The National Defense Authorization Act (NDAA) for Fiscal Year 2022 incorporated some of the Hill’s work on cybersecurity in 2021. There were 37 cybersecurity amendments included in this analysis—all of which focused on domestic policies and excluded amendments for international cooperation (such as Sec. 1551). Notably, there were efforts from lawmakers to get cyber incident reporting included in this bill, requiring critical infrastructure entities to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransomware attacks within 24 hours. These were removed from the final FY22 NDAA signed into law on December 27, 2021.
The categories from the first analysis in this series, on Cybersecurity in the 117th Congress, were applied to this process, with some categories broadened to fit the scope of the NDAA’s amendments. Organization was overwhelmingly the most popular category, with 89% of the cybersecurity amendments including provisions related to this tag. Contrary to the bills proposed on the Hill, none of the cybersecurity amendments in the NDAA included specific funding allocations. However, the Department of Defense is projected to spend upwards of $10 billion on cybersecurity in FY22. Below is the breakdown of the amendments based on four categories.
: expands or addresses the current cybersecurity workforce.
- 8 amendments created mechanisms for workforce enhancement.
: advances cybersecurity capabilities.
- 20 amendments focused on capacity building.
: analyzes potential cybersecurity vulnerabilities, often creating reports or briefings to relevant stakeholders.
- 16 amendments included risk assessments.
: amends current federal organization structure, such as extending position terms, creating programs, or updating agency processes.
- 33 amendments addressed federal organization structure.