Cybersecurity Provisions Proliferate in the National Defense Authorization Act

The National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2022, signed into law on December 27, 2021, contains a plethora of cybersecurity provisions on topics from ransomware and incident response, to procurement programs and public-private partnerships, to critical infrastructure.  In this alert, Crowell & Moring’s Privacy and Cybersecurity Group highlights the inclusions and omissions of note for cybersecurity professionals, government contractors, and critical infrastructure providers.

Ransomware

In response to the recent rise in ransomware attacks, Section 1510 directs the Department of Defense (DoD) to conduct a comprehensive assessment of its ability to disrupt and defend against ransomware attacks and develop recommendations to deter and counter such attacks.  The DoD will brief Congress on its assessment and recommendations by the end of July 2022.

Incident Response

Section 1546 and 1547 instruct the Cybersecurity and Infrastructure Security Agency (CISA) to update and then evaluate the National Cyber Incident Response Plan.  Section 1546 amends 6 U.S.C. § 660 to require CISA to update the National Cyber Incident Response Plan at least every two years to address the evolving threat landscape and adds a requirement for CISA to engage with industry on the government’s responsibilities and capabilities with regard to incident response.

Section 1547 establishes within CISA a National Cyber Exercise Program intended to evaluate the National Cyber Incident Response Plan.  The program will be based on current risk assessments and designed to simulate the partial or complete incapacitation of a government or critical infrastructure network from a cyber attack.  As part of the program, CISA will select model exercises that public and private sector entities can adopt and aid such entities with the design, implementation, and evaluation of incident response plans and exercises. 

Controlled Unclassified Information

Of note to government contractors, the FY2022 NDAA contains two provisions focused on improving the government’s Controlled Unclassified Information (CUI) program.  The first, Section 1526, instructs the DoD to publish a report by the end of June 2022 on the “DoD CUI Program,” including the extent to which the DoD is properly marking or otherwise identifying CUI; the circumstances under which commercial information can be considered CUI; the benefits and drawbacks of requiring CUI to be marked with a unique CUI legend; and examples of information that is and is not considered CUI.

The second, Section 6423, addresses a subset of CUI common in the transportation sector, known as Sensitive Security Information (SSI).  This section gives the Transportation Security Administration (TSA) until the end of March 2022 to ensure clear and consistent designation of SSI; update SSI identification guidelines; identify challenges affecting the identification, redaction, and designation of SSI; and ensure that TSA personnel are adequately trained on applicable policies and procedures.  Thereafter, the TSA will communicate with stakeholders who handle SSI, including contractors, to raise awareness of the TSA’s policies and guidelines governing the handling and use of SSI.

Cybersecurity Maturity Model Certification

The Act also instructs the DoD to publish two separate reports on the implementation of Version 2.0 of its Cybersecurity Maturity Model Certification (CMMC) program.  Section 1533 requires the submission of a report on the Department’s plans for the CMMC program, including, among other things: the rulemaking process, communications with industry, reimbursing contractors for the cost of compliance, and the role of prime contractors with respect to the cybersecurity of their subcontractors.  Of note, the report must address the DoD’s plans for reimbursing small and non-traditional defense contractors for the cost of certification and ensuring that companies seeking a DoD contract for the first time are reimbursed for their cost of compliance in the event they are not awarded a contract. 

Section 866, meanwhile, mandates the issuance of a report on the effects of CMMC on small businesses, including the estimated costs of compliance; an explanation of how such costs will be recoverable from the government; and the DoD’s plans to mitigate negative effects on small businesses, ensure that small businesses are appropriately trained, and work with small businesses to enable them to bid on and win contracts without having to risk funds on compliance. 

The reports are due by the end of March and June 2022, respectively.

Procurement of Cybersecurity Products and Services

Section 1521 gives the DoD until the end of 2022 to designate an executive agent for the enterprise-wide procurement of so-called “cyber data products and services” (i.e., commercially-available datasets and analytic services germane to offensive and defensive cyber operations, including products and services that provide technical data, indicators, and analytic services relating to cyber threats).  Thereafter, by July 2023, DoD components will be prohibited from independently procuring a cyber data product or service that has been procured for enterprise-wide use, unless such component is able to conduct the procurement at a lower price or the executive agent approves the purchase.

Public-Private Partnerships

Section 1508 instructs US Cyber Command to establish a voluntary process to partner with private sector information technology and cybersecurity companies to explore and develop methods and plans to coordinate the actions of private sector entities and US Cyber Command against malicious cyber actors.  The coordination process should be up and running by January 1, 2023, and requires US Cyber Command to ensure that trade secrets and proprietary information remain private and protected.

Section 1550 creates a five-year pilot program within CISA to assess the possibility of establishing voluntary public-private partnerships with “internet ecosystem companies” to support actions by such companies to discover and disrupt malicious cyber actors.  As used here, the phrase internet ecosystem company means a US business that provides, among other things, cybersecurity, internet, telecommunications, content delivery, and/or cloud services.  As part of the program, CISA may help companies develop effective know-your-customer programs; provide technical assistance and analytics to improve the private sector’s ability to detect and prevent illicit or suspicious actions through their services; develop and socialize best practices for the collection, retention, and sharing of data to support discovery and disruption of malicious cyber activity; and share actionable intelligence and indicators of compromise for ongoing and potential threats; as well as provide recommendations for workflows, training, automated tools, and technical capabilities for internet ecosystem companies to implement to reliably detect, analyze, disrupt, and mitigate malicious cyber operations conducted using their services. 

Zero Trust

Section 1528 seeks to further the government-wide adoption of zero trust architectures and instructs the DoD to develop a zero trust strategy and model architecture for use across the DoD Information Network.  The strategy must include policies for implementing zero trust in on-premises, hybrid, and cloud environments; policies specific to operational technology, critical data, infrastructure, weapons systems, and classified networks; specifications for the enterprise-wide acquisition of zero trust capabilities; and a metrics-based assessment plan.  Congress instructed the DoD, in developing the strategy, to encourage the use of third-party cybersecurity-as-a-service models and engage with industry on issues relating to the deployment of zero trust architectures.

Critical Infrastructure

In order to further strengthen the nation’s critical infrastructure against cyber threats, such as last year’s ransomware attack against Colonial Pipeline, Section 1541 requires CISA to identify and address threats and vulnerabilities to information and operational technologies intended for use in the automated control of critical infrastructure.  To do so, the NDAA directs CISA to lead government efforts to identify and mitigate cybersecurity threats to industrial control systems; maintain threat hunting and incident response capabilities; provide technical assistance to identify, evaluate, assess, and mitigate vulnerabilities; and disseminate vulnerability information to the critical infrastructure community.

Sections 1542 through 1544 also relate to the identification and remediation of cybersecurity vulnerabilities.  Section 1542 allows CISA to identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities to information and industrial control systems; while Section 1543 requires the submission of a report to Congress by the end of 2022 detailing CISA’s efforts to mitigate such vulnerabilities and improve information sharing with the private sector.  Section 1544, meanwhile, authorizes the Department of Homeland Security (DHS) to establish an incentive-based program for industry, academia, and others to identify remediation solutions for cybersecurity vulnerabilities in information and industrial control systems.

Section 1548 establishes within CISA a “CyberSentry” program to provide continuous monitoring and detection of cybersecurity risks to owners and operators of critical infrastructure.  Private sector participation in the program will be voluntary.  As part of the program, CISA will enter into strategic partnerships with critical infrastructure providers to provide technical assistance in the form of continuous monitoring of industrial control systems; leverage intelligence to advise providers regarding mitigation measures; identify risks to industrial control systems and work with critical infrastructure providers to remediate vulnerabilities; and produce aggregated, anonymized analytic products with findings and recommendations that can be disseminated to partner entities.

Notable Omissions

While debating the FY2022 NDAA, Congress elected to omit a handful of notable cyber provisions that could reappear, at least in some form, in the coming months.  The NDAA, for example, does not include a high-profile provision that would have required private sector entities to report ransomware incidents to CISA within 24 hours and most other cyber incidents within 72 hours.  Nor does the legislation include provisions proposed in the House to codify the Federal Risk and Authorization Management (FedRAMP) program and update the Federal Information Security Modernization Act (FISMA).

* * *

Crowell & Moring’s Government Contracts Group addressed additional acquisition policy changes of which government contractors should be aware in a separate client alert last week.