Senate defense policy bill requires Software Bill of Materials for DOD contracts, reports on critical infrastructure

By Sara Friedman  / July 20, 2022

Cyber elements in the Senate version of the fiscal year 2023 defense authorization bill are mostly Defense Department-focused, including a provision to require contractors to submit a Software Bill of Materials, and new authorities for U.S. Cyber Command to play an active role in addressing critical infrastructure attacks by "foreign powers."

The full text of the bill was filed Monday by Senate Armed Services Committee Chairman Jack Reed (D-RI) and Ranking Member Jim Inhofe (R-OK). Plans for consideration on the floor have not been announced.

The Senate version does not include key Cyberspace Solarium Commission proposals that are a priority for cyber policy veteran Rep. Jim Langevin (D-RI), who is retiring this year. Langevin, a Solarium member, was able to get commission recommendations on codifying systemically important critical infrastructure and the creation of a joint collaborative environment into the House version of the bill.

Another Solarium proposal left out of the Senate version is codifying a five-year term for the Cybersecurity and Infrastructure Security Agency director.

According to the report accompanying the bill, “The committee recommends a provision that would require the Secretary of Defense to amend the Department of Defense Supplement to the Federal Acquisition Regulation to require a software bill of materials for all non-commercial software created for or acquired by the Department of Defense.”

The report says, “The provision would also require certain Department officials to provide recommendations and the Secretary to conduct a study of acquiring a software bill of materials for software already acquired by the Department. In addition, the provision would require the Secretary, in consultation with industry, to develop an approach for commercial software that provides policies and processes for operationalizing software bills of materials to enable the Department to understand more promptly the cybersecurity risks to Department capabilities posed by discoveries of vulnerabilities and compromises in commercial and open source software.”

“Finally,” the report says, “the provision would require the Secretary to request information on options to identify software to enable risk assessments and patching of security vulnerabilities detected absent a reliable bill of materials.”

On critical infrastructure, the report says:

The committee recommends a provision that would allow the President, on determination of an active, systemic, and ongoing campaign of attacks in cyberspace by a foreign power against the Government or the critical infrastructure of the United States, to authorize the Secretary of Defense, acting through the Commander, U.S. Cyber Command, to conduct military cyber activities or operations pursuant to section 394 of title 10, United States Code, in foreign cyberspace to deter, safeguard, or defend against such attacks.

It also addresses a 2018 memorandum between DHS and DOD to protect privately owned critical infrastructure by requiring a report on implementation progress.

The DHS inspector general conducted an audit last year evaluating the department’s cybersecurity information sharing efforts on the MOU and other elements of the “Cyber Action Plan.”

The audit said, “In 2018, the Secretary of Homeland Security and the Secretary of Defense established a joint memorandum to clarify the roles and responsibilities between DHS and DOD and enhance the U.S. Government’s readiness to respond to cyber threats. To accomplish this, the 2018 joint memorandum established six coordinated lines of effort (LOE) to secure, protect, and defend the homeland. These LOEs were:

“1. Intelligence, Indicators, and Warning

“2. Strengthening the Resilience of National Critical Functions

“3. Increasing Joint Operational Planning and Coordination

“4. Incident Response

“5. Integrating with State, Local, Tribal, and Territorial Governments

“6. Defense of Federal Networks”

The Senate defense policy bill requires a separate report on “critical infrastructure prioritization” in the context of whether DOD has done “sufficient contingency planning . . . to determine the appropriate response and prioritization of critical infrastructure in the event of a physical or cyber event for Defense Continuity and Mission Assurance purpose.”

The bill addresses the Pentagon’s Cybersecurity Maturity Model Certification program, praising work to address the committee’s concerns “about needing to improve the cybersecurity of the defense industrial base (DIB), balanced with the needs of small and medium-sized businesses.” It specifically asks for a report from the comptroller general on “incorporation of reciprocity in the CMMC process.”

The Senate Armed Services cyber subcommittee held a hearing in May 2021 on the cybersecurity of the DIB where DOD official Jesse Salazar provided an update on the CMMC internal review. CMMC 2.0 was announced in November.

The authorization bill also includes a provision expressing support for Open Radio Access Network (O-RAN) standards and technology to accelerate DOD adoption of fifth-generation (5G) networks, and the creation of the “Department of Defense Cyber and Digital Service Academy as a scholarship-for-service program partnered with universities and colleges in the United States.”