Biden Signs Into Law NDAA With Several Cyber Provisions
Cyberspace Solarium Commission Ends, Will Continue Under Think Tank
U.S. President Joe Biden on Monday signed into law the National Defense Authorization Act for fiscal year 2022, which contains some $768 billion in defense spending - 5% more than 2021 - and several cybersecurity provisions.
The NDAA - which sets budgets for the Department of Defense and for the Department of Energy's national security programs - passed Congress earlier this month. In addition to funding cybersecurity and emerging technology, it amends the military justice system, includes a pay increase for service members and DOD civilian employees, and offers military aid to Ukraine as tensions mount on the country's eastern border.
Lawmakers also say the bill is the widest expansion of the Cybersecurity and Infrastructure Security Agency through legislation since the SolarWinds incident occurred in late 2020. Among other features, the NDAA authorizes CISA's program to monitor IT and OT networks of critical infrastructure partners and codifies a program providing businesses and state and local governments with model exercises to test their critical infrastructure (see: Senate Passes $768 Billion NDAA With Cyber Provisions).
In a statement issued after the signing, Biden said, "The [NDAA] provides vital benefits and enhances access to justice for military personnel and their families, and includes critical authorities to support our country’s national defense."
Lawmakers, Experts Discuss
When the bill cleared the Senate earlier this month, Minority Leader Mitch McConnell, R-Ky., said, "I've talked for weeks about the importance of this legislation, given the global threats and international challenges that face our nation - from China to Russia to the fight against terrorists in the Middle East."
Nevertheless, some cybersecurity experts say the bill - which was subject to partisan debate - "lacks teeth." Frank Downs, a former offensive analyst for the National Security Agency who is currently the director of proactive services for the security firm BlueVoyant, told ISMG this month that the NDAA is "behind the times in meaningful relevance."
And Bill Lawrence, a former cybersecurity instructor at the U.S. Naval Academy and currently CISO of the firm SecurityGate, told ISMG, "Missing from the bill is the controversial cyber incident reporting measure that would have made companies report breaches or ransomware attacks."
The incident reporting provision - which had earned bipartisan support in the wake of high-profile cyberattacks throughout 2021 - was cut from the NDAA at the eleventh hour as congressional negotiators could not come to terms on the verbiage (see: Cyber Incident Reporting Mandate Excluded From Final NDAA).
The original proposal, added to the package by Senate leaders as an amendment, would have required critical infrastructure providers to report cyberattacks within 72 hours of detection and to report payments made to ransomware gangs within 24 hours. It drew from stand-alone legislation originally introduced by Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters, D-Mich., and the committee's ranking member, Rob Portman, R-Ohio.
Negotiations reportedly stalled after Sen. Rick Scott, R-Fla., introduced a competing amendment that limited the number of entities that would have to report attacks. The bill's deadline reportedly passed before negotiators agreed on the terms.
Rep. Adam Smith, D-Wash., chairman of the House Armed Services Committee, said in a statement when the bill cleared the House: "This bill represents compromise between both parties and chambers. As a result, every single member involved has something in it they like and something that didn't get into the bill that they wish had. This year's procedural realities made the entire process exponentially more difficult."
Cyber Components
Proposals to reform the Federal Information Security Modernization Act and the Federal Risk and Authorization Management Program were also not included in the bill. The 2022 version does, however:
- Empower the commander of U.S. Cyber Command with executive budget authority;
- Authorize CISA's CyberSentry program - a voluntary effort to enhance the resilience of organizations providing critical infrastructure;
- Codify CISA's National Cyber Exercise Program, which allows the agency to test the U.S. response plan for major incidents;
- Require the DOD to compile a report on how small businesses are affected by its Cybersecurity Maturity Model Certification program;
- Modernize the relationship between the DOD's CIO and the NSA's "components responsible for cybersecurity";
- Establish a program office within Joint Force Headquarters to centralize the management of cyberthreat information products;
- Mandate the first taxonomy of cyber weapons and cyber capabilities;
- Require the defense secretary to create a "software development and acquisition cadre";
- Establish pilot programs for the deployment of 5G wireless infrastructure on military installations;
- Require the use of protective domain name systems across DOD;
- Require CISA to update its incident response plan at least every two years;
- Direct DOD to prepare several reports on China's activities - including security developments and emerging technologies;
- Require the defense secretary to review how the department can use AI and digital technology and to designate a chief digital recruiting officer.
Cyberspace Solarium Commission
The Cyberspace Solarium Commission, a federally backed effort to boost the nation's cyber resilience that was launched in 2019, ceased activity last Tuesday after its term under the 2019 NDAA expired.
The commission, co-chaired by Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., issued a comprehensive report on the nation's cybersecurity. The report details some 40 measures ultimately codified into law, including the formation of the Office of the National Cyber Director, now occupied by Chris Inglis, who serves as the nation's chief cybersecurity strategist and principal adviser to President Biden.
King and Gallagher spoke with reporters last week about the commission's work, saying its efforts will continue through a nonprofit think tank, Solarium 2.0, at the Foundation for the Defense of Democracies. Both lawmakers will continue as chairmen.
Speaking with Politico, King said: "I don't think there's any doubt that the commission's imprimatur … had a significant impact on our ability to get considered - not necessarily to get passed, but to get to the level of, 'Oh, yeah, this is something we've got to talk about.'"