Following our recent overview of topics to watch in the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2024, available here, we continue our coverage with a “deep dive” into NDAA provisions related to cybersecurity and software security in each of the Senate and House bills.  For the past three years, the NDAA has dedicated a separate Title to cyber and cybersecurity, reflecting the increased importance of these issues in Department of Defense (“DoD”) operations.  As expected, both the Senate and House versions of the NDAA bill continue this tradition.  Many of the cyberspace related provisions in both chambers’ bills would have direct or indirect impacts on DoD contractors and other members of the Defense Industrial Base (“DIB”).  We summarize below the cyber-related provisions that are most likely to impact the DIB. 

Cyber Manpower and Structure

Both House and Senate cyber provisions spotlight the sources and capabilities of the human capital required by DoD to conduct the full range of cyber operations.  These provisions include:

Enhancing the Readiness and Effectiveness of the Cyber Mission Force.  The Senate bill kicks off its focus on the cyber workforce in Section 1701 of the bill, which would require DoD to improve the readiness and effectiveness of its Cyber Mission Force (“CMF”).  The CMF is the U.S. Cyber Command’s “action arm.”  It consists of 133 teams drawn from each of the Military Services.  These teams are responsible for assisting Cyber Command and Joint Force commanders in accomplishing their missions through three primary forms of operations:  Defensive Cyberspace Operations, Offensive Cyberspace Operations, and Department of Defense Information Network (“DoDIN”) Operations, which focus on the design, security, operation, and maintenance of the DoDIN and supporting networks.

Of particular importance, the bill would require a three-year pilot program under which U.S. Cyber Command would use contractor personnel to perform “critical CMF work roles,” including duties related to network operations, cyber tool development, and exploitation analysis.  This pilot program could provide an opportunity for the DIB to become more directly involved in CMF operations and evaluations.

CMF Occupational Resiliency.  Section 1534 of the House bill would require a DoD study of resources required to enhance and support the “occupational resiliency” of CMF personnel.  The provision defines “occupational resiliency” as the ability to mitigate the “unique psychological factors that contribute to the degradation of mental health and job performance” associated with assignment to the CMF.

Reviewing Cyberspace Operations Management.  Section 1533 of the House bill would require a comprehensive review by the Government Accountability Office (“GAO”) of DoD’s readiness to conduct cyberspace operations.  This assessment would include GAO’s determination of the number of personnel assigned to each DoD organization responsible for cyberspace operations who are fully trained and qualified to perform their duties. 

Independent Evaluation of Requirement for a United States Cyber Force.  Section 1708 of the Senate bill would require DoD to enter into an agreement with the National Academy of Public Administration (“NAPA”) to evaluate the advisability of establishing a separate Military Service, the “United States Cyber Force,” dedicated to operations in the cyber domain.  The concept of the Cyber Force as a separate branch of the armed forces appears to riff on the U.S. Space Force, established in 2019 and the NAPA study will likely include lessons learned from DoD efforts since that time to bring the Space Force up to full operational capability.

Civilian Cybersecurity Reserve Pilots.  Although they take somewhat different approaches, both the House and Senate would direct the establishment of a “Civilian Reserve” that could be “activated” to bolster the government’s cyber workforce.  Section 1216 of the Senate bill takes a “DoD-only” view and would direct the Secretary of the Army to pilot the formation of a Civilian Cybersecurity Reserve to provide manpower to U.S. Cyber Command to help preempt, defeat, deter, and respond to malicious cyber activity, conduct cyberspace operations, and secure the DoDIN.  By contrast, Chapter 104 of the House bill takes a “whole-of-government” slant, authorizing $30 million to remain available until FY 2025 for a “Digital Corps Reserve,” to be managed by the General Services Administration (“GSA”), with the mission of recruiting and managing a team of individuals with skills and credentials needed to address the digital and cybersecurity needs of all participating executive branch agencies.  Both sections would impose numerous requirements on the eligibility, hiring, employment, and security clearance status of “Reserve” members.

Next Generation Cyber Red Teams.  Section 1704 of the Senate bill would require DoD to modernize its “cyber red teams” by utilizing cyber threat intelligence and threat modeling, automation, artificial intelligence (AI) and machine learning capabilities, and data collection and correlation.  “Cyber red teams” are independent, multi-disciplinary groups of DoD personnel, akin to “ethical hackers,” charged to find and report vulnerabilities in DoD systems and networks so they can be addressed.  This provision is intended to ensure that DoD “cyber red teams” are equipped with the most advanced technology and skills training as they combat increasingly sophisticated cyber threats.

Support of Cyber Education and Workforce Development at Institutions of Higher Learning.  Section 1726 of the Senate bill would authorize $10 million for fiscal year 2024 for DoD to incentivize institutions of higher learning to offer recognized certifications and degrees in the cyber field, with a goal of developing a cadre of students with foundational skills in critical cyber operations and encouraging those students to commit to a period of military or civilian service with DoD. 

Authority to Accept Voluntary Services From Cybersecurity Experts.  Section 1521 of the House bill would allow U.S. Cyber Command to accept voluntary and uncompensated services from cybersecurity experts, notwithstanding the provisions of 31 U.S.C. § 1342 that prohibit the government from accepting voluntary services in most circumstances.   

Space Operations

Both bills highlight Congressional concerns at the intersection of cybersecurity and DoD’s increasing engagement in the space domain.  These provisions include:

Strategy on Cybersecurity Resiliency of DoD Space Enterprise.  Section 1720 of the Senate bill requires DoD to develop and implement a holistic strategy for cyber protection of its space enterprise, including the adoption of zero trust architecture on legacy and new space-based systems and deliberate planning to develop new capabilities to protect space-based systems against cyber threats.

Plan to Improve Threat-Sharing Arrangements with Commercial Space Operators.  Section 1609 of the House bill would address Congressional concerns about perceived physical and cyber vulnerabilities of commercial space providers that contract with DoD.  The House would direct the Assistant Secretary of the Air Force for Space Acquisition and Integration, in consultation with the Commander of U.S. Space Command, to develop a plan to expand existing threat-sharing arrangements with commercial space operators under contract with DoD.

Cyber Incident Reporting

Cyber Incident Reporting Requirement.  Section 1715(a) of the Senate bill would require DoD to issue new guidance to facilitate complete and timely cyber incident reporting and enable enterprise-wide visibility into such reports.  Section 1715(a) would also require the DoD Chief Information Officer to determine actions needed to encourage more complete and timely mandatory cyber incident reporting by the DOB.  In addition, Section 1715(b) would require DoD to assess the feasibility of establishing an Office of Cyber Statistics to track cyber incidents and measure DoD, and potentially DIB, responses to cyber threats, risks, and vulnerabilities.  These provisions add to the current flurry of the pending rulemakings, reports, and assessments to improve cybersecurity across the federal government, triggered by the Solar Winds, Microsoft, and Colonial Pipeline incidents.  For instance, as recently as October 3, 2023, the Federal Acquisition Regulatory Council published a proposed rule that would require government contractors to share information on cybersecurity threats and report cybersecurity incidents to the government within 8 hours of discovery (far sooner than DoD’s current 72-hour deadline).  This proposed rule would make compliance with these requirements material to eligibility for and payment under a government contract.

U.S. Cybersecurity Cooperation with Foreign Allies and Partners

Both the House and Senate bills incorporate provisions that would enhance U.S. cybersecurity cooperation with foreign allies and partners.  These provisions include:

Cybersecurity Cooperation With TaiwanMilitary and political strategists predict that any use of force by China against Taiwan is likely to begin with a large-scale cyberattack.  Section 1352 of the Senate bill and Section 1505 of the House bill would require DoD to expand cooperation with Taiwan on cybersecurity activities, including by conducting combined cybersecurity training activities and exercises.  The provisions direct DoD to leverage U.S. military and commercial cybersecurity technologies to harden and actively defend Taiwan’s networks and infrastructure.

Digital Connectivity and Cybersecurity Partnership and Fund.  Section 6306 of the Senate bill would establish a State Department program to help foreign allies and partners expand secure internet access and digital communications infrastructure and adopt cybersecurity common standards and best practices.  Section 6306(e) of the bill would authorize $100 million over fiscal years 2024 through 2028 to fund this foreign assistance.

Other Cybersecurity Provisions Likely to Affect the DIB

In addition to the provisions discussed above, both the Senate and House bills incorporate additional provisions related to cybersecurity of particular relevance to the DIB.  These include:

Memory-Safe Software Programming.  Section 1713 of the Senate bill would require DoD to implement National Security Agency (“NSA”) recommendations that DoD identify memory-related vulnerabilities in the software it develops, acquires, or uses, by requiring reliance on memory-safe software programming languages and testing.  The recommendations at issue were first set forth in a “Cybersecurity Information Sheet” issued by NSA in November 2022.  NSA found that most software vulnerabilities were based on memory safety issues such as “buffer overflow” where data is accessed outside the boundaries of an array, or the reallocation of memory after that memory has been freed.  Exploitation of these overflows could permit malicious actors to execute code on a computer that would not ordinarily be permitted.  The NSA noted that while software analysis tools can detect many instances of memory issues, and operating environment tools can also provide some protection, the inherent protections offered by memory safe software languages can prevent or mitigate most memory management issues. 

Inclusion of Semi-Conductor Manufacturers in Cybersecurity Collaboration Center.  Section 1707 of the Senate bill would establish a pilot program to assess the feasibility and advisability of improving the security of the semi-conductor supply chain by enabling collaboration between NSA’s Cybersecurity Collaboration Center (“CCC”) and U.S. semi-conductor manufacturers.

Cyber Intelligence Center.  Section 1702 of the Senate bill would require the establishment of a dedicated DoD cyber intelligence capability–potentially a Defense Cyber Intelligence Center under control of the Defense Intelligence Agency–to support U.S. Cyber Command and other DoD components in identifying cyber threat actors and their intentions and employing new technologies to combat them. 

Modernize DoD Information Network Boundary and Cross-Domain Defense.  Section 1712 of the Senate bill would require DoD to modernize its capabilities to defend all DoDIN boundaries and cross-domains against cyber-attacks.  This 5-year modernization program would expand an FY 2023 pilot focused on the enhanced defense of internet access points managed by the Defense Information Systems Agency. 

Establishing ICAM Initiative as a Program of Record.  Section 1719 of the Senate bill would require DoD to establish the Identity, Credential, and Access Management (“ICAM”) initiative as a program of record, with a view to correcting significant authentication and credentialing security weaknesses (including in the Public Key infrastructure program) identified in an April 2023 report to Congress.  The ICAM program would employ improved authentication technologies, such as biometric and behavioral authentication techniques and other non-password-based solutions, to screen more effectively those attempting to access DoD systems.

Protection of Personal Information of DoD Personnel from Foreign Adversaries.  Section 1728 of the Senate bill would call on GAO to assess and make recommendations for the improvement of DoD efforts to protect the personal information of DoD personnel, including location data generated by smart phones, to address the threat of foreign adversary interception and exploitation.   

Harmonization and Clarification of Strategic Cybersecurity Program.  Section 1501 of the House bill would establish a DoD “Strategic Cybersecurity Program” to safeguard the ability to conduct offensive cyber operations and ensure the cybersecurity of other critical missions.  The provision would require the Secretary of Defense to designate a senior DoD civilian leader to partner with the Director of NSA / Commander, U.S. Cyber Command, to conduct appropriate reviews of the acquisition and system engineering plans for systems and infrastructure related to Program missions, conduct end-to-end vulnerability assessments of Program missions, and prioritize and facilitate the remediation of such vulnerabilities.

Increase Funding for DoD Software Factories.  Section 277 of the House bill would increase by $10 million the funds currently authorized for DoD software factories.  As described in DoD’s “Software Modernization Implementation Plan” software factories are “collections of people, tools and processes that . . . deploy software to meet the needs of a specific community of end users while enabling continuous rollout and cutting-edge cyber resilience.”  One of the most prominent examples of a DoD software factory is the U.S. Air Force’s Kessel Run, established in 2017.  DoD’s software modernization plan calls for the establishment of additional DoD software factories; the funding Section 277 authorizes will assist DoD in realizing that objective.

Establishment of Military Pharmaceutical and Medical Vulnerability Monitoring Group.  Section 726 of the House bill would require DoD to establish a military pharmaceutical and medical device vulnerability working group composed of DoD military members and civilian employees.  The working group would be charged with, among other things, identifying cyber and electronic threats that could disrupt the effective operation of such DoD devices and compromise users’ private medical data, and developing a plan to mitigate these vulnerabilities by hardening devices against cyber-attack or interference.

Report on the Use of an Existing Contract to Use Cyber Capabilities to Protect DoD Assets and Networks.  Section 143 of the Senate bill would require a report to the congressional defense committee explaining DoD’s exercise of options on an existing contract for the cybersecurity protection of Defense Department assets and networks.  The report would include a discussion of the potential effects of DoD’s decision on competition among cybersecurity vendors, the risks and benefits associated with DoD’s reliance on an enterprise-wide cybersecurity solution from a single vendor, and a description of future plans to recompete the acquisition to allow multiple vendors to compete.

Federal Data Center Consolidation Initiative Amendments.  Section 11002 of the Senate bill would establish minimum requirements for new data centers under the Federal Data Center Enhancement Act of 2023 (“FDCEA”), including the requirement that all new data centers meet federal information security protection standards.  This provision would also require application of these minimum requirements to the operation of all current data centers.

As noted in our overview of topics to watch in the NDAA for FY 2024, these provisions remain subject to change (or elimination) as the House and Senate bills proceed through the conference process.  Covington’s Public Policy and Government Contracts teams will continue to track NDAA developments and provide follow-on analysis. 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Robert Huffman Robert Huffman

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance…

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance, contract claims and disputes, and intellectual property (IP) matters related to U.S. government contracts.

Bob has leading expertise advising companies that are defending against investigations, prosecutions, and civil suits alleging procurement fraud and false claims. He has represented clients in more than a dozen False Claims Act qui tam suits. He also represents clients in connection with parallel criminal proceedings and suspension and debarment.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including cybersecurity, the Buy American Act/Trade Agreements Act (BAA/TAA), and counterfeit parts requirements. He also has extensive experience litigating contract and related issues before the Court of Federal Claims, the Armed Services Board of Contract Appeals, federal district courts, the Federal Circuit, and other federal appellate courts.

In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial items and services. He handles IP matters involving government contracts, grants, Cooperative Research and Development Agreements (CRADAs), and Other Transaction Agreements (OTAs).

Photo of Michele Pearce Michele Pearce

Michele Pearce has wide-ranging experience working on national security issues throughout her two decades of military and government service. She provides advisory and advocacy support and counseling to clients facing policy and political challenges in the aerospace and defense sectors.
Before joining Covington…

Michele Pearce has wide-ranging experience working on national security issues throughout her two decades of military and government service. She provides advisory and advocacy support and counseling to clients facing policy and political challenges in the aerospace and defense sectors.
Before joining Covington, Michele held several senior staff positions within the Department of Defense (DoD) and Congress. Most recently, she served as General Counsel (Acting) of the Department of the Army, providing legal and policy advice to the Secretary of the Army and other service leadership. In this role, Michele was responsible for legal matters related to modernizing acquisition and contracting practices to meet emerging threats, implementing AI and hypersonic systems, and reforming ethics and diversity and inclusion programs.

Prior to her role in the Army, Michele served as Deputy General Counsel (Legislation) at DoD. She was the principal legal advisor to DoD officials, including the Secretary of Defense, Deputy Secretary of Defense, and General Counsel on matters concerning legislation, investigations, and the Department’s Legislative Review Program, which considers more than 400 legislative proposals annually.

Michele also has significant Capitol Hill experience. She was a Senior Defense Advisor to Senator Susan Collins (R-ME), advising on legal and budgetary matters related to authorizations and appropriations for the Departments of Defense, Homeland Security, and Veterans Affairs. Michele also served as Staff Lead/Counsel on the House Armed Services Committee, where she managed one of the largest subcommittees in Congress with a multi-billion dollar budget focused on operations and maintenance activities across DoD. She also served as Staff Lead of the Oversight and Investigations Subcommittee and as Counsel and Professional Staff of the Military Personnel Subcommittee.

Michele also previously served as an Advisor to Andrew Effron, Chief Judge of the U.S. Court of Appeals for the Armed Forces; Military Assistant to the Secretary of the Air Force; Associate Deputy General Counsel for Personnel and Health Policy at DoD; and as an Air Force Judge Advocate General.

Photo of Susan B. Cassidy Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government…

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Photo of Stephanie Barna Stephanie Barna

Stephanie Barna draws on over three decades of U.S. military and government service to provide advisory and advocacy support and counseling to clients facing policy and political challenges in the aerospace and defense sectors.

Prior to joining the firm, Stephanie was a senior…

Stephanie Barna draws on over three decades of U.S. military and government service to provide advisory and advocacy support and counseling to clients facing policy and political challenges in the aerospace and defense sectors.

Prior to joining the firm, Stephanie was a senior leader on Capitol Hill and in the U.S. Department of Defense (DoD). Most recently, she was General Counsel of the Senate Armed Services Committee, where she was responsible for the annual $740 billion National Defense Authorization Act (NDAA). Additionally, she managed the Senate confirmation of three- and four-star military officers and civilians nominated by the President for appointment to senior political positions in DoD and the Department of Energy’s national security nuclear enterprise, and was the Committee’s lead for investigations.

Previously, as a senior executive in the Office of the Army General Counsel, Stephanie served as a legal advisor to three Army Secretaries. In 2014, Secretary of Defense Chuck Hagel appointed her to be the Principal Deputy Assistant Secretary of Defense for Manpower and Reserve Affairs. In that role, she was a principal advisor to the Secretary of Defense on all matters relating to civilian and military personnel, reserve integration, military community and family policy, and Total Force manpower and resources. Stephanie was later appointed by Secretary of Defense Jim Mattis to perform the duties of the Under Secretary of Defense for Personnel and Readiness, responsible for programs and funding of more than $35 billion.

Stephanie was also previously the Deputy General Counsel for Operations and Personnel in the Office of the Army General Counsel. She led a team of senior lawyers in resolving the full spectrum of issues arising from Army wartime operations and the life cycle of Army military and civilian personnel. Stephanie was also a personal advisor to the Army Secretary on his institutional reorganization and business transformation initiatives and acted for the Secretary in investigating irregularities in fielding of the Multiple Launch Rocket System and classified contracts. She also played a key role in a number of high-profile personnel investigations, including the WikiLeaks breach. Prior to her appointment as Deputy, she was Associate Deputy General Counsel (Operations and Personnel) and Acting Deputy General Counsel.

Stephanie is a retired Colonel in the U.S. Army and served in the U.S. Army Judge Advocate General’s Corps as an Assistant to the General Counsel, Office of the Army General Counsel; Deputy Staff Judge Advocate, U.S. Army Special Forces Command (Airborne); Special Assistant to the Assistant Secretary of the Army (Manpower & Reserve Affairs); and General Law Attorney, Administrative Law Division.

Stephanie was selected by the National Academy of Public Administration for inclusion in its 2022 Class of Academy Fellows, in recognition of her years of public administration service and expertise.

Photo of Ryan Burnette Ryan Burnette

Ryan Burnette advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national…

Ryan Burnette advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national security related matters, including those matters that relate to federal cybersecurity and federal supply chain security. Ryan also advises on government cost accounting, FAR and DFARS compliance, public policy matters, and agency disputes. He speaks and writes regularly on government contracts and cybersecurity topics, drawing significantly on his prior experience in government to provide insight on the practical implications of regulations.