Overhauling FedRAMP is just one of a list of ways the NDAA could affect civilian government tech.
An amendment that would codify the Federal Risk and Authorization Management Program, with some major new stipulations, is one of several areas where the next National Defense Authorization Act could shake up technology policy across the federal government and private industry.
Lawmakers again took the opportunity to attach all manner of amendments that affect agencies and programs outside the Defense Department to what is considered must-pass legislation.
Both chambers passed their versions of the annual authorization bill in July, and the House and Senate Armed Services Committees must now work in conference to iron out the differences in the two final bills. The White House already issued a July 21 veto threat for the House version, including an objection to a provision to rename military installations commemorating members of the Confederacy. The Senate version passed with similar language, though the vote came in at 86-14—a veto-proof majority.
Here is a sample of what each side is bringing to the table to govern emerging technology opportunities and challenges now that the dust has settled from the amendment storm.
FedRAMP Reconstruction and Modernization
The House NDAA includes the full text of the FedRAMP Authorization Act, which passed the House in February, as an amendment from Rep. Gerry Connolly, D-Va., chairman of the House Subcommittee on Government Operations.
Through FedRAMP, instituted by the General Services Administration, cloud service providers can obtain certificates of security through a joint authorization board that theoretically pre-approves them to fulfill contracts across the government. But the streamlining ambition has not been fully realized, as individual agencies have their own security review avenues.
The Connolly measure would establish FedRAMP in statutes and deliver a lot of what industry has been asking for in the way of reciprocity for security validations from one agency to another.
There shall be a “presumption of adequacy” regarding the JAB’s authorization to operate, reads the legislation’s instruction to the heads of federal agencies.
The bill also calls for the administrator of GSA to hire staff as needed for a program management office in order to implement measures to automate the process and establish continuous monitoring. GSA is already moving in this direction. And the Defense Department, which has already committed to FedRAMP reciprocity, is leading its own revolution in facilitating continuous authority to operate. Bringing the rest of the federal government legally into the fold has significant implications for broader cloud adoption.
The standalone House-passed bill was referred to the Senate Homeland Security and Governmental Affairs Committee—another avenue for it to eventually become law.
Connolly also squeezed in an amendment that would make permanent a pilot program at the U.S. Patent and Trademark Office initiated under the Telework Enhancement Act of 2010.
Agencies in general should consider how cloud migration—along with artificial intelligence and better modeling and simulation means—might factor into plans they would have to submit to the National Telecommunications and Information Administration for more efficient spectrum management. Incumbent federal users of the nation’s airwaves are under pressure to release more of the finite resource for commercial purposes, and section 1084 of the Senate bill includes a plan for the agency to incorporate modernized infrastructure in its work administering it.
From Phone to Drone, More Bans on China-Based Tech
The fear of China dominating the U.S. through emerging technology is a central theme of the NDAA in both chambers.
An amendment included by Rep. Tom Malinowski, D-N.J., would buttress actions the Commerce Department took July 20. Commerce added 11 Chinese companies to its Entities List, forbidding U.S. engagement with them on account of human rights violations involving ethnic minority Uighurs. President Trump has made the Commerce Department reverse such a listing—against Chinese telecom ZTE—in the past. Other successful amendments would bar federal employees from installing the recreational video application TikTok on government-issued devices and stop federal agencies from procuring foreign-made drones that threaten national security, including those from China.
TikTok critics fear its ownership by Chinese company ByteDance can help facilitate massive data collection by Beijing. A bill introduced by Sen. Josh Hawley, R-Mo., banning use of the app on federal devices passed unanimously through the Committee on Homeland Security and Governmental Affairs July 22. Rep. Ken Buck, R-Colo., attached an amendment with the same goal to the House NDAA. While President Trump’s larger moves against TikTok will likely face legal challenges, the NDAA’s coming instructions for the federal workforce on the issue seem in place.
Federal agencies use unmanned aircraft systems for cartography, surveillance and in emergencies to provide disaster relief and conduct search and rescue missions. Some authorities are using drones, which can be equipped with thermal sensors and megaphones to enforce social distancing during the pandemic. But more than 70% of the drones being sold in the U.S. are produced by the Chinese company DJI, which reportedly donated 100 drones to 43 agencies and 22 states.
Drone watchers would have seen such a ban coming. In October 2019, the Department of Interior grounded all of its newly acquired DJI drones. The Department of Homeland Security had earlier warned the private sector their data was vulnerable if they used the Chinese drones, and the Defense Department had stopped troops from using them too.
An amendment included in the House NDAA by Rep. Mike Gallagher, R-Wis., co-chair of the esteemed Cyberspace Solarium Commission, would apply the procurement ban across the federal government.
The Solarium Commission Wants a National Cyber Director
Two years ago, the 2019 NDAA established the nonpartisan Cyberspace Solarium Commission—comprising members of Congress, the administration and the private sector—to come to an agreement about how the U.S. should defend against serious cyberattacks. In March, the commission revealed a comprehensive report of more than 80 recommendations with the express intention of making many of them law through this year’s NDAA process.
The commission’s primary recommendation is the establishment of a Senate-confirmed national cyber director with an office within the Executive Office of the President. The individual would be the head cyber adviser to the president, coordinate defensive cyber strategy and policy across the government, and be the chief U.S. representative and spokesperson for cybersecurity. Sen. Angus King, I-Maine, co-chair of the commission, said the position would provide the president with “one throat to choke” and encourage accountability.
But the Senate NDAA stopped short of including the recommendation, calling instead for a report on whether it would be feasible. On the House side, commission member Rep. Jim Langevin, D-R.I., successfully attached an amendment with the recommendation to the bill. During a hearing of the House Oversight Committee on the Solarium Commission’s proposal, some lawmakers withheld their support over concerns that creation of the cyber director’s office—to be staffed with about 75 full-time employees—would be fiscally wasteful.
What Else the Solarium Commission Wants: Public-Private Partnership
Apart from the national cyber director, plenty of other Solarium Commission recommendations made it into the House and Senate NDAAs. The prospects for many of them look good, with similar language in both chambers’ bills. But the White House veto threat flagged language in a key cyber intel sharing provision.
The Solarium Commission is mostly betting on the public and private sectors working more closely together, especially as facilitated by the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency. In this vein, an amendment from Rep. Dutch Ruppersberger, D-Md., calls for a gap analysis at the agency to inform where it needs more resources, including personnel; amendments from Rep. Cedric Richmond, D-La., would institute a fixed five-year term with minimum requirements for the CISA director, establish a joint planning office for coordination on readiness among federal, state and local governments and critical infrastructure owners and operators, and require DHS to establish a cyber incident reporting program; and a Langevin amendment would give CISA the authority to subpoena internet service providers for identifying information of customers that appear to be under cyberattack so they can be warned. The subpoena authority is also included in the core text of the Senate NDAA.
An amendment from Rep. Sheila Jackson Lee, D-Texas, would also require the homeland security secretary to develop a strategy for all U.S.-based email providers to implement the Domain-based Message Authentication, Reporting, and Conformance standard. DMARC adherence has been mandatory for federal agencies since October 2017. The Solarium Commission argues the recommendation will scale the blocking of email from fraudulent domains and diminish the success of phishing attacks.
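To show concretely what a receiving mail system does when a sending domain has published DMARC, here is an added example of the policy evaluation step (example code written for this page, not part of the article, the Solarium Commission report, or any provider's implementation). It assumes SPF and DKIM have already been checked upstream and takes only the domains those checks authenticated; the DNS records, domain names and messages are constructed for the demo, and the organizational-domain lookup is simplified to the last two labels rather than the Public Suffix List a real receiver would use.

```python
"""Added example: DMARC policy evaluation for inbound mail.

Inputs (DNS records and message facts) are constructed for this demo.
"""
from typing import Optional

# Constructed stand-in for the _dmarc.<domain> TXT records a receiver would query.
CONSTRUCTED_DNS = {
    "agency.example": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@agency.example",
    "partner.example": "v=DMARC1; p=quarantine; sp=reject",
    "newsletter.example": "v=DMARC1; p=none; rua=mailto:reports@newsletter.example",
}


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption for the demo;
    production receivers consult the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the From: domain,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain: str, spf_domain: Optional[str],
             dkim_domain: Optional[str], dns: dict) -> str:
    """Return 'pass' when an authenticated identifier aligns with the From: domain,
    otherwise the policy the sender asked receivers to apply: 'none', 'quarantine' or 'reject'.
    spf_domain / dkim_domain are the domains that passed SPF / DKIM (None if that check failed)."""
    org = org_domain(from_domain)
    # Lookup order mirrors DMARC: the From: domain first, then its organizational domain.
    record = dns.get(from_domain) or dns.get(org)
    if record is None:
        return "none"  # nothing published: DMARC imposes no disposition
    tags = parse_dmarc_record(record)
    if aligned(from_domain, dkim_domain, tags.get("adkim", "r")) or \
       aligned(from_domain, spf_domain, tags.get("aspf", "r")):
        return "pass"
    # Mail from a subdomain uses the 'sp' policy when the org-domain record publishes one.
    if from_domain != org and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")


if __name__ == "__main__":
    # Constructed inbound messages: (From: domain, SPF-authenticated domain, DKIM d= domain)
    samples = [
        ("agency.example", "agency.example", None),          # legitimate, SPF aligned
        ("agency.example", "bulk-esp.example", None),        # spoofed From:, unrelated SPF
        ("agency.example", None, "mail.agency.example"),     # DKIM subdomain, relaxed alignment
        ("hr.agency.example", None, None),                   # subdomain inherits p=reject
        ("sub.partner.example", None, None),                 # subdomain hits sp=reject
        ("newsletter.example", None, None),                  # p=none: monitor only
    ]
    for from_dom, spf, dkim in samples:
        print(f"{from_dom:22} spf={spf!s:18} dkim={dkim!s:20} -> {evaluate(from_dom, spf, dkim, CONSTRUCTED_DNS)}")
```

The second sample is the phishing case the commission's recommendation targets: a message claiming to be from the agency but authenticated only for an unrelated sending domain gets the published reject disposition, while the p=none record on the newsletter domain shows why merely publishing a record is not enough; the policy has to be enforced to block anything.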
But there may be limits to all the proposed public-private collaboration at CISA. The White House takes issue with section 1631 of the House bill, which calls for the homeland security secretary to develop an information collaboration environment where private-sector stakeholders could access classified data, at the discretion of the secretary in consultation with the defense secretary. The White House advisers say the section does “not adequately reflect the Director of National Intelligence’s statutory responsibility to protect intelligence sources and methods with regard to cybersecurity threat intelligence related to information systems operated by agencies within the Intelligence Community.”
Other Solarium Commission recommendations included as House NDAA amendments authorize CISA to help federal agencies who ask for assistance in meeting Federal Information Security Modernization Act requirements and other agency functions, and to continuously hunt for cyber threats on the .gov domain.
In the Senate, an amendment included by Sens. Gary Peters, D-Mich., Ron Johnson, R-Wis., and Ben Sasse, R-Neb., tasks the president with creating a plan for the continuity of the economy in preparation for an event that severely degrades economic activity in the country, including a cyberattack. Under the amendment, the president must consult with the leaders of relevant agencies and economic sectors to come up with a plan to keep things running and submit it to Congress within two years. The plan would include consideration of ways to extend financial support to key participants in the economy.
Other Strictly Cyber Things: Cash, Workforce, States
It’s challenging to find cybersecurity measures in the bills that aren’t somehow connected to the Cyberspace Solarium Commission. An amendment from Sen. Roger Wicker, R-Miss., chairman of the Senate’s Committee on Commerce, Science and Transportation, is the offshoot of a cybersecurity moonshot initiative, which the commission recommends investing in. It would crowdsource high-priority breakthroughs in cybersecurity by establishing prize challenges.
Another Wicker-led bipartisan measure included in the Senate bill is the Harvesting American Cybersecurity Knowledge through Education (HACKED) Act. “This legislation would strengthen America’s cybersecurity workforce in both the public and private sectors by bolstering existing science education and cybersecurity programs within the National Institute of Standards and Technology, National Science Foundation, National Aeronautics and Space Administration, and the Department of Transportation,” reads a press release on the bill’s introduction. It requires the NIST director to develop metrics to measure the success of federally funded cyber workforce programs based on their outcomes.
Language in the Senate’s NDAA also allows for the directors of the Office of Management and Budget and NIST to establish an exchange program where employees working in roles outlined in NIST’s National Initiative for Cybersecurity Education could go between NIST and private sector institutions.
And from the Homeland Security and Governmental Affairs Committee, Sen. Maggie Hassan, D-N.H., sponsored an amendment in the bill that would require DHS to establish a federally funded cybersecurity coordinator in every state.
Authorizes Real Intelligence with 5G Virtualization and Whistleblower Rights
The Senate’s NDAA contains its entire Intelligence Authorization Act. The House Intelligence Authorization Act passed out of committee July 31. Members of the House and Senate Intelligence committees may also be brought into the conferencing process with members of the House and Senate Armed Services committees to reconcile differences.
Both intelligence authorization bills include a plan to enable competition against Chinese firms Huawei and ZTE in the development of fifth-generation networks. The idea is to eliminate reliance on the hardware those firms provide by turning their functions into independent software-defined operations. Various components of the network would be connected through open, interoperable interfaces, allowing a multitude of vendors to participate, instead of through proprietary links to the hardware. Among other things, the bills call for the authorization of $750 million over 10 years in appropriations to create a Treasury fund from which grants would be issued to develop the technology, and increased participation of U.S. entities in relevant standards-setting bodies.
The House and Senate Intelligence Authorization bills also both include protections for whistleblowers. Sen. Ron Wyden, D-Ore., was alone in voting against the Intelligence Authorization Act advancing out of committee, due to issues of overclassification of information in general. But in a statement following the vote he praised measures in the bill seeking to limit revocation of security clearances as reprisal for disclosures.
Sen. Mark Warner, D-Va., ranking member of the Senate Intelligence Committee, also highlighted the whistleblower protections, but included language that would require contracted employees to provide written consent for the federal government to share certain derogatory information about themselves with the chief security officer of their employer, as a condition of accepting a security clearance with the federal government. Warner’s spokesperson said this was to prevent the circulation of “bad apples like Edward Snowden.”
A Connolly amendment to the House NDAA would make it clear that whistleblower protections also apply to subcontractors and subgrantees for disclosures of gross mismanagement or waste of federal funds.
Industries of the Future
Speaking of funds, senators voted for the director of the Office of Science and Technology Policy to come up with a plan to double baseline investments in emerging technologies such as artificial intelligence and quantum information science by 2022 and to specifically increase civilian investments in such industries to $10 billion by 2025. The Senate’s NDAA leaves it up to the director to further define these industries of the future with the help of a designated government council, but there is a focus on physical, foundational technology components in both the House and Senate bills.
The Senate bill for example calls on the director of national intelligence to report on critical technology trends in the development of microchips, semiconductors and their related supply chains, in addition to artificial intelligence. It also outlines a semiconductor manufacturing incentive program, under which the commerce secretary would issue grants of up to $3 billion to entities that have “a documented interest in constructing, expanding, or modernizing” related facilities, for example. Rep. Doris Matsui, D-Calif., successfully attached identical language on the House side.
Artificial Intelligence Good, Deepfakes Bad
Lawmakers are smitten with artificial intelligence, but they also recognize the potential dangers of the technology.
The House NDAA includes the National Artificial Intelligence Initiative Act, a bipartisan measure introduced in March. Under the bill, the director of the Office of Science and Technology Policy would establish a coordination office to be known as the “National Artificial Intelligence Initiative Office” and the federal government would leverage its investments toward fulfilling the initiative. The energy secretary would determine the members of an advisory committee and in doing so, consider members of Congress, industry and academic institutions. Nonfederal members of the committee would have their travel and daily expenses paid.
The AI initiative would allow agency heads to fund research institutions. It specifically authorizes about $7 billion in appropriations over five years for Energy, the National Science Foundation and NIST to partner with other parts of the government and the private sector on research on questions like how to ensure the technology is trustworthy.
The House NDAA would also create a national cloud for artificial intelligence research that Rep. Anna Eshoo, D-Calif., an original sponsor of the legislation, told Nextgov is needed because “for the U.S. to maintain its global leadership in AI, researchers must be enabled to access high-power computing, large datasets, and educational resources.”
Smaller efforts on the House side would also leverage artificial intelligence to help with addressing health issues affecting veterans through a research program at Energy.
But lawmakers are especially wary of how artificial intelligence can be used in the creation of fake media. Famous examples include spurious videos of politicians, but the technology can also be used to forge documents and in other malfeasance.
An amendment from Rep. Derek Kilmer, D-Wash., would have the Science and Technology Directorate at DHS report on the state of digital content forgery technology, and one from Rep. Yvette Clarke, D-N.Y., would instruct the director of national intelligence to report on the defense and military implications of deepfake videos.
Senators also want to know how deepfakes threaten U.S. national security, but they’re asking DHS to do an annual study on this.
Quantum Computing and Beyond
While we’re on the topic of overlapping report requests, the White House’s veto threat argues that work NIST is already doing on quantum computing technology would be undermined by the House bill asking the Defense Department to report on how the technology threatens national security.
But lawmakers are already also looking beyond the current reaches of the technology for ways it might help secure critical infrastructure. The Senate bill includes a provision requiring the administrator for nuclear security, in consultation with the energy secretary, to work through the National Academy of Science “to review the future of computing beyond exascale computing to meet national security needs at the National Nuclear Security Administration.”
New Rules for Acquisition
Last, but most certainly not least, both versions of the bill include a few provisions related to transparency and accountability in the way the federal government acquires its technology goods and services.
On the House side, an amendment from Rep. Jim Hagedorn, R-Minn., calls on the Small Business Administration to write rules that would eventually be reflected in Federal Acquisition Regulations to require a contracting officer to consider the past performance of first-tier subcontractors in the same way they would for prime contractors.
On the Senate side, an amendment from Sen. Mike Enzi, R-Wyo., would require the defense secretary to list on the publicly accessible Beta.sam.gov site any consortia it uses to announce or otherwise make available contracting opportunities using other transaction authority—i.e. transaction authority outside the confines of Federal Acquisition Regulations. An Enzi press release said this is needed because smaller contractors often aren’t aware of opportunities, putting them at a disadvantage.
Defense officials are also called on in the Senate bill to develop a code-review process to implement a pilot project at the Office of Management and Budget that could drastically change current software acquisition dynamics.
The pilot is part of an OMB policy aimed at creating a culture of software use that saves taxpayers money, reduces vendor lock-in and fosters innovation. It requires agencies commissioning new custom software to release at least 20% of the new custom-developed code as open source software for three years. Under the August 2016 “Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software,” federal agencies and prospective vendors alike would be able to see more of the code already in use across the government and build on top of it, instead of wastefully duplicating efforts. The code-review process called for in the NDAA is meant to balance this new, open, collaborative system with security.
Mila Jasper contributed to the reporting of this article.