NDAA markup includes slew of new cyber provisions

The next defense spending bill could have a slew of new cyber provisions aimed at streamlining the Defense Department’s collaboration with the rest of government regarding cyber threats.

The House Armed Services Committee's Subcommittee on Emerging Threats and Capabilities released a markup of the 2019 National Defense Authorization Act on April 26 that includes a range of cyber provisions and recommendations focusing on expanding cyber forces, protecting critical infrastructure and consolidating cyber responsibilities.

Key provisions include:

Studying state cyber teams. The markup calls for Departments of Defense and Homeland Seucurity to jointly study and report on the viability of a cyber civil support teams in each state. Teams would include members of the military’s reserve components and serve under state governors’ command and control “to prepare for and respond to cyber incidents, cyber emergencies, and cyber attacks.”

Protecting critical infrastructure with more hackathons. The Defense Digital Service would be included in a pilot program to facilitate collaboration by having the DOD provide technical personnel to DHS and unify government efforts regarding critical infrastructure protection against cyber threats. The committee noted DDS’ past success with the “Hack the Pentagon” program and cited expanding the use of bug bounty programs as reason to add the agency to the pilot.

Boosting breach notification requirements. DOD would have to “promptly” notify congressional oversight committees following any breach that involved “a significant loss of personally identifiable information of civilian or uniformed members of the Armed Forces in classified or unclassified formats.”

Prioritizing tech needs at DOD installations. The committee recommended the Defense Innovation Unit Experimental prioritize critical technological needs at DOD installations and “invest in the rapid insertion of innovative installation capabilities.” DIUx’s director would be required to brief the House Armed Services Committee on this work by Oct. 1.

Fully integrating DIUx’s Silicon Valley vibe into defense labs. DOD’s laboratories should have a tighter relationship with innovation hubs, such as DIUx, the Strategic Capabilities Office and the Defense Advanced Research Projects Agency. The Defense undersecretary for research and engineering would have to brief the HASC by Oct. 1 with a plan and timeline on increasing labs’ reach in commercial innovation spaces. 

Mapping cyber vulnerabilities in weapons systems. The defense secretary would need to provide a “consolidated display for cyber vulnerability evaluations and mitigation activities for each major weapon system beginning in fiscal year 2021,” including each system’s status, funding requirements and planned activities descriptions.

Cyber Command absorbing (some of) DISA’s responsibilities. The U.S. Cyber Commander would take over the Defense Information Systems Agency commander’s responsibilities pertaining to protection of the Joint Force Headquarters-DOD’s information networks (DODIN) by Sept. 30, according to the provision. FCW previously reported on the proposed slow transfer of DISA’s purview to Cyber Command.

The markup will be considered by the full committee on May 9.