NDAA roundup: Senate bill places deep focus on cyber, IT and AI
Editor’s Note: This story has been updated to reflect the House passing its version of the NDAA.
The Senate Armed Services Committee on Wednesday filed its final version of the annual defense policy bill, which would authorize $768 billion in spending on defense that prioritizes the modernization of the military’s IT and cybersecurity capabilities, including the approval of an additional $286 million in cyber spending across the Department of Defense.
The Senate’s move to send the 2022 National Defense Authorization Act to the chamber’s floor came after the House Armed Services Committee earlier in September submitted its own version of the bill for amendment voting. The Senate’s topline authorization would approve a $25 billion increase in spending over the president’s budget request for defense, whereas the House’s would approve an added $24 billion.
The annual NDAA does not provide funding but establishes policy authorizing DOD programs to spend money from separate defense appropriations.
“This bill is the most important bill we do each year, but the current crises we face make it more essential now,” Sen. Jim Inhofe, R-Okla., said of the Senate NDAA. “It’s up to Congress to ensure that our troops and their families have the tools, capabilities, training and resources needed to defend our country from these very real, very serious threats. That’s why this year’s bill boosts defense spending by $25 billion above the President’s request.
In addition to the headline 2.7% pay raise the bill authorizes for military personnel, the Senate version is packed with new authorizations and requirements for DOD IT, artificial intelligence and cybersecurity. Committee Chair Sen. Jack Reed, D-R.I., said the bill “prioritizes efforts to strengthen our cyber defenses, improve readiness, and accelerate the research and development of advanced technologies.”
Highlights on the cybersecurity front include the authorization of an additional $286.4 million in cybersecurity spending to be used across the DOD and the requirement that the department develops “a joint zero trust strategy and a model architecture for the Department of Defense Information Network.”
The DOD CIO would work with the commander of the Joint Forces Headquarters-Department of Defense Information Network (JFHQ-DODIN) to issue that plan, and each of the military services and DOD components would be required to develop “detailed implementation plans.”
“The committee remains concerned about the Department’s slow adoption of zero-trust principles and supports efforts to engender a Department-wide cybersecurity paradigm shift towards embracing critical elements of a zero-trust architecture, including identity, credential, and access management; macro and micro network segmentation; least privilege access controls; and endpoint cybersecurity,” says a report on the bill.
The bill also calls for the DOD’s cyber leads to develop a data management strategy within 180 days of enactment to support offensive and defensive cyber operations. The strategy would encapsulate “data acquired from DOD intelligence and counterintelligence components, including the National Security Agency and U.S. Cyber Command (CYBERCOM), as well as DOD cybersecurity service providers, cyber threat information from industry and other Government agencies, and data gathered from comprehensive collection within the DOD Information Network (DODIN),” the report says.
Finally, the bill, if passed, would require the secretary of defense to submit a report on the plans for the Cyber Maturity Model Certification (CMMC) program by Jan. 15, 2022. That report would include any programmatic changes that come out of the recent internal DOD review of the CMMC program, the strategy for instituting rule over the program, any budget or resource requirements and a plan for communicating changes with industry.
The CMMC measure would also require “plans for ensuring that persons seeking a Department of Defense contract for the first time are not required to expend funds to acquire cybersecurity capabilities and a certification required to perform under a contract as a precondition for bidding on such a contract without reimbursement in the event that such persons do not receive a contract award.”
If passed, the 2022 NDAA would authorize a more than $1 billion increase to fund “cutting-edge research and prototyping activities … in critical areas such as artificial intelligence, microelectronics, advanced materials, 5G, and biotechnology,” the bill report says.
It would also implement a number of recommendations the National Security Commission on AI made in its final report, such as requiring “the establishment of performance objectives and accompanying metrics for the incorporation of AI and digital readiness into Department of Defense platforms, processes, and operations.”
“The committee notes that the final report of the National Security Commission for Artificial Intelligence highlights the establishment of AI and digital readiness performance goals as an important step to achieving a state of military AI readiness by 2025,” says the report.
Along with that, it could call for heads of the military services to conduct skills gaps assessments “in the fields of software development, software engineering, knowledge management, data science, and AI.”
The bill also calls for the Joint AI Center to modify its Joint Common Foundation (JCF) program — a coding platform aimed at helping users across the military build their own artificial intelligence models. With the change, the Senate intends to make it so that DOD components “can easily contract with leading commercial artificial intelligence (AI) companies to support the rapid and efficient development and deployment of applications and capabilities.”
While the Senate committee peppered general IT requirements and authorities through its bill, some larger measures stood out.
On the cloud front, the committee wants to accelerate the Fourth Estate’s move to the cloud via milCloud 2.0. The authors acknowledge in the report “that previously scheduled cloud migration efforts at select fourth-estate agencies have been repeatedly delayed by funding shortfalls, including shortfalls created by reprioritization of funds toward immediate COVID-19 related teleworking information technology improvements.”
Thus, they recommend a $42 million budget increase for the Defense Systems Information Agency to lead the Fourth Estate milCloud migration.
Additionally, the bill calls on Space Force technology leaders, in conjunction with the DOD CIO, to brief Congress by Oct. 1 on how the Space Force will leverage cloud computing for its programs and systems.
“The committee believes that the use of commercial cloud services for military space programs merits further study and, as appropriate, rapid adoption,” the report says.
As the DOD looks to adopt emerging technologies, Congress wants to make sure it has the flexible authorities and knowledgeable leadership to do so.
As such, it recommends an assessment of any impediments to the DOD’s acquisition of commercial technologies and a pilot to “develop and implement unique contracting mechanisms for emerging technologies that seek to increase the speed, flexibility, and competition of the Department of Defense (DOD) acquisition process.”
“DOD leaders consistently emphasize the critical importance in the current great power competition of capitalizing quickly on commercial technology advances in such areas as artificial intelligence and machine learning, cloud computing, cloud-based enterprise services, and software products and services,” the bill report says. “However, the committee is concerned that, too often, DOD components choose to contract for the development of custom solutions when mature commercial capabilities exist that will save time and money and provide better performance.”
And to improve leaders’ understanding of these technologies, Congress wants DOD to develop an executive education program on emerging technologies for senior civilian and military leaders.
The House passed its version of the NDAA late Thursday. Once the Senate passes its bill, both chambers will conference to create a final bill for the president’s approval.