House passes NDAA compromise bill

The bill, which supports $778 billion for national security spending, was filed in lieu of a traditional conference report and combines the text passed by the Senate Armed Services Committee in July and the House bill passed in September.

Pentagon (DoD photo by Master Sgt. Ken Hammond, U.S. Air Force)

In a race to pass the 2022 National Defense Authorization Act before the New Year, the congressional defense committees pushed out a compromise version of the bill on Dec. 7 that authorizes a $740 billion spending level for the Defense Department in fiscal 2022.

The bill passed the House of Representatives on a vote of 363 to 70 on Tuesday night. The bill now moves to the Senate, which, in a break with typical practice, never passed its own version of the NDAA ahead of the conference process.

The major, must-pass policy bill has hit a number of roadblocks this year, but the final version has some key initiatives and potential changes for the way the Defense Department handles budget IT and acquisition requirements, and even calls for a joint zero trust strategy. Here are some highlighted provisions:

Eyes on finance IT. The bill includes a provision, originally in the Senate bill, that requires DOD’s comptroller, chief information officer, and chief data officer to devise a plan to consolidate IT systems, including those used by the military departments and defense agencies, that are used to manage data and are part of the planning, programming, budget, and execution (PPBE) process. The plan would also include an assessment of which systems should be eliminated or retired. A separate provision calls for a commission of 14 non-federal government employees to evaluate the PPBE process, which has been criticized for inhibiting DOD’s ability to quickly buy technology. An initial commission report would be due Feb. 6, 2023.

The National Guard gets a boost as cyber support. One provision expands the National Guard’s role as cybersecurity support, which can include things like running cyber assessments, to owners of critical infrastructure.

Duplicative IT contracts. The bill includes a provision from the House that would require a report to Congress by May 31, 2022 on DOD’s efforts to “reduce duplicative information technology contracts.”

Changes to the JROC. If the bill is adopted, the undersecretary of defense for research and engineering would become the chief technical advisor to the Joint Requirements Oversight Council to “include more technical rigor and realism in the development and approval of requirements, so that acquisition programs are not initiated in a manner that leads to technical failures or excessive costs,” according to the joint explanatory statement.

Changes to principal cyber advisor. The bill also includes a provision that modifies the Pentagon deputy principal cyber advisor position to be someone plucked from the Office of the Undersecretary of Defense for Policy along with a request for a congressional briefing on “alternate reporting structures” for the principal and deputy cyber advisor roles.

Microelectronics. The bill mandates creation of a microelectronics research network originally outlined in the Creating Helpful Incentives to Produce Semiconductors for America (CHIPS) Act. The bill also includes a separate provision that requires defense contractors to name printed circuit board sources in select systems.

Fast-tracking emerging tech acquisitions. If the bill is adopted, DOD will have to create a pilot program focused on developing and implementing “unique acquisition mechanisms for emerging technologies in order to increase the speed of transition of emerging technologies into acquisition programs or into operational use.” According to the bill, the pilot program would include four new projects in such areas as offensive missile capabilities, space-based assets, personnel and quality of life improvement, and energy generation and storage.

Measuring the weight of CMMC. The bill also includes a provision that mandates DOD assess the impact of the Cybersecurity Maturity Model Certification program on small businesses. The provision was originally in the House version of the bill. A separate provision requires DOD to submit its plans for the Secretary for the Cybersecurity Maturity Model Certification Framework “in consideration of the recent internal review of the program and recent efforts by the Secretary to improve the cybersecurity of the defense industrial base,” according to the joint explanatory statement document.

A joint zero trust strategy. If adopted, the bill also requires DOD to develop joint zero trust and data management strategies as well as a model architecture for the Defense Department’s Information Network (DODIN).