Monday, December 7, 2020

Conference Report for HR 6395 – FY 2021 NDAA

On Thursday the conferees for HR 6395, the FY 2021 National Defense Authorization Act (NDAA), published their 4,500-page ‘Conference Report’ working out the differences between the two versions of the bill. The official GPO version is not yet available, but the House Armed Services Committee posted a copy on their web site. The House is slated to take up the revised language from the report on Tuesday, followed by the Senate later in the week. There is an open threat of a presidential veto, but we will have to wait and see how that turns out.

Provisions of Interest

There are a huge number of ‘cyber’ related provisions in this bill. The following list shows those that I think are most interesting from a control system security point of view.

§1715. Establishment in Department of Homeland Security of joint cyber planning office. (pg 1810) (revised pg 4170)
§1716. Subpoena authority. (pg 1815)
§1717. Cybersecurity State Coordinator. (pg 1827) (revised pg 4170)
§1718. Cybersecurity Advisory Committee. (pg 1836) (revised pg 4170)

§1725. Pilot program on remote provision by National Guard to National Guards of other States of cybersecurity technical assistance in training, preparation, and response to cyber incidents. (pg 1865) (revised pg 4174)

§1729. Cyber capabilities and interoperability of the National Guard. (pg 1880) (revised pg 4175)

§1736. Defense industrial base cybersecurity sensor architecture plan. (pg 1901) (revised pg 4178)

§1737. Assessment on defense industrial base participation in a threat information sharing program. (pg 1903) (revised pg 4179)

§1738. Assistance for small manufacturers in the defense industrial supply chain on matters relating to cybersecurity. (pg 1909)

§1739. Assessment on defense industrial base cybersecurity threat hunting program. (pg 1912) (revised pg 4180)

§1742. Department of Defense cyber hygiene and Cybersecurity Maturity Model Certification framework. (pg 1922) (revised pg 4182)

§1745. Cybersecurity and Infrastructure Security Agency review. (pg 1933)

§1752. National Cyber Director. (pg 1950) (revised pg 4186)

§9005. GAO study of cybersecurity insurance. (pg 3407)

The ‘(pg XXXX)’ listing refers to the language of the actual provision in the bill. The ‘(revised pg 4XXX)’ listing refers to the brief discussion of changes made to the provision in the conference.

Interesting Finds

There is no way that I ‘read’ all 4517 pages of the report. Most of what I did do was put the term ‘cyber’ in the search tool of my .PDF reader and click through the report. In doing so, I discovered a couple of interesting items.

I found the first item on page 680 in §589F. This section introduces a new term that I have never heard before: ‘cyberexploitation’. It is defined as using digital means and online platforms to [§589F(d)(1)]:

• “knowingly access, or conspire to access, without authorization, an individual’s personal information to be employed (or to be used) with malicious intent; or

• “to deceive an individual with misinformation with malicious intent.”

In this section of the NDAA it is used to describe actions taken against family members of armed forces personnel. The bullets in the definition above could apply to all sorts of cyber activities that we have been seeing in recent history. I think that this term (I would hyphenate it ‘cyber-exploitation’) should be more widely used.

I found the second item on page 2247 during the discussion of §2826, Improved electrical metering of Department of Defense infrastructure supporting critical missions. The final subsection shows the increasing cybersecurity sophistication of congressional staffers. It reads:

“(c) CYBERSECURITY.—The Secretary of Defense and the Secretaries of the military departments shall consult with the Chief Information Officer of the Department of Defense to ensure that the electrical energy metering options considered under subsection (b) do not compromise the cybersecurity of Department of Defense networks.”

Intelligence Authorization Act

As I noted in my blog post about the Senate passing HR 3695, the Senate included the FY 2021 Intelligence Authorization Act as a division in the bill. That language did not survive conference. The House has not yet acted on their version of this (HR 7856) ‘must pass’ legislation. The Senate has not acted on their standalone version (S 3905). There is still a chance that some version of this bill could find its way into the omnibus spending bill.
