U.S. NDAA heads into the home stretch with significant cybersecurity amendments pending

News Analysis
Jul 12, 2022 · 7 min read
Tags: Compliance, CSO and CISO

The main defense spending bill might enact the most significant pieces of U.S. cybersecurity legislation this year.

[Image: United States Capitol Building / Congress / legislation in a digital landscape. Credit: mcdustelroy / DKosig / Getty Images]

In late June, the House Armed Services Committee approved its version of the National Defense Authorization Act (NDAA) for the Fiscal Year 2023 with a $37 billion funding increase over what President Joe Biden requested. This week the whole House will debate the must-pass funding legislation.

The NDAA, enacted every year to fund the U.S. military, has in previous years been a vehicle through which a wide swath of cybersecurity legislation has passed, given the struggles that standalone cybersecurity bills experienced. According to the nonprofit research organization Third Way, from 2017 to 2021, Members of Congress included 290 cyber-related provisions in the NDAAs, with the latter two NDAAs accounting for 60% of those provisions.

The 179 cyber provisions in the 2020 and 2021 NDAAs far outpaced the 14 cybersecurity bills that the 116th Congress passed (two of which were those NDAAs). In addition, starting around 2020, the number of cyber provisions not related to the Department of Defense (DoD) began increasing, addressing supply-chain security and industrial policy, critical infrastructure protection, and election security. Although no comparable analysis is available for the fiscal year 2022 NDAA, a scan of the final text of that bill reveals well over 30 separate sections devoted to cybersecurity.

The fiscal year 2023 NDAA is likewise shaping up to be a significant cybersecurity legislative vehicle, although as voted out by the Armed Services Committee it is slightly less cybersecurity-focused than in years past, with 29 sections devoted to cybersecurity, most but not all of them related to the armed services. The task now is for the House to sift through roughly 1,200 amendments, 38 of which relate to cybersecurity.

The following are the key non-military cybersecurity provisions in the version of the bill headed to the House floor and the most important cybersecurity amendments to look out for once the dust has settled after the floor vote.

Key non-military cybersecurity provisions voted out by the committee

  • Report on Cybersecurity Roles and Responsibilities of the Department of Homeland Security, which would require the secretary of Homeland Security, in coordination with the director of the Cybersecurity and Infrastructure Security Agency (CISA), to deliver a report on the roles and responsibilities of the Department of Homeland Security (DHS) and its components relating to cyber incident response. The report would be due not later than one year after the date of enactment of the Act.
  • Review of Cyber-Related Matters at the Department of the Treasury, which would require the secretary of the Treasury to complete a comprehensive review of the Department of the Treasury’s efforts dedicated to enhancing the cybersecurity capability, readiness, and resilience of the financial services sector. The review would be due not later than 270 days after the date of enactment of the Act.

Langevin-backed amendments

Many cybersecurity amendments pending a House vote come from a congressional leader on cybersecurity, Representative Jim Langevin (D-RI), who helped lead the House Armed Services’ cyber subcommittee for 11 years and served as a top member of the highly influential Cyberspace Solarium Commission. Langevin, who is retiring at the end of the year, introduced the following amendments:

  • Systemically Important Critical Infrastructure, which designates certain critical infrastructure entities as systemically important to the continuity of national critical functions and establishes unique benefits and requirements for such entities, one of the goals of the Solarium Commission. The amendment further establishes an interagency council for critical infrastructure cybersecurity coordination to harmonize future cybersecurity policy and requirements developed by federal agencies. This amendment aligns with what CISA Director Jen Easterly calls “primary systemically important entities.”
  • Office of Cybersecurity Statistics, another goal of the Solarium Commission, would require CISA to collect, process, analyze, and disseminate essential statistical data on cybersecurity, cyber incidents, and the cyber ecosystem to the American public, Congress, other federal agencies, state and local governments, and the private sector.
  • CISA Clearinghouse on Commercial Satellite Systems is a bipartisan amendment from Langevin and several of his House colleagues that requires CISA to establish a clearinghouse on the cybersecurity of commercial satellite systems. It also requires the Government Accountability Office (GAO) to study and report on federal actions to support the cybersecurity of commercial satellite systems, including those used by critical infrastructure sectors.
  • CISA Leadership Act, another bipartisan amendment backed by Langevin and several colleagues, establishes a five-year term limit and specifies the appointment process for the director of CISA.

SolarWinds investigation and digital reserve corps are among other amendments

Other noteworthy amendments to the NDAA include:

  • SolarWinds investigation is an amendment sponsored by Ritchie Torres (D-NY) that requires the director of CISA to conduct an investigation of the SolarWinds incident to evaluate its impact and to issue a report to Congress on the findings, with recommendations to address security gaps, improve incident response efforts, and prevent similar cyber incidents. The amendment also calls for a GAO report on the Cyber Safety Review Board established under Executive Order 14028.
  • Foreign Sovereign Immunities Act is a bipartisan amendment backed by nearly two dozen members that creates a cyberattack exception under the Foreign Sovereign Immunities Act to protect U.S. nationals against foreign state-sponsored cyberattacks on critical infrastructure sectors.
  • A new section for the Strengthening Cybersecurity for the Financial Sector Act is an amendment backed by Representative Bill Foster (D-IL) that would empower the National Credit Union Administration (NCUA) to oversee the cybersecurity practices of third-party vendors employed by the entities under its purview.
  • SBA Cybersecurity Planning Assistance is a bipartisan amendment by Representatives Andrew Garbarino (R-NY) and Chrissy Houlahan (D-PA) that requires the Small Business Administration (SBA) to establish a program for certifying at least 5% or 10% of the total number of employees of a small business development center to provide cybersecurity planning assistance to small businesses.
  • National Digital Reserve Corps is a bipartisan amendment backed by 22 members that establishes the National Digital Reserve Corps to allow private-sector cybersecurity, AI and digital experts to work for the federal government temporarily.
  • Center of Academic Excellence in Cyber Education support is a bipartisan amendment that directs the secretary of defense to establish a program to provide financial support for the pursuit of programs of education at institutions of higher education that have been designated as a Center of Academic Excellence in Cyber Education. Recipients of the financial support would incur a post-award employment obligation, for a period equal to the length of the scholarship, in a cyber- or digital-technology-related mission of the Department of Defense.

“I think a good number [of the amendments] will make it into the bill,” Mark Montgomery, executive director of the CSC 2.0 Project, the successor to the influential Cyberspace Solarium Commission, tells CSO. He also thinks that when the chaos of the amendment process clears, this year’s NDAA will be on track with previous years’ defense spending bills regarding the sheer volume of cybersecurity-related provisions. “I think more will get done in the NDAA than everywhere else combined,” he says.

Mary J. Hildebrand, partner, founder and chair of the Privacy and Cybersecurity practice at Lowenstein Sandler, thinks the NDAA will likely deliver “a lot of really good ideas.” For example, “I like the idea of establishing the national digital reserve corps to allow the private sector, cybersecurity, AI and digital experts to work for the federal government temporarily,” she tells CSO. “I like that a lot because that would hopefully give [the government] access to the best and the greatest and the latest.”

Once the House passes its version of the Fiscal Year 2023 NDAA, the bill heads to the Senate for reconciliation with that body’s version of the bill. A completed NDAA is expected by the end of September, ready for the President’s signature.