Cyber looms large in House NDAA

The House of Representatives passed the National Defense Authorization Act for fiscal year 2023 last Friday after members filed over 1,200 amendments to the bill, including a variety of technology and cybersecurity issues impacting the federal government. 

From further formalizing the government's newest cybersecurity agency with directorial term limits to establishing the National Digital Reserve Corps, the current NDAA features a suite of information technology security improvements and policy upgrades which lawmakers hope will find their way into the bill after the House and Senate versions are hashed into a single bill in a conference committee.

Under the Cybersecurity and Infrastructure Security Agency Leadership Act, officials appointed to the head of the cybersecurity agency will serve five-year terms to effectively see their leadership extend beyond presidencies. The amendment also specifies the appointment process, requiring the president to appoint a CISA director "by and with the advice and consent of the Senate." 

A separate amendment also requires the CISA director to investigate the impact of the 2020 SolarWinds attack and identify security gaps and recommendations in a report to Congress. The Building Cyber Resilience After SolarWinds Act also instructs the Government Accountability Office to issue a report evaluating the Cyber Safety Review Board.

Formerly known as "systemically important critical infrastructure," the Identification of Systemically Important Entities Act designates certain entities as critical to the continuation of national critical functions and establishes an interagency council to conduct critical infrastructure cybersecurity coordination. The amendment also includes new requirements and unique benefits for critical infrastructure entities identified as systemically important.

The Report on Commercial Satellite Cybersecurity; CISA Commercial Satellite System Cybersecurity Clearinghouse amendment directs the GAO to issue a report evaluating federal policy supporting cybersecurity for commercial satellite systems while focusing on critical infrastructure sectors. It also instructs CISA to maintain a publicly accessible record of resources, known as a clearinghouse, pertaining to cybersecurity tools and information for commercial satellites. 

The Department of Homeland Security will work to establish at least two cybersecurity-focused Critical Technology Security Centers under an amendment sponsored by Rep. Jim Langevin (D-R.I.). The legislation is designed to test the security open source software that forms part of critical technologies as well as software that supports government missions

An amendment from Rep. Andrew Garbarino (R-N.Y.) requires the administrator of the Small Business Administration to establish or approve an existing cyber counseling certification program to help employees at small businesses receive training in cyber planning assistance. The amendment also requires the program to certify at least five or 10% of small business development center employees in cybersecurity planning assistance training.

An amendment from Rep. Chrissy Houlahan (D-Pa) directs the Veterans Affairs secretary to establish a new pilot course for veterans and their spouses around cybersecurity training. The program will include coursework that can qualify for postsecondary credit towards associate or baccalaureate degrees, as well as virtual learning opportunities and performance-based assessments that ultimately lead to federal work-based learning opportunities and programs. 

The General Services Administration is instructed under an amendment from Rep. Tony Gonzales (R-Texas) to establish the National Digital Reserve Corps, a public-private partnership featuring a range of experts across the fields of cybersecurity, artificial intelligence and digital technology to work within the federal government and coordinate with agencies on addressing some of the most pervasive cyber challenges impacting the government.