Conference Report for HR 2670 Published

2024 NDAA

Yesterday, the conference committee for HR 2670 published their report on HR 2670, the 2024 National Defense Authorization Act. The report includes a listing of sections from the House and Senate versions of the bill that were included (and excluded) in the final version of the bill. The 3000+ page Report also includes the actual text of the bill. In addition to the NDAA provisions the final version includes the State Department and Intelligence authorization bills.

Included Cybersecurity Provisions

A search of the contents page for the bill shows the following sections in the bill related to cybersecurity matters:

• §1315 Extension and modification of pilot program to improve cyber cooperation with foreign military partners in Southeast Asia,

• §1502 Harmonization and clarification of Strategic Cybersecurity Program and related matters,

• §1511 Responsibility for cybersecurity and critical infrastructure protection of defense industrial base ,

• §1512 Cybersecurity enhancements for nuclear command, control, and communications network,

• §1513 Pilot program relating to semiconductor supply chain and Cybersecurity Collaboration Center,

• §1514 Transfer of data and technology developed under MOSAICS program,

• §1515 Modernization program for network boundary and cross domain defense,

• §1516 Establishment of certain identity, credential, and access management activities as program of record,

• §1517 Pilot program on assuring critical infrastructure support, for military contingencies,

• §1518 Military cybersecurity cooperation with Taiwan,

• §1519 Guidance regarding securing laboratories of the Armed Forces,

• §1532 Selected Reserve order to active duty to respond to a significant cyber incident,

• §1536 Authority to conduct pilot program on Civilian Cybersecurity Reserve,

• §1553 Report on Department of Defense Enterprise capabilities for cybersecurity,

• §2809 Incorporation of cybersecurity supply chain risk management tools and methods,

• §3111 Transfer of cybersecurity responsibilities to Administrator for Nuclear Security, and

• §3113 Cybersecurity Risk Inventory, Assessment, and Mitigation Working Group.

There are 781 mentions of the word ‘cyber’ in the Report, I have not yet had a chance to review all of them. Nor have I reviewed the wording of the sections listed above.

Excluded Cybersecurity Provisions

The first portion of the Report (the first 47 pages) provides a listing of the included and excluded sections. The following excluded sections refer to cybersecurity related provisions that were listed in either the House or Senate version of the bill:

• Funding for cyber supply chain risk management,

• Cooperation with allies and partners in Middle East on development of integrated regional cybersecurity architecture,

• Cyber incident reporting,

• Strategy on cybersecurity resiliency of Department of Defense space enterprise, and

• Improving outreach related to cybersecurity job preparation.

Moving Forward

The Report is currently (tentatively) scheduled to be considered by the House next week. The House.gov website notes that the bill will be considered under the suspension of the rules process (limited debate, no floor amendments, and a super-majority would be required for passage).

Commentary

Typically (but certainly not always) conference reports are considered under a closed rule. This too limits debate, and prohibits consideration of miscellaneous amendments, but only requires a simple majority for passage. The reason for this is almost certainly to do with opposition to the revised version of the bill by some of the more fringe elements of the Republican caucus. First off, those folks hold an effective veto power (three votes per the deal that McCarthy made to become the Speaker last January) in the House Rules Committee, so they could potentially stop the approval a rule. Then, if a rule were approved, it would take only three Republicans voting against the rule on the floor of the House (the opposition party by tradition votes against rules) to stop the House from considering the Report.

The House (and Senate) leaderships expect that there will be sufficient bipartisan support for the bill to be passed in both bodies. This means that, once again, the Republican leadership is counting on support from Democrats to pass an important piece of legislation. While this bill is not as important to fringe elements of the party as spending bills, it is still likely to draw the ire of at least a segment of that fringe. What that means for future political operations in the House remains to be seen.

Comments

[Christopher Sundberg]

Great overview! For me it was interesting that memory safe languages did not make the cut in this version.