Cyber Protections Set to Advance in Must-Pass Defense Legislation

Introduction
On December 7, 2025, House and Senate Armed Services Committee leaders unveiled legislative text (House Amendment to S. 1071) for the fiscal year (FY) 2026 must-pass defense authorization bill, a wide-ranging package that includes numerous cyber-focused provisions poised to become law. On December 10, 2025, the House cleared the measure via a 312-112 vote, and the Senate is set to vote on final passage next week before the holiday recess.
The package, which expands U.S. cyber authorities, investments and governance across the U.S. Department of Defense (DoD), the U.S. Department of State, the U.S. Department of Energy (DOE) and the U.S. Coast Guard, reflects a broad modernization agenda, enhancing U.S. Cyber Command’s operational autonomy and preserving the longstanding “dual-hat” leadership structure with the National Security Agency (NSA) by prohibiting any reduction in the Command’s authorities or oversight. It also tightens cybersecurity across the defense enterprise by requiring the Secretary to ensure that mobile phones provided to senior officials meet strict encryption and security standards; mandates the incorporation of artificial intelligence (AI)-specific threats into mandatory cybersecurity training; prohibits the elimination of key NSA-certified cyber assessment and red-team testing capabilities and directs DoD to create guidelines for using commercial cloud enclaves overseas for high-risk systems.
The bill further pushes DoD to harmonize cybersecurity regulations across the defense industrial base, reducing duplicative contract requirements while institutionalizing new governance processes and annual CIO reporting. It enhances the security of AI and emerging technologies, expands data and cloud modernization, strengthens the resilience of critical infrastructure and advances cyber capacity-building with foreign partners.
Alongside these policy changes, the legislation allocates significant new resources to U.S. Cyber Command, providing approximately $73 million for cyberspace operations, roughly $30 million for unspecified activities and an additional $314 million to support operations and maintenance at its headquarters.
The compromise package omits reauthorization of both the 2015 Cybersecurity Information Sharing Act (CISA 2015) and the State and Local Cybersecurity Grant Program, both of which were included in the short-term continuing resolution (CR) but are now slated to expire at the end of January absent further congressional action.
Below is a consolidated summary of the key cyber-related provisions included in the compromise version of the defense authorization bill.
U.S. Department of Defense
Title VIII: Acquisition Policy, Acquisition Management and Related Matters
- Provisions Relating to Supply Chains and Domestic Sourcing (Subtitle D)
- Assessment of Critical Infrastructure Owned by DoD Dependent on Foreign Materials or Components (Sec. 838): The bill directs the Department to, by January 1, 2027, identify all DoD critical infrastructure that depends on materials or components sourced from “foreign entities of concern” and conduct a detailed risk assessment of those dependencies. The assessment must evaluate supply-chain vulnerabilities, domestic manufacturing gaps and the resilience of critical infrastructure during national emergencies, with initial focus permitted on the most essential assets (such as those tied to Indo-Pacific contingencies). “Foreign entity of concern” is defined to include China, North Korea, Russia, Iran and any other entity determined by the Secretary to present material risk to U.S. national security interests.
- Industrial Base Matters (Subtitle F)
- Cybersecurity Regulatory Harmonization (Sec. 866): By June 1, 2026, the provision requires DoD to standardize cybersecurity requirements across the defense industrial base, reduce contract-specific cyber rules and report those actions to Congress. The legislation also requires formal governance processes to identify duplicative or inconsistent requirements, centralize approval of new cyber rules and ensure stakeholder input. Beginning December 31, 2026, the DoD Chief Information Officer (CIO) must submit annual reports for three years detailing implementation progress, contract exceptions and approval decisions.
Title IX: DoD Organization and Management
- Office of the Secretary of Defense and Related Matters (Subtitle A)
- Modification to Authorities of the Director of Operational Test and Evaluation (Sec. 904): The provision grants the Director of Operational Test and Evaluation (DOT&E) access to test and evaluation master plans, requires the Secretary to request sufficient annual funding for DOT&E and authorizes the Director to contract with federally funded research and development centers for expert support. It also prohibits divestment, consolidation, transfer or degradation of several key testing and evaluation programs, including the Cyber Assessment Program, through September 30, 2027, unless the Secretary submits a detailed justification and waits 30 days.
Title X: General Provisions
- Studies and Reports (Subtitle F)
- Cybersecurity and Resilience Annex in Strategic Rail Corridor Network Assessments (Sec. 1067): The provision directs DoD to, in collaboration with the U.S. Department of Transportation (DOT) and the U.S. Department of Homeland Security (DHS), ensure that all future assessments of the Strategic Rail Corridor Network include a cybersecurity and physical resilience annex. The annex must evaluate cyber threats and vulnerabilities, assess resilience to cyber attacks and adversary disruptions and recommend actions to strengthen defenses and infrastructure.
- Other Matters (Subtitle G)
- Framework for Reforming Technology Transfer and Foreign Disclosure Policies (Sec. 1086): The provision requires DoD to, within 180 days, develop a comprehensive framework to overhaul the Department’s technology transfer and foreign disclosure policies. The framework must modernize rules for sharing sensitive and emerging defense technologies (including AI, cybersecurity, hypersonics, autonomous systems and quantum), streamline approval processes, align policies across the military services, incorporate industry input and update the National Disclosure Policy.
- Critical Infrastructure Compatibility Tabletop Exercise (Sec. 1093): The measure directs DoD to, within one year, conduct a nationwide tabletop exercise to evaluate the resilience of U.S. military installations and surrounding civilian infrastructure in the face of severe weather events or adversarial attacks on the homeland, including cyber incidents targeting intelligent energy control systems, traffic management systems and emergency response networks.
Title XI: Civilian Personnel
- Cyber Workforce Recruitment and Retention (Sec. 1113): The bill expands the Cyber Excepted Service to include positions supporting U.S. Cyber Command and up to 500 additional highly skilled cyber positions critical to national security. It updates pay authorities to better align cyber employee salaries with comparable federal positions and allows pay up to 150% of Executive Schedule Level I, while also extending and expanding reporting requirements on staffing costs and recruitment impacts.
Title XII: Matters Relating to Foreign Nations
- Matters Relating to Israel (Subtitle D)
- Research, Development, Test and Evaluation of Emerging Technologies to Further the Warfighting Capabilities of the U.S. and Certain Partner Countries (Sec. 1234): The provision authorizes DoD to jointly research, develop, test and evaluate emerging technologies, including AI, cybersecurity, robotics, quantum systems and automation, with certain partner countries, provided certain protections for sensitive information and national security are maintained.
- Matters Relating to Europe, Ukraine and the Russian Federation (Subtitle E)
- Modification and Extension of Annual Report on Military and Security Developments Involving the Russian Federation (Sec. 1241): The provision broadens the scope, geographic reach and analytical depth of the annual classified and unclassified report to Congress on Russian military and security developments. With respect to cyber, the Secretary must provide detailed assessments of Russia’s cyberwarfare capabilities, the volume and nature of malicious cyber incidents targeting DoD networks, Russia’s information and influence operations and its integration of cyber tools into broader military campaigns.
- Matters Relating to Asia (Subtitle G)
- Extension of Pilot Program to Improve Cyber Cooperation with Foreign Military Partners in Southeast Asia (Sec. 1261): The provision extends DoD’s pilot program to improve cyber cooperation with foreign military partners in Southeast Asia through 2028.
Title XV: Cyberspace-Related Matters
- Cyber Operations (Subtitle A)
- Planning, Programming and Budget Coordination for Operations of Cyber Mission Force (Sec. 1501): The provision grants the Commander of U.S. Cyber Command direct authority to control and manage the planning, programming, budgeting and execution of resources for the Cyber Mission Force, including preparing independent budget submissions and justification materials for Congress.
- Modification to Reporting Requirements for Senior Military Advisor for Cyber Policy (Sec. 1502): The provision shifts the supervisory and reporting authority for the Senior Military Advisor for Cyber Policy and the Deputy Principal Cyber Advisor from the Under Secretary of Defense for Policy to the Assistant Secretary of Defense for Cyber Policy.
- Framework for Integration of Information Technology Technical Debt Assessment into Annual Budget Process (Sec. 1503): The provision directs DoD to, by September 1, 2026, develop and implement a comprehensive framework to integrate the assessment, tracking and management of technical debt into IT investment decisions and budget justification processes. The framework must establish standardized definitions, metrics, prioritization methods and organizational responsibilities and be fully incorporated into the FY 2027 budgeting process.
- Department of Defense Data Ontology Governance Working Group (Sec. 1504): The provision establishes a DoD Data Ontology Governance Working Group to develop and implement a common, Department-wide data ontology and governance structure to improve data interoperability, information sharing and decision-making. The Working Group, to be composed of senior digital, IT, data, intelligence and acquisition leaders, must develop domain-specific data ontologies, designate functional area leads and create a centralized governance structure with standardized ownership, access and maintenance processes. The group must be established by June 1, 2026, issue Department-wide policy by June 1, 2027 and fully implement the governance framework by June 1, 2028.
- Future Force Employment Concepts Development Tabletop Exercises (Sec. 1505): The provision requires DoD to, by September 1, 2026, conduct one or more tabletop exercises to evaluate future concepts for employing cyber forces beyond the current force structure and planning cycle. The exercises must assess new cyber force formations, integration with non-cyber units, command-and-control models and alternative doctrine, organization and training approaches.
- Occupational Resiliency of the Cyber Mission Force (Sec. 1506): The provision directs DoD to, within one year, launch an initiative to address occupational resiliency and work-related behavioral health challenges at Cyber Mission Force duty locations by assigning appropriately cleared behavioral health professionals on site.
- Prohibition on the Elimination of Certain Cyber Assessment Capabilities for Test and Evaluation (Sec. 1507): The language prohibits DoD from eliminating, consolidating or reducing any National Security Agency (NSA)-certified cyber assessment or red-team capabilities used for operational test and evaluation unless the Secretary first submits a detailed certification to Congress justifying the action with cost, workforce, operational impact and intelligence-integration analyses.
- Prohibition on Availability of Funds to Modify Authorities of the Commander of United States Cyber Command (Sec. 1508): The provision, a version of which was included in the Senate bill, bars DoD from using FY 2026 funds to reduce or weaken the authorities, responsibilities or organizational oversight of the Commander of U.S. Cyber Command below the level in effect as of June 1, 2025. Although the final NDAA language is narrower than the Senate-passed version, which would have prohibited any structural changes to Cyber Command, the compromise text aims to protect the current leadership construct, including the long-standing “dual-hat” arrangement. The bill allows only limited organizational or authority adjustments that do not degrade Cyber Command’s operational effectiveness and requires written notice to Congress at least 30 days before such changes.
- Limitation on Availability of Funds for the Combined Joint All-Domain Command and Control Initiative (Sec. 1509): The language limits the obligation or expenditure of more than 90% of FY 2026 research, development, test and evaluation funds for the Combined Joint All-Domain Command and Control (CJADC2) initiative until the Secretary submits a comprehensive investment and performance framework to Congress.
- Cybersecurity (Subtitle B)
- Secure Mobile Phones for Senior Officials and Personnel Performing Sensitive Functions (Sec. 1511): This section requires DoD to, within 90 days of enactment, ensure that all mobile phones and telecommunications services provided to senior officials and personnel performing sensitive national security functions are procured under contracts requiring enhanced cybersecurity protections, including encryption of data and communications, mitigation of persistent device identifiers to prevent tracking and continuous device monitoring.
- AI and Machine Learning Security in DoD (Sec. 1512): Within 180 days of enactment, the provision directs DoD to establish a Department-wide cybersecurity and governance policy for AI and machine learning (ML), addressing lifecycle security, industry standards, workforce training and protections against AI-specific threats such as model tampering and data leakage. The Department must then conduct a comprehensive review of its AI/ML cybersecurity practices.
- Physical and Cybersecurity Procurement Requirements for AI Systems (Sec. 1513): The provision, which was in the Senate bill, requires DoD to develop a comprehensive, risk-based framework for implementing cybersecurity and physical security standards for covered AI and ML systems. The framework must address workforce risks, AI-specific threats and vulnerabilities, supply chain risks, adversarial tampering, data theft and security posture management, while leveraging existing frameworks, including the National Institute of Standards and Technology (NIST) Special Publication 800 series and the Cybersecurity Maturity Model Certification (CMMC) framework. Higher security levels are required for AI systems of greatest national security concern, including protection against highly capable cyber threat actors, with additional components designed specifically for advanced AI systems. The Secretary may amend the Defense Federal Acquisition Regulation Supplement (DFARS) or take similar actions to mandate adoption of best practices by covered entities. Covered AI and ML technologies include all aspects of the system lifecycle and covered entities are those contracted by DoD to develop, deploy, store or host such systems.
- Collaborative Cybersecurity Educational Program (Sec. 1514): This section requires DoD to establish a collaborative cybersecurity education program with academic institutions to develop curriculum standards, workforce competencies, outreach efforts and best practices to strengthen the national cyber workforce.
- Incorporation of AI Considerations into Cybersecurity Training (Sec. 1515): The provision, which was in the House bill, requires the Chief Information Officer (CIO) to, within one year, revise the mandatory annual cybersecurity training for Armed Forces members and civilian employees to include content addressing the unique cyber challenges posed by AI.
- Information Technology and Data Management (Subtitle C)
- Accountability of the Authorization to Operate Processes (Sec. 1521): This section aims to strengthen accountability and timeliness in the DoD Authorization to Operate (ATO) process by requiring Department-wide mandatory timelines and creating expedited review and appeal procedures for delayed authorizations, particularly for cloud-hosted systems. It directs the DoD CIO and military departments to implement escalation processes when approvals stall and imposes strict resolution timelines with written justifications for delays. The provision also mandates detailed biannual reporting to Congress through 2031 on ATO decisions, delays, denials, workforce qualifications and recommendations to improve the Risk Management Framework.
- Annual Report on Department of Defense Unified Datalink Strategy (Sec. 1522): The provision requires DoD to submit annual reports to Congress through December 31, 2032, on the implementation of the Department’s unified datalink strategy, beginning within 180 days of enactment.
- Reports and Other Matters (Subtitle E)
- Study on Reducing Incentives for Cyber Attacks on U.S. Defense Critical Infrastructure (Sec. 1543): The provision directs DoD to conduct a comprehensive study on how military capabilities can be used to increase the costs to adversaries for targeting U.S. defense critical infrastructure in cyberspace, with the goal of deterring such attacks.
- Integration of Reserve Components into Cyber Mission Force (Sec. 1544): The provision requires DoD to, by October 1, 2026, conduct a study on how best to structure, train and integrate reserve component personnel into the Cyber Mission Force for cyberspace operations.
- Annual Report on Mission Assurance Coordination Board Activities (Sec. 1545): The provision requires the co-chairs of the Mission Assurance Coordination Board to submit annual reports to Congress from December 1, 2026, through December 1, 2031, detailing the Board’s activities and findings. Each report must summarize covered cybersecurity assessments; identify high and significant risks (including cross-system risks); assess the cybersecurity and resilience of operational technology and physical infrastructure; incorporate input from installation commanders on readiness impacts; track remediation progress across the Future Years Defense Program and provide recommendations for mitigation, prioritization and asset protection.
- Limitation on the Divestment, Consolidation and Curtailment of Certain Electronic Warfare Test and Evaluation Activities (Sec. 1546): The provision prohibits the Army from divesting, consolidating or curtailing electronic warfare test and evaluation activities within the Major Range and Test Facility Base unless a detailed report is first submitted to Congress justifying the decision with cost, workforce and operational impact analyses.
Title XVI: Other Defense Matters
- Mapping and Report on Strategic Ports (Sec. 1704): The provision requires the State and Defense departments to map, study and report on strategic global ports, with a focus on identifying Chinese government efforts to control or influence such ports and the associated national security risks, and to report to Congress within one year.
Title XVIII: Acquisition Reform
- Alignment of the Defense Acquisition System (Subtitle A)
- Establishment of Project Spectrum (Sec. 1807): The measure establishes “Project Spectrum,” an online DoD platform to help small and mid-sized defense contractors understand and comply with defense acquisition requirements, with a strong emphasis on cybersecurity compliance (including alignment with CMMC) and foreign ownership risk.
Title XXVIII: Military Construction General Provisions
- Real Property and Facilities Administration (Subtitle C)
- Authorization for Monetary Contributions to the Conveyees of Utility Systems for Infrastructure Improvements (Sec. 2842): The language authorizes DoD to fund infrastructure improvements to conveyed utility systems (including cybersecurity upgrades) through direct monetary contributions to the utility owner instead of traditional military construction projects.
U.S. Department of Energy (DOE)
Title XXXI: DOE National Security Programs
- Program Authorizations, Restrictions and Limitations (Subtitle B)
- Organization and Codification of Provisions of Law Relating to Atomic Energy Defense Activities (Sec. 3111): The language requires the National Nuclear Security Administration (NNSA) to establish mandatory procedures for contractors and subcontractors to rapidly report successful cyber penetrations of certain sensitive networks. The Administrator must define which networks qualify and contractors must report breaches within 60 days, including details on attack methods, malware samples (if available) and what NNSA-related information may have been compromised. The provision also requires contractors to provide NNSA personnel with the necessary access to equipment and data for forensic analysis (with protections for proprietary information).
U.S. Department of State
Title I: Organization and Operations
- Management and Consular Affairs (Subtitle A)
- Chief Information Officer for Diplomatic Technology (Sec. 5116): The measure establishes a Chief Information Officer for Diplomatic Technology within the Department to oversee the IT, cybersecurity workforce and digital infrastructure. The CIO is also responsible for enterprise IT governance, cybersecurity and risk management, technology innovation, budgeting and acquisitions and improving customer experience in diplomatic technology operations.
- Bureau of Diplomatic Technology (Sec. 5117): The provision creates a Bureau of Diplomatic Technology within the State Department, responsible for strategy, planning, budgeting, acquisition, governance, cybersecurity, IT workforce planning, modernization and oversight of the Department’s information technology and communications systems.
- Sense of Congress Regarding Modernization and Realignment of Consular Systems (Sec. 5120): The language expresses that the State Department should modernize consular information systems by aligning them with Department-wide IT and cybersecurity strategy, reducing redundancy and improving efficiency.
Title III: Information Security and Cyber Diplomacy
- Post Data Pilot Program (Sec. 5301): The provision creates a Post Data Program to improve data and AI use across U.S. diplomatic posts, overseen by the Department’s Chief Data and AI Officer (CDAO). The Secretary must submit an implementation plan within 180 days and report annually for three years on progress.
- Authorization to Use Commercial Cloud Enclaves Overseas (Sec. 5302): The provision directs the Department to issue guidelines within 180 days authorizing and tracking the use of overseas commercial cloud enclaves for high-risk (FISMA High) OCONUS systems, ensuring the deployments comply with federal cybersecurity requirements and National Institute of Standards and Technology (NIST)/ISO best practices.
- Reports on Technology Transformation Projects at the Department (Sec. 5303): The provision directs the Secretary to submit annual reports to Congress detailing all major technology transformation projects completed in the previous two fiscal years, including each project’s goals, technologies used, performance results, adoption metrics, costs and implementation challenges. Projects that fail to achieve at least 50% user adoption within six months must include remediation plans and assessments of whether deployment should be modified or paused.
- Commercial Spyware (Sec. 5304): The language expresses concern about the growing national security and human rights risks of commercial spyware and stresses that U.S. policy is to oppose such misuse, coordinate with allies to restrict abusive spyware exports and work with industry to detect and counter such tools.
U.S. Coast Guard
Title LXXIII: Shipping and Navigation
- Ports (Subtitle C)
- Cyber-Incident Training (Sec. 7325): The language authorizes the Secretary to conduct unannounced security exercises in Captain of the Port Zones. These exercises may involve any facility or vessel that is required to maintain a security plan.
Other Matters
Title LXXXIII: Foreign Affairs Matters
- Western Balkans Democracy and Prosperity (Subtitle C)
- Supporting Cybersecurity and Cyber Resilience in the Western Balkans (Sec. 8339): The language emphasizes that strengthening cybersecurity and cyber resilience in the Western Balkans is in the national security interest of the United States, particularly given threats from Russia, China, Iran and North Korea. The bill requires an interagency report, led by the State Department and coordinated with Defense, Homeland Security and others, assessing cyber conditions in the region, reviewing U.S. initiatives, evaluating information-sharing and identifying options to improve support.





