Lawmakers attached several cybersecurity-focused amendments to the fiscal 2018 National Defense Authorization Act in a last-minute effort Wednesday to change how the federal government defends itself from cyberattacks and how the military conducts offensive cyber-operations.
The House was still working on the bill as of Thursday afternoon. The provisions added Wednesday joined an already lengthy list of items related to government cybersecurity initiatives.
Because the NDAA is a policy bill and not a spending bill, congressional rules leave it more open to amendments. It’s common for lawmakers to use it as a vehicle for a wide range of legislative priorities. Most of the amendments added Wednesday have a military component, though.
Six cybersecurity amendments were added Wednesday to the House’s version of the bill, which still faces a conference committee with the Senate version.
Reps. Mike Johnson, R-La., Dan Lipinski, D-Ill., Gregg Harper, R-Miss., Robert Brady, D-Pa., Jose Correa, D-Calif., Pete Aguilar, D-Calif., and Carol Shea-Porter, D-N.H., were each involved in introducing approved amendments.
Amendments added to the House bill:
Report on Cyber Capability and Readiness Shortfalls
Sponsor: Rep. Mike Johnson, R-La.
Summary: Calls on the Army, within 180 days of the bill’s enactment, to provide a report to Congress that outlines the Army’s Combat Training Centers, current resident cyber capabilities and related training programs. The purpose of the report is to better inform lawmakers on possible pitfalls, insufficient funding and opportunities for expansion in the Army’s cybersecurity efforts.
Providing Assistance to House of Representatives in Response to Cybersecurity Events
Sponsors: Rep. Gregg Harper, R-Miss., and Rep. Robert Brady, D-Pa.
Summary: Calls for the creation of an emergency fund for House leadership to tap into if a significant cyberattack were to cripple information technology systems used by lawmakers and congressional staff. This extra cash could be used by staff in “containing, mitigating, or resolving the event.” In addition, the amendment outlines that the Speaker of the House would request assistance from the head of any executive department, military department, or any “independent establishment,” including a private sector cybersecurity firm.
Sense of Congress on Cooperative Program for NIST Framework Compliance
Sponsor: Rep. Dan Lipinski, D-Ill.
Summary: Calls on the secretary of Defense to establish a cooperative program between the Office of the Chief Information Officer of the Department of Defense, the office known as Defense Procurement Acquisition Policy, and the National Institute of Standards and Technology’s Manufacturing Extension Partnership. The program would be designed to help educate and assist small to medium-sized manufacturing firms in the Department of Defense’s supply chain to become compliant with NIST Special Publication 800-171, an information security standards framework.
Strategy for the Offensive Use of Cyber Capabilities
Sponsor: Rep. Jose Correa, D-Calif.
Summary: Calls on the Department of Defense to update its cybersecurity strategy; to require the president to develop a strategy for the offensive use of cyber capabilities; and to allow for technical assistance to North Atlantic Treaty Organization members.
Report on Prior Attempted Russian Cyberattacks Against Defense Systems
Sponsor: Rep. Jose Correa, D-Calif.
Summary: Would require the secretary of Defense, in coordination with the director of national intelligence, to provide Congress with a report on any known attempts to hack into Department of Defense systems within the past 24 months by the Russian Federation or actors supported by the Russian Federation. The measure sets a deadline of 90 days from passage.
Department of Defense Cyber Workforce Development Pilot Program
Sponsors: Rep. Pete Aguilar, D-Calif., and Rep. Carol Shea-Porter, D-N.H.
Summary: Would create a talent management pilot program for the recruitment, training, development and retention of cyber workforce personnel within the Defense Department. This program would be managed by the chief information officer of the department in consultation with the principal cybersecurity adviser to the secretary of Defense. Every fiscal year, the Defense Department will be expected to provide a report to Congress that outlines the program’s effectiveness, findings and any necessary changes.