Under the House and Senate armed services committees’ compromise defense policy bill, Defense Department components would have more authority to purchase alternative cybersecurity products and services.
The 2025 Defense Authorization bill, unveiled on Saturday, modifies a provision in the 2022 authorization law that required military services and defense agencies to procure all cyber products and services through a centralized program management office. Lawmakers now would let DoD components buy cyber services independently if they can demonstrate a “compelling need” for a product or service, or if independent procurement will support competition in the market.
Sen. Eric Schmitt (R-Mo.), who has long expressed concern about the Pentagon’s overreliance on major technology companies like Microsoft for its cyber products, spearheaded the effort.
“DoD CIO has used this authority to create a one-size-fits-all approach to all DoD components, causing serious concerns related to a single zero-day flaw being used to create massive disruptions across DoD’s networks. The amendment returns decision-making power back to DoD components, so they can adopt tailored cybersecurity approaches based on the threats they face,” says the amendment summary from earlier this summer, which was shared with Federal News Network.
Another provision spearheaded by Schmitt made it into the compromise bill — it ensures companies that conduct software development in China and work with the DoD disclose cybersecurity vulnerabilities to their U.S.-based arm.
Alongside these changes, the bill also would mandate the Joint Force Headquarters-Department of Defense Information Network to be formally designated as a subordinate unified command under Cyber Command.
JFHQ-DODIN, which DoD created in 2015, is currently a subordinate headquarters under Cyber Command responsible for overseeing the operations and security of the DoD’s global network.
Last year, the command elevated the Cyber National Mission Force, and House and Senate lawmakers argued that JFHQ-DODIN could benefit from a similar restructure.
Other cyber provisions that made it into the defense bill include:
- Requiring the Defense Department to establish a hackathon program under which combatant commands along with military services secretaries conduct at least four hackathons annually. The chief digital and artificial intelligence officer will develop and implement standards for hackathons and provide supporting technical infrastructure to the host of each hackathon.
- Establishing a cyber threat tabletop exercise program to prepare the Defense Department and the defense industrial base for “cyber attacks preceding or during times of conflict or wars.”
- Establishing a structured reporting requirement for the DoD to track and account for its cloud computing capabilities. DoD’s chief information officer is responsible for the report — each report must include covered cloud contracts tied to the Joint Warfighting Cloud Capability initiative and a list of cloud services or capabilities acquired outside of these covered contracts.
Meanwhile, the compromise bill removes much of the language mandating that the Defense Department commission an independent study focused mainly on establishing a separate cyber branch.
The bill now requires the Defense Department to enter into an agreement with the National Academies of Sciences, Engineering and Medicine to “conduct an evaluation of alternative organizational models for the cyber forces of the armed forces.”
© 2024 Federal News Network. All rights reserved.