August 23, 2018

Cybersecurity in the 2019 National Defense Authorization Act ... Five Topics for Businesses

Unsurprisingly, the John S. McCain National Defense Authorization Act for 2019 addresses privacy, cybersecurity, and critical infrastructure in many ways. Here are five cyber provisions for defense contractors and other businesses to track:

     1. The Secretary of Defense must notify four Senate and House committees when there is a “significant loss” of personally identifiable information affecting military and civilian personnel or controlled unclassified information by a cleared defense contractor. Look for new Defense Department reporting procedures in early 2019. Sec. 1639. 

     2. Pointing to the public-private nature of cyberspace and national security, the Secretary of Defense may share cyber threat information relating to China, Iran, North Korea, and Russia with private sector entities during military operations to disrupt cyber attacks. This operational collaboration applies broadly to false online personas and compromised infrastructure affecting U.S. elections or otherwise influencing U.S. political processes. Sec. 1642.

     3. The Defense Department will launch a new defense industrial base program to help small manufacturers and universities identify and reduce cybersecurity risk. It will include training, assistance with cybersecurity self-assessments, and a certification program for those who will provide cyber planning assistance to small businesses and universities. Sec. 1644.

     4. A pilot program modeling complex cyber and physical attacks on multiple critical infrastructure sectors will explore new risk analysis methodologies and commercial computing capabilities. Goals of the program include better incident response training and public-private collaboration when the military supports civil authorities during cyber emergencies. Sec. 1649.

     5. To mitigate national security risks to IT products or services, new regulations will require Defense Department contractors to disclose obligations to foreign governments relating to information or operational technology, cybersecurity, an industrial control system, or a weapons system. Allowing foreign governments (or their representatives) to review the code of noncommercial products and seeking an ITAR export license are two of the reportable actions. Sec. 1655.

For assistance with these and other cyber dimensions of your company's work, contact Partner David Delaney at ddelaney [at] or call (919) 545-4910.

About the Author

David Delaney is a Partner at FH+H, focusing his practice on clients' cyberspace needs. He advises on a wide range of business issues arising under international, federal, and state law, including data security, privacy, breach response, product development, contracts, internal policies, and regulatory compliance. He is licensed to practice in Maryland and North Carolina.
