Following our recent overview of topics to watch in the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2024, available here, we continue our coverage with a “deep dive” into NDAA provisions related to cybersecurity and software security in each of the Senate and House bills.  For the past three years, the NDAA has dedicated a separate Title to cyber and cybersecurity, reflecting the increased importance of these issues in Department of Defense (“DoD”) operations.  As expected, both the Senate and House versions of the NDAA bill continue this tradition.  Many of the cyberspace-related provisions in both chambers’ bills would have direct or indirect impacts on DoD contractors and other members of the Defense Industrial Base (“DIB”).  We summarize below the cyber-related provisions that are most likely to impact the DIB. 

Cyber Manpower and Structure

Both House and Senate cyber provisions spotlight the sources and capabilities of the human capital required by DoD to conduct the full range of cyber operations.  These provisions include:

Enhancing the Readiness and Effectiveness of the Cyber Mission Force.  The Senate bill kicks off its focus on the cyber workforce in Section 1701 of the bill, which would require DoD to improve the readiness and effectiveness of its Cyber Mission Force (“CMF”).  The CMF is the U.S. Cyber Command’s “action arm.”  It consists of 133 teams drawn from each of the Military Services.  These teams are responsible for assisting Cyber Command and Joint Force commanders in accomplishing their missions through three primary forms of operations:  Defensive Cyberspace Operations, Offensive Cyberspace Operations, and Department of Defense Information Network (“DoDIN”) Operations, which focus on the design, security, operation, and maintenance of the DoDIN and supporting networks.

Of particular importance, the bill would require a three-year pilot program under which U.S. Cyber Command would use contractor personnel to perform “critical CMF work roles,” including duties related to network operations, cyber tool development, and exploitation analysis.  This pilot program could provide an opportunity for the DIB to become more directly involved in CMF operations and evaluations.

CMF Occupational Resiliency.  Section 1534 of the House bill would require a DoD study of resources required to enhance and support the “occupational resiliency” of CMF personnel.  The provision defines “occupational resiliency” as the ability to mitigate the “unique psychological factors that contribute to the degradation of mental health and job performance” associated with assignment to the CMF.

Reviewing Cyberspace Operations Management.  Section 1533 of the House bill would require a comprehensive review by the Government Accountability Office (“GAO”) of DoD’s readiness to conduct cyberspace operations.  This assessment would include GAO’s determination of the number of personnel assigned to each DoD organization responsible for cyberspace operations who are fully trained and qualified to perform their duties. 

Independent Evaluation of Requirement for a United States Cyber Force.  Section 1708 of the Senate bill would require DoD to enter into an agreement with the National Academy of Public Administration (“NAPA”) to evaluate the advisability of establishing a separate Military Service, the “United States Cyber Force,” dedicated to operations in the cyber domain.  The concept of the Cyber Force as a separate branch of the armed forces appears to riff on the U.S. Space Force, established in 2019, and the NAPA study will likely include lessons learned from DoD efforts since that time to bring the Space Force up to full operational capability.

Civilian Cybersecurity Reserve Pilots.  Although they take somewhat different approaches, both the House and Senate would direct the establishment of a “Civilian Reserve” that could be “activated” to bolster the government’s cyber workforce.  Section 1216 of the Senate bill takes a “DoD-only” view and would direct the Secretary of the Army to pilot the formation of a Civilian Cybersecurity Reserve to provide manpower to U.S. Cyber Command to help preempt, defeat, deter, and respond to malicious cyber activity, conduct cyberspace operations, and secure the DoDIN.  By contrast, Chapter 104 of the House bill takes a “whole-of-government” slant, authorizing $30 million to remain available until FY 2025 for a “Digital Corps Reserve,” to be managed by the General Services Administration (“GSA”), with the mission of recruiting and managing a team of individuals with skills and credentials needed to address the digital and cybersecurity needs of all participating executive branch agencies.  Both sections would impose numerous requirements on the eligibility, hiring, employment, and security clearance status of “Reserve” members.

Next Generation Cyber Red Teams.  Section 1704 of the Senate bill would require DoD to modernize its “cyber red teams” by utilizing cyber threat intelligence and threat modeling, automation, artificial intelligence (AI) and machine learning capabilities, and data collection and correlation.  “Cyber red teams” are independent, multi-disciplinary groups of DoD personnel, akin to “ethical hackers,” charged to find and report vulnerabilities in DoD systems and networks so they can be addressed.  This provision is intended to ensure that DoD “cyber red teams” are equipped with the most advanced technology and skills training as they combat increasingly sophisticated cyber threats.

Support of Cyber Education and Workforce Development at Institutions of Higher Learning.  Section 1726 of the Senate bill would authorize $10 million for fiscal year 2024 for DoD to incentivize institutions of higher learning to offer recognized certifications and degrees in the cyber field, with a goal of developing a cadre of students with foundational skills in critical cyber operations and encouraging those students to commit to a period of military or civilian service with DoD. 

Authority to Accept Voluntary Services From Cybersecurity Experts.  Section 1521 of the House bill would allow U.S. Cyber Command to accept voluntary and uncompensated services from cybersecurity experts, notwithstanding the provisions of 31 U.S.C. § 1342 that prohibit the government from accepting voluntary services in most circumstances.   

Space Operations

Both bills highlight Congressional concerns at the intersection of cybersecurity and DoD’s increasing engagement in the space domain.  These provisions include:

Strategy on Cybersecurity Resiliency of DoD Space Enterprise.  Section 1720 of the Senate bill requires DoD to develop and implement a holistic strategy for cyber protection of its space enterprise, including the adoption of zero trust architecture on legacy and new space-based systems and deliberate planning to develop new capabilities to protect space-based systems against cyber threats.

Plan to Improve Threat-Sharing Arrangements with Commercial Space Operators.  Section 1609 of the House bill would address Congressional concerns about perceived physical and cyber vulnerabilities of commercial space providers that contract with DoD.  The House would direct the Assistant Secretary of the Air Force for Space Acquisition and Integration, in consultation with the Commander of U.S. Space Command, to develop a plan to expand existing threat-sharing arrangements with commercial space operators under contract with DoD.

Cyber Incident Reporting

Cyber Incident Reporting Requirement.  Section 1715(a) of the Senate bill would require DoD to issue new guidance to facilitate complete and timely cyber incident reporting and enable enterprise-wide visibility into such reports.  Section 1715(a) would also require the DoD Chief Information Officer to determine actions needed to encourage more complete and timely mandatory cyber incident reporting by the DIB.  In addition, Section 1715(b) would require DoD to assess the feasibility of establishing an Office of Cyber Statistics to track cyber incidents and measure DoD, and potentially DIB, responses to cyber threats, risks, and vulnerabilities.  These provisions add to the current flurry of pending rulemakings, reports, and assessments to improve cybersecurity across the federal government, triggered by the SolarWinds, Microsoft, and Colonial Pipeline incidents.  For instance, as recently as October 3, 2023, the Federal Acquisition Regulatory Council published a proposed rule that would require government contractors to share information on cybersecurity threats and report cybersecurity incidents to the government within 8 hours of discovery (far sooner than DoD’s current 72-hour deadline).  This proposed rule would make compliance with these requirements material to eligibility for and payment under a government contract.

U.S. Cybersecurity Cooperation with Foreign Allies and Partners

Both the House and Senate bills incorporate provisions that would enhance U.S. cybersecurity cooperation with foreign allies and partners.  These provisions include:

Cybersecurity Cooperation With Taiwan.  Military and political strategists predict that any use of force by China against Taiwan is likely to begin with a large-scale cyberattack.  Section 1352 of the Senate bill and Section 1505 of the House bill would require DoD to expand cooperation with Taiwan on cybersecurity activities, including by conducting combined cybersecurity training activities and exercises.  The provisions direct DoD to leverage U.S. military and commercial cybersecurity technologies to harden and actively defend Taiwan’s networks and infrastructure.

Digital Connectivity and Cybersecurity Partnership and Fund.  Section 6306 of the Senate bill would establish a State Department program to help foreign allies and partners expand secure internet access and digital communications infrastructure and adopt cybersecurity common standards and best practices.  Section 6306(e) of the bill would authorize $100 million over fiscal years 2024 through 2028 to fund this foreign assistance.

Other Cybersecurity Provisions Likely to Affect the DIB

In addition to the provisions discussed above, both the Senate and House bills incorporate additional provisions related to cybersecurity of particular relevance to the DIB.  These include:

Memory-Safe Software Programming.  Section 1713 of the Senate bill would require DoD to implement National Security Agency (“NSA”) recommendations that DoD identify memory-related vulnerabilities in the software it develops, acquires, or uses, by requiring reliance on memory-safe software programming languages and testing.  The recommendations at issue were first set forth in a “Cybersecurity Information Sheet” issued by NSA in November 2022.  NSA found that most software vulnerabilities were based on memory safety issues such as “buffer overflow” where data is accessed outside the boundaries of an array, or the reallocation of memory after that memory has been freed.  Exploitation of these overflows could permit malicious actors to execute code on a computer that would not ordinarily be permitted.  The NSA noted that while software analysis tools can detect many instances of memory issues, and operating environment tools can also provide some protection, the inherent protections offered by memory safe software languages can prevent or mitigate most memory management issues. 
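To make concrete the two defect classes the NSA sheet describes (an out-of-bounds write past a fixed-size field, and use of memory after it has been freed) and what “memory-safe” handling looks like, here is a short added C example written for this post; it is not code from the bill, the NSA sheet, or any DoD program. The `record` structure, the field size `NAME_LEN`, and the function names are illustrative assumptions. The unchecked copy is the pattern memory-safe languages forbid by construction; the checked copy and the release-and-clear helper show the manual discipline C requires to get the same guarantee.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record with a fixed-size field, as found in much legacy C. */
#define NAME_LEN 16
struct record {
    char name[NAME_LEN];
    int  id;             /* sits directly after name[] in memory */
};

/* Vulnerable form: no length check. If src is longer than NAME_LEN-1 bytes,
 * strcpy writes past name[] and corrupts id (a classic buffer overflow).
 * Shown for contrast only; it is never called with oversized input here. */
void set_name_unchecked(struct record *r, const char *src) {
    strcpy(r->name, src);
}

/* Bounded length: counts at most `limit` bytes, never scanning past them. */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != '\0') {
        n++;
    }
    return n;
}

/* Hardened form: refuse input that would not fit, copy only what fits,
 * and always NUL-terminate. Returns 0 on success, -1 if rejected. */
int set_name_checked(struct record *r, const char *src) {
    size_t n = bounded_len(src, NAME_LEN);
    if (n >= NAME_LEN) {
        return -1;       /* would overflow: reject rather than truncate silently */
    }
    memcpy(r->name, src, n);
    r->name[n] = '\0';
    return 0;
}

/* Test helper: copies src into a record whose id is 42 and reports whether
 * the neighbouring field survived. Returns the copy's return code, or -2
 * if id was clobbered. */
int copy_preserves_neighbour(const char *src) {
    struct record r;
    memset(&r, 0, sizeof r);
    r.id = 42;
    int rc = set_name_checked(&r, src);
    return (r.id == 42) ? rc : -2;
}

/* Use-after-free guard: free through a pointer-to-pointer and clear it, so a
 * later accidental use is a NULL dereference (loud, testable) instead of a
 * read or write into memory the allocator may already have handed out again. */
void release(char **p) {
    free(*p);
    *p = NULL;
}

/* Returns 0 when the released pointer has been cleared as expected. */
int release_clears_pointer(void) {
    char *buf = malloc(32);
    if (buf == NULL) {
        return -1;
    }
    set_name_unchecked((struct record *)buf, "fits");  /* in-bounds use only */
    release(&buf);
    return (buf == NULL) ? 0 : 1;
}

int main(void) {
    printf("short name: rc=%d\n", copy_preserves_neighbour("alice"));
    printf("long name:  rc=%d\n",
           copy_preserves_neighbour("this name is far too long for the field"));
    printf("release:    rc=%d\n", release_clears_pointer());
    return 0;
}
```

Static analyzers and sanitizers will flag `set_name_unchecked` when fed a long input, which is the “testing” half of the Section 1713 language; the “memory-safe language” half is the observation that a Rust or Go equivalent of `set_name_unchecked` cannot be written without an explicit opt-out, so the bounds check in `set_name_checked` is supplied by the language rather than by the programmer’s discipline.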

Inclusion of Semi-Conductor Manufacturers in Cybersecurity Collaboration Center.  Section 1707 of the Senate bill would establish a pilot program to assess the feasibility and advisability of improving the security of the semi-conductor supply chain by enabling collaboration between NSA’s Cybersecurity Collaboration Center (“CCC”) and U.S. semi-conductor manufacturers.

Cyber Intelligence Center.  Section 1702 of the Senate bill would require the establishment of a dedicated DoD cyber intelligence capability–potentially a Defense Cyber Intelligence Center under control of the Defense Intelligence Agency–to support U.S. Cyber Command and other DoD components in identifying cyber threat actors and their intentions and employing new technologies to combat them. 

Modernize DoD Information Network Boundary and Cross-Domain Defense.  Section 1712 of the Senate bill would require DoD to modernize its capabilities to defend all DoDIN boundaries and cross-domains against cyber-attacks.  This 5-year modernization program would expand an FY 2023 pilot focused on the enhanced defense of internet access points managed by the Defense Information Systems Agency. 

Establishing ICAM Initiative as a Program of Record.  Section 1719 of the Senate bill would require DoD to establish the Identity, Credential, and Access Management (“ICAM”) initiative as a program of record, with a view to correcting significant authentication and credentialing security weaknesses (including in the Public Key Infrastructure program) identified in an April 2023 report to Congress.  The ICAM program would employ improved authentication technologies, such as biometric and behavioral authentication techniques and other non-password-based solutions, to screen more effectively those attempting to access DoD systems.

Protection of Personal Information of DoD Personnel from Foreign Adversaries.  Section 1728 of the Senate bill would call on GAO to assess and make recommendations for the improvement of DoD efforts to protect the personal information of DoD personnel, including location data generated by smart phones, to address the threat of foreign adversary interception and exploitation.   

Harmonization and Clarification of Strategic Cybersecurity Program.  Section 1501 of the House bill would establish a DoD “Strategic Cybersecurity Program” to safeguard the ability to conduct offensive cyber operations and ensure the cybersecurity of other critical missions.  The provision would require the Secretary of Defense to designate a senior DoD civilian leader to partner with the Director of NSA / Commander, U.S. Cyber Command, to conduct appropriate reviews of the acquisition and system engineering plans for systems and infrastructure related to Program missions, conduct end-to-end vulnerability assessments of Program missions, and prioritize and facilitate the remediation of such vulnerabilities.

Increase Funding for DoD Software Factories.  Section 277 of the House bill would increase by $10 million the funds currently authorized for DoD software factories.  As described in DoD’s “Software Modernization Implementation Plan” software factories are “collections of people, tools and processes that . . . deploy software to meet the needs of a specific community of end users while enabling continuous rollout and cutting-edge cyber resilience.”  One of the most prominent examples of a DoD software factory is the U.S. Air Force’s Kessel Run, established in 2017.  DoD’s software modernization plan calls for the establishment of additional DoD software factories; the funding Section 277 authorizes will assist DoD in realizing that objective.

Establishment of Military Pharmaceutical and Medical Vulnerability Monitoring Group.  Section 726 of the House bill would require DoD to establish a military pharmaceutical and medical device vulnerability working group composed of DoD military members and civilian employees.  The working group would be charged with, among other things, identifying cyber and electronic threats that could disrupt the effective operation of such DoD devices and compromise users’ private medical data, and developing a plan to mitigate these vulnerabilities by hardening devices against cyber-attack or interference.

Report on the Use of an Existing Contract to Use Cyber Capabilities to Protect DoD Assets and Networks.  Section 143 of the Senate bill would require a report to the congressional defense committee explaining DoD’s exercise of options on an existing contract for the cybersecurity protection of Defense Department assets and networks.  The report would include a discussion of the potential effects of DoD’s decision on competition among cybersecurity vendors, the risks and benefits associated with DoD’s reliance on an enterprise-wide cybersecurity solution from a single vendor, and a description of future plans to recompete the acquisition to allow multiple vendors to compete.

Federal Data Center Consolidation Initiative Amendments.  Section 11002 of the Senate bill would establish minimum requirements for new data centers under the Federal Data Center Enhancement Act of 2023 (“FDCEA”), including the requirement that all new data centers meet federal information security protection standards.  This provision would also require application of these minimum requirements to the operation of all current data centers.

As noted in our overview of topics to watch in the NDAA for FY 2024, these provisions remain subject to change (or elimination) as the House and Senate bills proceed through the conference process.  Covington’s Public Policy and Government Contracts teams will continue to track NDAA developments and provide follow-on analysis. 

Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under the October 2023 AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well as more traditional government contracting costs, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice’s Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob is ranked by Chambers USA for his work in government contracts and he writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Stephanie Barna

Stephanie Barna draws on over three decades of U.S. military and government service to provide advisory and advocacy support and counseling to clients facing policy and political challenges in the aerospace and defense sectors.

Prior to joining the firm, Stephanie was a senior leader on Capitol Hill and in the U.S. Department of Defense (DoD). Most recently, she was General Counsel of the Senate Armed Services Committee, where she was responsible for the annual $740 billion National Defense Authorization Act (NDAA). Additionally, she managed the Senate confirmation of three- and four-star military officers and civilians nominated by the President for appointment to senior political positions in DoD and the Department of Energy’s national security nuclear enterprise, and was the Committee’s lead for investigations.

Previously, as a senior executive in the Office of the Army General Counsel, Stephanie served as a legal advisor to three Army Secretaries. In 2014, Secretary of Defense Chuck Hagel appointed her to be the Principal Deputy Assistant Secretary of Defense for Manpower and Reserve Affairs. In that role, she was a principal advisor to the Secretary of Defense on all matters relating to civilian and military personnel, reserve integration, military community and family policy, and Total Force manpower and resources. Stephanie was later appointed by Secretary of Defense Jim Mattis to perform the duties of the Under Secretary of Defense for Personnel and Readiness, responsible for programs and funding of more than $35 billion.

Stephanie was also previously the Deputy General Counsel for Operations and Personnel in the Office of the Army General Counsel. She led a team of senior lawyers in resolving the full spectrum of issues arising from Army wartime operations and the life cycle of Army military and civilian personnel. Stephanie was also a personal advisor to the Army Secretary on his institutional reorganization and business transformation initiatives and acted for the Secretary in investigating irregularities in fielding of the Multiple Launch Rocket System and classified contracts. She also played a key role in a number of high-profile personnel investigations, including the WikiLeaks breach. Prior to her appointment as Deputy, she was Associate Deputy General Counsel (Operations and Personnel) and Acting Deputy General Counsel.

Stephanie is a retired Colonel in the U.S. Army and served in the U.S. Army Judge Advocate General’s Corps as an Assistant to the General Counsel, Office of the Army General Counsel; Deputy Staff Judge Advocate, U.S. Army Special Forces Command (Airborne); Special Assistant to the Assistant Secretary of the Army (Manpower & Reserve Affairs); and General Law Attorney, Administrative Law Division.

Stephanie was selected by the National Academy of Public Administration for inclusion in its 2022 Class of Academy Fellows, in recognition of her years of public administration service and expertise.

Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer who advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

  • Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
  • Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
  • Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
  • Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
  • Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.