The Fiscal Year (FY) 2023 National Defense Authorization Act (NDAA) bill released by the House Rules Committee late Tuesday evening features numerous provisions designed to bolster cyber capabilities and operations not only at the Defense Department (DoD), but at other Federal agencies as well.
“We are pleased to announce we’ve come to a bipartisan, bicameral agreement on this year’s National Defense Authorization Act,” said Reps. Adam Smith, D-Wash., and Mike Rogers, R-Ala., and Sens. Jack Reed, D-R.I., and Jim Inhofe, R-Okla.
“This year’s agreement continues the Armed Services Committees’ 62-year tradition of working together to support our troops and strengthen America’s national security,” they said. “We urge Congress to pass the NDAA quickly and the president to sign it when it reaches his desk.”
The House is expected to take up the bill on Dec. 8, with the Senate on tap to consider it sometime next week.
Cyber Funding Inclusions
The FY2023 NDAA would authorize a number of funding increases designed to beef up cyber operations in response to the cyber threat environment.
Among the cyber funding provisions is a $44.1 million investment to support the U.S. Cyber Command’s (CYBERCOM) Hunt Forward Operations, as well as an increase of $56.4 million for CYBERCOM Joint Cyber Warfighting Architecture development.
The bill also authorizes an increase of $25 million for the Air Force Cyber Resilience for Weapons Systems (CROWS), and $20 million for establishment and initial operations of the Nuclear Command, Control, and Communications Rapid Engineering Architecture Collaboration Hub (REACH).
As for strengthening the DoD’s cyber posture, the bill authorizes:
- An increase of $10 million to support cyber consortium seed funding;
- An increase of $20 million for the National Security Agency Center of Academic Excellence cybersecurity workforce pilot program;
- An increase of $20 million for the Defense Advanced Research Projects Agency’s (DARPA) enhanced non-kinetic/cyber modeling and simulation activities;
- An increase of $168 million for Cyber Mission Force operational support, including intelligence support to cyberspace operations; and
- An increase of $50 million for artificial intelligence systems and applications development at CYBERCOM.
Aside from specific funding increases, the FY2023 NDAA also features a long list of cyber to-dos to improve Federal cybersecurity across the board.
For example, the bill “requires a five-year roadmap and implementation plan for rapidly adopting artificial intelligence applications to the warfighter cyber missions within the DoD,” according to the Senate Armed Services Committee summary of the bill.
Additionally, it requires a strategy for cyber and electronic warfare “conducted by and through deployed military and intelligence assets operating in the radiofrequency domain to provide strategic, operational, and tactical effects in support of combatant commanders.”
Along the lines of election security, the bill directs a biennial, unclassified report through the 2032 election cycle on CYBERCOM efforts to counter election threats and ensure election security.
It also requires the secretary of the Navy to establish a cyber operations designator and rating, and requires the establishment of a program executive office to manage and provide oversight of the implementation and integration of the Joint Cyber Warfighting Architecture.
Notably, the bill also increases the number of Assistant Secretaries of Defense (ASD) to 19 and designates one of the new ASD positions specifically for cyber policy.
These are just some of the cyber provisions in the bill. The NDAA has already been the subject of intense negotiations between House and Senate leadership on both sides of the aisle, so the bill that landed last night already reflects an agreement between the parties on major issues.
However, not everything cyber made the cut. The version of the FY2023 NDAA passed by the House in July featured legislation offered by Rep. Jim Langevin, D-R.I., that would create a class of “systemically important” critical infrastructure providers. This provision appears to be left out of the bill released last night.