Cybersecurity, Privacy, & AI


NDAA Passes House and Emerges from Conference with Senate, without Mandatory Cyber Reporting


With Congress in a hurry to finish before this session ends, the House passed the fiscal 2022 National Defense Authorization Act 363–70 on Tuesday. The bill then went directly to conference with the Senate, which had not yet passed its own version. The bill that emerged includes $778 billion for national security spending and combines the text passed by the Senate Armed Services Committee in July with the House bill passed in September.

The final version has dropped provisions found in the House version that would have required many companies to report cyberattacks and ransomware payments to federal officials. Supporters said that time ran out to resolve differences, and blamed Senate Republicans such as Minority Leader Mitch McConnell (R-KY) and Rick Scott (R-FL) for the exclusion. A Senate aide said that progress had been made, however, and the measure might still be enacted separately. The bill also left out House-passed provisions that would have set a five-year term for the CISA director, and called for DHS to develop a “cyber threat information collaboration environment.”

Provisions included in the final bill would:

  • Require DoD’s Comptroller, CIO, and Chief Data Officer to devise a plan to consolidate IT systems.
  • Expand the National Guard’s role as cybersecurity support.
  • Require a report on “duplicative information technology contracts.”
  • Make the undersecretary of defense for research and engineering the chief technical advisor to the Joint Requirements Oversight Council.
  • Require the deputy principal cyber advisor position to come from the Office of the Undersecretary of Defense for Policy.
  • Create a microelectronics research network.
  • Create a pilot program to develop “unique acquisition mechanisms for emerging technologies.”
  • Authorize CISA to establish a National Cyber Exercise Program to simulate shutdown of the government or a critical infrastructure network.
  • Mandate an assessment of the impact of the CMMC on small businesses.
  • Require DoD to develop joint zero trust and data management strategies.
