NDAA Markup Finishes In House

The House’s NDAA has been reported out of committee, and it would alter a range of technology programs and initiatives at the Pentagon. The bill may be considered by the full House later this month.

The House Armed Services Committee marked up and reported out the “National Defense Authorization Act for Fiscal Year 2021” (NDAA) (H.R.6395), three weeks after the Senate Armed Services Committee did the same with its NDAA. The two packages authorize very similar top-line funding for the Department of Defense (DOD) and non-DOD defense programs (most of which are the Department of Energy’s nuclear weapons programs) that largely meets the Trump Administration’s overall funding request of roughly $731 billion, including $69 billion for Overseas Contingency Operations (OCO). The annual authorization package is also full of technology provisions that affect the DOD, related agencies, private sector contractors, and other nations. The House may take up H.R.6395 this month, which will likely result in more changes being made to the package.

Chair Adam Smith (D-WA) released his Mark (i.e. the full text of his proposed FY 2021 NDAA that served as the base text for the markup). This bill also added sections that were not included in the subcommittee marks, and with respect to cyber-policy, the Chair’s Mark added two provisions:

  • Section 1622—Cyberspace Solarium Commission
    • This section would modify section 1652 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115–232) to update the Cyberspace Solarium Commission’s membership. Additionally, this section would permit the organization to extend further for the purposes of providing regular updates to the legislative and executive branches on the implementation of the Commission’s findings. 
  • Section 1624—Responsibility for the Sector Risk Management Agency Function of the Department of Defense
    • This section would assign full responsibility for certification, coordination, harmonization, and deconfliction of the various efforts, initiatives, and programs that the Department of Defense manages in the furtherance of its responsibilities as the Sector-Specific Agency (SSA) for the Defense Industrial Base to the Principal Cyber Advisor. Presently, the Department is the only SSA that has not unified its various physical and cybersecurity efforts under one organization. For the purposes of carrying out its SSA mission, the Principal Cyber Advisor will be tasked with the management of all functions associated with SSAs under Presidential Policy Directive-21.

The Chair’s Mark has a number of cybersecurity provisions in the Committee Report:

  • [T]he committee directs the Under Secretary of Defense for Acquisition and Sustainment to submit a report to the congressional defense committees by January 15, 2021, regarding the Cybersecurity Maturity Model Certification (CMMC) program.
  • Consistent with draft regulation issued in November 2019, and the anticipated August 2020 regulation related to this statute, the committee directs the Secretary of Defense, in coordination with the Secretary of Commerce, to provide a briefing to the House Committee on Armed Services not later than December 1, 2020, on the implementation status of the full requirements in section 889 of the FY 2019 NDAA that effectively bans Huawei, ZTE, Hytera, Hikvision, or Dahua systems or equipment from DOD and federal government systems and networks.

Intelligence and Emerging Threats and Capabilities Subcommittee’s Mark contains the following Committee Report language:

  • [T]he committee directs the Secretary of Defense, in coordination with the Department of Defense Chief Information Officer, to provide a report to the House Committee on Armed Services not later than March 31, 2021, on the status of the Department’s implementation of the [21st Century Integrated Digital Experience Act (IDEA) (P.L. 115-336)] across the defense enterprise.
  • The committee directs the Chief Information Officer of the Department of Defense, in coordination with chief information officers of the military services, to provide a briefing to the House Committee on Armed Services, not later than September 1, 2021, on the processes in place for asset discovery and management of hardware and software products.
  • [T]he committee directs the Comptroller General of the United States to provide a report to the House Committee on Armed Services by September 1, 2021, to examine the issue of internet architecture security.

The Committee adopted hundreds of amendments during its hours-long markup, some of which pertained to defense technology issues. The Committee wrote this summary of selected provisions adopted in this package, offered by a range of Members, that fall within the jurisdiction of the Intelligence & Emerging Threats and Capabilities Subcommittee:

  • Amends Sec. 1286 of the FY 2019 NDAA by adding to the requirements a publication deadline and public release of a list of Chinese and Russian academic institutions with a history of improper technology transfer and other malign behavior.
  • Directs the Secretary of Defense to provide a briefing to the House Committee on Armed Services, not later than 1 December 2020, on the information environment segmentation methodology framework.
  • Requires a GAO study of DOD’s Cyber vulnerability assessment efforts.
  • Requires DOD to submit a report to Congress on DOD components cyber hygiene practices and directs the GAO to review that report and brief the Committees on its findings.
  • To provide a briefing to HASC on improving the cybersecurity of disadvantaged small businesses in the defense industrial base.
  • National Security Commission on Artificial Intelligence (NSCAI) recommendations including
    • “a steering committee on emerging technology and national security threats;”
    • “the Secretary of Defense shall develop and implement a program to provide covered human resources personnel with training in the fields of software development, data science, and artificial intelligence, as such fields related to the duties of such personnel;”
    • “a pilot program under which applicants for technical positions within the Department of Defense will be evaluated, in part, based on electronic portfolios of the applicant’s work;”
  • Briefing on use of Artificial Intelligence to analyze beneficial ownership of defense contractors
  • Establishes a National Artificial Intelligence Initiative
  • GAO Study and Report on Electronic Continuity of Operations on the Department of Defense
  • Package of recommendations on artificial intelligence (AI) and emerging technologies from the National Security Commission on Artificial Intelligence (NSCAI), including:
    • a program under which qualified professors and students may be employed on a part-time or term basis in an organization of the Defense science and technology enterprise for the purpose of conducting a research project
    • an advisory panel on microelectronics leadership and competitiveness
    • the Joint Artificial Intelligence Center…shall conduct an assessment to determine whether the Department of Defense has the ability to ensure that any artificial intelligence technology acquired by the Department is ethically and responsibly developed.
  • Amending report language on “Ties between Russia and China” to include assessment on defense cooperation and coordination between Russia and China
  • Requires a report on the applicability of using automated technologies related to computer aided manufacturing software and similar manufacturing technologies to address repair part obsolescence issues and part obsolescence issues and parts shortages across the organic industrial base.
  • To require a plan on spectrum information technology modernization and a program to identify and mitigate vulnerabilities in the military’s telecommunications infrastructure
  • The DOD lacks a similar comprehensive understanding of the Internet-connected assets and attack surface across the DOD enterprise. Amends existing DRL to require a briefing on the current and planned capabilities and concept of operations for Internet operations management.

The Committee also offered summaries of the following provisions adopted across three amendments:

  • Chair’s Mark En Bloc #1
    • Report on Supply Chain Security Cooperation with Taiwan
    • Directs the United States-China Economic and Security Review Commission to brief the committee on any plans, opportunities, and/or challenges the Commission has for sharing its expertise and cooperation with similar organizations among U.S. partners and allies
    • Encourages the Secretary of Defense to take into account the security risks, including threats to operational and information security, of 5G and 6G telecommunications networks in all future overseas stationing decisions
  • Chair’s Mark En Bloc #2
    • Cyber Threat Information Collaboration Environment (JCE)
    • Establishment of the Integrated Cyber Center
    • Cybersecurity Threat Hunting and Sensing, Discovery, and Mitigation
    • The DOD “shall establish a threat intelligence program to share with and obtain from the defense industrial base information and intelligence on threats to national security” that would include cybersecurity incident reporting for defense contractors
    • Requires a study and recommendations from NIST on China’s influence in international standards setting bodies for emerging tech.
    • Requirement to Buy Certain Satellite Component from National Technology and Industrial Base
    • Sense of Congress on the intent and implementation of the Section 889 of the FY19 National Defense Authorization Act pertaining to the prohibition on certain telecommunications and video surveillance services or equipment
    • Extends and modernizes required reporting by the Department of Defense on Chinese Communist Party military companies operating in the United States
  • Chair’s Mark En Bloc #3
    • DRL requiring a briefing from USD(A&S) on how DOD and the CMMC-AB plan to mitigate potential organizational conflicts of interest [between] contractors and third-party assessment organizations performing CMMC certifications
    • To provide assistance to small manufacturers in the defense industrial supply chain with improving cybersecurity
    • GAO Report on GSA e-commerce Portal Data Usage and Competition

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
