The Pentagon is seen from the air over Washington, DC on August 25, 2013. The 6.5 million sq ft (600,000 sq meter) building serves as the headquarters of the US Department of Defense and was built from 1941 to 1943. (Saul Loeb / AFP / Getty Images)
The 2014 National Defense Authorization Act cleared the Senate late Thursday with provisions affecting cybersecurity, cloud computing and purchasing multi-year commercial satellite services.
The bill authorizes $607 billion in defense spending for the current fiscal year. Having passed Congress, it now heads to President Obama's desk for his signature.
Some provisions from earlier versions of the bill did not make the final cut. The DoD deputy chief management officer will not be re-titled under secretary of defense for management. That position also will not be designated as the DoD chief information officer.
The provision, which was only in the Senate version of the bill, would also have made the role of CIO a Senate-confirmed position.
Earlier this month, Defense Secretary Chuck Hagel announced plans to cut staff sizes and reorganize positions in an effort to save at least $1 billion over the next five years. They include realigning oversight of business systems from the DCMO to the DoD CIO. The new DCMO role will focus on key efforts, including management, policy, and analysis and planning, performance, and integration, Hagel said.
However, the proposed blending of DCMO and CIO roles could still happen, according to a joint explanatory statement from both houses of Congress. "We will evaluate this proposal before making a decision on elevating the DCMO and designating that new position as responsible for the CIO roles," the statement reads in part.
The bill gives the defense secretary until March 15 to provide direction on plans for buying cloud computing systems and approving requirements for cloud solutions, such as enabling cross-domain, departmentwide discovery and correlation of data stored in cloud and non-cloud computing databases, relational and non-relational databases, and hybrid databases.
The secretary must also provide direction on plans to ensure cloud systems and services are interoperable, align with DoD's joint information environment and incorporate attribute-based access controls, which help manage who has access to certain information.
For cloud contracts over $1 million, the secretary must coordinate with the director of national intelligence to ensure DoD's cloud investments are integrated with the Intelligence Community Information Technology Enterprise (ICITE). This will enable IT interoperability, information sharing, and other efficiencies, according to the bill. ICITE is a five-year strategy to standardize and consolidate IT operations across the IC.
In cybersecurity, the bill requires:
The defense secretary to report on the ability of each service to operate in non-permissive and hostile cyber environments. The unclassified report is due to Congress a year after the NDAA is enacted. It will include an assessment of potential cyber threats to major weapon systems and tactical communications systems that could emerge in the next five years, as well as strategies to detect, deter, and defend against cyber attacks on current and planned major weapon systems.
The creation of a Communications Security Review and Advisory Board, chaired by the CIO, to monitor DoD's communications security, cryptographic modernization, and key management efforts, including activities under major defense acquisition programs. CIOs for the military services will report to the board about their service's communications security activities.
The president to develop an interagency process for creating recommendations on controlling the proliferation of cyber weapons. Industry will be included in this process to the extent possible and help identify the intelligence, law enforcement, and financial sanctions that should be used to suppress the trade in cyber tools that can be used for criminal or terrorist activities. These methods, however, should enable the government and the private sector to use such cyber tools for self-defense.
The defense secretary to brief Congress on options for strengthening outreach and threat awareness programs for DoD's small business contractors. Doing so will help them understand the gravity and scope of cyber threats; develop a plan to protect intellectual property; and develop a plan to protect the networks of such businesses.
A provision in the bill also requires the under secretary of defense for acquisition, technology, and logistics and DoD CIO to establish a strategy for multi-year purchasing of commercial satellite services. The strategy will be based on an analysis of benefits for acquiring satellite services through multi-year acquisitions, as well as potential risks and programming, budgeting, and execution challenges.