The U.S. Congress recently overrode President Trump's veto of the 2021 National Defense Authorization Act (NDAA); the Senate completed the override by a vote of 81-13, following an earlier override vote in the House.
The bill includes dozens of cybersecurity provisions, as well as the restoration of the position of National Cyber Director at the White House.
Twenty-seven of the information security provisions come directly from Cyberspace Solarium Commission (CSC) recommendations for improving U.S. cybersecurity posture. Keep reading for specifics.
New qualifications for Director of CISA
The bill also includes new qualifications for becoming Director of the Cybersecurity and Infrastructure Security Agency (CISA).
Future directors must have "extensive knowledge in cybersecurity, infrastructure security and security risk management. And they must also have at least five years of experience in fostering coordination and collaboration between the federal government, the private sector and other entities on issues related to cybersecurity, infrastructure security or security risk management."
This is big news, as CISA has been without a director since November, when the Trump administration fired Christopher Krebs.
Restoring National Cyber Director position to the White House
A bipartisan group of leaders in Congress called the security provisions a big step forward for addressing the current cybersecurity needs of the United States.
Senator Angus S. King and Representative Mike Gallagher, who focus on cybersecurity matters, had this to say when the bill passed:
"The inclusion of the National Cyber Director (NCD) housed in the Executive Office of the President (EOP) is a real game changer. The NCD will be the President's principal advisor for cybersecurity-related issues, as well as lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector. We thank all members of Congress and especially Senator Mike Rounds (R-S.D.) for his leadership in getting this provision into the final conference report."
Senator Ben Sasse also shared his thoughts about the bill and how it will benefit the U.S. in years to come.
"Superpowers can't lose cyberwars and stay on top. Dominance in the cyber domain will dictate outcomes of modern wars. The inclusion of over two dozen of our Commission's recommendations, as well as the establishment of a National Cyber Director, puts us on a stronger path to dominance. We've got a lot more work ahead, but can be proud of our progress."
27 cybersecurity provisions included in the Defense Bill
Here are 27 cybersecurity provisions in the defense bill, most of which come directly from the Cyberspace Solarium Commission's recommendations.
- Strengthening Federal Networks: Authorizes CISA to conduct threat hunting on federal civilian agency networks with or without advance notice to, or authorization from, the agency concerned.
- Improvement Relating to the Quadrennial Cyber Posture Review: Directs DoD to conduct a force structure assessment of the Cyber Mission Force to ensure sufficient force structure and capabilities for the current threat and mission; this will include an assessment for the combat support agencies that support the cyber mission.
- Modification of acquisition authority of Commander of United States Cyber Command: Amends FY16 NDAA to change the acquisition authority of USCC. (related to 1746)
- Modification of Requirements Relating to the Strategic Cyber Security Program and the Evaluation of Cyber Vulnerabilities of Major Weapon Systems of the Department of Defense: Tasks DoD with developing a plan for the annual assessment of cyber vulnerabilities of major weapon systems, and with sharing lessons learned and best practices from the annual assessment of the cyber resiliency of the nuclear command and control system.
- Renewing the Cyberspace Solarium Commission: Reauthorizes the CSC through late December 2021.
- Establishment in DHS of the Joint Cyber Planning Office: Establishes a Joint Cyber Planning Office under CISA, to facilitate comprehensive planning of defensive cybersecurity campaigns across federal departments and agencies and the private sector.
- Administrative Subpoena Authority for the Cybersecurity and Infrastructure Security Agency: Grants CISA administrative subpoena authority so it can obtain from internet service providers the subscriber information needed to identify the owners of vulnerable internet-connected systems and notify those public and private system owners.
- Cybersecurity Advisory Committee: Establishes a Cybersecurity Advisory Committee to advise DHS/CISA.
- Cybersecurity Education and Training Assistance Program: Authorizes the (already existing) Cybersecurity Education and Training Assistance Program (CETAP) at DHS/CISA, a K-12 cyber education initiative. CETAP will continue to provide curricula for K-12 education and resources and training for K-12 educators, and will promote and support national standards for K-12 cyber education.
- Report on the risk to national security posed by quantum computing technologies: Mandates a comprehensive assessment of the threats and risks posed by quantum technologies to national security systems.
- Assessing Private-Public Collaboration in Cybersecurity: Requires DoD to assess the impact of the current Pathfinder initiative, the Department's support to and integration with existing Federal cybersecurity centers, and comparable initiatives led by other Federal departments or agencies that support long-term public-private cybersecurity collaboration, and to make recommendations for improvements.
- Clarifying the Cyber Capabilities and Interoperability of the National Guard: Directs the DoD to evaluate statutes, rules, regulations, and standards that pertain to the use of the National Guard for the response to and recovery from significant cyber incidents.
- Evaluation of non-traditional cyber support to the Department of Defense: Requires an assessment from the DoD on the need for, models for, and requirements of a cyber reserve force.
- Establishment of an Integrated Cybersecurity Center: Directs the executive branch to submit a report to Congress evaluating the Federal cybersecurity centers and the potential for better coordination of Federal cybersecurity efforts at an integrated cybersecurity center within CISA.
- Defense Industrial Base Participation in a Threat Intelligence Sharing Program: Requires DoD to assess the feasibility, suitability, and definition of, and resourcing required to establish a DIB threat information sharing program.
- Defense Industrial Base Cybersecurity Threat Hunting and Sensing, Discovery, and Mitigation: Requires DoD to complete an assessment of the feasibility, suitability, and resourcing required to establish a DIB cybersecurity threat hunting program.
- Creation of a Biennial National Cyber Exercise: Establishes a national cyber exercise to be conducted every two years to include federal, state, and private sector stakeholders, as well as international partners.
- Cybersecurity and Infrastructure Security Agency Review: Tasks DHS with conducting a comprehensive review of CISA's ability to fulfill its current and CSC-recommended missions; this includes both a force structure assessment and a resource review.
- Report on Enabling U.S. Cyber Command Resource Allocation: Requires DoD to submit a report to Congress detailing actions to ensure that USCC possesses the necessary authorities, direction, and control of the Cyber Operations Forces and the budget needed to fulfill its mission. (related to 1711)
- Ensuring Cyber Resiliency of Nuclear Command and Control Systems: Requires the DoD to develop a comprehensive plan to implement findings and recommendations pertaining to the cyber defense of nuclear command and control systems.
- Establish the National Cyber Director and the Office of the National Cyber Director: Establishes a Senate-confirmed National Cyber Director within the White House to serve as the President's principal cyber advisor and provide a nexus for cybersecurity leadership in the White House.
- DHS Strengthen CISA Director: Administrative changes to strengthen the Director position at CISA.
- Codify Sector Risk Management Agencies: Codifies Sector Specific Agencies as Sector Risk Management Agencies, establishing minimum responsibilities and requirements for identifying, assessing, and assisting in managing risk for the critical infrastructure sectors under their purview.
- GAO Study of Cybersecurity Insurance: Calls on the GAO to study ways to improve the market for cybersecurity insurance.
- Strategy to Secure Email: Directs DHS to develop a strategy for implementing the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard across all U.S.-based email providers. DMARC lets a domain owner publish a policy for mail that fails SPF or DKIM alignment, so receivers can quarantine or reject messages that spoof the domain, diminishing the effectiveness of phishing emails that impersonate it.
- Recruit, Develop, and Retain a Stronger Cyber Workforce: Enhances the federal government’s ability to recruit, develop, and retain its cyber workforce. Changes to NIST NICE, including a large grant program to national partners, and improvements to the CyberCorps Scholarship for Service program.
- Continuity of the Economy Plan: Mandates the creation of a Continuity of the Economy planning effort to ensure the rapid restart and recovery of the U.S. economy after a major disruption.
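The DMARC provision above only directs DHS to write a strategy; the practical question for any domain owner is whether the record they already publish would actually block a spoofed message. The following is an added example written for this page, not code from the article, the NDAA, or DHS. It parses DMARC TXT records and flags the common configurations that look like DMARC but enforce nothing (`p=none`, partial `pct=`, `sp=none` on subdomains, no reporting address). The records under `SAMPLE_RECORDS` and their domain names are constructed samples; in production the record would come from a DNS TXT query for `_dmarc.<domain>`, which is deliberately not performed here so the example runs offline.

```python
"""Parse DMARC TXT records and grade their enforcement posture.

Added example for illustration; not from the article or the bill text.
Sample records are constructed, not fetched from DNS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records, as they would appear at _dmarc.<domain>.
# The domain names are placeholders (assumption: reserved .example TLD).
SAMPLE_RECORDS = {
    "weak.example":    "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:r@partial.example",
    "strong.example":  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                       "rua=mailto:r@strong.example; ruf=mailto:f@strong.example",
    "broken.example":  "v=DMARC1; rua=mailto:r@broken.example",    # p= tag missing
    "notdmarc.example": "v=spf1 include:_spf.example.com -all",    # an SPF record, not DMARC
}


@dataclass
class DmarcAssessment:
    tags: Dict[str, str]
    findings: List[str] = field(default_factory=list)

    @property
    def policy(self) -> Optional[str]:
        return self.tags.get("p")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (RFC 7489 tag-value syntax).

    Tag names are case-insensitive, so they are lower-cased; values are
    kept as written because mailto: URIs and similar are case-sensitive.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Return the parsed tags plus a list of reasons the record is weak."""
    tags = parse_dmarc(record)
    result = DmarcAssessment(tags)

    # A record must start with v=DMARC1; anything else is ignored by receivers.
    if tags.get("v", "").upper() != "DMARC1":
        result.findings.append("not a DMARC record (v=DMARC1 missing)")
        return result
    policy = tags.get("p")
    if policy is None:
        result.findings.append("p= tag missing; receivers treat the record as invalid")
        return result
    if policy == "none":
        result.findings.append("p=none: monitoring only, spoofed mail is still delivered")

    # pct= applies the policy to only a fraction of failing messages.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        result.findings.append(f"pct={tags['pct']!r} is not an integer")
    if policy != "none" and pct < 100:
        result.findings.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")

    # sp= governs subdomains and defaults to p= when absent.
    subdomain_policy = tags.get("sp", policy)
    if policy != "none" and subdomain_policy == "none":
        result.findings.append("sp=none: subdomains can still be spoofed")

    if "rua" not in tags:
        result.findings.append("no rua= address: no aggregate reports, no visibility")
    return result


def is_enforcing(record: str) -> bool:
    """True only when failing mail for the domain and its subdomains is acted on."""
    tags = assess_dmarc(record).tags
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        return False
    if tags.get("sp", policy) not in ("quarantine", "reject"):
        return False
    return tags.get("pct", "100") == "100"


def grade_all(records: Dict[str, str] = SAMPLE_RECORDS) -> Dict[str, bool]:
    """Map each domain to whether its record enforces a policy."""
    return {domain: is_enforcing(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        assessment = assess_dmarc(rec)
        status = "ENFORCING" if is_enforcing(rec) else "NOT ENFORCING"
        print(f"{domain}: {status}")
        for finding in assessment.findings:
            print(f"  - {finding}")
```

Only `strong.example` passes: `p=reject` with `sp=reject` and the default `pct=100`. The `partial.example` record is the one that catches people out in practice, since it reads as "quarantine" but applies the policy to a quarter of failing messages and leaves subdomains unprotected. Note that an enforcing DMARC record still depends on correct SPF and DKIM alignment; this check says nothing about whether the domain's legitimate senders are actually authenticated, which is what a `rua=` aggregate-report feed is for.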