The fiscal year (FY) 2022 National Defense Authorization Act (NDAA) passed the House of Representatives late Sept. 23 with a bipartisan 316-113 vote. Among the amendments are a number of tech provisions focusing heavily on cybersecurity, along with some focusing on the digital workforce, cloud, and AI.
The bulk of the relevant amendments were agreed to in four separate blocs by voice vote. Among them were amendments that would limit the term of the director of the Cybersecurity and Infrastructure Security Agency (CISA), authorize the creation of a Cyber Incident Review Office, create a statutory framework for the Federal Risk and Authorization Management Program (FedRAMP), and plenty more.
“I am once again incredibly proud of the work of the House Armed Services Committee, despite the ongoing challenges posed by the COVID-19 pandemic,” House Armed Services Committee Chair Adam Smith, D-Wash., said in a statement. “The FY22 NDAA is an excellent piece of legislation that makes transformational policy changes with direct benefits for our service members and their families.”
Here’s a rundown of the tech amendments that made the cut for the House version.
Many of the previously reported cybersecurity amendments made it into the final amended bill, including an amendment limiting the term of the CISA director to five years and another establishing a Cyber Incident Review Office.
In addition to limiting the term of the CISA director, the amendment also reaffirms that the position is presidentially appointed. The amendment was initially offered by Reps. Andrew Garbarino, R-N.Y., and Jim Langevin, D-R.I. The bill also authorizes creating a Cyber Incident Review Office at CISA and requires any covered critical infrastructure (CI) owners and operators to refer cyber incidents to the office.
Other previously reported cyber amendments that were approved include:
- The authorization of CISA’s CyberSentry program, focused on the cybersecurity of industrial control systems (ICS);
- An amendment that would require CISA to update its incident response plan at least every two years;
- The codification of CISA’s National Cyber Exercise program; and
- One that would require the Department of Defense (DoD) to submit a report on how its Cybersecurity Maturity Model Certification (CMMC) program affects small businesses.
Beyond that, a pair of other cyber amendments include one that would require the Secretary of Defense to give Congress a report with cyber hygiene recommendations and another that would create a cyber counseling program for Small Business Development Centers (SBDCs).
The former would require the Defense Secretary’s report to include recommendations on cyber hygiene practices and would require DoD to assess the cyber hygiene of each of its components. The Government Accountability Office would then have to assess that report.
The cyber counseling certification program would be established at the nearly 1,000 SBDCs nationwide to help small businesses plan and implement cybersecurity measures. The amendment also gives the Small Business Administration the authority to reimburse SBDCs for the costs of the certifications, up to $350,000 each fiscal year.
Digital Workforce initiatives
The annual defense bill also included amendments aimed at bulking up the digital workforce, including a cyber apprenticeship program and the creation of a National Digital Reserve Corps.
The bill establishes a program between the Department of Veterans Affairs and CISA that would give cybersecurity training to armed service members and veterans transitioning to civilian life. A cyber apprenticeship program would then be created at CISA. CISA Director Jen Easterly expressed her support for the program and similar programs on Sept. 23 at a Senate Homeland Security and Governmental Affairs hearing.
“We’ve already started talking about how we could implement apprenticeships at CISA,” Easterly said. “I think we need to be as creative as possible in all our approaches to deal with the deficit that we have across the country and then across the federal cyber workforce.”
The House also approved an amendment that has been opposed by the American Federation of Government Employees (AFGE) due to the lack of a public disclosure requirement. The amendment creates a National Digital Reserve Corps at the General Services Administration. Under the provision, private sector tech employees can spend up to 30 calendar days working on government digital, AI, and cybersecurity projects.
Two other amendments would require studies around the organization and hiring of digital and cyber talent.
One, offered by Rep. Langevin, would require the DoD to study “the best way to organize cyber roles around core functions.” The other – offered by Reps. Langevin; Chrissy Houlahan, D-Pa.; James Comer, R-Miss.; and Fred Keller, R-Pa. – would require an annual report from the Chief Human Capital Officers Council to Congress and the Office of Personnel Management on the barriers to agencies hiring qualified digital talent, as well as recommendations on addressing any challenges.
The bill also included an amendment that will extend a regional pilot cybersecurity program by two years. The Pilot Program on Regional Cybersecurity Training Center was initially included in the FY2019 NDAA and is overseen by the Army National Guard.
Cloud and AI
A few cloud and AI programs also made the cut via amendments.
Rep. Gerry Connolly, D-Va., included an amendment that would require the creation of a statutory framework for FedRAMP. According to the House Rules Committee summary, the goal of the amendment is to “make the program more accountable and transparent and help ensure that agencies’ processes of moving safely to the cloud are streamlined and efficient.”
A pair of amendments would focus on AI in the Pentagon. One would increase funding for the Soldier Lethality program to develop warfighter AI capabilities further. The other would require a report from the Secretary of Defense on the National Security Commission on AI’s recommendations to DoD and whether the Secretary plans on implementing the commission’s recommendations.
The bill will still need to pass the Senate before it can become law, so we’ll keep an eye on the status of these provisions and any more that get included as the Senate considers the bill.