Thursday, July 13, 2017

S 1519 Introduced – FY 2018 NDAA

Earlier this week Sen. McCain (R,AZ) introduced S 1519, the National Defense Authorization Act for Fiscal Year 2018. The bill has already been marked up in the Senate Armed Services Committee. The House version of this bill is currently being considered on the floor of the House. The bill includes a number of cyber provisions.

Those provisions include:

§510. Service credit for cyberspace experience or advanced education upon original appointment as a commissioned officer.
§1042. Department of Defense integration of information operations and cyber-enabled information operations.
§1621. Policy of the United States on cyberspace, cybersecurity, and cyber warfare.
§1622. Cyber posture review.
§1623. Modification and clarification of requirements and authorities relating to establishment of unified combatant command for cyber operations.
§1624. Annual assessment of cyber resiliency of nuclear command and control system.
§1625. Strategic Cybersecurity Program.
§1626. Evaluation of agile acquisition of cyber tools and applications.
§1627. Report on cost implications of terminating dual-hat arrangement for Commander of United States Cyber Command.
§1628. Modification of Information Assurance Scholarship Program.
§1629. Measuring compliance of components of Department of Defense with cybersecurity requirements for securing industrial control systems.
§1630. Exercise on assessing cybersecurity support to election systems of States.
§1630A. Report on various approaches to cyber deterrence.
§1630B. Prohibition on use of software platforms developed by Kaspersky Lab.

Only one of these provisions (§1629) specifically addresses industrial control system operations.

ICS Compliance

Section 1629 requires DOD to modify its Cyber Scorecard (part of the DOD Cybersecurity Discipline Implementation Plan) to specifically address securing “the industrial control systems of the Department against cyber threats, including supervisory control and data acquisition systems (SCADA), distributed control systems (DCS), programmable logic controllers (PLC), and platform information technology (PIT)” {§1629(a)}.

Kaspersky Lab

Section 1630B is the much-publicized prohibition of DOD use or continued use products from the Kaspersky Lab. There is nothing in the language of §1630B (or in the Committee Report on the bill) that explains the reason for the prohibition.

Moving Forward

This bill is one of the ‘required’ bills that will be passed each year. The bill will be taken up by the Senate, probably before the summer recess starts in August. The process will include a substantial number of amendments to be considered. Once the bill passes in the Senate, a conference committee will take up the differences between the House version (HR 2810) and this bill.


If the §1629 provisions make it into the final bill, DOD will have to substantially re-write their Cybersecurity Discipline Implementation Plan. The current document is IT-centric with no mention of control systems or their unique security issues.

The Kaspersky provision is pure political theater; anti-Russian posturing at its worst. Interestingly, the ‘immediately’ provisions of the section do not become effective until October 1st, 2018 {§1630B(c)}, theoretically one year after this bill becomes effective. I suspect that this unusual provision was added to allow calmer heads to remove this requirement after the political capital is harvested.

No comments:

/* Use this with templates/template-twocol.html */