As has been the case for the past few years, cyber governance provisions were featured in this year's must-pass defense policy bill moving through Congress, but a bipartisan breach notification measure was dropped from the bill -- to the chagrin of its supporters.
The National Defense Authorization Act in recent years has been a key vehicle to advance cybersecurity initiatives, including the creation of a national cyber director in the White House and expanding authorities of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
In this year’s bill, cyber governance and workforce themes emerged as the U.S. works to define its detection, mitigation, and coordination around cyber threats following a year of increasingly high-profile attacks. The bill passed the House on Tuesday. Here are several cyber provisions in the final bill text that FCW will be watching:
Getting clarity on supply chain risks. The 2022 NDAA bill directs DOD’s comptroller to assess efforts to mitigate information and communications technology supply chain risks. There’s also a requirement related to assessing DOD’s policies and its ability to defend against ransomware attacks. A separate provision requires the commander of U.S. Cyber Command to set up a voluntary information sharing process with commercial IT and cybersecurity commands to protect against malicious foreign cyber actors. The commander would have to consult with the director of the Cybersecurity and Infrastructure Security Agency and make sure it doesn’t overlap with ongoing efforts between CISA and the National Security Agency.
Sizing up adversaries. According to a summary of the bill, DOD will have to assess the “current and emerging offensive cyber posture of adversaries” along with the military services’ offensive cyber operations plans during conflict.
CYBERCOM gets budget authority. The bill calls for U.S. Cyber Command’s commander to directly control the planning, programming, budgeting, and execution of resources for the Cyber Mission Forces.
Evaluating DOD’s cyber governance. Congress wants the defense secretary to lead a “comprehensive evaluation and review of the Department of Defense's current cyber governance construct,” covering the conduct of military cyberspace operations (offensive, defensive, and protective) and the operation of information networks, industrial control systems, weapons systems, and platforms.
Putting cyber and climate impacts on annual reports. According to the joint explanatory statement, the bill includes a provision to collect information on cyberattacks or disruptions and extreme weather in annual reports on national technology and industrial bases.
Cyber personnel review. Even though reviews of the cybersecurity workforce are already ongoing, the 2022 NDAA, if adopted, would require the defense secretary to assess DOD’s “overall cyber and information operation civilian and military personnel and education requirements” and brief Congress by Nov. 1, 2022. A report and implementation plan based on the findings would be due Jan. 1, 2023.
What got nixed
This year, the bill most notably leaves out some recommendations, including mandatory breach notification that would require CISA to develop and establish standards and procedures for critical infrastructure owners and operators to report cybersecurity incidents.
“We had hoped to mark the one-year anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President’s desk. Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA,” said Rep. Bennie G. Thompson (D-Miss.), who chairs the House Committee on Homeland Security, and Rep. Yvette D. Clarke (D-N.Y.), who chairs the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, in a joint statement Dec. 7.
The chairs said the exclusion of the amendment, which had passed as part of the House version of the bill in September, “undermines national security.”
The bill also scraps the creation of a civilian cybersecurity reserve pilot program for Cyber Command and a National Digital Reserve Corps under the General Services Administration to address cyber needs in executive agencies. An axed proposal from the House would’ve helped set up a cyber counseling certification program with the Small Business Administration. That provision, had it made it into the final text, proposed to certify employees of small business development centers to provide cyber planning assistance to small business concerns.