NDAA Enacts 25 Recommendations from the Bipartisan Cyberspace Solarium Commission
This year’s NDAA provides the most comprehensive and forward-looking piece of national cybersecurity legislation in the nation’s history.
Washington, D.C. (January 2, 2021) - U.S. Senator Angus King (I-Maine) and Congressman Mike Gallagher (R-Wis.), co-chairs of the Cyberspace Solarium Commission (CSC), today announced that 27 provisions in the National Defense Authorization Act directly draw from 25 CSC recommendations for improving U.S. cybersecurity posture have been codified into law with the Senate’s 81-13 override vote on New Year's Day.
“The inclusion of the National Cyber Director (NCD) housed in the Executive Office of the President (EOP) is a real game changer. The NCD will be the President’s principal advisor for cybersecurity-related issues, as well as lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector. We thank all members of congress and especially Senator Mike Rounds (R-S.D.) for his leadership in getting this provision into the final conference report,” said Co-Chairs Senator Angus S. King, Jr. and Representative Mike Gallagher.
“Strengthening national cybersecurity has been a priority of mine for more than a decade, and I am proud this year’s NDAA is among the most consequential cybersecurity bills ever to become law,” said Co-founder and Co-Chair of the Congressional Cybersecurity Caucus Congressman Jim Langevin (D-R.I.). “Developing and advancing the numerous legislative proposals to make America safer in cyberspace was a massive undertaking, but we are better off today because of it. I’m thankful to my fellow commissioners for working in a bipartisan fashion to advance key legislation that is going to make us more secure, including my National Cyber Director Act. With these policies enacted, we are establishing the forward-leaning, layered cyber deterrence strategy that we need to face emerging and evolving cyber threats and adversaries.”
“Superpowers can’t lose cyberwars and stay on top. Dominance in the cyber domain will dictate outcomes of modern wars,” said Senator Ben Sasse (R-Neb.). “The inclusion of over two dozen of our Commission’s recommendations, as well as the establishment of a National Cyber Director, puts us on a stronger path to dominance. We’ve got a lot more work ahead, but can be proud of our progress.”
The FY21 National Defense Authorization Act (NDAA) also includes another 50 cyber provisions developed and incorporated by Congressional committees, members and staff, and makes meaningful progress on improving the state of America’s cyber defenses, reorganizing the government to successfully partner with the private sector to combat growing cyber threats, clarifying the roles and responsibilities of federal government agencies, and setting in motion critical processes like Continuity of the Economy planning.
The Cyberspace Solarium Commission recommendations are included in these 27 NDAA provisions:
1705 - Strengthening Federal Networks (CSC Recommendation 1.4): Authorizes CISA to conduct unalerted threat hunting on federal networks.
1706 - Improvement Relating to the Quadrennial Cyber Posture Review (CSC Recommendation 6.1 and 6.1.3): Directs DoD to conduct a force structure assessment of the Cyber Mission Force to ensure sufficient force structure and capabilities for the current threat and mission, this will include and assessment fo the combat support agencies that support the cyber mission.
1711 - Modification of acquisition authority of Commander of United States Cyber Command (CSC Recommendation 6.1.1): Amends FY16 NDAA to change the acquisition authority of USCC. (related to 1746)
1712 - Modification of Requirements Relating to the Strategic Cyber Security Program and the Evaluation of Cyber Vulnerabilities of Major Weapon Systems of the Department of Defense (CSC Recommendation 6.2.b): Tasks DoD with developing a plan for the annual assessment of cyber vulnerabilities of major weapon systems, sharing lessons learned and best practices from the annual assessment of cyber resiliency of nuclear command and control system
1714 - Renewing the Cyberspace Solarium Commission (CSC Recommendation 0.0): Reauthorizes the CSC through late December 2021.
1715 - Establishment in DHS of the Joint Cyber Planning Office (CSC Recommendation 5.4): Establishes a Joint Cyber Planning Office under CISA, to facilitate comprehensive planning of defensive cybersecurity campaigns across federal departments and agencies and the private sector.
1716 - Administrative Subpoena Authority for the Cybersecurity and Infrastructure Security Agency (CSC Recommendation 5.1.3): Grants administrative subpoena authority to CISA in order to identify vulnerable systems and notify public and private system owners.
1718 - Cybersecurity Advisory Committee (CSC Recommendation 1.4): Establishes a Cybersecurity Advisory Committee to advise DHS/CISA.
1719 - Cybersecurity Education and Training Assistance Program (CSC Recommendation 1.5.1): Authorizes the (already existing) Cybersecurity Education and Training Assistance Program at DHS/CISA—a K-12 cyber education initiative. CETAP will continue to provide curricula for K12 education, resources and training for K12 educators. It will promote and support national standards for K12 cyber education.
1722 - Report on the risk to national security posed by quantum computing technologies (CSC Recommendation 6.2.4): Mandates a comprehensive assessment of the threats and risks posed by quantum technologies to national security systems.
1728 - Assessing Private-Public Collaboration in Cybersecurity (CSC Recommendation 5.4.1): Requires the DoD to assess of the impact of the current Pathfinder initiative, the Department’s support to and integration with existing Federal cybersecurity centers, and comparable initiatives led by other Federal departments or agencies that support long-term public-private cybersecurity collaboration and make recommendations for improvements.
1729 - Clarifying the Cyber Capabilities and Interoperability of the National Guard (CSC Recommendation 3.3.6): Directs the DoD to evaluate statutes, rules, regulations, and standards that pertain to the use of the National Guard for the response to and recovery from significant cyber incidents.
1730 - Evaluation of non-traditional cyber support to the Department of Defense (CSC Recommendation 6.1.7): Requires an assessment from the DoD on the need for, models for, and requirements of a cyber reserve force.
1731 - Establishment of an Integrated Cybersecurity Center (CSC Recommendation 5.3): Directs the executive branch to submit a report to Congress evaluating the Federal cybersecurity centers and the potential for better coordination of Federal cybersecurity efforts at an integrated cybersecurity center within CISA.
1737 - Defense Industrial Base Participation in a Threat Intelligence Sharing Program (CSC Recommendation 6.2.1): Requires DoD to assess the feasibility, suitability, and definition of, and resourcing required to establish a DIB threat information sharing program.
1739 - Defense Industrial Base Cybersecurity Threat Hunting and Sensing, Discovery, and Mitigation (CSC Recommendation 6.2.2): Requires DoD to complete an assessment of the feasibility, suitability, and resourcing required to establish a DIB cybersecurity threat hunting program.
1744 - Creation of a Biennial National Cyber Exercise (CSC Recommendation 3.3.5): Establishes a national cyber exercise to be conducted every two years to include federal, state, and private sector stakeholders, as well as international partners.
1745 - Cybersecurity and Infrastructure Security Agency Review (CSC Recommendation 1.4): Tasks DHS with conducting a comprehensive review of the ability of the CISA to fulfill its current and CSC recommended missions, this includes both a force structure assessment and resource review..
1746 - Report on Enabling U.S. Cyber Command Resource Allocation (CSC Recommendation 6.1.1): Requires the DoD to submit a report to congress detailing actions to ensure that USCC possesses the necessary authorities, direction, and control of the Cyber Ops Forces and the budget needed to fulfill its mission. (related to 1711)
1747 - Ensuring Cyber Resiliency of Nuclear Command and Control Systems (CSC Recommendation 6.2.a): Requires the DoD to develop a comprehensive plan to implement findings and recommendations pertaining to the cyber defense of nuclear command and control systems.
1752 - Establish the National Cyber Director and the Office of the National Cyber Director (CSC Recommendation 1.3): Establishes a Senate-confirmed National Cyber Director within the White House to serve as the President’s principal cyber advisor and provide a nexus for cybersecurity leadership in the White House.
9001 - DHS Strengthen CISA Director (CSC Recommendation 1.4): Administrative changes to strengthen the Director position at CISA.
9002 - Codify Sector Risk Management Agencies (CSC Recommendation 3.1): Codifies Sector Specific Agencies as Sector Risk Management Agencies, establishing minimum responsibilities and requirements for identifying, assessing, and assisting in managing risk for the critical infrastructure sectors under their purview.
9005 - GAO Study of Cybersecurity Insurance (CSC Recommendation 4.4): Calls on the GAO to study ways to improve the market for cybersecurity insurance.
9006 - Strategy to Secure Email (CSC Recommendation 4.5.2): Directs the DHS to develop a strategy to implement the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard across all U.S.-based email providers to secure our emails from spam and diminish the effectiveness of phishing emails.
9401-9407 - Recruit, Develop, and Retain a Stronger Cyber Workforce (CSC Recommendation 1.5): Enhances the federal government’s ability to recruit, develop, and retain its cyber workforce. Changes to NIST NICE, including a large grant program to national partners, and improvements to the CyberCorps Scholarship for Service program.
9603 - Continuity of the Economy Plan (CSC Recommendation 3.2): Mandates the creation of a Continuity of the Economy planning effort to ensure the rapid restart and recovery of the U.S. economy after a major disruption.