Monday, June 17, 2019

S 1790 Introduced – FY 2020 NDAA


Last week Sen. Inhofe (R,OK) introduced S 1790, the National Defense Authorization Act (NDAA) for Fiscal Year 2020. The bill was reported favorably by the Senate Armed Services Committee, which Inhofe chairs. The Senate is scheduled to take up the bill this week. The bill includes an entire subtitle on cyber operations, including one section that would require DOD to develop a set of cybersecurity standards for the defense industrial base.

Defense Industrial Base Cybersecurity


Section 1634 would require DOD to “develop a consistent, comprehensive framework to enhance cybersecurity for the United States defense industrial base” {§1634(a)}. The framework would have to be developed by February 1st, 2020. The framework would include {§1634(b)}:

Identification of unified cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements to be imposed on the defense industrial base for the purpose of assessing the cybersecurity of individual contractors.
The roles and responsibilities of various activities within the Department of Defense, across the entire acquisition process, beginning with market research, including responsibility determination, solicitation, and award, and continuing with contractor management and oversight on matters relating to cybersecurity.
The responsibilities of the prime contractors, and all subcontractors in the supply chain, for implementing the required cybersecurity standards, regulations, metrics, ratings, third-party certifications, and requirements identified under paragraph (1).
A plan to provide implementation guidance, education, manuals, and, as necessary, direct technical support or assistance to such contractors on matters relating to cybersecurity.
Methods and programs for defining and managing controlled unclassified information, and for limiting the presence of unnecessary sensitive information on contractor networks.
Quantitative metrics for assessing the effectiveness of the overall framework over time, with respect to the exfiltration of controlled unclassified information from the defense industrial base.

While the language in the bill does not specify whether the cybersecurity concerns cover both the information technology and control system technology used in the industrial base, the Committee Report does address the matter. It notes (pg 306):

“The committee is concerned that contractors within the defense industrial base are an inviting target for our adversaries, who have been conducting cyberattacks to steal critical military technologies.”

Control System Cybersecurity


The Report does address control system cybersecurity research being conducted by DOD. On pages 325-6 the Committee “commends the Department of Defense for its efforts to address the cybersecurity of installation industrial control systems (ICSs).” It goes on to discuss a National Security Agency research program, Integrated Adaptive Cyber Defense (IACD). It notes that “IACD technologies include sensing and automated orchestration and interoperability among cybersecurity tools and systems to defend both operational technology (such as ICSs) and information technology”. There is additional discussion of this technology under the “Software defined networking and network and cybersecurity orchestration” heading on pages 333-4.

Cybersecurity Research


The Report notes (pgs 97-8) that the Committee is recommending funding Defense-wide cybersecurity research (line item # PE 62668D8Z) at $25.1 million, an increase of $10.0 million above the Administration’s request.

Moving Forward


Senate floor consideration of this bill is expected to begin sometime this week (a number of nominations have to be completed first). Amendments have already started to be proposed to this bill; over 200 were submitted on Thursday alone. How many of those (and of the amendments yet to be submitted) will make it to the floor of the Senate remains to be seen.
