The House and Senate’s NDAAs are full of cyber-related language, including a number of CSC recommendations.
Two weeks after the Senate Armed Services Committee marked up its FY 2021 National Defense Authorization Act (NDAA), the House Armed Services Committee began marking up its NDAA. This annual legislation sets cybersecurity and technology policy and funding levels for the Department of Defense and its myriad agencies, and it often later shapes public and private sector policy directly or indirectly. The Senate also began consideration of its bill this week, and the House could follow suit on its package next month.
On 22 June, the Intelligence and Emerging Threats & Capabilities Subcommittee met and marked up its portion of the “National Defense Authorization Act for Fiscal Year 2021” (H.R.6395), but not all the bill text was released before the hearing. Nevertheless, in the summary of legislative language provided along with selected bill text, the subcommittee explained some of the cybersecurity provisions in the FY 2021 NDAA:
- Section 1621—Cyber Mission Forces and Cyberspace Operations Forces
  - This section would amend section 238 of title 10, United States Code, to reflect the need for consolidated budget displays for both the cyber mission forces, as well as the newly created cyber operations forces. Additionally, this would amend an existing requirement for the cyber and information technology budgets to be delivered to Congress in print and electronically, not later than 5 days after the release of the President’s budget request.
- Section 1623—Tailored Cyberspace Operations Organizations
  - This section would direct the Secretary of the Navy, in conjunction with the Chief of Naval Operations, to produce a study on the Navy Cyber Warfare Development Group, a small niche organization aligned to the Navy’s service cyber component. This section also would authorize other military services and U.S. Special Operations Command to create counterpart organizations to Navy Cyber Warfare Development Group.
- Section 1625—Department of Defense Cyber Workforce Efforts
  - This section would direct the Department of Defense Chief Information Officer to:
    - study and expand the model used at the National Security Agency (NSA) that authorizes NSA employees to use up to 140 hours of paid time toward NSA cyber education efforts in local communities. This would explicitly authorize select Department of Defense civilians who are part of the Cyber Excepted Service to utilize paid time toward wider national efforts aimed at addressing the cyber workforce shortage;
    - study and report, in conjunction with the military services, to the congressional defense committees on how the Training With Industry program can be strengthened and better utilized by the services; and
    - study the synchronization between the NSA GenCyber program and the Centers for Academic Excellence and report to the congressional defense committees on how the two programs can be better integrated and harmonized.
- Section 1626—Reporting Requirements for Cross Domain Compromises and Exemptions to Policies for Information Technology
  - This section would direct the Secretary of Defense to report monthly to the congressional defense committees on all cross domain compromises within the Department of Defense Information Network. Additionally, this section would direct the Secretary of Defense to report biannually to the congressional defense committees on all current exemptions to information technology policies. The intent is to establish a baseline for legislative oversight on areas where the Department of Defense has accepted risk to its networks and systems.
- Section 1627—Assessing Private-Public Collaboration in Cybersecurity
  - This section would require an assessment of the impact of the current Pathfinder initiatives, prospects for making existing Pathfinder pilots more robust, and whether and how to expand Pathfinder or similar models of public-private collaboration to other critical infrastructure sectors, particularly systemically important critical infrastructure. Developing institutional support for Pathfinder-type initiatives not only creates opportunities for increased collaboration across critical sectors, as prioritized by Federal departments and agencies, but will also buttress and accelerate nascent efforts and increase their chances of success.
- Section 1628—Cyber Capabilities and Interoperability of the National Guard
  - This section would direct the Department of Defense to update existing policies to consider National Guard activities that could be performed and reimbursed under title 32, United States Code.
- Section 1629—Evaluation of Non-Traditional Cyber Support to the Department of Defense
  - This section would direct the Secretary of Defense to assess the feasibility and need for a cyber reserve force, the composition of a reserve force, and the structure of a reserve force (e.g., a retainer model, a non-traditional reserve, or an auxiliary model).
The full House Armed Services Committee will mark up the entire bill on 1 July, and in advance of this hearing the full text of the bill (aka the Chair’s Mark) will likely be released. Traditionally, this markup takes the better part of a day. It is likely that cybersecurity and technology matters will be discussed and that details in the bill will be amended.
The Senate Armed Services Committee released its text for the “National Defense Authorization Act for Fiscal Year 2021” (S.4049), and the Senate began consideration of the bill this week, with the invocation of cloture on the motion to proceed on 25 June by a 90-7 vote. The Committee also released the Committee Report to accompany S.4049, which summarizes the myriad cybersecurity and technology provisions, most of which are directed at the DOD, its contractors, and its suppliers.
The cybersecurity provisions in S.4049 would change, alter, or establish a range of programs and operations. The bill would modify the statutory duties of the Department of Defense’s Principal Cyber Advisor to require that the person chosen for this role be a civilian at the Pentagon who holds a position requiring Senate confirmation. The DOD would need to develop and implement a framework for hunt forward operations (i.e. defensive cyber operations conducted on partner nations’ networks at their invitation) to address some of the issues the committee’s oversight turned up. The focus of this exercise would be to get a better understanding of the utility and life span of intelligence gained through such operations. The Pentagon’s reporting duties after executing an offensive or defensive cyber operation would be expanded to include nations and entities with whom the United States is not at war. The Committee expanded the DOD’s required briefings on cyber operations, expressing frustration with the Department’s “unwillingness to keep the committee apprised of cyber operations conducted to gain access to adversary systems, including those conducted pursuant to standing military plans against military targets.”
There is language mandating that the DOD begin the process of harmonizing the Pentagon’s cyber capabilities and those provided by private sector contractors, much of which overlaps in the view of the committee. Cyber Command would receive expanded but necessarily limited acquisition authority, as the service branches are to remain the entities undertaking large procurements. The Principal Cyber Advisor and the head of Cyber Command would need to assess how well the DOD manages inter-agency conflict within the Pentagon and among Intelligence Community agencies in the process by which cyber operations are designed and executed, suggesting there is significant internal friction among the stakeholders. The DOD would need to conduct a pilot on the feasibility of adopting and using the commercial practice of speed-based cybersecurity metrics (e.g. how quickly an intrusion is detected, contained, and remediated). The Pentagon would also need to better integrate its data collection and data analysis regarding potentially malicious or illegal activities by DOD employees and contractors (i.e. the so-called insider threat).
The DOD would need “to develop a comprehensive plan, by February 1, 2021, for the deployment of commercial-off-the-shelf solutions on supplier networks to monitor the public-facing Internet attack surface of members of the defense industrial base (DIB),” which is intended to supplement the DOD’s new Cybersecurity Maturity Model Certification and other DOD efforts to shore up the cybersecurity of its contractors. The bill would grant the DOD’s request for authority to immediately react and respond to reported threats and penetrations of “operationally critical” DOD contractors’ systems and networks. The DOD would need “to conduct a baseline review of the Joint Regional Security Stacks (JRSS) activity to determine whether the initiative should continue, but as a program of record, or should be replaced by an improved design and modern technology.” The DOD would also receive limited flexibility to use Operation and Maintenance (O&M) funds “for cyber operations-peculiar capability development projects.” The committee also conditioned the availability of certain Office of the Secretary of Defense travel funds on fulfilling requirements in the current year’s NDAA to submit “a report for the structuring and manning of information operations capabilities and forces” in the DOD, develop “a strategy for operations in the information environment,” and “conduct an information operations posture review.”
The Cyberspace Solarium Commission (CSC) would have its mandate extended so it could monitor, assess, and report on the implementation of its 75 recommendations made in March 2020. The bill includes a number of CSC recommendations, including:
- Adding “a force structure assessment of the Department of Defense’s Cyber Operations Forces to future cyber posture reviews.”
- Requiring “a report to the congressional defense committees, detailing the actions that the Secretary will undertake to ensure that the Commander, U.S. Cyber Command, has enhanced authority, direction, and control of the Cyber Operations Forces and of the equipment budget that enables Cyber Operations Forces’ operations and readiness, beginning with fiscal year 2024 budget request.”
- Assessing “options for establishing a cyber reserve force.”
- Requiring a comprehensive plan for “[e]nsuring cyber resiliency of nuclear command and control system.”
- Requiring “the Secretary of Defense to establish policies and requirements for each major weapon system, and the priority critical infrastructure essential to the proper functioning of major weapon systems in broader mission areas, to be re-assessed for cyber vulnerabilities.”
- Mandating that the Secretary of Defense “establish a threat intelligence sharing program to share threat intelligence with and obtain threat intelligence from the defense industrial base.”
- Requiring the Pentagon “to conduct an assessment of the adequacy of threat hunting elements of the Cyber Maturity Model Certification (CMMC) program and the need for continuous threat monitoring operations.”
- Addressing “the risks to National Security Systems (NSSs) posed by quantum computing by requiring the Secretary of Defense to: (1) Complete an assessment of current and potential threats to critical NSSs and the standards used for quantum-resistant cryptography; and (2) Provide recommendations for research and development activities to secure NSSs.”
- Studying the feasibility of establishing a National Cyber Director.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.