Cyber provisions, workforce initiatives take effect as Biden signs NDAA

The final version of the legislation creates an occupational series for federal staff with data expertise.
President Joe Biden speaks during a video call with the White House Covid-19 Response team and the National Governors Association in the South Court Auditorium at the Eisenhower Executive Office Building on Dec. 27, 2021. (Photo by Anna Moneymaker/Getty Images)

President Biden on Monday signed the National Defense Authorization Act for fiscal 2022 into law, including provisions to support federal cybersecurity, the government’s use of emerging technology and the appointment of staff with data expertise at federal agencies.

The annual legislation, which sets the budgets mainly for Department of Defense programs and national security programs at the Department of Energy, was cleared by lawmakers earlier this month.

It includes a long-awaited measure to create an occupational series job classification for data science and data management, which will allow federal agencies to hire staff directly for their data expertise. Other proposals to reform the Federal Information Security Modernization Act (FISMA) and the Federal Risk and Authorization Management Program (FedRAMP) were not included in the final version of the bill.

The NDAA also mandates that the Pentagon review how the Cybersecurity Maturity Model Certification process applies to small businesses, and establishes a pilot program for the secretary of Defense to work with the director of the civilian Cybersecurity and Infrastructure Security Agency.


The legislation also compels the DOD to examine any conflicts in cyber governance between the department’s chief information officer, the head of the Defense Information Systems Agency and U.S. Cyber Command.

Tech lobbyist and former senior House Republican leadership staffer Mike Hettinger said the bill is the latest sign that cybersecurity “remains a front-burner issue” for lawmakers.

“We hear a lot of discussion about the cyber provisions that weren’t included in the FY22 NDAA – incident reporting, FISMA and FedRAMP — but don’t talk enough about the ones that were included like provisions supporting the development of DOD’s zero trust strategy, enhancing CISA’s role in cyber response, creating the CyberSentry program within CISA to continuously monitor threats to critical infrastructure, increasing overall R&D spending, and numerous others,” he said.
