A big theme in this year’s annual defense policy bill has been increased oversight for cyber policy, operations and forces.
The National Defense Authorization Act, which was finalized late Dec. 9 by congressional defense committees, has over 30 cyber-related provisions. Here are seven oversight items included in the bill:
Modification of acquisition authority
In 2016, Congress granted U.S. Cyber Command limited acquisition authority — capping acquisition funds at $75 million per year, sunsetting in 2021.
This year’s bill amends the authority to say that the command cannot obligate or expend more than $75 million on new contract efforts.
Readiness of the cyber mission force
The bill requires the secretary of defense to create metrics for the assessment of the readiness of the cyber mission force and brief Congress on such metrics.
Following the May 2018 full operational capability of the cyber mission force, Cyber Command said it was shifting its focus from building the force to readiness. The command has articulated its own metrics that it is putting into practice to measure readiness.
The Government Accountability Office in a March report took aim at DoD and Cyber Command for building the force too quickly, which led to readiness issues.
More requirements for separating the National Security Agency and Cyber Command
The bill adds elements to previous legislation that DoD must certify before it can sever the so-called dual-hat relationship between the NSA and Cyber Command, which also share a leader.
The changes include a requirement that each organization have robust command-and-control systems for planning, deconflicting and executing military cyber operations and now national intelligence operations as well, a requirement that tools for cyber operations are sufficient for achieving required effects and a Cyber Command can acquire or develop them and that the cyber mission force “has demonstrated the capacity to execute the cyber missions of the Department.”
In a change from the Senate panel’s version of the bill, for which there was no analogous portion in the House-passed version, the final bill also requires DoD to provide the defense committees with a briefing on the current and future partnership between the NSA and Cyber Command.
These briefings should include information on common infrastructure and acquisition, operational priorities, research and development partnerships and projected long term efforts.
Authorities for cyber operations and policies governing them
After the Trump administration modified the rules for approving cyber operations from the previous administration, there has been a protracted fight between the executive and legislative branches to see the underlying documentation governing the change.
The bill requires no later than 30 days after its enactment and upon request from committees, the president must allow them to read a copy of all so-called National Security Presidential Memorandums relating DoD operations in cyberspace.
Another provision in the bill requires congressional committees be notified in writing when authorities articulated in these policy documents are delegated from the president to the secretary of defense for military operations in cyberspace no later than 15 days after the delegation.
Report on cyber operations
The secretary of defense must deliver a report to Congress no later than March 1 of each year summarizing all named military cyber operations that were conducted in the previous calendar year.
This report must be organized by adversarial country and should include a raft of specifics to include, among others, the objective and purpose, impacted countries or entities, methodologies used for the cyber effects, specific cyber mission force teams involved, infrastructure used and costs.
Study of cyber capabilities
Congress wants the Defense Science Board to study future cyber war-fighting capabilities of DoD.
Within the past year, Cyber Command created the Joint Cyber Warfighting Architecture, which guides cyber capability and development in five broad areas.
The Defense Science Board study should provide a technical evaluation of the architecture, especially key acquisition program priorities such as Unified Platform, Joint Cyber Command and Control and the Persistent Cyber Training Environment.
The provision in the bill also directs the study to include information on capability requirements, speed of development, coherence of the architecture, technical evaluation of tool development, evaluation of operational planning and targeting of Cyber Command and recommendations.
Study of cyber command elements
The bill directs the Pentagon’s principal cyber adviser to examine the best way to organize and staff four military cyber agencies.
The study would look at what it means it would mean if the personnel in these agencies were moved from services to joint organizations. It would also consider what would happen if those billets were moved to Cyber Command.
The first of the organizations would be the Joint Force Headquarters-Cyber (JFHQ-C). The four JFHQ-Cs deploy offensive cyber teams within the combatant commands. They provide planning, targeting, intelligence and cyber capabilities to the combatant commands they’re assigned and are led by the heads of the four service cyber components.
The second is the Joint Mission Operations Centers.
The third group is what’s known as cyber operations-integrated planning elements. These are small teams currently being created by each service cyber component that will serve as a forward element of the JFHQ-C locally at the combatant command staff to help coordinate cyber effects for battle plans.
The fourth are the Joint Cyber Centers at each combatant command.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.