Following our recent overview of topics to watch in the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2024, available here, we continue our coverage with a “deep dive” into NDAA provisions related to cybersecurity and software security in each of the Senate and House bills. For the past three years, the NDAA has dedicated a separate Title to cyber and cybersecurity, reflecting the increased importance of these issues in Department of Defense (“DoD”) operations. As expected, both the Senate and House versions of the NDAA bill continue this tradition. Many of the cyberspace-related provisions in both chambers’ bills would have direct or indirect impacts on DoD contractors and other members of the Defense Industrial Base (“DIB”). We summarize below the cyber-related provisions that are most likely to impact the DIB.
Cyber Manpower and Structure
Both House and Senate cyber provisions spotlight the sources and capabilities of the human capital required by DoD to conduct the full range of cyber operations. These provisions include:
Enhancing the Readiness and Effectiveness of the Cyber Mission Force. The Senate bill kicks off its focus on the cyber workforce in Section 1701 of the bill, which would require DoD to improve the readiness and effectiveness of its Cyber Mission Force (“CMF”). The CMF is the U.S. Cyber Command’s “action arm.” It consists of 133 teams drawn from each of the Military Services. These teams are responsible for assisting Cyber Command and Joint Force commanders in accomplishing their missions through three primary forms of operations: Defensive Cyberspace Operations, Offensive Cyberspace Operations, and Department of Defense Information Network (“DoDIN”) Operations, which focus on the design, security, operation, and maintenance of the DoDIN and supporting networks.
Of particular importance, the bill would require a three-year pilot program under which U.S. Cyber Command would use contractor personnel to perform “critical CMF work roles,” including duties related to network operations, cyber tool development, and exploitation analysis. This pilot program could provide an opportunity for the DIB to become more directly involved in CMF operations and evaluations.
CMF Occupational Resiliency. Section 1534 of the House bill would require a DoD study of resources required to enhance and support the “occupational resiliency” of CMF personnel. The provision defines “occupational resiliency” as the ability to mitigate the “unique psychological factors that contribute to the degradation of mental health and job performance” associated with assignment to the CMF.
Reviewing Cyberspace Operations Management. Section 1533 of the House bill would require a comprehensive review by the Government Accountability Office (“GAO”) of DoD’s readiness to conduct cyberspace operations. This assessment would include GAO’s determination of the number of personnel assigned to each DoD organization responsible for cyberspace operations who are fully trained and qualified to perform their duties.
Independent Evaluation of Requirement for a United States Cyber Force. Section 1708 of the Senate bill would require DoD to enter into an agreement with the National Academy of Public Administration (“NAPA”) to evaluate the advisability of establishing a separate Military Service, the “United States Cyber Force,” dedicated to operations in the cyber domain. The concept of the Cyber Force as a separate branch of the armed forces appears to riff on the U.S. Space Force, established in 2019, and the NAPA study will likely include lessons learned from DoD efforts since that time to bring the Space Force up to full operational capability.
Civilian Cybersecurity Reserve Pilots. Although they take somewhat different approaches, both the House and Senate would direct the establishment of a “Civilian Reserve” that could be “activated” to bolster the government’s cyber workforce. Section 1216 of the Senate bill takes a “DoD-only” view and would direct the Secretary of the Army to pilot the formation of a Civilian Cybersecurity Reserve to provide manpower to U.S. Cyber Command to help preempt, defeat, deter, and respond to malicious cyber activity, conduct cyberspace operations, and secure the DoDIN. By contrast, Chapter 104 of the House bill takes a “whole-of-government” slant, authorizing $30 million to remain available until FY 2025 for a “Digital Corps Reserve,” to be managed by the General Services Administration (“GSA”), with the mission of recruiting and managing a team of individuals with skills and credentials needed to address the digital and cybersecurity needs of all participating executive branch agencies. Both sections would impose numerous requirements on the eligibility, hiring, employment, and security clearance status of “Reserve” members.
Next Generation Cyber Red Teams. Section 1704 of the Senate bill would require DoD to modernize its “cyber red teams” by utilizing cyber threat intelligence and threat modeling, automation, artificial intelligence (AI) and machine learning capabilities, and data collection and correlation. “Cyber red teams” are independent, multi-disciplinary groups of DoD personnel, akin to “ethical hackers,” charged to find and report vulnerabilities in DoD systems and networks so they can be addressed. This provision is intended to ensure that DoD “cyber red teams” are equipped with the most advanced technology and skills training as they combat increasingly sophisticated cyber threats.
Support of Cyber Education and Workforce Development at Institutions of Higher Learning. Section 1726 of the Senate bill would authorize $10 million for fiscal year 2024 for DoD to incentivize institutions of higher learning to offer recognized certifications and degrees in the cyber field, with a goal of developing a cadre of students with foundational skills in critical cyber operations and encouraging those students to commit to a period of military or civilian service with DoD.
Authority to Accept Voluntary Services From Cybersecurity Experts. Section 1521 of the House bill would allow U.S. Cyber Command to accept voluntary and uncompensated services from cybersecurity experts, notwithstanding the provisions of 31 U.S.C. § 1342 that prohibit the government from accepting voluntary services in most circumstances.
Both bills highlight Congressional concerns at the intersection of cybersecurity and DoD’s increasing engagement in the space domain. These provisions include:
Strategy on Cybersecurity Resiliency of DoD Space Enterprise. Section 1720 of the Senate bill requires DoD to develop and implement a holistic strategy for cyber protection of its space enterprise, including the adoption of zero trust architecture on legacy and new space-based systems and deliberate planning to develop new capabilities to protect space-based systems against cyber threats.
Plan to Improve Threat-Sharing Arrangements with Commercial Space Operators. Section 1609 of the House bill would address Congressional concerns about perceived physical and cyber vulnerabilities of commercial space providers that contract with DoD. The House would direct the Assistant Secretary of the Air Force for Space Acquisition and Integration, in consultation with the Commander of U.S. Space Command, to develop a plan to expand existing threat-sharing arrangements with commercial space operators under contract with DoD.
Cyber Incident Reporting
Cyber Incident Reporting Requirement. Section 1715(a) of the Senate bill would require DoD to issue new guidance to facilitate complete and timely cyber incident reporting and enable enterprise-wide visibility into such reports. Section 1715(a) would also require the DoD Chief Information Officer to determine actions needed to encourage more complete and timely mandatory cyber incident reporting by the DIB. In addition, Section 1715(b) would require DoD to assess the feasibility of establishing an Office of Cyber Statistics to track cyber incidents and measure DoD, and potentially DIB, responses to cyber threats, risks, and vulnerabilities. These provisions add to the current flurry of pending rulemakings, reports, and assessments to improve cybersecurity across the federal government, triggered by the SolarWinds, Microsoft, and Colonial Pipeline incidents. For instance, as recently as October 3, 2023, the Federal Acquisition Regulatory Council published a proposed rule that would require government contractors to share information on cybersecurity threats and report cybersecurity incidents to the government within 8 hours of discovery (far sooner than DoD’s current 72-hour deadline). This proposed rule would make compliance with these requirements material to eligibility for and payment under a government contract.
U.S. Cybersecurity Cooperation with Foreign Allies and Partners
Both the House and Senate bills incorporate provisions that would enhance U.S. cybersecurity cooperation with foreign allies and partners. These provisions include:
Cybersecurity Cooperation With Taiwan. Military and political strategists predict that any use of force by China against Taiwan is likely to begin with a large-scale cyberattack. Section 1352 of the Senate bill and Section 1505 of the House bill would require DoD to expand cooperation with Taiwan on cybersecurity activities, including by conducting combined cybersecurity training activities and exercises. The provisions direct DoD to leverage U.S. military and commercial cybersecurity technologies to harden and actively defend Taiwan’s networks and infrastructure.
Digital Connectivity and Cybersecurity Partnership and Fund. Section 6306 of the Senate bill would establish a State Department program to help foreign allies and partners expand secure internet access and digital communications infrastructure and adopt cybersecurity common standards and best practices. Section 6306(e) of the bill would authorize $100 million over fiscal years 2024 through 2028 to fund this foreign assistance.
Other Cybersecurity Provisions Likely to Affect the DIB
In addition to the provisions discussed above, both the Senate and House bills incorporate additional provisions related to cybersecurity of particular relevance to the DIB. These include:
Memory-Safe Software Programming. Section 1713 of the Senate bill would require DoD to implement National Security Agency (“NSA”) recommendations that DoD identify memory-related vulnerabilities in the software it develops, acquires, or uses, by requiring reliance on memory-safe software programming languages and testing. The recommendations at issue were first set forth in a “Cybersecurity Information Sheet” issued by NSA in November 2022. NSA found that most software vulnerabilities were based on memory safety issues such as “buffer overflow,” where data is accessed outside the boundaries of an array, or the reuse of memory after that memory has been freed. Exploitation of these flaws could permit malicious actors to execute code on a computer that would not ordinarily be permitted. The NSA noted that while software analysis tools can detect many instances of memory issues, and operating environment tools can also provide some protection, the inherent protections offered by memory-safe software languages can prevent or mitigate most memory management issues.
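As an added illustration of the “buffer overflow” class NSA describes (our example, not text from the NSA sheet or either bill), here is a small length-prefixed message parser in C written two ways: one that trusts the length byte and can write past a fixed-size buffer, and one that validates the length first. The message format and buffer size are constructed for this example; a memory-safe language would reject or trap the unchecked version at compile time or run time rather than corrupt memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format for this example: [len: 1 byte][payload: len bytes].
 * Payload is copied into a fixed 16-byte buffer. */
#define MSG_MAX 16

struct msg {
    uint8_t len;
    uint8_t payload[MSG_MAX];
};

/* Unchecked parser: trusts the declared length. When len > MSG_MAX the memcpy
 * writes past payload[], which is the out-of-bounds access NSA's sheet describes.
 * Shown for contrast with the checked version below. */
int parse_msg_unchecked(const uint8_t *in, size_t in_len, struct msg *out)
{
    if (in_len < 1)
        return -1;                      /* no length byte present */
    out->len = in[0];
    memcpy(out->payload, in + 1, out->len);   /* out-of-bounds write if len > MSG_MAX */
    return 0;
}

/* Checked parser: the declared length must fit both the destination buffer and
 * the bytes actually received. Malformed input is rejected, not silently truncated. */
int parse_msg_checked(const uint8_t *in, size_t in_len, struct msg *out)
{
    if (in_len < 1)
        return -1;                      /* no length byte present */
    uint8_t len = in[0];
    if (len > MSG_MAX)
        return -2;                      /* would overflow payload[] */
    if ((size_t)len > in_len - 1)
        return -2;                      /* declared length exceeds received bytes */
    out->len = len;
    memcpy(out->payload, in + 1, len);
    return 0;
}
```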
Inclusion of Semiconductor Manufacturers in Cybersecurity Collaboration Center. Section 1707 of the Senate bill would establish a pilot program to assess the feasibility and advisability of improving the security of the semiconductor supply chain by enabling collaboration between NSA’s Cybersecurity Collaboration Center (“CCC”) and U.S. semiconductor manufacturers.
Cyber Intelligence Center. Section 1702 of the Senate bill would require the establishment of a dedicated DoD cyber intelligence capability–potentially a Defense Cyber Intelligence Center under control of the Defense Intelligence Agency–to support U.S. Cyber Command and other DoD components in identifying cyber threat actors and their intentions and employing new technologies to combat them.
Modernize DoD Information Network Boundary and Cross-Domain Defense. Section 1712 of the Senate bill would require DoD to modernize its capabilities to defend all DoDIN boundaries and cross-domains against cyber-attacks. This 5-year modernization program would expand an FY 2023 pilot focused on the enhanced defense of internet access points managed by the Defense Information Systems Agency.
Establishing ICAM Initiative as a Program of Record. Section 1719 of the Senate bill would require DoD to establish the Identity, Credential, and Access Management (“ICAM”) initiative as a program of record, with a view to correcting significant authentication and credentialing security weaknesses (including in the Public Key Infrastructure program) identified in an April 2023 report to Congress. The ICAM program would employ improved authentication technologies, such as biometric and behavioral authentication techniques and other non-password-based solutions, to screen more effectively those attempting to access DoD systems.
Protection of Personal Information of DoD Personnel from Foreign Adversaries. Section 1728 of the Senate bill would call on GAO to assess and make recommendations for the improvement of DoD efforts to protect the personal information of DoD personnel, including location data generated by smart phones, to address the threat of foreign adversary interception and exploitation.
Harmonization and Clarification of Strategic Cybersecurity Program. Section 1501 of the House bill would establish a DoD “Strategic Cybersecurity Program” to safeguard the ability to conduct offensive cyber operations and ensure the cybersecurity of other critical missions. The provision would require the Secretary of Defense to designate a senior DoD civilian leader to partner with the Director of NSA / Commander, U.S. Cyber Command, to conduct appropriate reviews of the acquisition and system engineering plans for systems and infrastructure related to Program missions, conduct end-to-end vulnerability assessments of Program missions, and prioritize and facilitate the remediation of such vulnerabilities.
Increase Funding for DoD Software Factories. Section 277 of the House bill would increase by $10 million the funds currently authorized for DoD software factories. As described in DoD’s “Software Modernization Implementation Plan” software factories are “collections of people, tools and processes that . . . deploy software to meet the needs of a specific community of end users while enabling continuous rollout and cutting-edge cyber resilience.” One of the most prominent examples of a DoD software factory is the U.S. Air Force’s Kessel Run, established in 2017. DoD’s software modernization plan calls for the establishment of additional DoD software factories; the funding Section 277 authorizes will assist DoD in realizing that objective.
Establishment of Military Pharmaceutical and Medical Vulnerability Monitoring Group. Section 726 of the House bill would require DoD to establish a military pharmaceutical and medical device vulnerability working group composed of DoD military members and civilian employees. The working group would be charged with, among other things, identifying cyber and electronic threats that could disrupt the effective operation of such DoD devices and compromise users’ private medical data, and developing a plan to mitigate these vulnerabilities by hardening devices against cyber-attack or interference.
Report on the Use of an Existing Contract to Use Cyber Capabilities to Protect DoD Assets and Networks. Section 143 of the Senate bill would require a report to the congressional defense committee explaining DoD’s exercise of options on an existing contract for the cybersecurity protection of Defense Department assets and networks. The report would include a discussion of the potential effects of DoD’s decision on competition among cybersecurity vendors, the risks and benefits associated with DoD’s reliance on an enterprise-wide cybersecurity solution from a single vendor, and a description of future plans to recompete the acquisition to allow multiple vendors to compete.
Federal Data Center Consolidation Initiative Amendments. Section 11002 of the Senate bill would establish minimum requirements for new data centers under the Federal Data Center Enhancement Act of 2023 (“FDCEA”), including the requirement that all new data centers meet federal information security protection standards. This provision would also require application of these minimum requirements to the operation of all current data centers.
As noted in our overview of topics to watch in the NDAA for FY 2024, these provisions remain subject to change (or elimination) as the House and Senate bills proceed through the conference process. Covington’s Public Policy and Government Contracts teams will continue to track NDAA developments and provide follow-on analysis.