AI and machine learning security and procurement requirements: Recognizing that AI now underpins everything from battlefield planning to intelligence analysis, the bill introduces sweeping requirements to safeguard these systems from emerging digital threats.The NDAA spells out a spate of policy and procurement practices that the military should meet regarding artificial intelligence and machine learning (ML). First, the DoD, in consultation with other Federal agencies, has 180 days after the date of enactment to develop and implement a department-wide policy for the cybersecurity and associated governance of AI and ML systems and applications, as well as the models for AI and ML used in national defense applications.The policy must protect against security threats to AI and machine learning, including model serialization attacks, model tampering, data leakage, adversarial prompt injection, model extraction, model jailbreaks, and supply chain attacks. It also must employ cybersecurity measures throughout the life cycle of systems using artificial intelligence or machine learning.Moreover, the policy must reflect the adoption of industry-recognized frameworks to guide the development and implementation of AI and ML security best practices. Likewise, it must follow standards for governance, testing, auditing, and monitoring of systems using artificial intelligence and machine learning to ensure the integrity and resilience of such systems against corruption and unauthorized manipulation.Finally, the AI and machine learning policy must accommodate training requirements for the department’s workforce to ensure personnel are prepared to identify and mitigate vulnerabilities specific to AI and ML.The bill further spells out physical and cybersecurity procurement requirements for AI and machine learning systems. It specifies that the defense secretary must develop a framework for the implementation of cybersecurity and physical security standards and best practices relating to AI and ML technologies to mitigate risks to the department from the use of such technologies.The NDAA specifies that the framework must cover all relevant aspects of the security of AI and ML systems, including the risk posed to and by the DoD workforce, including insider threat risks, training and workforce development requirements regarding artificial intelligence security awareness, artificial intelligence-specific threats and vulnerabilities, professional development and education, supply chain threats (including counterfeits), tampering risks, unintended exposure or theft of AI systems or data, security management practices and more.It also requires the framework to draw on existing frameworks, including the NIST Special Publication 800 series and existing DoD frameworks, including the Cybersecurity Maturity Model Certification framework.Finally, under the legislation, the framework must prioritize the most highly capable AI systems that may be of highest interest to cyber threat actors, based on risk assessments and threat reporting, and impose requirements for security on contractors.Other AI provisions under the NDAA require the DoD to revise the mandatory training on cybersecurity for members of the Armed Forces and civilian employees of the department to include content related to the unique cybersecurity challenges posed by artificial intelligence.The bill further says that by April 1, 2026, the DoD needs to establish a task force on AI sandbox environments to identify, coordinate, and advance department-wide efforts to develop and deploy AI sandbox environments necessary to support experimentation, training, familiarization, and development across the military.
Other noteworthy cyber-related NDAA provisions: Beyond mobile security and AI governance, the NDAA includes a broad array of cyber measures with strategic implications across defense, intelligence, and international partnerships.The following are among the more noteworthy cybersecurity provisions in the compromise bill:Commercial spyware: The bill contains a “sense of Congress” statement that there is a national security need for the legitimate and responsible procurement and application of cyber intrusion capabilities, including efforts related to counterterrorism, counternarcotics, and countertrafficking. It expresses the view that the proliferation of commercial spyware presents significant and growing risks to national security, including to the safety and security of government personnel.It suggests that the US should oppose the misuse of commercial spyware “to target individuals, including journalists, defenders of internationally recognized human rights, and members of civil society groups, members of ethnic or religious minority groups, and others for exercising their internationally recognized human rights and fundamental freedoms, or the family members of these targeted individuals.”It also further stipulates that the US should coordinate with allies and partners to prevent the export of commercial spyware tools to end-users likely to use them for malicious activities, and to share information on this issue with allies robustly.Evaluation of national security risks posed by foreign adversary acquisition of American multiomic data: The bill stipulates that not later than 270 days after its enactment, the director of national intelligence, in consultation with the secretary of defense, the US attorney general the secretary of health and humans services, the secretary of commerce, the secretary of homeland security, the secretary of state, and the national cyber director, shall complete an assessment of risks to national security posed by human multiomic data from US citizens that is collected or stored by a foreign adversary from the provision of biotechnology equipment or services. Multiomic data combines different types of biological data, such as genomics, transcriptomics, proteomics, and metabolomics, to provide a complete picture of a biological system.Biological data for artificial intelligence: The legislation calls for tiered levels of cybersecurity safeguards and access controls for the storage of biological data and contains requirements for the protection of the privacy of individuals.Cybersecurity regulatory harmonization: By June 1, 2026, the DoD must harmonize the cybersecurity requirements applicable to the defense industrial base, reduce the number of such requirements that are unique to a specific contract or other agreement, and submit to the congressional defense committees a report on the actions taken to carry out the harmonization.Cybersecurity and resilience annex in Strategic Rail Corridor Network assessments: The legislation says the defense secretary, in coordination with the transportation secretary and the homeland security secretary, should conduct a periodic evaluation of the Strategic Rail Corridor Network. The assessment must include an annex containing a review of the cybersecurity and the resilience of the physical infrastructure of the Strategic Rail Corridor. The Strategic Rail Corridor is the interconnected network of rail corridors important to national defense and military mobility, as defined by the Department of Defense and the Federal Railroad Administration.Cyber workforce recruitment and retention: The billrequires the defense secretary to fix the rates of basic pay for military employees working on cyber with a pay rate on par with comparable employees elsewhere in the government.Supporting cybersecurity and cyber resilience in the Western Balkans: The NDAA contains a “sense of Congress” statement that the United States support for cybersecurity, cyber resilience, and secure ICT infrastructure in Western Balkans countries will strengthen the region’s ability to defend itself from and respond to malicious cyber activity conducted by nonstate and foreign actors, including foreign governments, that seek to influence the region.Demonstration of real-time monitoring capabilities to enhance weapon system platforms: If funds are available, the secretary of defense, in coordinationwith the undersecretary of defense for acquisition andsustainment and the service acquisition executives, will carry out a demonstration to equip selected weapon systemplatforms with onboard, near real-time, end-to-end serialbus and radio frequency monitoring capabilities to detectcyber threats and improve maintenance efficiency.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4103754/key-cybersecurity-takeaways-from-the-2026-ndaa.html
