The new National Defense Authorization Act revamped the cybersecurity responsibilities of the Department of Defense’s chief information officer, upping its responsibility for intrusion prevention and data sharing.
The wide-ranging NDAA, released late Dec. 9 after weeks of negotiations between lawmakers in the House and Senate, charged the DoD CIO, currently Dana Deasy, in managing and modernizing the enterprise cybersecurity of the Pentagon.
Under the NDAA, expected to be passed and signed into law, the DoD CIO officer must ensure that the department “maximizes” cybersecurity capability and ensure that department components across the Pentagon share data on endpoint activities.
Congress also tasked the CIO with ensuring that the department “supports improved” automation of cyberattack detection and response. The NDAA directs the CIO to enhance the DoD cyber posture to be prepared to fend off “common” adversary tactics, and intrusion techniques.
After the bill is signed into law by President Donald Trump, the DoD CIO must also mandate and establish a pathway toward increased data sharing across the department on cybersecurity capability, network and endpoint activity. Related to that activity, the CIO must also make mission data accessible to other DoD components.
Currently, DoD data sits in silos across the enterprise, making it difficult or near-impossible for other DoD components to receive. The Pentagon awarded a general purpose cloud contract to Microsoft as part of its broader cloud strategy to try to knock down those silos. That cloud is known as the Joint Enterprise Defense Infrastructure, or JEDI, and the Pentagon plans to move 80 percent of DoD applications there once it is established; the contract is currently tied up in both the U.S. Court of Federal Claims and the U.S. Court of Appeals, though a judge hasn’t halted any work from proceeding.
The NDAA also increases the CIO’s tasks related to the the DoD’s computing, making the officeholder in charged of refreshes, installations and acquisition of bandwidth. Additionally, it requires that DoD CIO utilize cybersecurity tools created by the Defense Advanced Research Projects Agency, Defense Innovation Unit and other DoD innovative hubs.
In another effort to increase cybersecurity at the Pentagon, the CIO must engage the NSA in cybersecurity testing and engineering, and use the Defense Digital Service as workforce, engineering and policy experts.
In his October confirmation hearing, Deasy said that the NSA would perform penetration on the JEDI cloud in order to guarantee its cybersecurity.