Defense bill includes key cyber provisions

While measures pertaining to military detention of suspected terrorists dominated the debate, the 2012 National Defense Authorization Act will also affect cybersecurity and defense IT.

The Senate version of the National Defense Authorization Bill, passed Dec. 1, includes important provisions designed to produce more robust cyber tools for defending DOD networks and gateways.

The passage of the bill ended days of verbal battle sparked by language in the bill that gave broad powers for military detainment of suspected terrorists without due process, including American citizens.

The contested provision, which could have allowed American citizens to be detained on U.S. soil and held indefinitely without charge or trial, was modified in a bipartisan compromise amendment that passed 99-1 on Thursday night. The compromise came after three other amendments seeking to modify or remove the language failed.

The bill, which grants $662 billion in budget authority and guides policy for the Defense Department for fiscal 2012, passed by a margin of 93 to 7 and contains a number of provisions pertaining to defense IT, cybersecurity and the defense contracting and acquisition communities.

Now that the bill has passed, it will go to a House-Senate conference committee next week to bridge differences in their respective versions, and then to the White House.

“This is the best we could do, and it’s the cleanest we could do,” and the bill needs to go to conference, said Carl Levin (D-Mich.), Senate Armed Forces Committee chairman.

The bill contains several measures pertaining to technology and procurement, including a controversial cap on government-funded executive pay of defense contractors and rules that put contractors on the hook for counterfeit parts and products that end up in the supply chain of military weapons systems and other goods.

Trey Hodgkins, senior vice president for national security and procurement policy at TechAmerica, an industry trade organization, said the counterfeit parts legislation has some of the bill’s biggest impact on defense IT.

Key Provisions

Among the bill’s other provisions are rules designed to steel cyber defenses, improve intelligence-sharing capabilities throughout the department, implement open-source IT solutions and modernize DOD’s complex and antiquated business systems.

According to the bill, the Defense Secretary will be held responsible for developing and implementing a plan to augment DOD’s cybersecurity strategy by acquiring advanced tools for discovering and isolating intrusions and protecting DOD networks and gateways.

That section of the bill also calls for beefed-up security capabilities for the Defense Information Systems Agency and U.S. Cyber Command, as well as for DOD’s host-based security systems.

DOD is to use commercial solutions for the cyber capabilities whenever possible, according to section 913 of the bill.

The NDAA includes a section titled “program in support of DOD policy on sustaining and expanding information sharing,” although the bulk of that section, 932, actually concerns capabilities to protect internal information and to detect and prevent personnel from exporting information from classified networks, along with other insider security threats.

However, two other separate sections (923 and 924) do contain language targeting improved information-sharing capabilities: an open-source Ozone Widget Framework to be facilitated by DISA, and plans for enhanced search capacity for the Defense Intelligence Information Enterprise (DI2E), used by the federal intelligence community.

Under section 923’s guidance, DISA will be responsible for “implementing a mechanism to publish and maintain on the public Internet…the information on, and resources for, the ozone widget framework,” permitting individuals and companies to develop and field open-source tools and applications for DOD. Those resources will include programming interface specifications, a developer’s toolkit and source code, which also must be open to outside contribution of potential improvements.

The DI2E provisions include a pilot program for the intelligence community that will demonstrate lightning-fast, enterprise-wide query capabilities across “numerous, large, distributed” databases. The pilot would incorporate the required multiple levels of security and operate on both structured and unstructured data, according to the bill. A report on the pilot program will be due to Congress by Nov. 1, 2012.

Finally, the bill takes aim at DOD’s numerous, redundant business systems, calling on the DOD deputy chief management officer to establish, by March 15, 2012, an investment review board and management process that will review all facets of DOD’s business systems. The board is designed to include seats at the table for the Joint Chiefs of Staff, the DOD CIO and other DOD agencies.

The goal will be “a target systems environment, aligned to the business enterprise architecture, for each of the major business processes conducted by DOD as determined” by the DCMO, per section 1002 of the legislation.