Sections 861-867 focus on small businesses, including committing the Department of Defense to analyze and review how its Cybersecurity Maturity Model Certification (CMMC) can work for small businesses. The act also establishes a channel of communication between the Secretary of Defense at the Pentagon and the Cybersecurity and Infrastructure Security Agency (CISA).
Under the new NDAA, CISA will be required to update its incident response plans biannually, and to consult with the respective industry sectors in the private sector to assess where those plans can be strengthened.
An amendment that would have required private-sector breaches and incidents to be reported to CISA within 72 hours passed the House, but was not included in the final bill approved by the Senate.
"This result is beyond disappointing and undermines national security. We had hoped to mark the one-year anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President's desk," House Homeland Security Committee Chairman Bennie Thompson, D-Miss., and Rep. Yvette D. Clarke, D-N.Y., said in a joint statement.
According to the House Armed Services Committee, the new law also "Modernizes the relationship between the Department of Defense Chief Information Officer and the National Security Agency's components responsible for cybersecurity, Establishes a program office within Joint Forces Headquarters-DODIN to centralize the management of cyber threat information products across the Department of Defense," and "Initiates the widest empowerment and expansion of CISA through legislation since the SolarWinds incident."