Senate Passes $768 Billion NDAA With Cyber ProvisionsLawmakers: Defense Policy Bill to More 'Empower' and 'Expand' CISA After SolarWinds
The must-pass annual defense spending bill, authorizing nearly $770 billion in funding for the Pentagon, passed the Senate in a bipartisan vote on Wednesday, with several cybersecurity provisions, including measures to "empower and expand" the U.S. Cybersecurity and Infrastructure Security Agency.
Noticeably missing in the National Defense Authorization Act draft legislation, however, is a cyber incident reporting mechanism that, through an amendment pushed by key Senate leaders, would have found critical infrastructure providers reporting cyberattacks within 72 hours of detection, along with payments made to ransomware gangs, within 24 hours. The measure was nixed from the bill following eleventh-hour disagreements along party lines.
The robust legislative package, which cleared the House earlier this month, passed the Senate by a vote of 89-10, and now heads to President Joe Biden's desk, where it's expected to be signed into law.
Lawmakers claim the bill is the widest expansion of CISA through legislation since the SolarWinds incident. Among other features, the NDAA authorizes CISA's program to monitor IT and OT networks of critical infrastructure partners and codifies a program providing businesses and state and local governments with model exercises to test their critical infrastructure.
In a statement on the passage, Senate Minority Leader Mitch McConnell, R-Ky., said, "I've talked for weeks about the importance of this legislation, given the global threats and international challenges that face our nation - from China to Russia to the fight against terrorists in the Middle East."
Rep. Adam Smith, D-Wash., chairman of the House Armed Services Committee, said in a statement last week, "This bill represents compromise between both parties and chambers - as a result, every single member involved has something in it they like and something that didn't get into the bill that they wish had. This year's procedural realities made the entire process exponentially more difficult."
Some security experts say the defense bill places a greater emphasis on cybersecurity, but "lacks teeth." Frank Downs, a former offensive analyst for the National Security Agency, says the NDAA is "behind the times in meaningful relevance."
Downs, who serves as director of proactive services for the security firm BlueVoyant, says one of the bill's requirements - for CISA to update its incident response plans every two years - "undermines any confidence that the organization may already have been updating the IRP appropriately."
"It is always interesting to see what issues make it out of committee and into law, especially one as large as the annual NDAA, [with] over three-quarters of a trillion dollars this year," says Bill Lawrence, a former cybersecurity instructor at the U.S. Naval Academy and currently CISO of the firm SecurityGate. "Missing from the bill is the controversial cyber incident reporting measure that would have made companies report breaches or ransomware attacks."
Lawrence highlights companies' qualms with the measure, saying some smaller organizations lack a 24/7 security operations center, limiting their ability to tip off the U.S. government.
Atop key cybersecurity and emerging technology funding, the bill amends the military justice system and includes a pay increase for military service members and DOD civilian employees, among other measures, including military aid for Ukraine.
According to a summary of the bill, this NDAA includes a nearly 25% increase in investments for defensewide research and technology development.
Per the summary, the bill also:
- Empowers the commander of U.S. Cyber Command, Gen. Paul M. Nakasone, with executive budget authority;
- Authorizes CISA's CyberSentry program, a voluntary effort to enhance the resilience of organizations that provide critical infrastructure, including the use of sensors to monitor the IT and OT networks to detect cybersecurity threats;
- Codifies CISA's National Cyber Exercise Program, which allows the agency to test the U.S. response plan for major incidents; its models can be provided to state/local governments;
- Requires the DOD to compile a report on how small businesses are affected by its Cybersecurity Maturity Model Certification, or CMMC, program;
- Modernizes the relationship between the DOD's CIO and the NSA's "components responsible for cybersecurity";
- Establishes a program office within Joint Forces Headquarters to centralize the management of cyber threat information products;
- Mandates the first taxonomy of cyber weapons and cyber capabilities;
- Requires Defense Secretary Lloyd Austin to create a "software development and acquisition cadre";
- Establishes pilot programs for the deployment of 5G wireless infrastructure on military installations;
- Requires the use of protective domain name systems across DOD - a service that CISA previously said it would be rolling out for federal agencies;
- Requires CISA to update its incident response plan at least every two years;
- Directs the DOD to prepare several reports on China's activities - including security developments and emerging technologies;
- Requires DOD's Austin to review ways the department can use AI and digital technology and to designate the first-ever chief digital recruiting officer.
Reporting & FISMA Update
A notable provision absent from the final version was the inclusion of a Senate-approved bill to reform the Federal Information Security Management Act, or FISMA, last amended in 2014, which governs how agencies develop, document and implement security programs that support their operations.
But the Office of Management and Budget, or OMB, issued updated FISMA guidance earlier this month - which includes elements of the May executive order on cybersecurity, zero trust guidance, third-party penetration testing of agency networks, and an implementation plan for CISA's new Incident Response Playbook.
On the incident reporting side, the bipartisan measure stalled after Sen. Rick Scott, R-Fla., introduced a competing NDAA amendment that narrowed the scope of the reporting requirements and excluded small and medium-sized businesses (see: Cyber Incident Reporting Mandate Excluded From Final NDAA).
Negotiators did not agree on the verbiage until the congressional deadline had passed.