DoD and Contractor Impacts of Cyber Policy Mandates in the FY 2023 NDAA

Published: February 24, 2023


Cyber requirements in the fiscal year 2023 National Defense Authorization Act impact Defense-wide IT policies, technology adoption and contractors.

Continuing our series highlighting the procurement and technology provisions in the FY 2023 National Defense Authorization Act (NDAA), this post focuses on several requirements addressing Department of Defense (DoD) cybersecurity-related strategies and policies, including policies affecting technology adoption and defense industrial base cybersecurity.

DoD Cyber Strategy Alignment

Section 1506 requires the Under Secretary of Defense for Policy to coordinate with the commanders of the combatant commands and the Director of the Joint Staff to align the DoD Cyber International Strategy with the 2022 National Defense Strategy and FY 2023 Department of Defense Cyber Strategy. The alignment is to include efforts to: build DoD capacity to support international strategy policy engagements with U.S. allies and partners; coordinate and align cyberspace operations; cultivate operational and intelligence-sharing partnerships; secure networks, infrastructure, and systems for the Joint Force; and set priorities, funding requirements, and efficacy metrics to drive investments in cyberspace security tools, technologies, and capacity-building efforts.

Assessment of Defense Industrial Base Cybersecurity   

Section 1526 requires the DoD Deputy Secretary to conduct two assessments before the DoD may use the final 25% of its FY 2023 Defense-wide Operation and Maintenance (O&M) budget. The first is to assess the framework for cybersecurity of the defense industrial base (DIB) required by section 1648 of the FY 2020 NDAA to determine whether the current framework and plans are sufficient. Covered topics include expanding the DoD’s use of internal secure cloud environments for DIB contractors to perform software development and DoD data access; enabling contractors to access DoD-provided cybersecurity-as-a-service offerings; limiting the program information available to subcontractors to what is necessary for contract performance; and ways to rationalize and integrate the various DoD DIB cybersecurity programs and activities.

Review of DoD Official Roles and Responsibilities for Cyber, IT and Budget

The second assessment required by Section 1526 is a review of the roles, responsibilities and supporting policies for key DoD cyber, IT and budget officials, namely the DoD Principal Cyber Advisor (PCA), the DoD Chief Information Officer (CIO), the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)), the Under Secretary of Defense for Policy (USD (P)), the Under Secretary of Defense for Intelligence and Security (USD (I&S)), and the Under Secretary of Defense (Comptroller). This assessment addresses requirements in section 1724 of the FY 2021 NDAA.

Big Data for Cyber/IT Budget Analysis

Section 1552 directs the DoD Chief Information Officer (CIO), in coordination with the Chief Digital and Artificial Intelligence Officer, to complete a pilot demonstration program applying advanced data analytics to the FY 2024 budget data of a military department to identify “total cyber and information technology spending and the distribution of such resources across budget line items . . . in a manner that would indicate that funds included in such line items will be expended on cyber and information technology activities.” In other words, Congress wants the DoD to test using big data analytics to help improve the accuracy and traceability of its cybersecurity and IT budget allocations and decisions.

Adoption of Artificial Intelligence for DoD Cyber Operations

Section 1554 directs the Commander of the U.S. Cyber Command (USCYBERCOM) and the DoD Chief Information Officer (CIO) to “develop a five-year roadmap and implementation plan for rapidly adopting and acquiring Artificial Intelligence (AI) systems” for use in DoD cyber missions, including using AI to advance DoD cybersecurity; uses of AI for cyber effects operations; assessing and mitigating vulnerabilities of AI systems to attacks; and defending against adversary AI-based cyber-attacks.

The plan is to address ways the DoD will “develop, acquire, adopt, and sustain the AI systems, applications, data, and processing;” the roles and responsibilities of various DoD officials in adopting and acquiring AI systems; currently deployed AI systems, applications, ongoing prototypes, and data; current AI capability and skill gaps to be addressed; long-term technology gaps for AI research to fulfill the DoD cyber warfighter mission; and the threat posed by adversaries’ use of AI to the DoD cyberspace operations, networks and systems in the next five years, including DoD actions planned to address that threat. In addition to a detailed schedule with target milestones, investments, and required expenditures, the roadmap is to include any additional funding, authorities, and policies required.

As these mandates are fulfilled, we should expect to see a continued evolution of DoD cyber strategies, operational approaches, technology investments, and (hopefully) some greater budget clarity and transparency. Time will tell.