Compromise Defense Policy Bill Elevates Cyber Command

The National Security Administration campus in Fort Meade, Md., where the US Cyber Command is located. Patrick Semansky/AP File Photo

The bill, which could be voted on this week, also places restrictions on splitting CYBERCOM from NSA.

The final draft of an annual defense policy bill, released Wednesday, elevates U.S. Cyber Command to a full combatant command and sets strict conditions before it can be split from its sister intelligence agency, the National Security Agency.

CYBERCOM has been run in a “dual hat” system by the NSA director since its inception in 2010. The Obama administration has long considered splitting the two jobs to draw cleaner lines between the government’s military and intelligence cyber functions, but that move is opposed by many lawmakers, including Senate Armed Services Chairman John McCain, R.-Ariz., who says the military’s cyber defense will be damaged if it can’t rely on NSA expertise.

The compromise National Defense Authorization Act places a number of conditions on splitting the two, including certifying to congressional armed services committees that CYBERCOM’s weapons, capabilities, command and control systems, and staffing are all up to snuff. The split could also not happen before CYBERCOM reaches full operational capability, which is scheduled for 2018.

“If you break the dual-hatting, it’s way more complicated than that [regarding] infrastructure and other things,” a senior House Armed Services Committee aide told reporters Tuesday. “So we’re asking them, ‘before you go do that, tell us what all needs to be done so the functions are protected.’”

The compromise bill is expected to reach the House floor Friday and to be taken up by the Senate the following week, a senior committee aide said.

The bill also elevates CYBERCOM to a full unified combatant command on the level of U.S. Central Command or Southern Command.

CYBERCOM is officially a sub-unified command beneath U.S. Strategic Command in Omaha, Nebraska, though current CYBERCOM Chief Adm. Michael Rogers has said he often reports directly to the Pentagon.

The congressional line drawing comes amid turmoil between Rogers and both Defense Secretary Ash Carter and Director of National Intelligence James Clapper, who reportedly urged President Barack Obama to fire Rogers, in part because of slow progress in making CYBERCOM independent from NSA.

Meanwhile, President-elect Donald Trump is reportedly considering Rogers as a replacement for Clapper.  

The compromise NDAA also:

  • Gives the defense secretary authority to assign cyber experts to help secure the personal technology of DOD personnel who, based on their jobs, are “highly vulnerable to cyberattacks and hostile information collection activities.”
  • Requires the defense secretary to create overall standards for how military services manage “cyber opposition forces” who effectively play the bad guys in war games and ongoing testing of systems’ cyber vulnerabilities.
  • Loosens some salary restrictions for cyber personnel.
  • Expands to other military services a Navy pilot program that eases requirements to commission officers with cyber expertise.