HR 2670 Reported in House – FY 2024 NDAA

Last month the House Armed Services Committee completed their work on HR 2670, the National Defense Authorization Act for FY 2024. The amended version of the bill was ordered reported favorably by a strongly bipartisan vote of 58 to 1. The Committee also published their Report on the bill. Cyber warfare provisions abound in the bill (in Title XV, Cyberspace-Related Matters, in particular), but there are five cybersecurity related sections, and four cybersecurity mentions in passing in the bill. Additional cybersecurity discussions are found in the Committee Report.

NOTE: There is an interesting clerical error in the reported version of the bill. In Section 1, it names the bill the “Military Construction Authorization Act for Fiscal Year 2024”. That is actually the title of Division B of the legislation. The introduced version of the bill calls it the “National Defense Authorization Act for Fiscal Year 2024”.

Cybersecurity Sections in the Bill

There are five sections in the legislation that deal specifically in cybersecurity matters:

• §1501. Harmonization and clarification of Strategic Cybersecurity Program and related matters.

• §1505. Military cybersecurity cooperation with Taiwan.

• §1521. Authority to accept voluntary and uncompensated services from cybersecurity experts.

• §1524. Responsibility for cybersecurity and critical infrastructure protection of the defense industrial base.

• §3113. Cybersecurity Risk Inventory, Assessment, and Mitigation Working Group.

Section 1524 makes amendments related to responsibilities outlined in the §1724 of the FY 2021 NDAA with regards to critical infrastructure cybersecurity. These are essentially housekeeping measures, not changes in policy.

Section 3113 amends the FY 2000 NDAA by adding a new §3222, Cybersecurity Risk Inventory, Assessment, and Mitigation Working Group. That new section would establish in the National Nuclear Security Administration a working group that would “prepare a comprehensive strategy for inventorying the range of National Nuclear Security Administration systems that are potentially at risk in the operational technology and nuclear weapons information technology environments, assessing the systems at risk, and implementing risk mitigation actions.”

Cybersecurity Mentions in Passing

There are four sections in the bill where cybersecurity is mentioned as part of a larger program or process. These sections include:

• §345. Pilot Program on Optimization of Aerial Refueling and Fuel Management in Contested Logistics Environments Through Use of Artificial Intelligence (pg 148) in paragraph (b)(5).

• §808. Organizational Conflict of Interests Relating to National Security and Foreign Policy (pg 410) in subparagraph (e)(5)(F).

• §932. Enhancing Department of Defense Coordination of Geoeconomic Affairs (pgs 550-1) in subparagraph (b)(2)(C).

• §1307. Modifications to Initiative to Support Protection of National Security Academic Researchers from Undue Influence and Other Security Threats (pg 772) in subparagraph (h)(2)(A).

Cybersecurity Discussion in Report

As is becoming increasingly important in the NDAA process, the Committee Report contains a number of discussions on cybersecurity matters that contain policy directives and reporting requirements from the Armed Services Committee to the Department of Defense and the Department of Energy. While these directives do not carry the force of law, they are reinforced by the power of oversight.

The discussions that pertain directly to cybersecurity matters include:

• Assessment of defensive and offensive cybersecurity capabilities in 5G/NextG environments (pg 70),

• Evaluation of National Centers of Academic Excellence in Cybersecurity (pgs 322-3),

• Innovation for Cybersecurity of the Defense Industrial Base (pg 323),

• Leveraging Commercial Capability for Cybersecurity in Cloud Environments (pg 325), and

• Shipyard Cybersecurity (pgs 328-9)

Cybersecurity Mentions in passing in Report

As with the actual bill, the Report contains eight mentions of cybersecurity issues and requirements as part of discussions of larger issues and projects. These mentions include:

• Integrated tactical network and crypto modernization (pgs 13-4),

• Resilient autonomous systems research and workforce diversity (pg 54),

• Science, technology, engineering, and mathematics (stem) partnership expansion (pg 68),

• Foreign Dispatch Services (pg 109),

• Immersive Training (pgs 116-7),

• Biobanking Feasibility Briefing (pg 191),

• U.S.-Israel Defense Assessment (pgs 303-4), and

• Department Use of Open-Source Software (pg 321).

Moving Forward

This is one of the ‘must pass’ bills that Congress takes up every year. Even in this highly polarized session, the House Armed Services Committee has managed to produce a bipartisan consensus around this bill and report. There is only one relatively minor issue raised in the ‘Additional Views’ (pg 632) portion of the Report.

It looks like the House will take up this bill sometime next week. The House Rules Committee called for proposed amendments for this bill with a deadline of June 30^th. No meeting date is currently listed, but I expect that the meeting will most likely take place on Tuesday, July 11^th, the first day the House is back in session. To date 1426 amendments have been proposed by members and I expect more to slide in this week. Seventeen of those current amendments deal with cyber issues, but we will have to wait and see which ones make to the floor for consideration.