Sunday, June 28, 2020

S 4049 Introduced – FY 2021 NDAA


Earlier this week Sen Inhofe (R,OK) introduced S 4049, the National Defense Authorization Act (NDAA) for Fiscal Year 2021. The bill contains many cyber provisions, but most are related to cyber warfare operations. There are seven sections, however, that may have an impact on industrial cybersecurity operations.

The Senate Armed Services Committee has reported the bill, but the written report is not yet available from the Government Printing Office. The Senate has started the process for consideration of this bill with the first cloture vote scheduled for tomorrow.

Cybersecurity Items of Interest


The seven sections of potential interest are (numbers in parentheses are page numbers in the bill):

§590. Pilot programs on remote provision by National Guard to State governments and National Guards of other States of cybersecurity technical assistance in training, preparation, and response to cyber incidents. (pg 361)
§1623. Defense industrial base cybersecurity sensor architecture plan. (pg 881)
§1631. Defense industrial base participation in a cybersecurity threat intelligence sharing program. (pg 905)
§1632. Assessment on defense industrial base cybersecurity threat hunting. (pg 911)
§1635. Expansion of authority for access and information relating to cyber attacks on operationally critical contractors of the Armed Forces. (pg 915)
§1642. Assistance for small manufacturers in the defense industrial supply chain on matters relating to cybersecurity. (pg 927)
§3131. Reporting on penetrations of networks of contractors and subcontractors [of NNSA]. (pg 1044)

Section 590 is almost certainly essentially the same language that we will eventually see in S 3929, which was introduced on June 10th, 2020. That bill has not yet been published by the GPO; continuing problems there due to COVID-19 restrictions. The §590 provisions would require DOD to develop a pilot program to assess and develop National Guard capabilities to conduct remote operations to assist other States and National Guard units “with cybersecurity technical assistance in training, preparation, and response” while remaining within their home State.

The five sections relating to the Defense industrial base (DIB) would increase requirements and authority for DOD to oversee cybersecurity operations within the DIB. The provisions would include:

§1623 – DOD establishment of cybersecurity monitoring requirement and DOD access to the data from that monitoring,
§1631 – Mandatory 2-way information sharing about cybersecurity incidents, including incident reporting to DOD and threat analysis sharing from DOD,
§1632 – Require DOD to assess the need for DOD to conduct continuous threat hunting operations on DIB networks,
§1635 – Would amend 10 USC 391(c) to provide authority for armed forces to investigate cyber incidents at facilities of ‘operationally critical contractors’, and
§1642 – Would authorize DOD grants to small manufacturers to obtain cybersecurity assistance from centers established under 15 USC 278k(a).

A unifying thread in these five sections is a gradual move from voluntary to mandatory cybersecurity activities in the DIB. A similar move is reflected in §3131 with reference to contractors for the National Nuclear Security Administration (NNSA).

Floor Amendments


The bill was opened for the submission of amendments starting on Wednesday of last week. To date there have been over 500 amendments submitted. Only a small number of these amendments will make their way to the floor of the Senate for actual consideration. Amendments that I will be watching for include (the number in the brackets is the page number in the linked document):

SA 1710. Mr. KING (I,NH) - SEC. XX. Department of Homeland Security Critical Technology Security Centers. [S3233],
SA 1711. Mr. KING - SEC. XX Cybersecurity Reporting Requirements for Publicly Traded Companies [S3233],
SA 1711. Mr. KING - SEC. XX Cyber State of Distress [S3235],
SA 1715. Mr. KING - SEC. XX Bureau of Cyber Statistics [S3236-7],
SA 1719. Mr. KING – SEC. XX Strengthening Processes for Identifying Critical Infrastructure Cybersecurity Intelligence Needs and Priorities [S3239-40],
SA 1723. Mr. KING - SEC. XX Assessing Private-Public Collaboration in Cybersecurity [S3243],
SA 1751. Mr. PETERS (D,MI) - SEC. 1643. Pilot Programs on Remote Provision by National Guard to State Governments and National Guards of Other States of Cybersecurity Technical Assistance in Training, Preparation, and Response to Cyber Incidents [S3258],
SA 1806. Mr. JOHNSON (R,WI) - SEC. XX Countering Unmanned Aircraft Systems Coordinator [S 3329],
SA 1807. Mr. JOHNSON - SEC. XX Subpoena Authority [S 3329-30],
SA 1814. Mr. RUBIO (R,FL) - SEC. XX Secure and Trusted Technology [S 3333-4],
SA 1815. Mr. RUBIO - DIVISION XX Intelligence Authorizations for Fiscal Year 2021 [S 3335-44],
SA 1816. Mr. RUBIO - DIVISION XX Intelligence Authorizations for Fiscal Year 2021 [S 3344-55],
SA 1827. Mr. WARNER (D,VA) - SEC. XX Secure and Trusted Technology [S 3362-4],
SA 1868. Mr. REED (D,NV) - SEC. XX Cybersecurity Transparency [S 3389],
SA 1892. Mr. PORTMAN (R,OH) - SEC. 240. Element in Annual Reports on Cyber Science And Technology Activities on Work with Academic Consortia to Develop a Strategy to Secure Embedded Hardware in Department of Defense Capabilities [S 3399],
SA 1910. Mr. WARNER - SEC. XX Study on Alternatives and Recommendations for Providing a Cyber Protection Program for the Defense Industrial Base [S 3407],
SA 1911. Mr. WARNER - SEC. XX Policies for Cybersecurity and Resilience for Certain Programs Developing Applications Using Artificial Intelligence or Machine Learning [S 3408],
SA 1917. Ms. HASSAN (D,NH) - SEC. ll. Cybersecurity State Coordinator Act [S 3409],
SA 1936. Mr. PETERS - SEC. 590. Pilot Programs on Remote Provision by National Guard to State Governments and National Guards of Other States of Cybersecurity Technical Assistance in Training, Preparation, and Response to Cyber Incidents [S 3415],
SA 2080. Mr. PORTMAN - SEC. 240. Element in Annual Reports on Cyber Science and Technology Activities on Work with Academic Consortia on High Priority Cybersecurity Research Activities in Department of Defense Capabilities [S 3523],
SA 2094. Mrs. FISCHER (R,NE) - SEC. XX Support and Enhancement of Defense Critical Electric Infrastructure [S 3527],
SA 2098. Mr. PERDUE (R,GA) - SEC. XX Cybersecurity Advisory Committee [S 3528],
SA 2104. Ms. HASSAN - SEC. XX National Guard Cyber Support and Cyber Services For Governmental Entities Outside the Department of Defense and Nongovernmental Entities [S 3542],
SA 2135. Mrs. FISCHER - SEC. XX Internet of Things [S 3552],
SA 2178. Mr. WICKER (R,MS) - TITLE XX Cyber Workforce Matters [S 3569-72],
SA 2195. Mr. JOHNSON - SEC. XX Subpoena Authority [S 3584-5],
SA 2209. Mrs. FISCHER - SEC. XX Internet of Things [S 3621].

Since most of these amendments will not make it to floor consideration, I will not take up any more time on the detailed analysis of the listed amendments. Two things I will mention, however. First, many of these bills have similar names to bills that have been introduced in the Senate. This is not unusual. The NDAA is a ‘must pass bill’, so the attachment of other legislation to the bill that otherwise would not make it to the floor on its own is a common legislative tactic.

The second item of note is that there are a number of instances where the same person has proposed two (slightly) different versions of the same amendment. Typically, minor revisions have been made to make the amendment more palatable to one or more factions (or even just a single Senator) to make it easier for the bill to make it into the limited consideration space.

More amendments will be submitted next week.

Commentary


This is considered to be a ‘must pass’ bill and this is the one ‘must pass’ bill that usually makes it through the legislative process. This is because the leaders of the Armed Services Committee typically do a good job of keeping the most contentious issues out of the bill, but that has been getting more difficult as the political gulf in Washington has been widening. In today’s political environment there is no guarantee that this bill will pass in regular order. Watch for the cloture vote on Monday for indications of how much of a problem this bill will be facing.

In the normal course of events, this bill would be expected to pass by the end of the week. I would not be surprised to see it held over until next week or even later. In the meantime, some amendments will be dealt with and even more will be introduced.
