Today the House accepted the Conference Report on S 2943, the FY 2017 National Defense Authorization Act (NDAA), by a strongly bipartisan vote of 375 – 34. The cybersecurity provisions of both HR 4909 and the Senate version of S 2943 were included in the final version with some modifications.
The cybersecurity provisions in the bill included (the page numbers refer to the explanation of the provision in the Conference Report):
Sec. 1641 [HR 4909, §1631] Special emergency procurement authority to facilitate the defense against or recovery from a cyber attack (pg 2717);
Sec. 1642 [S 2943, §1633] Limitation on termination of dual-hat arrangement for Command of the United States Cyber Command (pg 2717);
Sec. 1643 [S 2943, §1632] Cyber mission forces matters (pgs 2717-8);
Sec. 1644 [HR 4909, §1633] Requirement to enter into agreements relating to use of cyber opposition Forces (pg 2718);
Sec. 1645 [S 2943, §1631] Cyber protection support for Department of Defense personnel in positions highly vulnerable to cyber attack (pg 2718);
Sec. 1646 [HR 4909, §1634] Limitation on full deployment of joint regional security stacks (pg 2719);
Sec. 1647 [HR 4909, §1637] Advisory committee on industrial security and industrial base policy (pgs 2719-20);
Sec. 1648 [HR 4909, §1632] Change in name of National Defense University’s Information Resources Management College to College of Information and Cyberspace (pg 2720);
Sec. 1649 [S 2943, §1635] Evaluation of cyber vulnerabilities of F–35 aircraft and support systems (pg 2720);
Sec. 1650 [S 2943, §1637 and §1634] Evaluation of cyber vulnerabilities of Department of Defense critical infrastructure (pg 2721);
Sec. 1651 [HR 4909, §1639] Strategy to incorporate Army reserve component cyber protection teams into Department of Defense cyber mission force (pg 2721);
Sec. 1652 [S 2943, §1636] Strategic plan for the Defense Information Systems Agency (pgs 2721-2);
Sec. 1653 [S 2943, §1638] Plan for information security continuous monitoring capability and comply-to-connect policy; limitation on software licensing (pg 2722);
Sec. 1654 [S 2943, §1639 and §1640] Reports on deterrence of adversaries in cyberspace (pgs 2722-3); and
Sec. 1655 [HR 4909, §1638] Sense of Congress on cyber resiliency of the networks and communications systems of the National Guard (pg 2723).
Control System Security
Control system security is now addressed in two of those sections; §1644 and §1650.
Section 1644 addresses the use and training of cyber opposition forces in military exercises. The Conference Committee added a new subsection (c) that calls for the development of a joint training program and certification “for the protection of control systems”. The development is to be completed by June 30th, 2017.
Section 1650 addresses the evaluation of cyber vulnerabilities within DOD critical infrastructure. It incorporates the ‘cyber informed methodologies’ that I discussed earlier. That terminology is not actually used, but the pilot program required in subsection (b) and the tools for that pilot described in subsection (e) clearly apply to those types of methodologies.
The Senate is likely to take up the Conference Report next week. They are very likely to accept the report under their unanimous consent procedures.