The fiscal year (FY) 2023 National Defense Authorization Act (NDAA) approved by the House late on July 14 by a vote of 329-101 picked up hundreds of other bills along the way as approved amendments, including numerous government tech-related legislative items ranging from long-sought Federal Risk and Authorization Management Program (FedRAMP) enhancements to a bill that would wrap Federal agency CIOs more tightly into agency planning processes.
The inclusion of those items in the FY2023 NDAA bill is promising for their chances to become law eventually, but those prospects remain far from certain.
The next step for the House-approved NDAA bill is the Senate, where legislators will debate the bill and further amend it. Following that step, differences between the House and Senate versions of the NDAA will be worked out in a conference committee, and then a unified bill will be returned to both the House and Senate for final votes.
On top of that, the NDAA on its own is not an appropriations bill, but it is a vital policy-setting bill that is considered by most in Congress to be “must-pass” legislation.
“After months of hard work, negotiations, and vigorous debate the House has completed our work to pass the FY23 NDAA,” said Rep. Adam Smith, D-Wash., chairman of the House Armed Services Committee. “The annual defense bill serves as the legislative foundation for national security policymaking.”
On the technology front, Rep. Smith said the bill authorizes a 20 percent jump in basic research funding, triples investment in the National Security Innovation Network, bumps up funding for the Defense Innovation Unit, and extends until 2024 the Small Business Innovation Research and Small Business Technology Transfer programs.
Here are just a few of the prominent items among the many technology and cybersecurity-related legislative items attached via amendments to the FY2023 NDAA. The entire list from the House Armed Services Committee is available here.
Legislation pushed for the past several years by Rep. Gerry Connolly, D-Va., to codify into Federal law the FedRAMP program – which certifies the security of cloud technologies for Federal government use and is operated by the General Services Administration (GSA) – made the NDAA by a vote of 277-150. A very similar version of the legislation won House approval last year.
According to a summary of the amendment, the bill would enhance the program by: “(1) Accelerating the adoption of secure cloud solutions through the reuse of assessments and authorizations; (2) Achieving consistent security authorizations using a baseline set of agreed-upon standards for cloud product approval; and (3) Ensuring consistent application of existing security practices.”
Rep. Connolly said earlier this year that the House FedRAMP bill incorporates work “with the Office of Management and Budget, GSA, industry stakeholders, and my friends on the other side of the aisle to ensure that the bill makes needed improvements.” He continued, “This bill is essential … It will demonstrate a universal commitment to FedRAMP and the accelerated adoption of secure cloud computing technologies across the Federal enterprise – a vital component of the broader Federal IT modernization effort itself.”
Also winning a spot on the NDAA by a 277-150 vote is the Performance Enhancement Reform Act, which was approved by the full House last year.
The bill sponsored by Rep. Connolly, who chairs the House Government Operations Subcommittee, and Rep. Jody Hice, R-Ga., the panel’s ranking member, would make sure that Federal agency CIOs – along with chief data, financial, and human capital officers – are wrapped into the process of how agency leaders craft performance plans for their organizations.
On the technology front, the bill would require agency performance plans to “include descriptions of technology modernization investments, system upgrades, staff technology skills and expertise, stakeholder input and feedback, and other resources to meet the agency’s performance goals,” the subcommittee said.
Approved by voice vote as an amendment to the FY2023 NDAA is legislation offered by Rep. Jim Langevin, D-R.I., that would create a class of “systemically important” critical infrastructure providers that would be obligated to collaborate more closely with the Federal government on cybersecurity.
In February, Rep. Langevin said he identified about 100 private sector firms he’d consider “systemically important” critical infrastructure providers. “The issue of what we call systemically important critical infrastructure is focused on those companies that are so large and so important to the national or economic security of the United States that if they went down, it wouldn’t be just the company having a bad day, but the entire country having a bad day,” he said.
“We want to create a closer collaborative relationship with those companies that give broader actionable intelligence sharing, as well as have the companies be able to give context to what, maybe, the intel community is seeing,” said the congressman, who chairs the House Armed Services Committee’s cyber subcommittee.