The compromise version of the annual National Defense Authorization Act was released Tuesday, clearing the House in an overwhelming 364-60 vote. But a key provision expected to be in the bill was not included.
While there are other cyber provisions in the NDAA, a long-touted incident notification rule, requiring some victims of breaches to alert the federal government within a few days of noticing, was not included.
Incident reporting had bipartisan support in both the House and the Senate, with slight differences in wording across different proposals that had been expected to work their way out in conference. It was touted by lawmakers as an important step for national security following the SolarWinds espionage that began in 2020. In that instance, Mandiant notified the government and public at large it had discovered a large-scale hacking operation in progress affecting federal networks and contractors, even though it was under no obligation to do so. Lawmakers had become concerned that allowing enterprises to not share information about breaches that could affect national security would allow these campaigns to continue unfettered.
Democrats are blaming Sen. Mitch McConnell, R-Ky., for the NDAA's exclusion of incident reporting language. Republicans contacted for the story did not immediately respond.
There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning Wednesday — well past the NDAA deadline.
"This result is beyond disappointing and undermines national security," said Reps. Bennie Thompson, D-Miss., and Yvette Clark, D-N.Y., the chairs of the House Homeland Security Committee and it's subcommittee on cybersecurity, infrastructure protection, and innovation, in a statement.
"We had hoped to mark the one-year anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the president’s desk. Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA," they continued.
On the whole, this year's NDAA did not contain the same density of cyber legislation as last year's, when legislators included a boatload of recommendations that came from the Cyber Solarium Commission. However, it was not completely devoid of information security.
If passed by the Senate and signed by President Joe Biden, the NDAA will require the Department of Defense to create a zero-trust model for the DoD Information Network (DODIN), as well as study the impact of new supply chain cybersecurity requirements on small businesses. It will also give the National Guard more capacity for cybersecurity support.