Defense Cybersecurity Provisions in the Final 2022 National Defense Authorization Act

Every fiscal year (FY) the U.S. Congress drafts, debates and eventually passes a National Defense Authorization Act (NDAA) covering wide-ranging provisions for the Department of Defense (DOD) and defense-related activities in other federal departments. It is also common for Congress to include provisions that address technology, acquisitions and other contracting policy priorities in the annual NDAA that drive policy and practice at the DOD and across federal agencies.

Follow the Bouncing Bill

Following the progress of this year’s Defense Authorization bill has been a lot like watching a tennis match, with different forms of the bill being introduced and moving between the two chambers of Congress before settling on a dominant version. Passed by the House of Representatives on December 7, 2021, S. 1605 effectively replaces  the House’s own version, H.R. 4350, which they initially passed in September before scrapping it in favor of S. 1605. Interestingly, H.R.4350 was anticipated by many to be the “official” bill that the Senate was looking to pass until last week . . . so much so that I looked at the cybersecurity elements of H.R. 4350 in a previous article. To make following its progress even more curious, S. 1605 itself became a surrogate-by-amendment for the Senate’s original NDAA bill, S. 2792, which was introduced in the Senate in September and effectively sat until the Senate started debating H.R 4350 months later.

As of this writing, S. 1605 has been passed by both chambers and is in reconciliation. Given its progression through both chambers, I am hopeful that what has passed is effectively the final bill.

DOD Cybersecurity Provisions in the FY 2022 NDAA (S. 1605)

The cybersecurity provisions listed here are specific to the Department of Defense. There are also a handful of other provisions included in S. 1605 that apply to other agencies, primarily the Cybersecurity and Infrastructure Security Agency. It is also worth mentioning that not all of the cybersecurity provisions in H.R. 4350 made it into S. 1605 and vice-versa. As is the case in these bills, some provisions in S. 1605 were not in HR. 4350. 

Select DOD cybersecurity provisions in S. 1605 include:

Sec. 1501 Development of Taxonomy Of Cyber Capabilities

• Directs DOD to develop a taxonomy of cyber capabilities, including software, hardware, middleware, code, and other information technology, designed for use in cyber effects operations.

Sec. 1504 Evaluation of DOD Cyber Governance

• Directs the DOD to complete an evaluation and review of the Department’s current cyber governance construct, including assessing performance in carrying out its current cyber strategy;  current institutional constructs, delineation of responsibilities, roles and responsibilities; policy, legislative, and regulatory regimes; integration and coordination of cyberspace activities with other aspects of information operations; and DOD's posture for building and retaining the necessary cyber requisite workforce. 

Sec. 1505 Operational Technology and Mission-relevant Terrain in Cyberspace

• Directs the DOD to complete a mapping of mission-relevant terrain in cyberspace for Defense Critical Assets and Task Critical Assets at sufficient granularity to enable mission thread analysis and situational awareness, including identification of access vectors; network topologies; reliant weapon systems; and cybersecurity defenses across information and operational technology.
• Directs the Combatant Commands to develop, institute, and modify their internal processes, responsibilities, and functions to enable effective mission thread analysis, cyber situational awareness, and effective cyber defense of Defense Critical Assets and Task Critical Assets.
• Directs the DOD Chief Information Officer (CIO) to establish or change policies, control systems standards, risk management framework and authority-to-operate policies, and cybersecurity reference architectures to provide baseline cybersecurity requirements for operational technology across the Department of Defense Information Network (DODIN).
• Directs the USCYBERCOM to update the mission, scope, and posture of Joint Forces Headquarters-Department of Defense Information Network (JFHQ-DODIN) to ensure appropriate visibility of operational technology and weapon systems and that United States Cyber Command (USCYBERCOM) can effectively defend such operational technology. This includes having established processes for incident and compliance reporting; ensuring compliance with DOD cybersecurity policy; and ensuring that cyber vulnerabilities, attack vectors, and security violations are appropriately managed.
• Directs the USCYBERCOM to ensure that operational technology cyber defense is appropriately incorporated into training for the Cyberspace Operations Forces, including the development of a joint training curriculum, tradecraft and operational constructs for operational technology-focused Cyberspace Operations Forces.
• Directs the military departments (MILDEPS) to make necessary investments in operational technology in the forces, facilities, critical infrastructure, and weapon systems for the cyber-defense of such operational technology.
• Directs the Secretary of Defense to assess and finalize the Office of the Secretary of Defense (OSD) components’ roles and responsibilities for the cybersecurity of operational technology across the Department; and the need for funding for remediation of cybersecurity gaps in DOD operational technology. DOD must also make relevant modifications to the DOD’s mission assurance construct.

Sec. 1506 Cyber Personnel Requirements

• Directs the Under Secretary of Defense (USD) for Personnel and Readiness and the DOD CIO to determine the overall workforce requirement for DOD cyberspace and information warfare military personnel across the active and reserve components (other than the Coast Guard), including necessary civilian personnel. 
• Directs the USD and CIO to develop a talent management strategy that covers accessions, training, and education; and to assess current and future cyber education curriculum and requirements for military and civilian personnel.

Sec. 1507 Assignment of Cyber Budget Responsibilities to the Commander of U.S. Cyber Command

• Makes the Commander of the USCYBERCOM responsible for directly controlling and managing the planning, programming, budgeting, and execution of resources to train, equip, operate, and sustain the Cyber Mission Forces.

Sec. 1508 Coordination between U.S. Cyber Command and Private Sector

• Directs the USCYBERCOM to establish a voluntary process to engage with private sector information technology and cybersecurity entities to explore and develop methods and plans for coordinated efforts and assistance, integrated with existing collaboration efforts, to defend against foreign malicious cyber actors.

Sec. 1509 Assessment of Adversary Cyber Posture and development of U.S. Offensive Capabilities

• Requires the DOD and USCYBERCOM to jointly sponsor or conduct an assessment (to include an appropriate war-game or tabletop exercise) of the current and emerging offensive and defensive cyber posture of U.S. adversaries and the current operational assumptions and plans of the Armed Forces for offensive cyber operations during potential crises or conflict.

Sec. 1510 Assessing Capabilities to Counter Ransomware

• Directs the DOD to conduct a comprehensive assessment of the policy, capacity, and capabilities of the DOD to diminish and defend from the threat of ransomware attacks. This includes an assessment of the current and potential threats and risks to national and economic security, and an assessment of current potential DOD efforts and capabilities to deter and counter threats.

Sec. 1511 Comparative Analysis of Cybersecurity Capabilities 

• Directs the National Security Agency (NSA) and Defense Information Systems Agency (DISA) to conduct a comparative analysis of the cybersecurity tools, applications, and capabilities offered by the following solutions on the Defense Enterprise Office Solution (DEOS) and Enterprise Software Agreement (ESA) contracts:
  • Cloud-based productivity and collaboration suites
  • The identity, credential, and access management (ICAM) system and its capabilities to enforce the principle of least privilege access 
  • Artificial Intelligence and Machine Learning (AI and ML) capabilities, and the ability to host government or third party AI and ML algorithms
  • Network consolidation and segmentation capabilities
  • Automated orchestration and interoperability capabilities

Sec. 1521 Enterprise-Wide Procurement of Cyber Data Products and Services

• Requires the DOD to designate an executive agent for the department-wide procurement of cyber data products and services. This includes establishing a program management office for the procurement, needs assessment, market research, and technical and contract requirements for cyber data products and services – including those to support cyberspace topology and identification of adversary threat activity and infrastructure.

Sec. 1522 Legacy Information Technologies and Systems Accountability

• Directs the Secretaries of the Army, Navy, and Air Force to each identify legacy applications, software, and information technology within their respective departments and eliminate any such application, software, or information technology that is no longer required.

Sec. 1524 Protective Domain Name System within DOD 

• Requires each DOD component to use a Protective Domain Name System (PDNS) instantiation offered by the department.

Sec. 1527 Cyber Data Management

• Directs the USCYBERCOM and MILDEPS to: access, acquire, and use mission-relevant data to support offensive cyber, defensive cyber, and DODIN operations from the intelligence community, other elements of the DOD, and the private sector; develop policy, processes, and operating procedures governing the use and management of various mission-relevant data; pilot efforts to develop operational workflows and tactics, techniques, and procedures for the operational use of mission-relevant data; and evaluate relevant data management platforms.

Sec. 1528 Zero Trust Strategy, Principles, Model Architecture, and Implementation Plans

• Requires the DOD CIO and USCYBERCOM to develop a zero trust (ZT) strategy, principles, and a model architecture to be implemented across the DODIN, including operational technology, critical data, infrastructures, weapon systems, and classified networks. The ZT strategy and architecture would encompass cloud environments; identity, credential, and access management; macro and micro network segmentation; end-to-end encryption; least privilege access; and other ZT principles. 
• Directs DOD to assess the utility of the Joint Regional Security Stacks (JRSS), automated continuous endpoint monitoring program, assured compliance assessment solution, the current Comply-to-Connect Plan, and the defenses at the Internet Access Points for their relevance and applicability to the ZT architecture and opportunities for integration or divestment.
• Directs the DOD to implement cybersecurity training on zero trust at the executive level, cybersecurity practitioner level, and general user level. 
• Directs the DOD to conduct outreach to industry, academia, international partners, and other federal departments and agencies on issues relating to deployment of zero trust architectures.

Sec. 1529 Demonstration Program for Automated Security Validation Tools

• Directs DISA to complete a demonstration program to assess an automated security validation capability for mitigating cyber hygiene challenges; assessing weapon systems resiliency; and quantifying enterprise security effectiveness to inform future acquisition decisions.

Sec. 1531 Digital Development Infrastructure Plan and Working Group

• Directs the Secretary of Defense to establish a DOD working group on digital development infrastructure implementation to develop a plan for establishing a modern information technology infrastructure that supports state of the art tools and modern processes to enable effective and efficient development, testing, fielding, and continuous updating of artificial intelligence capabilities.

Sec. 1533 Report on the Cybersecurity Maturity Model Certification (CMMC) Program

• Directs the DOD to report on the CMMC program in consideration of the recent internal program review. The report must include: 
  • Programmatic changes to address plans and recommendations of the Secretary of Defense and from the internal program review 
  • Strategy and process for CMMC rulemaking 
  • Budget and resources required 
  • Plans for communication and coordination CMMC program plans with the defense industrial base 
  • Coordination needed within DOD and between federal agencies 
  • The applicability of program requirements to universities and DOD academic partners and a plan for communication and coordination with partners 
  • Plans and explicit public announcement of processes for reimbursement of cybersecurity compliance expenses for small and non-traditional businesses in the defense industrial base 
  • Plans for ensuring that first-time DOD contract-bidders are not required to expend funds to acquire cybersecurity capabilities and a certification as a precondition for bidding on such a contract without reimbursement if they do not receive a contract award
  • Plans for reimbursement of compliance expenses for small and non-traditional businesses and for reimbursing CMMC expenses for first-time DOD contract-bidders if they do not receive a contract award
  • Roles and responsibilities of prime contractors for assisting and managing cybersecurity performance of subcontractors.

(Read about DOD’s latest revisions to CMMC here.)