A lot of the focus on the annual Defense authorization is about the funding levels and policy changes for the Pentagon.
But as anyone who has been in the federal market for at least a year knows, the National Defense Authorization Act is a catch all for legislation and provisions that matter to all agencies. These range from cybersecurity to acquisition to management. Congress passed the 2021 NDAA conference report Dec. 3.
With so many to choose from, here are 10 policy changes that passed and six that failed to make the cut that are among the most interesting and/or significant.
Let’s start off with those that failed because they have some of the more interesting backstories and surprises.
FedRAMP Authorization Act
The House passed the bill as a standalone in February. It passed again as part of its version of the NDAA in July. Among the things the legislation would do is codify the cloud security program known as the Federal Risk Authorization Management Program (FedRAMP) and would require agencies to provide a “presumption of adequacy” to vendors that are already FedRAMP-certified from other agencies.
But for whatever reason in conference, the Senate, which didn’t act on the bill for 10 months, won out.
One industry source said the blame falls squarely on Sen. Ron Johnson (R-Wis.), the chairman of the Homeland Security and Governmental Affairs Committee.
“His objection as far as I know is that the committee never considered the legislation. But they had ample time to consider it, so that tells me he didn’t really care about it or didn’t want it,” said the source, who requested anonymity in order to speak about these discussions. “I think many of us are looking forward to Johnson leaving as chairman of HSGAC. We hope the next chairman is more receptive to the bill.”
An email to Johnson’s press office seeking comment was not immediately returned.
Rep. Gerry Connolly (D-Va.) has been pushing the FedRAMP bill for more than three years, getting it through the House twice before this 11th hour decision to spike it by the conferees.
“About six weeks or so ago, Johnson objected to the bill based on process because his committee hadn’t held hearings or voted on the bill. Basically the conferees gave Johnson the veto power to have it struck and he did,” the source said. “Connolly’s folks pushed hard to get it done, even raising it to the full committee and pushed hard to get it to the chairmen and ranking members to discuss. At the end of the day, the conferees decided to take Sen. Johnson’s objection and it was enough to pull the provision.”
Cyber provisions left out
Two interesting cyber provisions also were cut from the final NDAA.
The House wanted to create a cyber threat collaboration environment among DoD, the intelligence community and the Department of Homeland Security. The goal would’ve been to “develop an information collaboration environment that enables entities to identify, mitigate and prevent malicious cyber activity. The collaboration environment would provide limited access to appropriate operationally relevant data about cybersecurity risks and cybersecurity threats, including malware forensics and data from network sensor programs, on a platform that enables query and analysis.”
It also wanted to establish an Office of Cyber Engagement of the Department of Veterans Affairs.
This new office would’ve addressed “cyber risks to veterans, share information about such risks and coordinate with other federal agencies.”
It’s unclear in both cases why the Senate won out, but neither effort seems outrageous.
Some may say the cyber collaboration environment already exists within the Cyber Threat Intelligence Integration Center (CTTIC) so why establish another one?
Feds can still use TikTok
Mayne senators are big fans of TikTok? What other reason could there be that the upper chamber wouldn’t support the banning of federal employees downloading the controversial app on their government-furnished cell phones?
The House bill included a prohibition of the video streaming application, but for reasons unknown the Senate took it out.
In August, President Donald Trump issued an executive order highlighting concerns about TikTok and its ability to capture data of users. Six weeks later, the Commerce Department issued implementation regulations of that EO. It’s possible lawmakers thought codifying the banning of an app was too hard to overturn should an American or allied-nation company buy the video streaming app.
Keep regulations complicated
What seems like a logical provision to make it easier for the general public — i.e. non-lawyers or lobbyists — to understand federal regulations hit the cutting room floor.
This time it was the Senate that included a requirement to post a 100-word summary of proposed rules to Regulations.gov. The House version of the NDAA didn’t include the provision and the Senate relented on it.
It’s unclear, once again, why someone objected to this common sense provision that wouldn’t cost anything.
Maybe some thought it would be redundant to the Plain Writing Act of 2010, which required agencies to simplify how they write federal regulations and train employees to write in a more clear and concise manner.
Less documents for DHS acquisitions
The Senate decided the Homeland Security Department provided enough document for large-scale acquisition programs and removed the House’s provision seeking to provide more details of major acquisition initiatives.
The provision would’ve required everything from lifecycle cost estimates to cost-benefit analysis to acquisition plans outlining the procurement approach and acquisition vehicles.
The House has been pushing for DHS acquisition reform for some time, including passing Rep. Dan Crenshaw’s (R-Texas) DHS Acquisition Reform Act of 2019 in February. However, this was a bill that the Senate Homeland Security and Governmental Affairs Committee didn’t act on.
Here are 10 provisions that made it into the 2021 NDAA that impact all agencies and contractors.
Small business contracting changes
There are several provisions that attempt to improve the procurement environment for small businesses. Here are a few that will have a big impact.
Even before the Government Accountability Office found in a recent report that the category management initiative is impacting small firms, Congress has been concerned for years.
The NDAA included a provision requiring training of contracting officers and others in the acquisition community on best practices for buying goods and services from small firms and ways to avoid conflicts with the requirements of the Small Business Act.
GAO found in late November that while small businesses received 30% of the spending under category management, the number of these companies winning contracts decreased between 2016 and 2019. Auditors say small firms are concerned about scalability, contract terms and the focus on using “best-in-class” contracts.
And it seems like GAO identified the need for training.
“Agencies’ Office of Small and Disadvantage Business Utilization (OSDBU) personnel play an important role in supporting their category management efforts and are their agencies’ primary interface with small businesses. However, during interviews with OSDBU personnel, we found that these officials had varying levels of familiarity with specific details about the category management initiative,” GAO wrote. “For example, some OSDBU personnel misunderstood OMB’s guidance for using BIC contracts and believed the guidance mandated agencies to use them. OMB’s overarching guidance states that the size of the BIC goal is designed to give agencies flexibility to use other governmentwide, agencywide, and local agency contracts that reflect category management principles.”
Lawmakers also officially transferred oversight of the service-disabled veteran-owned small business certification requirements to the Small Business Administration from the Department of Veterans Affairs. The NDAA requires this transfer to happen within two years.
GAO found problems with the VA-led certification process as far back as 2009.
Congress continues to give joint ventures of small businesses more power. In Section 868 of the NDAA, lawmakers said agencies should consider the past performance of these efforts as first tier subcontractors.
The move to use first tier subcontractor experience has long been a goal of small business advocacy groups. This seems like a first step in an important change.
There were almost 500 mentions of cybersecurity in the conference report, including an entire section dedicated with 50 provisions.
These are the seven that impact agencies other than, or in addition to, DoD:
The bill sets new experience requirements for the director of DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and limit the person to two five-year terms. The final bill doesn’t include the term limits
The Senate provision to modify the National Institute of Standards and Technology to include the identification and development of standards and guidelines for improving the cybersecurity workforce of an agency made it into the bill.
The House provision giving CISA more authority to “conduct threat hunting on federal information systems,” and for the agency to “provide services, information technology and sensors to other federal agencies upon request” also survived the conference committee.
Similarly, the requirement for CISA to establish a joint cyber planning office “to develop plans for the cyber defense of private and public sector entities,” the authority to issue administrative subpoenas and establish an advisory committee all were included in the NDAA.
One other significant CISA provision will require the director to review the agency’s ability to carry out its mission and implement certain recommendations of the U.S. Cyberspace Solarium Commission Report.
Two other non-CISA related provisions that are important.
One would require the Office of the Director of National Intelligence to work with the departments of State, Defense and other agencies to establish a social media data and threat analysis center and submit a report to Congress.
The report would focus “on foreign influence campaigns targeting United States federal elections and would be due by March 1.
Finally, the NDAA reestablishes a National Cybersecurity Director in the White House.
“The Office of the Director would have a range of responsibilities, including serving as the principal advisor to the president on cybersecurity matters, leading the development and implementation of cyber strategy, and coordinating major cyber incident response efforts across the federal government,” the provision states.