Wednesday, December 10, 2025

Review – S 1071 and Cybersecurity – FY 2026 NDAA

Yesterday the House Rules Committee completed the Rule that includes the consideration of S 1071, the FY 2026 National Defense Authorization Act (NDAA). The resolution approving that rule will be voted on today, and the bill will probably be considered on Thursday. The 3,083-page text of the bill contains 367 separate mentions of the word ‘cyber’, a few too many to do a reasonable assessment here. The picture is better for the term ‘cybersecurity’: there are only 86 mentions, but that is still too many for a short-form analysis like this.

A more reasonable way to look at cybersecurity in a bill of this size is to look at the individual sections that deal with cybersecurity issues. That is much easier, as there are just eight such sections:

§ 866. Cybersecurity regulatory harmonization.

§ 1067. Cybersecurity and resilience annex in Strategic Rail Corridor Network assessments.

§ 1511. Secure mobile phones for senior officials and personnel performing sensitive functions.

§ 1512. Artificial intelligence and machine learning security in the Department of Defense.

§ 1513. Physical and cybersecurity procurement requirements for artificial intelligence systems.

§ 1514. Collaborative cybersecurity educational program.

§ 1515. Incorporation of artificial intelligence considerations into cybersecurity training.

§ 8339. Supporting cybersecurity and cyber resilience in the Western Balkans. (State Dept)

The five § 15XX sections are all within TITLE XV, Cyberspace-Related Matters. These deal almost entirely with military matters, and three of them specifically deal with artificial intelligence issues related to cybersecurity, which I currently consider beyond the scope of this blog. I am also going to ignore the section dealing with secure telephones, with the caveat that anyone who uses a cell phone should peruse the section, just to see what types of things security folks worry about with these ubiquitous devices. Finally, the State Department requirement to support cybersecurity in the Western Balkans is of little specific interest here. So that leaves three sections of potential interest here.

For more information on the cybersecurity provisions in this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1071-and-cybersecurity-fy-2026 - subscription required.
