House puts NBIB shift under scrutiny in draft defense bill

Priorities are shifting as Democrats roll out their first House defense bill in nearly a decade.

House Democrats get to put their stamp on the annual bill authorizing defense programs for the first time in a long time. The first look at the House 2020 defense bill released June 3 comes from the Emerging Threats and Capabilities subcommittee and puts more oversight on the National Background Investigations Bureau’s move from the Office of Personnel Management to the Defense Department.

A House Armed Services Committee staffer told reporters during a media briefing June 3 that "saying there’s a transfer is different than how that all plays out in practice." The committee’s primary concerns are protecting civil liberties, such as privacy, and separating security and intelligence functions as the NBIB shifts to the Defense Security Service (soon to be the Defense Counterintelligence and Security Agency).

The draft of the subcommittee's legislation also emphasizes tightening cybersecurity of weapons and industrial control systems.

Multiple watchdog and internal reports found that DOD's weapons and other mission systems were riddled with cyber vulnerabilities. The committee hopes to remedy that by mandating evaluations of cyber vulnerabilities of each major weapon system by December 31 and requiring notification and justification for not meeting the deadline. The defense undersecretary for acquisition and sustainment would also have to report on mitigation efforts.

Additionally, DOD may have to be more accountable when it comes to endpoint security. The committee noted in its draft direct reporting language that DOD "still lags the private sector in accounting for endpoints connected to the Department of Defense Information Network."

As a result, the committee directs the DOD CIO to submit a report by Feb. 1, 2020 on the implementation plan with a detailed assessment on progress made, challenges encountered when trying to account for endpoints connected to the DODIN, and an overview of how "comply-to-connect" and "continuous monitoring" relate to the overall cybersecurity strategy.

The draft bill mandates DOD submit a comprehensive report on the Defense Industrial Base’s cybersecurity efforts to defense committees by May 1, 2020.