House-Passed NDAA Includes Key Cyber Provisions
The House of Representatives' bill features supply chain risk measures and DOD cyber protections and operations.
On Friday, the U.S. House of Representatives passed its version of the National Defense Authorization Act for Fiscal Year 2020, H.R. 2500, by a vote of 220-197. Known as the NDAA, the annual legislation authorizes policy measures for the Defense Department. It differs from the Senate's bill, S. 1790, passed on June 28, and the two chambers will have to reconcile the two versions before sending a final NDAA to the president.
The U.S. military is “confronting unique, complex challenges and deserves our support,” the House Committee on Armed Services stated when it reported out the bill to the full House on June 19. “The committee further believes that a challenging global security environment requires new ways to more affordably manage strategic risk by prioritizing the relevant military capabilities and capacities necessary to meet our greatest threats,” the committee report noted.
With a growing share of the threats facing the military being cyber-related, the House NDAA includes provisions to strengthen the Defense Department's digital security posture, including measures to improve cyber operations, reduce supply chain risk and raise the security of defense software.
H.R. 2500 requires the DOD to report on the cyber operations of U.S. Cyber Command, which was elevated to a unified combatant command a year ago, including the state of cyber mission force readiness, the missions conducted, and the estimated collateral effects, detectability and possible political retaliation resulting from those operations. It allows the command to use specific operations and maintenance funds through 2022 to carry out capability development projects related to cyber operations. The bill also directs the command to report to Congress on how it manages its cyber tools across the joint environment.
“The Committee supports the Department of Defense’s objective of building a superior cyber force, which includes the acquisition, development and sustainment of accesses and tools required to enable military cyber operations,” the committee report stated. “However, the committee notes with concern the potential that the nation’s cyber force could be hindered with tools and accesses being developed and stored by different components of the services and Department of Defense agencies and elements. For all the components under its authority, U.S. Cyber Command should maintain a comprehensive and dynamic inventory of subordinate elements’ accesses and tools, and emphasize the importance of sustaining these cyber-specific capabilities.”
Another part of H.R. 2500, section 853, squarely addresses cybersecurity risk and supply chain vulnerabilities within the military, emphasizing the responsibility of defense contractors that provide hardware, software and supply chain services.
“Congress finds that to comprehensively address the supply chain vulnerabilities of the Department of Defense, defense contractors must be incentivized to prioritize security in a manner which exceeds basic compliance with mitigation practices relating to cybersecurity risk and supply chain security standards,” the bill stated. “Defense contractors can no longer pass unknown risks on to the Department of Defense but should be provided with the tools to meet the needs of the Department with respect to cybersecurity risk and supply chain security.”
The House NDAA instructs the DOD to promulgate policies "that move security from a cost that defense contractors seek to minimize to a key consideration in the award of contracts, equal in importance to cost, schedule and performance."
The DOD is required to report on its cybersecurity synchronization efforts across the defense industrial base, including a list of its cybersecurity compliance programs, the status of standards and cybersecurity policy creation, and deconfliction of policies.
For the last several years, the DOD has been evaluating the cyber vulnerabilities of its major weapon systems, as directed by the 2016 NDAA. This year's House NDAA requires the DOD to report on any evaluation that will not be completed by the deadline, to specify how it plans to address the cyber vulnerabilities of major weapon systems, and to document the lessons learned and best practices from the evaluations. The bill also directs the secretary of defense to report on the status of cybersecurity vulnerability testing of any software acquired through a major defense acquisition program.
Several of the bill's acquisition-related provisions address cybersecurity as it relates to software development. Among other measures, the bill sets requirements for software performance metrics: when specifying the capabilities of their software, contractors would have to include information on how quickly it can recover from outages or cybersecurity vulnerabilities.
Another acquisition-related section, regarding software acquisition training and management programs, includes language for the DOD to contract more with nontraditional defense entities, such as small businesses and minority institutions, and offers cybersecurity technical assistance in order to strengthen the cyber posture and planning of these entities.
It also includes language directing the Small Business Administration (SBA) to strengthen its own cybersecurity infrastructure. The SBA must give Congress a detailed account of its information technology equipment and whether any of it was manufactured by companies in China, Iran, Russia or North Korea.
H.R. 2500 lays out policies designed to deter Russian aggression in the Baltic region, including a comprehensive assessment by the secretaries of defense and state of the military requirements of Lithuania, Latvia, Estonia, NATO allies and other regional partners countering Russia. This includes any resource requirements or recommendations for activities and training to enhance cybersecurity and electronic warfare capabilities.
In addition, the House NDAA aims to protect the nation's science and technology research conducted at federally funded research and development centers, or FFRDCs. It requires the director of the Office of Science and Technology Policy to establish an interagency working group to coordinate efforts to protect FFRDCs from foreign interference, cyber attacks, theft and espionage.
Also, the bill includes a provision for a Junior Reserve Officers’ Training Corps (JROTC) Computer Science and Cybersecurity Program to promote students’ readiness for careers in computer science and cybersecurity.