The National Defense Authorization Act (NDAA) for Fiscal Year 2022 incorporated some of the Hill’s work on cybersecurity in 2021. There were 37 cybersecurity amendments included in this analysis, all of which focused on domestic policies and excluded amendments for international cooperation (such as Sec. 1551). Notably, there were efforts from lawmakers to get cyber incident reporting included in this bill, requiring critical infrastructure entities to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransomware attacks within 24 hours. These were removed from the final FY22 NDAA signed into law on December 27, 2021.
The categories from the first analysis in this series, on Cybersecurity in the 117th Congress, were applied to this process, with some categories broadened to fit the scope of the NDAA’s amendments. Organization was overwhelmingly the most popular category, with 89% of the cybersecurity amendments including provisions related to this tag. In contrast to the bills proposed on the Hill, none of the cybersecurity amendments in the NDAA included specific funding allocations. However, the Department of Defense is projected to spend upwards of $10 billion on cybersecurity in FY22. Below is the breakdown of the amendments based on four categories.
Workforce: expands or addresses the current cybersecurity workforce.
- 8 amendments created mechanisms for workforce enhancement.
Capacity building: advances cybersecurity capabilities.
- 20 amendments focused on capacity building.
Risk assessment: analyzes potential cybersecurity vulnerabilities, often creating reports or briefings to relevant stakeholders.
- 16 amendments included risk assessments.
Organization: amends current federal organization structure, such as extending position terms, creating programs, or updating agency processes.
- 33 amendments addressed federal organization structure.