NDAA Negotiations Will Determine Success of Several Cyber Solarium Goals


Influence from major industry threatens once again to thwart lawmakers’ attempts to realize their policymaking goals through the annual defense authorization bill.

The most ambitious recommendations of a congressionally mandated commission on improving the nation’s cybersecurity will likely be reduced to—at most—just another report on the issue, but there are still a number of consequential provisions being considered for inclusion in this year’s National Defense Authorization Act.

Congress created the Cyberspace Solarium Commission in the 2019 NDAA. The group, which included lawmakers from across the political spectrum, as well as leaders from the federal government and major industry representatives, agreed on a path forward for cybersecurity, as articulated in a March 2020 report detailing 75 recommendations. Lawmakers on the commission committed to including as many of the recommendations as possible in subsequent NDAAs. 

This year, as industry groups continue efforts to defeat the commission’s NDAA contributions, some big tech companies are making a concerted push to increase the government’s acquisition of information and communications technology by supporting provisions to cultivate faster procurement practices. 

One often-cited example of such practices is the use of contracting vehicles such as Other Transaction Authority agreements. These agreements allow acquisitions personnel to bypass the Federal Acquisition Regulations, on which the implementation of President Joe Biden’s May 2021 executive order on cybersecurity heavily relies.

But not all of the Solarium Commission’s material recommendations are entirely doomed. The last vestiges of the group’s surviving proposals may yet come to fruition, along with two significant related provisions included in the House bill by lawmakers outside the Solarium Commission’s circle. 

Congressional members of the Solarium Commission—outgoing Rep. Jim Langevin, D-R.I., Rep. Mike Gallagher, R-Wis., and Sen. Angus King, I-Maine—along with outgoing Rep. John Katko, R-N.Y., formed the main driving force that established the Office of the National Cyber Director and increased funding and authorities for the Cybersecurity and Infrastructure Security Agency in previous years.

Linchpin Solarium proposal getting scrapped

But a proposal at the center of the Solarium Commission’s report—that a set of “Systemically Important Critical Infrastructure” entities put essential protections in place and allow government visibility into their operations in exchange for a legal-liability shield and federal assistance in the event of a cyberattack—appears headed for the wastebasket in this year’s NDAA negotiations.

“We're trying to make it so that they at least [call for] a study on what the right elements are, that should be SICI, so that people understand who we're talking about, and I don't even know if that'll happen,” Mark Montgomery, senior fellow at the Foundation for Defense of Democracies, told Nextgov, referring to sec. 1507 of the House bill, which he said is the version House lawmakers are using in negotiations with senators. 

Montgomery—a former aide to the late Sen. John McCain who served as executive director of the Solarium Commission over its two-year duration—has continued working through the think tank with Solarium lawmakers on turning the commission’s recommendations into law. 

Despite initial sign-off from private-sector leaders on the Solarium proposal, “industry is just generally opposed to [the SICI initiative],” he said. 

Montgomery said he was particularly frustrated by the finance sector’s opposition to inclusion of the legislation in the NDAA, noting such entities’ dependence on major information technology providers, which—unlike finance, healthcare and other sectors of critical infrastructure—are generally unregulated for cybersecurity.  

“It's causing us to obviously miss fixing the cloud service providers,” he said. “We have a big chunk of the ecosystem out there without any kind of floor on cybersecurity.” 

Software industry trying to control the federal acquisition process

In a Sept. 14 letter to lawmakers, trade associations—collectively representing big information and communications technology companies like Microsoft, as well as internet service providers like AT&T—opposed Sec. 6722 of the House bill. That provision was also inspired by a Solarium Commission recommendation, along with requirements stemming from Biden’s May 2021 executive order responding to the infamous SolarWinds hacking campaign. It instructs DHS to guide agencies toward asking prospective contractors to submit a software bill of materials, or SBOM.

And an Oct. 20 letter to lawmakers from the Alliance for Digital Innovation—which represents AWS, Google Cloud, VMWare and several cybersecurity companies—urged Congress “to remove the SBOM language from the NDAA and give industry and agencies more time to develop solutions that will better secure the country’s cybersecurity supply chain.”

A major focus of that executive order was on agencies securing their software supply chains by gaining visibility into the practices of software vendors like SolarWinds. The Office of Management and Budget allowed agencies to ask for evidence, such as SBOMs, to support security claims from their vendors, but OMB, along with the National Institute of Standards and Technology, suggested agency procurement officers err on the side of taking vendors at their word. Changes are coming soon to Federal Acquisitions Regulations under the Biden order. 

Some argue documenting the providers’ claims could be enough to hold them accountable in the event of an incident and thereby incentivize secure software development practices. Rep. Bill Foster, D-Ill.—chair of the oversight and research and technology panels on the House Science Committee—would like for at least the National Credit Union Administration to take a more proactive approach. Foster managed to attach an amendment to the House bill that would “empower NCUA to oversee the cybersecurity practices of third party vendors employed by the entities under their purview,” according to a list of approved amendments provided by the House Armed Services Committee.

The chorus call for SBOMs grew after SolarWinds hackers compromised at least nine federal agencies and 100 companies. Although CISA was initially tasked by the Biden order to autopsy the event, the agency’s Cyber Safety Review Board instead examined the implications of security vulnerabilities discovered in the popular open-source library Log4j.

A provision sponsored by Rep. Ritchie Torres, D-N.Y.—Sec. 5213 of the House bill—would ensure CISA dissects the SolarWinds event for a full understanding of the hackers’ reach into agencies’ networks and lessons to mitigate the impact of similar attacks in the future.  

Industry trying to get inside the federal workforce

ADI’s Oct. 20 letter also supported changes to the Federal Risk and Authorization Management Program for cloud services—Sec. 5911 in the House bill—and inclusion of the AGILE Procurement Act, which would fast track agencies’ software acquisition. 

The aim of the Agile Procurement Act, which is not currently included in the NDAA legislation, is “to foster more resilient supply chains, provide access to a wider pool of qualified vendors and increase opportunities for participation of new, small and nontraditional businesses in the procurement process, in addition to addressing other barriers,” according to the bill text.

The ADI letter also pushed for workforce development programs that would allow industry personnel to do short term stints in the federal government, including as procurement officials.

The American Federation of Government Employees is adamantly opposed to the National Digital Reserve Corps—included in the House bill by Rep. Tony Gonzales, R-Texas—and other provisions that aim to improve the technological proficiency of the federal government by allowing such stints within agencies. The union argues such programs don’t consider the needs of federal agencies, while bypassing rules on competitive hiring practices and creating potential conflicts of interest stemming from a lack of public disclosure.

“The House has one where it's defined by the [General Services Administration], and I have a real problem with that, because I think it should be within the executive agency itself to determine 'do they really have a need for someone with certain skills and for what period of time,'” John Anderson, a lobbyist for the union, told Nextgov, referring to the Gonzales provision. 

In previous years, Anderson described the proposed GSA-run digital service corps as a boondoggle that would “be no more than an opportunity for private interests to obtain inside information from the government and train its workforce through access to governmental programs, without having to compete for a contract to work on those programs.”

This year, a Senate amendment sponsored by Sens. Jackie Rosen, D-Nev., and Marsha Blackburn, R-Tenn.—which would create a similar workforce program at CISA to be activated in response to cybersecurity incidents—was among those included for the upcoming negotiation process with the House, according to a list provided by Senate Armed Services Committee staff.

Solarium Commission recommendations still viable 

Also up for debate, as lawmakers look to reconcile House and Senate versions of the Defense bill, are provisions that would codify a bureau of cybersecurity at the State Department through the Cyber Diplomacy Act and establish a five-year term limit and appointment processes for the CISA director.

The latter of those—sponsored by New York Republican Rep. Andrew Garbarino—could be especially important for CISA’s election security and disinformation-control responsibilities. This was highlighted by then-President Donald Trump’s firing of former CISA Director Chris Krebs, after he refused to cave under pressure to say there were irregularities with Democrats’ victory in the 2020 presidential election.

Lawmakers will also consider Sec. 1504 of the House bill, which instructs the secretary of Homeland Security to establish a cyber threat information collaboration environment, wherein public and private-sector entities “may” contribute, collect and analyze information through the use of a variety of tools, including sensors, which the government would pay for.

The provision would give the DHS secretary the ultimate power to decide which private-sector entities could have access to classified information shared by the National Security Agency and others in the intelligence community. The national cyber director would have a leading role in designing the environment and would be able to appoint advisors from the private sector to guide him on the issue.

At this stage, Senate leaders have whittled down a list of more than 900 amendments their colleagues proposed for the House bill to about 75 and are moving forward with the process of reconciling the chambers’ two versions into a final bill for the president’s signature. Lawmakers will have their hands full when they return from a recess for the midterm elections next week.
