The National Defense Authorization Act for Fiscal Year 2016 [pdf], signed into law just before Thanksgiving, authorizes $607 billion for Department of Defense activities in FY 2016. It also implements a number of acquisition reforms intended to enhance the Government’s cybersecurity efforts and streamline the various acquisition regulations.  Here we break down some of the key acquisition provisions:

  • Rapid acquisition authority for cyber attacks. Section 803 of the 2016 NDAA expands the DoD’s ability to employ rapid acquisition procedures established under the 2003 NDAA to enhance its ability to respond to combat emergencies and urgent operational needs. Under Section 803, rapid acquisition procedures may now be used to acquire “needed offensive or defensive cyber capabilities, supplies, and associated support services” to respond to a cyber attack that “has resulted in critical mission failure, the loss of life, property destruction, or economic effects.” The term “cyber attack” is broadly defined as including any “deliberate action to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information or programs” in those systems. Acquisitions made pursuant to this authority are subject to an aggregate limit of $200 million in each fiscal year.
  • U.S. Cyber Command acquisition authority and liability protection for cybersecurity contractors. In addition to expanding DoD’s rapid acquisition authority to deal with cyber attacks, Section 807 of the NDAA provides new limited acquisition authority for the Commander of the United States Cyber Command (CYBERCOM). The Commander is authorized to procure “cyber operations-peculiar equipment and capabilities,” subject to an annual limit of $75 million for each fiscal year from 2016 through 2021. Section 1647 of the NDAA also requires the evaluation of cyber vulnerabilities of all major DoD weapons systems by the end of 2019. Section 1641 of the NDAA provides enhanced liability protection for reporting cyber incidents for both “cleared” and “operationally critical” contractors, so long as there is no willful misconduct.