The 2020 National Defense Authorization Act always is chalk full of interesting and impactful policy changes or updates. The thing with the 1,794-page bill is knowing where to look.
No one person can read through the roughly 8 pounds of paper without missing a few important nuggets. So with some help of some federal experts, I dug into the NDAA and found several provisions that likely flew under your radar:
Marine Corps Maj. Gen. Dennis Crall, the senior military adviser for cyber policy for the Defense Department’s chief information officer, offered simple advice at the recent AFCEA Northern Virginia luncheon: “Read the NDAA.”
Specifically, Crall wanted industry to look at the provision requiring each military service to create a principal cyber adviser — Section 905, if you are keeping score at home.
“Congress gave us very directed tasks and responsibilities for this new billet or this new role. There are also some implied tasks. The services need some time to go through this and decide how they are going to provide a level of sufficient implementation,” Crall said. “But here is what we know, the same things that happened at the Office of the Secretary of Defense level of the principal cyber adviser translate well. In fact, some of the responsibilities appear to be identical. One of the key ones is to oversee the implementation of service strategies and policies that are in place.”
He said the new cyber adviser likely will take on a role that the agency CIO, chief data officer or even cyber commands don’t do — look across the board at all cyber activities and advises senior leaders to ensure cohesiveness of all of these disparate efforts.
The goal, Crall said, is not to replace or usurp any specific leader in a service, but providing advice across all of the mission areas.
“It happens in my office right now. It’s the very same thing that happens at the OSD level to be able to look from one end of the spectrum to the other and provide a level of advice to make sure the left hand and the right hand know what each is doing and looking at offsets and strategy to make sure we are covering down the Secretary’s highest priorities” he said. “One of the key pieces is to review cyber budget proposals to make a determination of adequacy. Adequacy is not defined. We will define it. But one thing adequacy does do, I think very clearly, is takes a look at the sufficiency of the plan, meaning the funding, scope and nature that it’s desired to achieve. And where there is an inadequate or imbalance in that adequacy, however the services’ decide to define that, there is a requirement for that principal cyber adviser to come back to Congress annually and describe which plans are inadequate and why. That’s pretty significant.”
Tucked into section 128, the Navy is given specific requirements for buying its next strategic sealift fleet vessel.
Stay up to date on all things federal with our revamped mobile app. Download it to your device today.
But this is really a procurement provision, according to one of my federal experts.
Congress wants a new vessel by 2026, but more interestingly, it’s how lawmakers want the Navy to go about buying the vessel.
The provision all but tells the Navy to return to the days of the “lead system integrator.” Under the LSI concept, the government gives its contractor broad responsibilities to do everything from developing requirements to source selection to construction to testing and validation.
The NDAA states, “The Secretary of the Navy may seek to enter into a contract or other agreement with a private-sector entity under which the entity may act as executive agent for the Secretary for purposes of the contract. The executive agent described in may be responsible for: selecting a shipyard for the construction of the sealift vessel; managing and overseeing the construction of the sealift vessel; and such other matters as the Secretary of the Navy determines to be appropriate.”
It seems lawmakers want the Navy to contract out the entire process, even where the ship is built.
This definitely raises some questions, including how much of this effort could be considered inherently governmental?
This is especially poignant given the LSI debacles of the 2000s. The Army’s Future Combat System (FCS) and the Coast Guard’s Deepwater program are two of the most well-known LSI failures.
Turn to Section 1651 in your handy NDAA and you’ll find an interesting provision on DoD’s big data platform. It’s not too unusual, calling on the Pentagon to reorient its efforts around DoD’s cyber strategy.
But if you dig deeper into the provision, as Mike Hettinger, the CEO of Hettinger Strategy Group did, you’ll find Congress called out the Joint Regional Security Stacks (JRSS). JRSS is DoD’s initiative that started in 2013 to create a security infrastructure to reduce the number of network entry points that could be targeted by hackers. Let’s say over the last now almost seven years, JRSS hasn’t gone well. In 2019, the DoD inspector general released two audits raising serious questions about the future of JRSS, including the existence of critical security vulnerabilities, a lack of training for personnel who are tasked with operating the security stacks and that senior Defense officials have not adequately set and managed requirements for the system.
The NDAA tells DoD by Jan. 1, 2021, to develop a common baseline standard for collecting security data and processing it through a schema as a way to identify and mitigate cyber threats across the Defense Information Network (DoDIN).
“The Secretary shall take such actions as the Secretary considers necessary to standardize deployed infrastructure, including the Department of Defense’s perimeter capabilities at the Internet Access Points, the Joint Regional Security Stacks, or other approved solutions, and the routing of data laterally and vertically from Department of Defense Information Network segments and tiers, to enable standard and comprehensive metadata collection,” the law states. “[The Secretary shall] take such actions as the Secretary considers necessary to standardize deployed cybersecurity applications, products, and sensors and the routing of data laterally and vertically from Department of Defense Information Network segments and tiers, to enable standard and comprehensive metadata collection.”
The fact that Congress called out JRSS in the provision is interesting given the program’s struggles and this might be an initial push by lawmakers for DoD to move on from the current approach to JRSS.
Despite concerns about JRSS, Congress still allocated two buckets of funding for JRSS as well. The first is $88 million for acquisition of tools and the second bucket is $18 million for research, test and evaluation.
Quick turn to Section 1648 because DoD has less than 20 days to meet the initial requirement under this part of the NDAA.
Congress is giving the Pentagon a Feb. 1 deadline to “develop a consistent, comprehensive framework to enhance cybersecurity for the United States defense industrial base.” Military leaders then have to brief lawmakers by March 11 on the framework and expected pilot programs to test it out.
This, of course, is known as the Cybersecurity Maturity Model Certification (CMMC) initiative DoD started in 2019 and released its first draft of the requirement in September.
While the CMMC is hardly an “under the radar” provision of the NDAA, Gordon Bitko, the former FBI CIO and now the senior vice president for policy, public sector at the IT Industry Council, said the expedited timeframe both Congress and DoD wants is concerning for industry.
“Everyone is on board with understanding the cyber risks the defense industrial board (DIB) faces and needing to find ways to harden and secure their systems and data better. But the concerns ITI members have is what seems like the arbitrary rush to hit those dates laid out in the NDAA,” Bitko said in an interview. “Even though the bills and guidance are requiring DoD to do it in a collaborative way, none of our members feel like it’s happening well enough. We are providing feedback and ideas to DoD, but it seems like they will get to them later. If we go down the road of creating a process and infrastructure upfront without having gotten input from industry who spend a lot of time thinking about cyber, I’m concerned DoD will create a duplicative infrastructure and not apply lessons learned from things like the Federal Risk Authorization Management Program (FedRAMP).”
Bitko said DoD has not addressed several big picture questions such as the scope of CMMC and how it will filter down into the supply chain, the true cost and time to get more than 300,000 vendors through third-party accreditors and the value of the certification if it’s only an annual requirement or one that happens every three or five years.
On page 333, Section 802 seems to be one of those provisions where what’s old is new again.
It calls for DoD to run at least two and no more than five pilots where a cross-functional team of experts, known as “alpha contracting teams,” come together to work on a particularly complex acquisition.
“The conferees note that this construct revives in a modern context the ‘alpha contracting’ concept that is more than a decade old. Further, it brings together all government personnel involved in the functions that support acquisition actions, to include contracting staff as well as technical staff, operators and cost personnel,” the NDAA states. “This is intended to ensure that technical requirements are appropriately valued and that the most effective acquisition strategy to achieve these requirements is identified.”
Matthew Cornelius, the executive director of the Alliance for Digital Innovation (ADI), pointed out this provision.
“Done correctly, this pilot program and the initiatives DoD chooses for inclusions can truly bring together the best of government, academia and industry to collectively address complex procurements,” he said. “These initiatives should be broadly scoped so as to allow true collaboration and technical expertise to influence better buying decisions and not bias outcomes towards a single, established entity.”
Congress wants DoD to act quickly with deadlines of Feb. 1 to establish pilot criteria, May 1 to identify and notify Congress of the test cases selected and Dec. 1 to brief lawmakers on the pilots metrics, including how they are improving acquisition cycle time and other metrics.