Why Certain Cybersecurity Provisions Made it into the NDAA and Others Didn’t  


An effort to establish a public-private collaboration environment was cut from the final bill but a controversial insurance provision was retained. 

Key lawmakers in the House and Senate celebrated the inclusion of cybersecurity provisions they shepherded into the final annual National Defense Authorization Act. But there were other measures they viewed as crucial that didn’t survive—some of which were stymied by the pandemic’s challenges.

The NDAA conference report approved by a veto-proof majority in the House Tuesday calls for a Senate-confirmed national cyber director within the Executive Office of the President and new powers for the Cybersecurity and Infrastructure Security Agency. CISA would be able to issue administrative subpoenas to internet service providers for the identities and contact information of entities under threat. It would also be allowed to conduct threat hunting on federal agencies’ information systems and help federal agencies by installing sensors or providing information technology if they request it.

But other measures in the version of the NDAA that passed the House in July were removed after the lawmakers’ bicameral conference to reconcile it with the Senate-passed version.

Two efforts championed by Rep. Jim Langevin, D-R.I., were among those removed. Langevin is chairman of the House Armed Services Committee’s panel on intelligence and emerging threats and capabilities and a member of the congressionally mandated Cyberspace Solarium Commission. He pushed for the creation of a joint collaborative environment where public and private-sector entities would share intelligence and ultimately have the ability through a common cloud habitat to conduct analysis and get ahead of cyber threats. The other big push was for the Secretary of Homeland Security to establish requirements for certain private-sector critical infrastructure entities to report cyber incidents through DHS’ National Cybersecurity and Communications Integration Center.

Although both of these measures arose from recommendations of the commission—which included representation from across the political spectrum and members of Congress, the administration and the private sector—industry groups opposed the cyber incident reporting provision.

The White House also took issue with the joint collaborative environment, citing potential harm to the intelligence community’s sources and methods.      

A Democratic aide familiar with the conference negotiations said, particularly with the joint collaborative environment, it came down to a lack of time and the ability to reach the right offices in the middle of a pandemic.

“We kind of ran out of time to get it fully socialized in the Senate amongst all the other stuff that was there,” the aide told Nextgov. “The sense that we certainly have at the end of this is that this is not the end of the conversation by any means.”

The aide said sources and methods did come up, as well as questions about privacy, but that “normally we could work through and say well this is how it is going to fit into protections from [the Cybersecurity Information Sharing Act of 2015]” or that the effort is about having a way to voluntarily share material for analysis “that isn’t Outlook attachments.”

When the issue is revisited and supporters circle back with the Biden administration, there will probably also be a need to determine one agency (CISA or the National Security Agency, for example) that would be in charge of the environment, rather than having it be a shared domain, the aide said.

The aide also added that the opposition expressed by the current White House “really read to us like an artifact from prior versions, not something that was super relevant to the actual legislative text that was in the NDAA when it passed the House.” The NSA and CISA, as well as the Office of the Director of National Intelligence, have all expressed the desire to share more of their intelligence with the private sector.   

Provisions—including the incident reporting requirement—where multiple agencies and committees have jurisdiction are particularly complex and would benefit from more time, the aide said.

Another example of this regards the commission’s recommendations around cybersecurity insurance. The House NDAA included a provision, retained in the final conference report, that calls for a Government Accountability Office report on the state of cybersecurity insurance. Federal contractors came out against this provision, but the aide said it’s an issue where, had there been time to consult more closely with the financial services committees, even more—having a federally funded research development corporation certify cyber insurance products, for example—could have been done.

“I think that having the GAO report will help enormously, but we're probably gonna have to come back, reattack that a bit,” the aide said, adding that in general, “The fact that we got as much done as we did is, is actually much better than I thought it would be before the pandemic and way better than I thought after the pandemic.” 

But not all the House provisions can be resolved simply with more time and access to members.

An amendment from then-Rep. Cedric Richmond, D-La., called for the director of CISA to be appointed to five-year terms. The aide said the idea here was to give the CISA director, like that of the FBI, a certain amount of immunity from presidential caprice—an issue that was on full display as President Donald Trump fired former CISA Director Christopher Krebs over his statements about the election. But while other key committee leaders agreed to this, the aide said others did not. The aide said the opposing position was not related to the controversy over the election, but rather a reluctance to handcuff the president, no matter the administration.      

An impending shift in administrations likely led to the exclusion in the final NDAA of a ban on the popular video-sharing app TikTok for federal employees. 

Federal agencies also won’t have to abide by a ban on foreign-made drones, which was included in the House version of the NDAA. The conference report instead calls for the Defense Secretary to share information about drone-related threats with agencies and report to Congress on such information sharing by Oct. 2021. 

Other overwhelmingly bipartisan initiatives in the House and Senate versions of the NDAA that did make it into the final bill were cybersecurity education and workforce development measures, including a call for the National Institute of Standards and Technology to develop metrics to assess existing efforts; and a Defense review of software criteria that would inform an Office of Management and Budget pilot that could shake up the procurement of code across the government.  

Also included in the final bill is a provision that would create a fund for the development of Open Radio Access Network technology, which supporters argue will eventually provide alternatives to Chinese suppliers Huawei and ZTE.

“For too long we’ve called for our allies and trading partners to reject Huawei digital infrastructure – without providing competitively-priced, innovative alternatives that address their needs. I’m pleased to see my bipartisan, bicameral legislation included in this year’s defense funding bill,” Sen. Mark Warner, D-Va., who has been leading the effort, said in an email. 

Finally, the NDAA conference report extends the Solarium Commission’s remit for another year and a half. 

Trump’s OMB has officially expressed the administration’s intention to recommend a presidential veto of the bill, and specifically opposes the commission’s most high-profile recommendation: the creation of the national cyber director’s office. 
