Industry Groups Ask Lawmakers to Remove Core Cybersecurity Provisions from NDAA 

If it were up to the Information Technology Industry Council and other industry associations, the next National Defense Authorization Act would exclude bipartisan provisions for the government to establish intelligence sharing and threat hunting programs in collaboration with the private sector. 

“ARWG urges conferees to not include Sections 1634 and 1637 of the House bill and Sections 1631, 1632, 1635, and 3131 of the Senate legislation, as passed by the House or Senate, respectively, in the final NDAA,” reads a Sept. 24 letter ITI and other members of the Acquisition Reform Working Group sent to the chair and ranking members of the House and Senate Armed Services Committees.

ARWG includes the American Council of Engineering Companies, Associated General Contractors of America, Computing Technology Industry Association, National Defense Industrial Association, ITI and the United States Chamber of Commerce. 

The sections of the House- and Senate-passed versions of the NDAA identified by the groups are based on recommendations from the Cyberspace Solarium Commission, a congressionally appointed group that includes Republican, Democrat and Independent lawmakers as well as key members of the administration and private sector leaders. Its recommendations earlier this year promised a consensus path forward for cybersecurity policy that appears to be fracturing in advance of the commission’s goal of including as many of them as possible in the annual defense bill. 

Core to the Solarium Commission’s approach is increased collaboration between the public and private sectors. But a White House veto threat issued in response to the House bill said provisions calling for the government to share information with the private sector didn’t sufficiently consider the sensitive nature of such intelligence, and now the industry side is also finding faults with the sharing and access provisions.

“The Industry urges defense authorizers to ensure that any expanded or new authorities for network information, reporting, or access included as part of this or other legislation are narrowly focused on securing government systems and information,” the letter reads. “Such authorities should not cover private sector commercial networks that are unrelated to the performance of defense or government contracts, must not harm or unnecessarily impede the global business operations of the wide range of companies that do business with the Department, and should safeguard proprietary information, equipment, and functionality of networks, while addressing liability and just cause concerns.”

The cybersecurity-related NDAA sections opposed by the industry group would specifically establish programs for defense industrial base threat hunting, sensing, discovery, mitigation and assessment; critical infrastructure cyber incident reporting procedures across all sectors; defense industrial base participation in cybersecurity threat intelligence sharing; expansion of authority for access and information relating to cyberattacks on operationally critical contractors of the armed forces; and reporting on network penetrations of contractors and subcontractors.  

Among other things, the industry groups also oppose provisions requiring disclosure and record keeping on beneficial owners of corporations, the past performance of small business in evaluating joint venture offers from prime contractors, and contracting with persons with willful or repeated violations of the Fair Labor Standards Act of 1938. They argue the provisions are either duplicative, too costly, or both.