Dozens of cybersecurity-related provisions hailed by both sides of the aisle are contained in the $740 billion 2021 National Defense Authorization Act (NDAA) vetoed by President Trump--snapping a 59-year streak of presidential approval--but subsequently codified into law in a Congressional override.
Of the 77 cybersecurity articles in the NDAA, 27 are directly drawn from 25 recommendations presented by the Cyberspace Solarium Commission (CSC) last year to improve the nation’s cybersecurity posture. The NDAA's additional 50 cybersecurity measures were developed by Congressional committees.
An important clause to restore the position of national cyber director within the White House, responsible for coordinating federal cybersecurity policies, maps to the standalone National Cyber Director Act introduced last July by Reps. Jim Langevin (D-RI) and Mike Gallagher (R-WI). That bipartisan legislation called for a lead to function as the president’s principal advisor on cybersecurity and associated emerging technology issues. The person filling the job would be nominated by the president and subject to Senate confirmation.
CSC co-chairs Sen. Angus King (I-ME) and Rep. Mike Gallagher (R-WI) called the NDAA the “most comprehensive and forward-looking piece of national cybersecurity legislation in the nation's history,” additionally describing the national cyber director post as a “real game changer.”
Here are 10 key CSC recommendations included in the NDAA:
- Authorizes the Cybersecurity and Infrastructure Security Agency (CISA) to conduct unalerted threat hunting on federal networks.
- Tasks the Department of Defense (DoD) to develop a plan for the annual assessment of cyber vulnerabilities of major weapon systems.
- Establishes a Joint Cyber Planning Office under CISA to plan defensive cybersecurity campaigns across government agencies and the private sector.
- Authorizes the already existing Cybersecurity Education and Training Assistance Program to promote and support national standards for K-12 cyber education.
- Directs the executive branch to submit a report to Congress evaluating the federal cybersecurity centers and the potential for better coordination of federal cybersecurity efforts at an integrated cybersecurity center within CISA.
- Establishes a national cyber exercise to be conducted every two years to include federal, state, and private sector stakeholders, as well as international partners.
- Tasks the Department of Homeland Security (DHS) with conducting a comprehensive review of CISA's ability to fulfill its current and CSC-recommended missions.
- Establishes minimum responsibilities and requirements for identifying, assessing and assisting in managing risk for critical infrastructure sectors.
- Calls on the GAO to study ways to improve the market for cybersecurity insurance.
- Enhances the federal government’s ability to recruit, develop and retain its cyber workforce.
Support for the cybersecurity measures included in the NDAA came from other legislative corners. “Developing and advancing the numerous legislative proposals to make America safer in cyberspace was a massive undertaking, but we are better off today because of it,” said Jim Langevin (D-RI), who co-founded and co-chairs the Congressional Cybersecurity Caucus. “With these policies enacted, we are establishing the forward-leaning, layered cyber deterrence strategy that we need to face emerging and evolving cyber threats and adversaries.”