SASC orders DoD cybersecurity changes in authorization bill
Automated and continuous monitoring of cybersecurity controls would become a requirement of Defense Department cybersecurity under provisions included in the Senate version of the fiscal 2011 national defense authorization bill.
The Senate Armed Services Committee marked up the bill May 28; it now awaits action by the full Senate and then reconciliation with the House version, which contains an amendment that would extend cybersecurity reform across the entire government.
The Senate committee language also requires the defense secretary to develop a new software security strategy for major systems, one that would emphasize development of new automated software code analysis tools for detecting vulnerabilities and attempted intrusions. Automated tools exist today, but they detect only 60 percent of vulnerabilities, committee authorizers wrote in the bill's accompanying report.
The strategy would also include new contractual requirements for life-cycle software assurance during development, assurance tests at milestone reviews and remediation of critical assurance deficiencies of legacy systems. The strategy could result in the Defense Department having more access to the source code of applications. "It is much more difficult to analyze vulnerabilities without the source code--a very common situation," the committee report notes.
A unique acquisition strategy for cyber warfare tools would also become a requirement. Senate authorizers say they're concerned that since the new Cyber Command is headed by the National Security Agency director, the Cyber Command could turn to the NSA for procurement. They would instead channel cyber warfare acquisition into a tailored process that would include testing.
As for what cyber warfare actually is, the committee wants a report by March 1, 2011 that examines issues such as deterrence, the rules of engagement, and what constitutes use of force in cyber space.
For more:
- see THOMAS page for S.3454 (includes link to the accompanying report), or go directly to the full text
- also see the THOMAS page for the House version