The defense policy bill Congress is poised to approve contains multiple items aimed at states’ cybersecurity efforts, including one that could give National Guard units broader abilities to respond to cyberattacks.
The final draft of the National Defense Authorization Act, a massive bill that Congress passes annually, introduced Thursday includes language that formalizes and expands the role that National Guard units play in cyber operations, including when they can be called upon to respond to an incident and how they collaborate with civilian agencies.
The National Guards of every state have in recent years formed dedicated cyber unit, with members of those units assisting their state governments in a range of missions, including responding to ransomware attacks, defending election infrastructure and protecting digital services used in states’ pandemic responses.
The NDAA would the secretaries of defense and homeland security to update the National Cyber Incident Response Plan to greater incorporate those National Guard units, codifying how they interact with federal agencies like the FBI and Cybersecurity and Infrastructure Security Agency, state and local governments, law enforcement and other non-federal entities.
The bill also authorizes the Pentagon to create a pilot program in which those National Guard cyber units could offer remote assistance to their counterparts in other states. That activity could involve “training, preparation, and response to cyber incidents, and would have to be conducted in coordination with the FBI, Department of Homeland Security and relevant state agencies. Any pilot project would also have to be conducted within the confines of existing mutual-aid agreements between states, like the Emergency Management Assistance Compact, which is often invoked in response to natural disasters like hurricanes and wildfires.
Both National Guard-related measures had been previously endorsed by the National Governors Association, which in October asked congressional leaders for their inclusion in the final version of the NDAA.
Additionally, the NDAA would direct CISA to hire a cybersecurity coordinator for each state, a program that was suggested by an amendment backed by a bipartisan group of senators. The coordinators would be responsible for building relationships with the public and private sectors in their states, serving as risk advisers facilitating the sharing of threat intelligence and acting as emissaries for the federal government’s cyber capabilities. The coordinators would also be available to help state and local governments develop their cyber incident response plans.
The NDAA also includes a broader range of cybersecurity-focused proposals, many of them drawn from the report issued earlier this year by the Cyberspace Solarium Commission. While President Donald Trump has threatened to veto the defense bill over a series of unrelated grudges, both houses of Congress are almost certain to have enough votes to override the outgoing president.