Key Defense Cybersecurity Provisions in the FY 2024 NDAA

Published: January 12, 2024


The fiscal year 2024 National Defense Authorization Act (NDAA) includes cybersecurity provisions of interest to commercial solutions providers.

Recently, other GovWin analysts and I have been highlighting procurement and technology provisions in the FY 2024 National Defense Authorization Act (NDAA). This annual legislation regularly includes broad provisions to address technology, acquisitions and policy issues within the Department of Defense (DoD) as well as other entities within the federal government. This article highlights select cybersecurity provisions in the FY 2024 NDAA that directly impact the DoD cybersecurity landscape, including contracted support and solutions providers.

Updates to the DoD’s Strategic Cybersecurity Program (Sec. 1502)

This section directs actions to be taken for the harmonization and clarification of the Strategic Cybersecurity Program, including designating leadership responsibilities with the Office of the Secretary of Defense (OSD) and the program office within the Cybersecurity Directorate of the National Security Agency (NSA), the budget and other authorities of the DoD Chief Information Officer (CIO), and the authorities and participation from various DoD entities.

The program scope includes all systems, critical infrastructure, kill chains, and processes, including those in development, which comprise the DoD missions of nuclear deterrence and strike; select long-range conventional strike; offensive cyber operations; and homeland missile defense. Activities include conducting or ensuring end-to-end vulnerability assessments, including of weapons systems and critical infrastructure; remediation of identified vulnerabilities; reviews of program acquisition and system engineering plans; risk assessments of vulnerabilities and cyberattack vectors; evaluation of DoD cyber protection teams; etc. The program leadership is required to report to Congress on program activities by the end of each calendar year.

Development of Cyber Support Mechanisms for Geographic Combatant Commands (Sec. 1506)

This requires U.S. Cyber Command (USCYBERCOM) to work with combatant commands to develop cyber support mechanisms that enhance cyber capabilities, planning capacity, and the integration of cyber capabilities into operational support, and that prioritize risks and vulnerabilities specific to a command’s area of responsibility.

Advancing DoD Cyber Red Teams (Sec. 1507)

Requires DoD to assess the progress in implementing previously identified improvements to DoD cyber red teams and to develop plans – including funding, resources, personnel, infrastructure, authorities or training – to ensure cyber red teams achieve sufficient capacity and capability to meet current and projected demands.

Cybersecurity Enhancements for Nuclear Operations (Sec. 1512)

Establishes a cross-functional team focused on threat-driven cyber defense for the systems and networks that support nuclear command, control, and communications (NC3). The bill authorizes nearly $112M in FY 2024 to support NC3 Advanced Concepts, Commercial Development and Prototyping, and Integration activities.

Improving Semiconductor Supply Chain Cybersecurity (Sec. 1513)

Launches a pilot program under which the Cybersecurity Collaboration Center of the NSA is to assess the feasibility and advisability of improving the cybersecurity of the semiconductor supply chain, including the cybersecurity of semiconductor design, manufacturing, assembly, packaging, and testing.

Leveraging MOSAICS Program Data and Technology for Critical Infrastructure Protection (Sec. 1514)

Authorizes the DoD to transfer to eligible private sector entities data and technology developed under the More Situational Awareness for Industrial Control Systems (MOSAICS) Joint Capabilities Technology Demonstration program to enhance cyber threat detection and protection of critical industrial control system assets used for electricity distribution.

Modernizing Network Boundary and Cross-Domain Defense (Sec. 1515)

Expands the FY 2023 pilot modernization program to update network boundary and cross-domain defense against cyber-attacks. The DoD is to complete deployment of modernized network boundary defense capabilities to Defense Information Systems Agency (DISA) and DoD-wide Internet access points by the end of FY 2026, the Secret Internet Protocol Router (SIPR) network by the end of FY 2027, and to any remaining classified or other networks by the end of FY 2028.

Elevating Identity, Credential, and Access Management Activities (Sec. 1516)

Establishes a new program of record to implement improved authentication technologies, such as biometric and behavioral authentication techniques and other non-password-based solutions. The program goal is to correct weaknesses in authentication and credentialing security and encompasses DoD’s Public Key Infrastructure. As part of the effort, the DoD CIO will designate the Tier 1 level data attributes to be used as a baseline set of standardized attributes for identity, credential, and access management, Defense-wide.

Assuring Critical Infrastructure Support for Military Installations (Sec. 1517)

Establishes the Assuring Critical Infrastructure Support for Military Contingencies Pilot Program to conduct cyber resiliency and reconstitution stress test scenarios to assess how to prioritize restoration of power, water, and telecommunications for a military installation in the event of a significant cyberattack on regional critical infrastructure.

Emerging Cyber Data Solutions (Sec. 1522)

Amends Section 1521(a) of the FY 2022 NDAA, which established a program management office for the procurement of cyber data products and services, to now include within its scope, “Evaluating emerging cyber technologies, such as artificial intelligence-enabled security tools.”

Training to Enhance the Readiness and Effectiveness of Cyber Mission Forces (Sec. 1535)

Directs USCYBERCOM to conduct a pilot program under which it would contract with skilled contractors to provide services around critical work roles within the Cyber Mission Force, for the purpose of enhancing its readiness and effectiveness.

Implementing User Activity Monitoring and Least Privilege Access Controls (Sec. 1537)

Requires all DoD components to fully implement user activity monitoring and least privilege access controls for their personnel, including employees and contractors, who are granted access to classified information and classified networks. This includes implementing automated controls to detect and prohibit improper use of privileged access and conducting insider threat testing using threat-realistic tactics, techniques, and procedures at least once every two years.

Using Cybersecurity Supply Chain Risk Management Tools in Military Construction Projects (Sec. 2809)

In carrying out military construction projects for energy resilience, energy security, and energy conservation, the NDAA requires the DoD to incorporate cybersecurity supply chain risk management tools and solutions into a project connected to a DoD Information Network, to provide continuous analysis, monitoring, and mitigation of cyber vulnerabilities. In doing so, the DoD should consider use of commercially available cybersecurity supply chain risk management tools and solutions.