While a good bit of the focus on the conferenced version of the fiscal year (FY) 2022 National Defense Authorization Act has centered around the lack of incident reporting and other legislative items that were cut from the bill, the defense spending bill that passed the House of Representatives last week continues to retain a variety of important cybersecurity and tech-related provisions.
Among those provisions making the cut are investments and changes in cyber operations and cyber forces, as well as Department of Defense (DoD) cybersecurity. The bill also includes research funding and recommendations from the National Security Commission on AI (NSCAI).
“This bill represents compromise between both parties and chambers,” House Armed Services Committee Chair Adam Smith, D-Wash., said in a release last week. “When we get to the end of this arduous process, we often forget the hundreds of provisions we came to agreement on and focus solely on where we could not come to agreement. Ultimately, our responsibility as a Congress to provide for the common defense supersedes these areas of disagreement, making the substance of this bill and its signature into law critical.”
The bill includes a number of provisions designed to beef up cyber operations and forces, enhance DoD cybersecurity, and improve broader Federal cybersecurity as a whole.
As the conferenced bill represents what lawmakers from both parties and chambers could agree upon, some of the previously reported cyber provisions included in the version of the NDAA passed by the House in September remain in the current version of the legislation, including:
- The authorization of the Cybersecurity and Infrastructure Security Agency’s (CISA) CyberSentry program, focused on the cybersecurity of industrial control systems (ICS);
- An amendment that would require CISA to update its incident response plan at least every two years;
- The codification of CISA’s National Cyber Exercise program; and
- A provision that would require the Department of Defense (DoD) to submit a report on how its Cybersecurity Maturity Model Certification (CMMC) program affects small businesses.
These provisions largely focus on Federal cybersecurity, and a summary of the bill says the totality of the legislation “initiates the widest empowerment and expansion of CISA through legislation since the SolarWinds incident.”
The bill also requires the use of protective domain name systems (DNS) across DoD. CISA previously announced that it will be rolling out a protective DNS service for all Federal agencies free of charge next year.
The conferenced NDAA bill also gives United States Cyber Command (CYBERCOM) Commander Gen. Paul Nakasone executive budget authority, “modernizes the relationship” between DoD CIO and the National Security Agency’s cyber components, and establishes a program that would centralize DoD cyber threat information products within the Joint Forces Headquarters-DoD Information Network.
Other Tech Provisions
Among the wealth of non-cyber tech provisions in the bill, lawmakers included recommendations from the NSCAI – such as a previously House-passed bill requiring the Office of Personnel Management (OPM) to set up software and data positions – and also authorized a nearly 25 percent bump in defense-wide research and development (R&D).
One of the NSCAI’s recommendations was for the director of OPM to establish one or more digital occupational series. The House passed a version of this recommendation as a standalone bill in October, which would give the OPM director 270 days to establish occupational series for Federal software and data positions. With no movement on the bill from the Senate side, lawmakers tacked the widely uncontroversial and bipartisan legislation – which passed the House with a 416-9 vote – onto the NDAA.
Other NSCAI recommendations that made it into the bill include requiring Defense Secretary Lloyd Austin to review potential ways the DoD can utilize AI and digital tech, creating a pilot program that would facilitate a more agile acquisition process for DoD, and directing Austin to designate the first-ever chief digital recruiting officer, who would be charged with recruiting civilians to the Federal digital workforce.
The funding bump for defense-wide R&D represents a $5.8 billion increase in funding above what President Biden requested in his budget, or a 24.7 percent increase. The bill also doubles what Biden requested for activities at Historically Black Colleges and Universities (HBCUs), funding those activities by $42.1 million more than the amount Biden requested. Under the conferenced version of the bill, Defense Secretary Austin would also be tasked with developing a plan on how to more effectively promote and support defense research at Minority Serving Institutions.
These provisions represent just some of the variety of tech and cyber provisions in the bill. While the legislation has already made its way through the House, the bill still awaits Senate action. The conference agreement itself was born out of a wealth of Senate disagreements over how to proceed with the bill and its amendment process. The conference agreement, in theory, will allow for an easier passage in the upper chamber.
The Senate will continue taking action on the bill this week.