{"database": "openregs", "table": "crs_reports", "rows": [["IF13197", "Cyber and Artificial Intelligence Provisions in the FY2026 National Defense Authorization Act (NDAA)", "2026-04-07T04:00:00Z", "2026-04-08T08:22:56Z", "Active", "Resources", "Catherine A. Theohary, Kelley M. Sayler", "Defense Authorization, Defense Budgets & Appropriations, Artificial Intelligence, National Defense Authorization Act (NDAA), Strategy, Operations & Emerging Threats, Technology, Information & Cyber Defense", "The National Defense Authorization Act for Fiscal Year 2026 (FY2026 NDAA; P.L. 119-60) contains numerous provisions regarding cyber-related issues, including artificial intelligence (AI). Title XV organizes Cyberspace-Related Matters into five subtitles: A. Operations; B. Cybersecurity; C. Information Technology and Data Management; D. Artificial Intelligence; and E. Reports and Other Matters. Other titles in the FY2026 NDAA contain provisions directly or indirectly related to cyberspace and AI. This In Focus describes selected elements of these and other selected provisions and potential issues for Congress. \nCyber Operations Provisions\nSection 1501 of the FY2026 NDAA requires the Commander of U.S. Cyber Command (USCYBERCOM) to establish processes for planning, programming, and budget coordination for Cyber Mission Force (CMF) operations to ensure the CMF is adequately resourced to sustain its mission.\nSection 1502 amends 10 U.S.C. \u00a7392a(b) to direct the Senior Military Advisor for Cyber Policy to report to the Assistant Secretary of Defense for Cyber Policy, rather than the Under Secretary of Defense for Policy. \nSection 1503 directs the Secretary of Defense (SECDEF) to \u201cdevelop a technical debt classification that adequately reflects different types of technical debt\u201d and integrate the framework into Department of Defense (DOD) structures \u201crelating to resourcing and programmatic decisions for existing or proposed information technology systems, services, or related programs of record.\u201d (DOD is \u201cusing a secondary Department of War designation\u201d and the SECDEF is using a secondary title of \u201cSecretary of War\u201d under Executive Order 14347, dated September 5, 2025.) Technical debt is the future cost of relying on suboptimal, expedient choices during software development.\nSection 1504 establishes a DOD-wide Data Ontology Governance Working Group to \u201cexpand data interoperability, enhance information sharing, and enable more effective decision making throughout the Department.\u201d \nSection 1505 requires DOD tabletop exercises that develop future force employment concepts and assess different models for command and control of cyberspace operations. \nSection 1506 requires the Under Secretary of Defense for Personnel and Readiness and the Under Secretary of Defense for Policy to coordinate an initiative to understand and address the behavioral health challenges and work-related stresses faced by the CMF. \nSection 1507 prohibits the SECDEF from eliminating certain \u201ccyber assessment capabilities or red teams\u201d that support operational tests and evaluations for DOD programs without providing a specified certification to Congress.\nSection 1508 contains a prohibition on availability of funds to modify the authorities of the Commander of USCYBERCOM.\nSection 1509 limits the availability of funds for the Combined Joint All-Domain Command and Control initiative until the SECDEF provides a framework for guiding investments and measuring progress.\nCybersecurity Provisions\nSection 1511 requires cybersecurity requirements in contracts for secure mobile phones and related telecommunications services provided to senior officials and personnel performing sensitive national security functions in DOD. These requirements must include encryption, persistent identifier mitigation or obfuscation, and continuous monitoring capabilities.\nSection 1512 requires DOD, in coordination with other agencies, to establish a comprehensive cybersecurity and governance policy for all AI and machine learning systems used within DOD. The policy must address risks such as counterfeit parts, data poisoning, jailbreaks, and unauthorized access\u2014among other related elements\u2014and is to be implemented as an extension or augmentation to existing cybersecurity frameworks. \nSection 1513 directs the development of physical and cybersecurity procurement requirements to mitigate risk of use for covered DOD AI and machine-learning systems.\nSection 1514 directs the SECDEF to establish a collaborative cybersecurity educational program with academic institutions to develop cybersecurity competencies at those institutions.\nSection 1515 requires the incorporation of AI considerations into DOD cybersecurity training for DOD personnel.\nInformation Technology and Data Management Provisions\nSection 1521 amends DOD\u2019s Authorization to Operate (ATO) processes to include \u201cmandatory timelines for activities performed by authorizing officials with respect to an [ATO] for cloud-hosted platforms, services, and applications.\u201d\nSection 1522 requires an annual report on DOD\u2019s ongoing unified datalink strategy.\nAI Provisions\nSection 1531 modifies Section 1532 of the FY2025 NDAA (P.L. 118-159) on the high performance computing roadmap to require the SECDEF to ensure that data centers to be installed on military installations consider energy and usage requirements.\nSection 1532 prohibits DOD from using or acquiring covered AI systems\u2014including those from DeepSeek and High Flyer\u2014or systems from covered nations\u2014including the Democratic People\u2019s Republic of Korea, the People\u2019s Republic of China, the Russian Federation, and the Islamic Republic of Iran\u2014or AI companies. The SECDEF may grant a case-by-case waiver for research, training, and evaluation or military activities supporting national security functions such as counterterrorism or counterintelligence.\nSection 1533 directs the SECDEF to establish a cross-functional team for AI model assessment and oversight. The team is to develop a DOD-wide assessment framework regarding the development and procurement of AI, to include standards for performance of AI models, testing procedures, security requirements, and compliance with DOD\u2019s ethical AI principles. \nSection 1534 directs the SECDEF to create a task force to develop and deploy AI sandboxes\u2014isolated and controlled computing environments\u2014to support DOD\u2019s experimentation with and training and development of AI. The task force is to create standard requirements for AI sandbox environments across DOD.\nSection 1535 directs the SECDEF to create an AI Futures Steering committee to shape DOD\u2019s advanced AI strategy, analyze the development and effects of associated technologies, and identify resource requirements. \nReports and Other Matters\nSection 1541 modifies an existing certification requirement for military recruiting contracts to ensure DOD does not \u201crate or rank news or information sources for the factual accuracy of their content; provide ratings or opinions on news or in formation sources regarding misinformation, bias, adherence to journalistic standards, or ethics; or acquire or use any service that provides any ratings, rankings, or opinions ... from any other person.\u201d\nSection 1542 directs that the annual assessments and reports on the assignment of certain budget control responsibility to the Commander of USCYBERCOM include a review of investments in AI capabilities, including their alignment with the milestones of DOD\u2019s roadmap and implementation plan for cyber adoption of AI.\nSection 1543 requires a study on increasing the cost of and reducing incentives for cyberattacks on defense critical infrastructure.\nSection 1544 requires a study on the appropriate \u201cframework for structuring and organizing, including training and preparing, the reserve component personnel and units to be employed within the [CMF] for cyberspace operations.\u201d\nSection 1545 requires an annual report on Mission Assurance Coordination Board activities, to include cybersecurity risks to covered assessments (as defined in DOD Instruction 3020.45).\nOther Cyber- and AI-Related Provisions\nSection 5301 authorizes a Post Data Pilot Program to \u201c[cultivate] a data and AI culture at diplomatic posts globally, including data fluency and data collaboration\u201d and promote data integration at the Department of State (DOS).\nSection 5302 requires DOS to issue internal guidelines to track the use of commercial cloud enclaves deployed in overseas commercial clouds. \nSection 5303 requires detailed reports to Congress on technology transformation projects within DOS.\nSection 5304 expresses the sense of Congress of a need for \u201cresponsible procurement and application\u201d of commercial spyware capabilities and notes that the growing market for these capabilities has enhanced the abilities of \u201cstate and non-state actors\u201d to target journalists, human rights groups, and other members of civil society. It also notes that the United States will, as a matter of policy, \u201coppose the misuse of commercial spyware\u201d to target vulnerable populations.\nSection 6601 directs the Director of the National Security Agency to develop security guidance to defend AI against theft or sabotage by nation-state adversaries by identifying vulnerabilities in the cybersecurity and AI supply chain. \nSection 6602 instructs the intelligence community\u2019s (IC) Chief Information Officer and Chief AI Officer to identify commonly used AI systems or functions within the IC that could be repurposed for other IC elements and adopt supporting policies and contractual terms.\nSection 6603 addresses the use of publicly available AI models in classified environments and directs the creation of policies for AI testing standards that evaluate \u201cperformance, efficacy, safety, fairness, transparency, accountability, appropriateness, lawfulness, and trustworthiness\u201d for common AI use cases. \nSection 6604 instructs the Director of National Intelligence to create guidelines that require the removal of DeepSeek, or its successors, from IC and IC-related systems. \nIssues for Congress\nCongress may conduct oversight of DOD\u2019s implementation of these provisions and consider the implications of related reporting requirements for future defense authorizations and appropriations.\nCongress currently is considering reauthorization of the Cybersecurity Information Sharing Act of 2015 (CISA; P.L. 114-113), which established a voluntary information-sharing process between private sector and federal government entities for cyberthreat indicators and defensive measures. As amended by Section 106 of P.L. 119-37, the act expired on January 30, 2026; its reauthorization was not included in the FY2026 NDAA. ", "https://www.congress.gov/crs_external_products/IF/PDF/IF13197/IF13197.1.pdf", "https://www.congress.gov/crs_external_products/IF/HTML/IF13197.html"]], "columns": ["id", "title", "publish_date", "update_date", "status", "content_type", "authors", "topics", "summary", "pdf_url", "html_url"], "primary_keys": ["id"], "primary_key_values": ["IF13197"], "units": {}, "query_ms": 0.48814702313393354, "source": "Federal Register API & Regulations.gov API", "source_url": "https://www.federalregister.gov/developers/api/v1", "license": "Public Domain (U.S. Government data)", "license_url": "https://www.regulations.gov/faq"}