WASHINGTON, D.C. – The Co-Chairs of the Cyberspace Solarium Commission today welcomed the news that 26 of their recommendations for improving the United States’ cybersecurity posture have been incorporated into the 2021 National Defense Authorization Act (NDAA) – representing the most comprehensive and forward-looking piece of national cybersecurity in the nation’s history. 

“The Cyberspace Solarium Commission started as a provision in the 2019 NDAA, and is pleased to see more than two dozen of our key priorities and recommendations accepted and adopted to protect our national security interests, our economy, and our increasingly-connected way of life,” said Co-Chairs Senator Angus S. King, Jr. (I-Maine) and Representative Mike Gallagher (R-WI).  “From the first day we embarked on crafting America’s cyberdoctrine, we were determined to create a plan of action, not a report collecting dust on a shelf.  It is only because of the hard work and commitment of our commissioners, and tireless staff that we were able to create such a robust report earlier this year; it is due to them that we were able to inform national policy on such a remarkable level.

“Many will note the inclusion of our top priority – the National Cyber Director – within this final legislation.  We thank Senator Mike Rounds (R-SD) for his leadership in getting this provision into the final conference report.”

The conference report, which resolved differences between the Senate and House versions of the NDAA, also includes more than 50 cyberprovisions developed and incorporated by Congressional staff members – reflecting the result of hundreds of hours of thoughtful discussion to continue forming the United States 21st Century Cyberdoctrine.  It represents an equal or greater amount of collaboration from key Congressional leaders, most significantly Cyberspace Solarium Commissioners Senator Ben Sasse (R-NE) and Representative Jim Langevin (D-RI).

The bill, released this week, makes meaningful progress on improving the state of America’s cyber defenses, reorganizing the government to successfully partner with the private sector to combat growing cyber threats, clarifying the roles and responsibilities of federal government agencies, and setting in motion critical processes like Continuity of the Economy Planning.

The Cyberspace Solarium Commission recommendations included in the 2021 National Defense Authorization Act are:

1. 1. 1752 - Establish the National Cyber Director and the Office of the National Cyber Director (CSC Recommendation 1.3): Establishes a National Cyber Director within the Executive Office of the President to serve in a Senate-confirmed capacity as the President’s principal cyber advisor and provide a nexus for cybersecurity leadership in the White House.
   2. 9603 - Continuity of the Economy Plan (CSC Recommendation 3.2): Mandates the creation of a Continuity of the Economy planning effort to ensure the rapid restart and recovery of the U.S. economy after a major disruption.
   3. 1715 - Establishment in DHS of the Joint Cyber Planning Office (CSC Recommendation 5.4): Establishes a Joint Cyber Planning Office under CISA, to facilitate comprehensive planning of defensive cybersecurity campaigns across federal departments and agencies and the private sector.
   4. 1731 - Establishment of an Integrated Cybersecurity Center (CSC Recommendation 5.3): Directs the executive branch to submit a report to Congress evaluating the Federal cybersecurity centers and the potential for better coordination of Federal cybersecurity efforts at an integrated cybersecurity center within CISA.
   5. 1745 - Cybersecurity and Infrastructure Security Agency Review (CSC Recommendation 1.4): Tasks DHS with conducting a comprehensive review of the ability of the CISA to fulfill its current missions and implement the recommendations detailed by the Cyberspace Solarium Commission.
   6. 9001 - Department of Homeland Security CISA Director  (CSC Recommendation 1.4): Administrative changes to strengthen the Director position at CISA.
   7. 1718 - Cybersecurity Advisory Committee (CSC Recommendation 1.4): Establishes a Cybersecurity Advisory Committee to advise DHS/CISA.
   8. 1716 - Administrative Subpoena Authority for the Cybersecurity and Infrastructure Security Agency (CSC Recommendation 5.1.3): Grants administrative subpoena authority to CISA in order to identify vulnerable systems and notify public and private system owners.
   9. 1705 - Strengthening Federal Networks (CSC Recommendation 1.4): Authorizes CISA to perform threat hunting identification on federal networks, and for other purposes.
   10. 9002 - Codify Sector Risk Management Agencies (CSC Recommendation 3.1): Codifies Sector Specific Agencies as Sector Risk Management Agencies, establishing minimum responsibilities and requirements for identifying, assessing, and assisting in managing risk for the critical infrastructure sectors under their purview.
   11. 1744 - Creation of a Biennial National Cyber Exercise (CSC Recommendation 3.3.5): Establishes a federal government cyber exercise to be conducted every two years for ten years to include federal, state, and private sector stakeholders, as well as international partners.
   12. 1728 - Assessing Private-Public Collaboration in Cybersecurity (CSC Recommendation 5.4.1): Requires the Department of Defense to assess of the impact of the current Pathfinder initiative, the Department’s support to and integration with existing Federal cybersecurity centers, and comparable initiatives led by other Federal departments or agencies that support long-term public-private cybersecurity collaboration and make recommendations for improvements.
   13. 1729 - Clarifying the Cyber Capabilities and Interoperability of the National Guard (CSC Recommendation 3.3.6): Directs the Department of Defense to evaluate statutes, rules, regulations, and standards that pertain to the use of the National Guard for the response to and recovery from significant cyber incidents.
   14. 1706 - Improvement Relating to the Quadrennial Cyber Posture Review (CSC Recommendation 6.1 and 6.1.3): Directs the DoD to conduct a force structure assessment of the Cyber Mission Force to ensure that the United States has the appropriate force structure and capabilities in light of growing mission requirements and expectations, in both scope and scale.
   15. 1746 - Report on Enabling U.S. Cyber Command Resource Allocation (CSC Recommendation 6.1.1): Requires the Department of Defense to submit a report to Congress detailing actions to ensure that U.S. Cyber Command possesses the necessary authorities, direction, and control of the Cyber Operations Forces and the budget needed to fulfill its mission.
   16. 1730 - Evaluation of non-traditional cyber support to the Department of Defense (CSC Recommendation 6.1.7): Requires an assessment from DoD on the need for, and requirements of, a cyber reserve force.
   17. 1737 - Defense Industrial Base Participation in a Threat Intelligence Sharing Program (CSC Recommendation 6.2.1): Requires the Department of Defense to assess the feasibility, suitability, and definition of, and resourcing required to establish a defense industrial base threat information sharing program.
   18. 1739 - Defense Industrial Base Cybersecurity Threat Hunting and Sensing, Discovery, and Mitigation (CSC Recommendation 6.2.2): Requires the Department of Defense to complete an assessment of the feasibility, suitability, and resourcing required to establish a defense industrial base cybersecurity threat hunting program.
   19. 1722 - Report on the risk to national security posed by quantum computing technologies (CSC Recommendation 6.2.4): Mandates the comprehensive assessment of the threats and risks posed by quantum technologies to national security systems.
   20. 1747 - Ensuring Cyber Resiliency of Nuclear Command and Control Systems (CSC Recommendation 6.2): Requires the Department of Defense to develop a comprehensive plan to implement findings and recommendations pertaining to the cyber defense of nuclear command and control systems.
   21. 1712 - Modification of Requirements Relating to the Strategic Cyber Security Program and the Evaluation of Cyber Vulnerabilities of Major Weapon Systems of the Department of Defense (CSC Recommendation 6.2): Tasks the Department of Defense with developing a comprehensive plan for the annual assessment of cyber vulnerabilities of major weapon systems of the Department of Defense, sharing lessons learned and best practices from the annual assessment of cyber resiliency of nuclear command and control system
   22. 9005 - GAO Study of Cybersecurity Insurance (CSC Recommendation 4.4): Calls on the Government Accountability Office to study ways to improve the market for cybersecurity insurance.
   23. 9401-9407 -  Recruit, Develop, and Retain a Stronger Cyber Workforce (CSC Recommendation 1.5): Enhances the federal government’s ability to recruit, develop, and retain its cyber workforce. Changes to NIST NICE and Scholarship for Service.
   24. 1719 -  Cybersecurity Education and Training Assistance Program (CSC Recommendation 1.5.a): Authorizes the Cybersecurity Education and Training Assistance Program at DHS/CISA—a K-12 cyber education initiative.
   25. 1714 - Renewing the Cyberspace Solarium Commission (CSC Recommendation 0.0): Reauthorizes the U.S. Cyberspace Solarium Commission through late December 2021 (20 months after report submission). Removes the Commissioners from DoD, FBI, DHS, and ODNI. Halts consultant services, detailees, and any possibility of extension. For the duration of its continuance, CSC will focus on collecting and assessing comments and relevant developments; reviewing implementation; revising, amending, or making new recommendations; providing an annual update to Congress; and concluding activities. CSC will provide assessments of the final report every 10 months.
   26. 9006 - Strategy to Secure Email (CSC Recommendation 4.5.2):  Directs the Department of Homeland Security to develop a strategy to implement the Domain-based Message Authentication, Reporting, and Conformance standard across all U.S.-based email providers to secure our emails from spam and diminish the effectiveness of phishing emails.