The fiscal year (FY) 2023 National Defense Authorization Act (NDAA) continued to take shape today as the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems voted to approve its markup of language related to cybersecurity and other tech matters that likely will be featured in the NDAA.
Included in the print – which was approved by the subcommittee by a voice vote – is language that would create more oversight for the Defense Department’s (DoD) Joint All-Domain Command and Control (JADC2) program and seek clarity on DoD’s role in assuring the Defense Industrial Base (DIB) is cyber secure. The print features other provisions related to artificial intelligence, 5G technologies, and more.
“This mark reflects the balance priorities of this subcommittee,” subcommittee Chair Rep. Jim Langevin, D-R.I., said at today’s markup. “It does the hard work of continued and detailed oversight of the Department of Defense. It provides support guidance and, when necessary, corrections to ongoing programs and it moves the ball forward aggressively in key technology areas.”
“It empowers and encourages innovation across the department, but also shows up the key areas of research and development and testing evaluation that are all too easily taken for granted,” Rep. Langevin continued.
While the subcommittee’s markup of the bill is now complete, the full NDAA could still take months to become law, and there is plenty of legislative jostling to come between now and then. The finalized versions of the NDAA, however, are generally considered to be “must-pass” legislation.
Increased Oversight of JADC2
The DoD has been developing the JADC2 program as a way to create a data sharing program across all domains of the military, with the implementation plan being signed in March. However, the print says that the subcommittee is “concerned” about the DoD’s progress on implementing the program.
The bill calls for a report by the end of calendar year 2022 from the Secretary of Defense that would serve as a progress report of sorts on where the DoD and its components are in implementing the JADC2 program.
“The committee recognizes the Department has made progress on JADC2 planning, but each of the military services has a separate effort to address the Department’s JADC2 requirements concept, and it is unclear what capabilities will be delivered to the warfighter, how much they will cost, and when they will be delivered,” the print says.
The print directs the Secretary of Defense to give the House Armed Services Committee a report that contains:
- “An inventory of JADC2-related development efforts, with a description of each’s respective performance objectives, costs, and schedules;”
- “A description of JADC2 performance goals and how the development efforts, identified under [the above bullet], will contribute to achieving those goals, including performance metrics;” and
- “A list of potential JADC2 capability gaps and a plan for how the Department of Defense will ensure those capabilities are addressed and funded.”
Additionally, the bill calls for a review from the Comptroller General no later than March 31, 2023, that reviews DoD’s JADC2 efforts. That review, as well as an accompanying report and briefing, should include an overview of JADC2 implementation efforts, costs, and timetables, as well as an overview of DoD’s process for overseeing the implementation of the program.
Clarity on DoD Role in DIB Cyber
The bill also contains a provision that would look to clarify the DoD’s role in assuring the cybersecurity of the DIB. Specifically, the bill calls for the DoD’s Office of the Under Secretary of Acquisition and Sustainment – known as OUSD A&S – to outline which DoD components will play which roles in securing the DIB.
OUSD A&S’s role in securing the DIB became more ambiguous after DoD’s Cybersecurity Maturity Model Certification (CMMC) program was realigned under the Office of the CIO earlier this year.
“Cybersecurity has become a critical facet of all Department of Defense matters and especially in the context of acquisition of new systems, weapons, technologies, and assets for the warfighter,” the print says. “The Department of Defense depends upon the Defense Industrial Base (DIB) to provide these items. As such, the cybersecurity of the DIB must be resourced and invested to enable private industry to defend itself and its products.”
“The committee has noted and continues to hold concerns about how the issue of DIB cybersecurity is managed across the Department and specifically across the Office of the Secretary of Defense, with multiple stakeholders and imprecise lines of responsibility between components,” the print continues.
The print would direct OUSD A&S to brief the House Armed Services Committee – no later than November 1, 2022 – on the role it plays in securing the DIB, as well as the role of the Assistant Secretary of Defense for DIB Policy.
After Laura Taylor-Kale was nominated for the latter post in May, a DoD spokesperson told MeriTalk, “CMMC will be implemented through contracts and acquisitions, so a close partnership with OUSD A&S will be critical to the program’s success. The Office of the Assistant Secretary of Defense for Industrial Base Policy is our partner in ensuring the cybersecurity of the DIB. The office is responsible for overseeing the Office of Small Business Programs that assists small businesses in implementing the NIST SP 800-171 requirements.”
5G, AI, GPS, and more
The bill also includes various provisions related to artificial intelligence (AI), 5G technologies, and quantum computing, as well as a provision that would call for a briefing on potential alternatives to Global Positioning Systems (GPS) in the case of a disruption.
There are multiple provisions related to AI, including calling for a briefing on how the DoD plans to integrate independent testing and validation of AI model life cycles, as well as a provision calling for a report on how DoD plans to implement ethical AI principles into its AI education strategy.
The bill also calls for reports on commercial 5G installations on military installations, the state of quantum computing, and the current quantum cooperation taking place between the United States and the United Kingdom. The subcommittee print also calls for a briefing on DoD’s 5G testbeds and, separately, a comprehensive review of the DoD’s Cyber Excepted Service to take place no more than 180 days after enactment.
As far as GPS, the print says, “The committee recognizes the increasing threat of Global Positioning System disruptions and believes it is critical to invest in technologies that provide resilient and assured position, navigation, and timing capabilities, including those provided through alternative navigation.”
It calls for a briefing from the Secretary of Defense on current alternative navigation systems and its plan for the Future Years Defense Program to provide alternatives and improve the infrastructure and architecture.