of national security systems and elements of the defense industrial base (DIB).
- Measures to Protect Department Devices from the Proliferation and Use of Foreign Commercial Spyware (Sec. 7302) – Directs the SECDEF to: (A) issue standards, guidance, best practices, and policies for DOD and USAID personnel to protect covered devices from being compromised by foreign commercial spyware; (B) survey the processes used by the DOD and USAID to identify and catalog instances where a covered device was compromised by foreign commercial spyware over the prior 2 years and it is reasonably expected to have resulted in an unauthorized disclosure of sensitive information; and (C) report to Congress on the measures in place to identify and catalog instances of such compromises. The term “covered device” means any electronic mobile device, including smartphones, tablet computing devices, or laptop computing devices, that is issued by the DOD for official use.
Several of these provisions will drive DOD activities and budget investments of interest to industry, as well as formal contract solicitations for cybersecurity products and services, such as security for mobile devices. Other provisions are more policy-oriented and organizational in nature, but these too should be monitored by contractors for potential opportunities as these efforts take shape and mature.