Cybersecurity, 5G, Supply Chain, and Spectrum Issues in the FY20 NDAA

The National Defense Authorization Act (NDAA) has been signed into law for 59 consecutive years. Because fewer bills have come to be viewed as “must pass” legislation, the annual defense bill tends to attract debate on issues that do not necessarily fall exclusively under the jurisdiction of the House and Senate Armed Services Committees.

Plurus Strategies has worked on issues for numerous clients over multiple NDAA cycles. In particular, we have carved out a niche in helping non-defense clients play offense or defense on various issues that have some national security relevance to justify their inclusion in NDAA discussions. We have observed that technology and telecommunications policy, while typically under the primary jurisdiction of other congressional committees, has increasingly hitched a ride on the defense bill.

President Donald Trump signed the FY20 NDAA into law on December 20, 2019. Following tense conference committee negotiations, the final FY20 NDAA Conference Report included the following provisions on cybersecurity, 5G, and supply chain:

Cybersecurity

On cybersecurity, the FY20 NDAA strengthens congressional oversight of cyber operations and aims to enhance the Department of Defense’s (DoD) cybersecurity strategy and cyber warfare capabilities. More specifically, the conference report:

  • Directs the Secretary of Defense (SecDef) to develop a consistent, comprehensive framework to enhance the cybersecurity of the U.S. defense industrial base;

  • Requires development of metrics for the assessment of the readiness of the Cyber Mission Forces;

  • Establishes a consortium of universities to advise SecDef on cybersecurity matters;

  • Establishes Principal Cyber Advisors on military cyber force matters for each military service;

  • Allows the secretaries of the military departments to use up to $3 million in Operation and Maintenance funds to develop cyber operations-peculiar capabilities for the rapid creation, testing, fielding, and operation of cyber capabilities;

  • Requires SecDef to notify the congressional defense committees and describe various operational details of any delegation of authorities from the National Command Authority for military cyberspace operations;

  • Directs an annual report on military cyberspace operations; 

  • Directs a zero-based review of DoD cyber and information technology personnel; 

  • Mandates a study on improving cyber career paths in the Navy; 

  • Refines the role of the Chief Information Officer (CIO) in improving enterprise-wide cybersecurity; 

  • Commissions a Defense Science Board study on future DoD cyber warfighting capabilities;

  • Directs SecDef to conduct a review of the cyber posture of the U.S. on a quadrennial basis; and 

  • Extends the completion date of the Cyberspace Solarium Commission. 

5G

Notably, the FY20 NDAA conference report recognizes the importance and urgency of establishing a department-wide 5G strategy to enhance military capabilities. Of particular interest, the conference report:

  • Authorizes $275 million for a new 5G information communications technology (ICT) research and development program and creation of 5G test sites at DoD installations across the U.S.;

  • Requires the establishment of microelectronic trusted supply chain and operational security standards in order to improve the acquisition of securely manufactured, commercially available products and ensure the industrial base is more resilient to a variety of risks; and

  • Requires the development of a DoD 5G strategy and implementation plan.

Supply Chain and Emerging Technologies

The FY20 NDAA conference report builds on the work of past NDAAs to enable DoD to assess and mitigate risks to its supply chain posed by advanced intelligence services like China and Russia that seek to exploit vulnerabilities that could erode the U.S. military advantage. Related to these efforts, the conference report:

  • Modernizes risk assessment and mitigation across DoD’s contracting process to strengthen decision-making about which suppliers to use;

  • Repairs microelectronics supply chain security;

  • As part of the Intelligence Authorization Act, requires an intelligence community-led task force to protect against counterintelligence threats from countries such as Russia and China and requires accountability for foreign threats to U.S. infrastructure before entering into foreign intelligence sharing agreements;

  • Directs DoD to develop a cyber science and technologies activities roadmap; and

  • Authorizes the creation of a new technology and national security fellowship for undergraduate and graduate students in STEM fields.

Spectrum Sharing

Notably missing from the version of the FY20 NDAA signed into law was the Sec. 214 spectrum sharing language initially included in the Senate-passed NDAA. This provision in the Senate bill would have expanded DoD’s role in managing spectrum resources held by the federal government, as well as spectrum licensed for commercial use. We understand spectrum continues to be an interest for the defense committees and we anticipate further discussion of spectrum policy in the FY21 NDAA cycle.