Dozens of cybersecurity efforts included in this year’s US NDAA – CSO Online

By CSO
Last week, members of the US House of Representatives and Senate reconciled their versions of the annual must-pass National Defense Authorization Act (NDAA). Each year the NDAA contains a wealth of primarily military cybersecurity provisions, delivering hundreds of millions, if not billions, in new cybersecurity funding to the federal government. This year’s bill is no exception.
Titled the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, the legislation clocks in at over 4,408 pages. The entire package is worth $858 billion, an increase of 10.3%, or $80.4 billion, over the FY2022 NDAA’s topline, with a good chunk of that amount going to cybersecurity efforts.
After the bill’s passage, Representative Bennie G. Thompson (D-MS), chairman of the Committee on Homeland Security, said, “With respect to cybersecurity, I am pleased that we were able to reach an agreement on bipartisan provisions that originated in the Committee on Homeland Security. They include Congresswoman Slotkin’s legislation to reauthorize the Secret Service’s National Computer Forensics Institute, Congresswoman Luria’s bill to authorize DHS’s President’s Cup Cybersecurity Competition, and legislation authored by Congressman Swalwell aimed at improving DHS’s cybersecurity training to protect industrial control systems.”
In addition to the provisions cited by Thompson, the bill contains dozens of other subtitles and subsections that deal strictly with cybersecurity. Among the notable military-related cyber provisions in the bill are the following:
Although most of the cybersecurity provisions in the NDAA are related directly to military operations, some are not. Prominent among the non-military sections of the bill is the codification of the State Department’s Bureau of Cyberspace and Digital Policy, which is currently headed by the recently inaugurated Ambassador Nate Fick.
Some anticipated NDAA provisions were dropped in the reconciliation between the House and Senate versions of the legislation. Chief among the provisions that didn’t make the cut is one that was intended to establish a five-year term for the director of CISA, which was included in the House-passed version of the bill.
The final bill also excluded a provision from Representative Ritchie Torres (D-NY) that would have required DHS’s Cyber Safety Review Board (CSRB) to analyze the SolarWinds breach. Although a White House executive order instructed the CSRB to start its work by analyzing that incident, the board opted to study the Log4j vulnerability instead.
Finally, following pressure from trade sector groups, another provision dropped from the bill was a requirement that vendors provide a software bill of materials (SBOM) on the technology they offer government agencies. That provision was contained in the Senate version of the bill but was removed from the final bill as lawmakers yielded to private sector arguments that more time is needed to develop solutions that will better secure the country’s cybersecurity supply chain.
A Senate vote on the bipartisan reconciliation bill is scheduled for this week. After that, the bill heads to President Biden’s desk for his signature.
 
Copyright © 2022 IDG Communications, Inc.