On Dec. 7, the House and Senate Homeland Security Committees released their compromise version of the 2026 National Defense and Authorization Act (NDAA), a nearly 3,100-page piece of legislation that contains a host of provisions to fund several Department of Defense cybersecurity efforts in fiscal year 2026.
Although cybersecurity is referenced hundreds of times across the NDAA, the legislation contains provisions that, once the law becomes effective, will mark significant shifts in how the US military manages major cybersecurity tasks, particularly in the timely arena of protecting mobile communications of top brass and AI deployments, as well as more understated, but potentially high-impact, infosec duties.
Although numbers chronically vary widely for NDAA cyber expenses, depending on the source or the year, according to a July budget request from the CFO for the Defense Department, the cyber activities in the NDAA request for FY2026 are approximately $15.1 billion, or 4.1% more than the previous year’s request. This cyber budget bump stands in stark contrast to proposed double-digit cuts for civilian agencies.
Around $9.1 billion of that amount goes to pure cybersecurity efforts, with the rest allocated to not clearly defined “cyberspace operations” of US Cyber Command, the Defense Intelligence Agency, the Defense Threat Reduction Agency, the National Security Agency, and the Office of the Under Secretary of Defense, Research and Engineering.
Around $611.9 million of the total was allocated to DoD cyber research for the “deployment and modernization of existing capabilities and technologies that advance next generation cybersecurity and cyberspace operations programs.”
Securing mobile phones for top officials
Few cyber risks are as operationally consequential as insecure mobile communications, and the NDAA directly targets this gap with new mandates for how the Pentagon procures and protects devices for top officials.
The bill requires that, no later than 90 days after enactment, the DoD will ensure that each wireless mobile phone and all related telecommunications the department provides to senior military officials or any other employee who performs sensitive national security functions are acquired under contracts or other agreements that require enhanced cybersecurity protections.
Under the bill, enhanced cybersecurity protections mean encrypted data, capabilities to mitigate or obfuscate persistent device identifiers, including periodic rotation of network or hardware identifiers to reduce the risk of inappropriate tracking of the activity or location of the wireless mobile phones, and the capability to monitor the wireless mobile phones continuously.
Under the legislation, 180 days after the bill’s enactment, the Secretary of Defense must submit to the relevant congressional defense committees a report detailing the mobile telecommunications contracts the Pentagon has entered pursuant to these provisions, how it determined which employees these mobile provisions apply to, and the total costs of wireless mobile phones and telecommunication services involved.
It is likely no coincidence that these provisions follow the so-called Signalgate incidents from earlier this year. During those incidents, the current DoD head Pete Hegseth shared over Signal via his private mobile device “nonpublic” information that identified “the quantity and strike times of manned US aircraft over hostile territory over an unapproved, unsecure network approximately two to four hours before the execution of those strikes,” according to a report released on Dec. 2 by the department’s inspector general.
AI and machine learning security and procurement requirements
Recognizing that AI now underpins everything from battlefield planning to intelligence analysis, the bill introduces sweeping requirements to safeguard these systems from emerging digital threats.
The NDAA spells out a spate of policy and procurement practices that the military should meet regarding artificial intelligence and machine learning (ML). First, the DoD, in consultation with other Federal agencies, has 180 days after the date of enactment to develop and implement a department-wide policy for the cybersecurity and associated governance of AI and ML systems and applications, as well as the models for AI and ML used in national defense applications.
The policy must protect against security threats to AI and machine learning, including model serialization attacks, model tampering, data leakage, adversarial prompt injection, model extraction, model jailbreaks, and supply chain attacks. It also must employ cybersecurity measures throughout the life cycle of systems using artificial intelligence or machine learning.
Moreover, the policy must reflect the adoption of industry-recognized frameworks to guide the development and implementation of AI and ML security best practices. Likewise, it must follow standards for governance, testing, auditing, and monitoring of systems using artificial intelligence and machine learning to ensure the integrity and resilience of such systems against corruption and unauthorized manipulation.
Finally, the AI and machine learning policy must accommodate training requirements for the department’s workforce to ensure personnel are prepared to identify and mitigate vulnerabilities specific to AI and ML.
The bill further spells out physical and cybersecurity procurement requirements for AI and machine learning systems. It specifies that the defense secretary must develop a framework for the implementation of cybersecurity and physical security standards and best practices relating to AI and ML technologies to mitigate risks to the department from the use of such technologies.
The NDAA specifies that the framework must cover all relevant aspects of the security of AI and ML systems, including the risk posed to and by the DoD workforce, including insider threat risks, training and workforce development requirements regarding artificial intelligence security awareness, artificial intelligence-specific threats and vulnerabilities, professional development and education, supply chain threats (including counterfeits), tampering risks, unintended exposure or theft of AI systems or data, security management practices and more.
It also requires the framework to draw on existing frameworks, including the NIST Special Publication 800 series and existing DoD frameworks, including the Cybersecurity Maturity Model Certification framework.
Finally, under the legislation, the framework must prioritize the most highly capable AI systems that may be of highest interest to cyber threat actors, based on risk assessments and threat reporting, and impose requirements for security on contractors.
Other AI provisions under the NDAA require the DoD to revise the mandatory training on cybersecurity for members of the Armed Forces and civilian employees of the department to include content related to the unique cybersecurity challenges posed by artificial intelligence.
The bill further says that by April 1, 2026, the DoD needs to establish a task force on AI sandbox environments to identify, coordinate, and advance department-wide efforts to develop and deploy AI sandbox environments necessary to support experimentation, training, familiarization, and development across the military.
Other noteworthy cyber-related NDAA provisions
Beyond mobile security and AI governance, the NDAA includes a broad array of cyber measures with strategic implications across defense, intelligence, and international partnerships.
The following are among the more noteworthy cybersecurity provisions in the compromise bill:
Commercial spyware: The bill contains a “sense of Congress” statement that there is a national security need for the legitimate and responsible procurement and application of cyber intrusion capabilities, including efforts related to counterterrorism, counternarcotics, and countertrafficking. It expresses the view that the proliferation of commercial spyware presents significant and growing risks to national security, including to the safety and security of government personnel.
It suggests that the US should oppose the misuse of commercial spyware “to target individuals, including journalists, defenders of internationally recognized human rights, and members of civil society groups, members of ethnic or religious minority groups, and others for exercising their internationally recognized human rights and fundamental freedoms, or the family members of these targeted individuals.”
It also further stipulates that the US should coordinate with allies and partners to prevent the export of commercial spyware tools to end-users likely to use them for malicious activities, and to share information on this issue with allies robustly.
Evaluation of national security risks posed by foreign adversary acquisition of American multiomic data: The bill stipulates that not later than 270 days after its enactment, the director of national intelligence, in consultation with the secretary of defense, the US attorney general the secretary of health and humans services, the secretary of commerce, the secretary of homeland security, the secretary of state, and the national cyber director, shall complete an assessment of risks to national security posed by human multiomic data from US citizens that is collected or stored by a foreign adversary from the provision of biotechnology equipment or services. Multiomic data combines different types of biological data, such as genomics, transcriptomics, proteomics, and metabolomics, to provide a complete picture of a biological system.
Biological data for artificial intelligence: The legislation calls for tiered levels of cybersecurity safeguards and access controls for the storage of biological data and contains requirements for the protection of the privacy of individuals.
Cybersecurity regulatory harmonization: By June 1, 2026, the DoD must harmonize the cybersecurity requirements applicable to the defense industrial base, reduce the number of such requirements that are unique to a specific contract or other agreement, and submit to the congressional defense committees a report on the actions taken to carry out the harmonization.
Cybersecurity and resilience annex in Strategic Rail Corridor Network assessments: The legislation says the defense secretary, in coordination with the transportation secretary and the homeland security secretary, should conduct a periodic evaluation of the Strategic Rail Corridor Network. The assessment must include an annex containing a review of the cybersecurity and the resilience of the physical infrastructure of the Strategic Rail Corridor. The Strategic Rail Corridor is the interconnected network of rail corridors important to national defense and military mobility, as defined by the Department of Defense and the Federal Railroad Administration.
Cyber workforce recruitment and retention: The billrequires the defense secretary to fix the rates of basic pay for military employees working on cyber with a pay rate on par with comparable employees elsewhere in the government.
Supporting cybersecurity and cyber resilience in the Western Balkans: The NDAA contains a “sense of Congress” statement that the United States support for cybersecurity, cyber resilience, and secure ICT infrastructure in Western Balkans countries will strengthen the region’s ability to defend itself from and respond to malicious cyber activity conducted by nonstate and foreign actors, including foreign governments, that seek to influence the region.
Demonstration of real-time monitoring capabilities to enhance weapon system platforms: If funds are available, the secretary of defense, in coordinationwith the undersecretary of defense for acquisition andsustainment and the service acquisition executives, will carry out a demonstration to equip selected weapon systemplatforms with onboard, near real-time, end-to-end serialbus and radio frequency monitoring capabilities to detectcyber threats and improve maintenance efficiency.
No Responses