Defense authorization bill includes billions for cyber, intelligence matters

WLDavies/Getty Images

Featured eBooks
Future-Ready Workforce
Read Now

Health Tech

Read Now

AI Applications

Read Now
Insights & Reports
The Federal Threat: 98% of npm & PyPI Malware Neutralized With a Source-First Approach
Presented By Chainguard
Download Now
AI for Government Legal Teams: What’s Possible
Presented By Filevine
Download Now
David DiMolfetta By David DiMolfetta,
Cybersecurity Reporter, Nextgov/FCW

By David DiMolfetta

|

The NDAA notably deviates partly from President Donald Trump’s national security strategy, which seeks some distance between the U.S. and Europe. It also makes a sweeping regulatory harmonization demand.

The massive annual defense bill up for consideration this week infuses billions of dollars into various defense and intelligence agencies’ cybersecurity portfolios, a sign that cyber threats from foreign adversaries are now a regularly occurring consideration for the nation’s defense budget.

The finalized National Defense Authorization Act for FY26, released Sunday evening, would provide U.S. Cyber Command — the digital combatant command that shares space with the NSA — some $73 million for cyberspace operations, around $30 million for unnamed activities and $314 million for operations and maintenance at its headquarters. 

It also appears to preserve the dual-hat leadership structure of Cybercom and NSA — traditionally co-led by the same four-star general — with language that prevents Defense Department funding from being used to “reduce or diminish” responsibilities, oversight and authorities given to the Cybercom director. Whether to keep the dual-hat has been an ongoing debate for years among defense and cyber practitioners.

More broadly, billions of dollars are devoted to DOD-wide cyberspace activities, training and maintenance across all major branches, like the Army, Air Force and Marines. 

The bill also makes a sweeping demand for the Defense Department to harmonize all of its cybersecurity regulations by June of next year, including requirements for defense industrial base providers.

“The harmonization required … shall ensure that processes and governance structures exist and are sufficient to identify and eliminate duplicative and inconsistent cybersecurity requirements and cybersecurity requirements unique to single contracts,” it says. That measure reflects months of internal Pentagon IT efforts to overhaul longstanding acquisitions processes for cyber and tech providers.

Some cyber components of the bill appear to contrast with a recent Trump administration national security strategy, which seeks to draw more attention to Western Hemisphere matters and partly decouple U.S. engagements with Europe.

Chief among those differing NDAA components is support of cybersecurity infrastructure in the Western Balkans. The text directs several agencies, including the State Department, to draw up an overview of interagency efforts to shore up cyber resilience in the region.

A related measure requires DOD and the Office of the Director of National Intelligence to study malign influence operations conducted by Russia and China and explicitly seeks findings on efforts that “harm the interests of the United States and North Atlantic Treaty Organization member and partner states in the Western Balkans.”

A separate but related provision also orders an assessment of Russian cyberwarfare and any “influence operations or campaigns by Russia targeting the United States, any military alliances and partnerships of which the United States is a member” or U.S. treaty allies.

Notably, within 90 days of its passage, the NDAA requires the defense secretary to ensure mobile phones of senior officials and others who perform sensitive national security functions meet “enhanced” cybersecurity protections. 

That phone measure comes after a recent inspector general report found that Defense Secretary Pete Hegseth’s use of encrypted messaging app Signal to share information on strikes in Yemen could have put American servicemembers in danger if the messages were intercepted. The texts were discovered when The Atlantic’s top editor was inadvertently added to a group chat of current officials earlier this year.

The defense bill also prohibits individuals physically located in certain nations from accessing DOD cloud resources. A ProPublica report from July highlighted a Microsoft program that allows foreign engineers to indirectly interact with U.S. military systems through American “escort” intermediaries. Microsoft quickly responded and said it would end those relationships.

Another stand-out measure would require the Election Assistance Commission to provide penetration testing on election systems, namely voting systems’ software and hardware, within 6 months of the NDAA’s passage, leaving about half a year before major midterm elections mount.

One provision, lifted from a House draft crafted earlier this year, requires the Pentagon to create and maintain a database of all commercial vendors involved in clandestine military operations, a move aimed at tightening oversight and reducing counterintelligence risks across the U.S. defense ecosystem.

The defense bill also puts much emphasis on AI and cybersecurity adoption. Among several relevant provisions, one measure requires the defense secretary to “develop a framework for the implementation of cybersecurity and physical security standards and best practices relating to covered artificial intelligence and machine learning technologies to mitigate risks to the Department of Defense from the use of such technologies.”

NEXT STORY: Trump’s national security strategy wants spy agencies to watch world supply chains