Inside the Capitol

Senate approves cyber-loaded defense bill

The Senate on Wednesday easily passed a compromise $768 billion defense policy bill laced with cybersecurity provisions.

Lawmakers voted 89 to 10 to approve the National Defense Authorization Act (NDAA), sending it to President Joe Biden, who is expected to sign it.

The compromise $768 billion authorization bill does not include cyber incident reporting legislation despite a nearly year-long bipartisan push following the SolarWinds breach and major ransomware attacks. Such a measure was incorporated into the original House version of the NDAA, but it didn’t survive the Senate’s drawn-out amendment process and was nixed.

A bipartisan bill to update the 2014 Federal Information Security Modernization Act, which previously cleared the Senate Homeland Security Committee, was also left on the cutting room floor.

Still, several notable cyber provisions did make it into the bill.

The massive defense spending road map backs the administration's $605 million request for U.S. Cyber Command’s general budget and grants executive budget authority to the organization's chief. It “modernizes the relationship” between the Defense Department’s CIO and the National Security Agency’s cyber components and creates an office to centralize the Pentagon’s cyber threat information products.

The final bill also requires DoD to submit a report on how its Cybersecurity Maturity Model Certification (CMMC) program impacts small businesses.

The must-pass legislation “initiates the widest empowerment and expansion” of the Cybersecurity and Infrastructure Security Agency “since the SolarWinds incident,” according to a summary of the bill released last week.

It greenlights CISA’s CyberSentry program, which is focused on protecting critical infrastructure systems against hackers, and requires the DHS cyber wing to update its incident response plan at least every two years. 

The policy blueprint allows CISA to establish a National Cyber Exercise Program, designed to simulate the partial or complete shutdown of a government or critical infrastructure network by a cyber incident.

The bipartisan bill also creates a grant program at DHS to support U.S.-Israel cooperation in the research and development of cybersecurity technology.

Martin Matishak

Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.
