Homeland Security Cybersecurity Provisions in the 2022 National Defense Authorization Act

Just before the holidays, Congress passed the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2022, covering wide-ranging provisions for the Department of Defense (DOD) and defense-related activities in other federal departments. Previously, I have looked at the major DOD cybersecurity provisions in the FY 2022 NDAA, but legislators did not stop there.

DHS Cybersecurity Provisions in the FY 2022 National Defense Authorization Act

Congress has often used the annual NDAA as a means to address policy, technology and acquisitions issues beyond the DOD. This is true for cybersecurity in this year’s bill, with most of the non-Defense provisions focused on the Department of Homeland Security (DHS) and in particular the Cybersecurity and Infrastructure Security Agency (CISA).

Select DHS cybersecurity provisions in the FY 2022 NDAA include:

Sec. 1541 Capabilities to Identify Threats to Industrial Control Systems

• Directs CISA to maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure, i.e. industrial control systems. Elements are to include threat hunting and incident response capabilities; vulnerability information to the industrial control systems community; and cybersecurity technical assistance to industry end-users, product manufacturers.

Sec. 1542 Mitigating Cybersecurity Vulnerabilities

• Gives CISA the authority to “identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities to information systems and industrial control systems, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.’’

Sec. 1544 Competition for Remediating Cybersecurity Vulnerabilities

• Authorizes the DHS Under Secretary for Science and Technology (S&T) to establish an incentive-based program that allows industry, individuals, academia, and others to compete in identifying remediation solutions for cybersecurity vulnerabilities to information systems and industrial control systems, including supervisory control and data acquisition systems.

Sec. 1545 Strategy to Aid Non-federal Governments

• Directs CISA to develop and make publicly available a Homeland Security strategy to improve the cybersecurity of state, local, tribal, and territorial governments, including the ways in which the federal government should support these efforts.

Sec. 1547 National Cyber Exercise Program

• Establishes within CISA the National Cyber Exercise Program to evaluate the National Cyber Incident Response Plan, and other related plans and strategies. The program’s purpose is to provide for the systematic evaluation of cyber readiness and enhance operational understanding of the cyber incident response system and relevant information sharing agreements. The program is to aid governments and private entities with the design, implementation, and evaluation of evaluation exercises and to provide model exercises that these entities can adapt for their use.

Sec. 1548 CyberSentry Program

• Establishes the CyberSentry program within CISA, authorizing CISA to enter into strategic partnerships with critical infrastructure owners and operators to provide them with continuous monitoring and detection of cybersecurity risks to their industrial control systems and supporting information systems. CISA is also authorized to leverage relevant sensitive or classified intelligence about cybersecurity risks to advise critical infrastructure owners and operators regarding mitigation measures and share information as appropriate.

Sec. 1549 Strategic Assessments Relating to Innovation and Cybersecurity Threats

• Expands the responsibilities of the CISA Director to conduct and report on periodic strategic assessments of CISA cybersecurity related programs and activities to ensure that they “contemplate the innovation of information systems and changes in cybersecurity risks and cybersecurity threats.’’

Sec. 1550 Pilot Partnerships with Internet Companies to Disrupt Cyber Adversaries

• Directs CISA to launch a pilot program to assess the feasibility and advisability of entering into public-private partnerships with internet ecosystem companies to facilitate (within the bounds of applicable laws and companies’ policies, etc.) actions by these companies to discover and disrupt malicious cyber actors’ use of company platforms, systems, services, and infrastructure.

Sec. 1551 United States-Israel Cybersecurity Cooperation Grants

• Updates agreements between the governments of the U.S. and Israel on Cooperation in Science and Technology for Homeland Security Matters. It establishes a grant program at DHS for cybersecurity research and development and demonstration and commercialization of cybersecurity technology for joint efforts between U.S. and Israeli entities. The NDAA authorizes (not appropriates) $6 million for each fiscal year from 2022 through 2026 and requires 50% cost-sharing by non-federal sources.