U.S. Senator Ben Sasse, a member of the Senate Select Committee on Intelligence, issued the following statement after the passage of the 2021 National Defense Authorization Act.

"The uncomfortable truth is that we’ve been lagging behind when it comes to cyber and wars are already being fought with hackers. Here’s the good news though: because of the Solarium Commission’s work, this year’s defense bill makes our cyber strategy stronger than ever before. We’ve got a whole lot more work to do, but this is real progress. Two dozen of our provisions are in this defense bill and that’s exactly why I’ve been working on this front for years."

Background: 

This year’s NDAA includes 26 provisions that were led by Senator Sasse and the rest of the legislative commissioners appointed to Solarium. Most notably, they include:

  • Establishes a National Cyber Director and the Office of the National Cyber Director within the Executive Office of the President in a Senate-confirmed capacity.
  • Creates a Continuity of the Economy Plan to ensure we have a recovery plan in place in the event of a major disruption.
  • Forms the Joint Cyber Planning Office under CISA to facilitate the planning of cohesive cybersecurity campaigns between federal agencies and the private sector.
  • Directs the Executive Branch to submit a report to Congress that evaluates current Federal cybersecurity centers and areas for improvement.
  • Tasks DHS with conducting a Cybersecurity and Infrastructure Security Agency Review on the ability of CISA to accomplish its current missions.
  • Establishes a Department of Homeland Security CISA Director.  
  • Establishes a Cybersecurity Advisory Committee.  
  • Gives administrative subpoena authority to the Cybersecurity and Infrastructure Security Agency to identify vulnerable systems and notify both public and private system owners.
  • Authorizes CISA to perform threat hunting identification on federal networks.
  • Codifies sector-specific agencies as Sector Risk Management Agencies that will establish responsibilities and requirements for identifying and assessing risk for critical infrastructure sectors.
  • Creates a Biennial National Cyber Exercise that will be conducted every two years for ten years.
  • Requires the DoD to assess Private-Public Collaboration in Cybersecurity.  
  • Directs the DoD to conduct a force structure assessment of the Cyber Mission Force.
  • Directs the DoD to evaluate statutes, rules, regulations, and standards that pertain to the use of the National Guard for the response to and recovery from significant cyber incidents.
  • Makes improvements relating to the Quadrennial Cyber Posture Review.
  • Creates a Report on Enabling U.S. Cyber Command Resource Allocation that ensures Cyber Command has the necessary means and the budget needed to fulfill its mission.
  • Requires an assessment from the DoD of non-traditional cyber support.  
  • Creates a Defense Industrial Base Participation in a Threat Intelligence Sharing and Mitigation Program.
  • Mandates a report on the risk to national security posed by quantum computing technologies.
  • Requires the DoD to develop a comprehensive plan pertaining to the cyber defense of nuclear command and control systems.
  • Modification of Requirements Relating to the Strategic Cyber Security Program and the Evaluation of Cyber Vulnerabilities of Major Weapon Systems of the DoD: Tasks the DoD with developing an annual assessment of cyber vulnerabilities of Major Weapon Systems.
  • Asks the GAO to conduct a study of Cybersecurity Insurance.  
  • Enhances the federal government’s ability to recruit, develop, and retain a stronger cyber workforce.
  • Authorizes the Cybersecurity Education and Training Assistance Program.  
  • Renews the Cyberspace Solarium Commission.  
  • Directs DHS to develop a strategy to secure U.S.-based email providers.