The Defense Department would require senior leaders to have secure cell phones, staff to receive cybersecurity training including a focus on artificial intelligence, and cyber troops to have access to mental health services, under an annual defense policy compromise bill released this weekend.
The agreement between House and Senate negotiators on the National Defense Authorization Act (NDAA) for Fiscal Year 2026 is a massive bill that runs the gamut from the Pentagon, including a record $901 billion. It also contains a number of policy provisions relating to cybersecurity. The House could take it up as soon as this week.
The legislation states that the Secretary of Defense “shall ensure” that wireless mobile phones the department provides to its senior leaders and others working on sensitive national security missions meet a list of cybersecurity requirements, such as data encryption. Pentagon watchdog released last week long-awaited exams of the Signalgate incident that enveloped Defense Secretary Pete Hegseth.
The bill directs the Department to ensure that behavioral health specialists with appropriate security clearances are dispatched to U.S. Cyber Command and the Cyber Mission Force. This is part of the tradition of past arrangements of defense policy bills to address the mental health needs of personnel there.
The department is asked to revise mandatory cybersecurity training for members of the armed forces and civilian employees “to include content related to the unique cybersecurity challenges posed by the use of artificial intelligence.”
The bill contains many other cybersecurity provisions.
This would create obstacles to divide the direction of Cyber Command and the National Security Agency by prohibiting any department funding from being used to “reduce or diminish the responsibilities, authorities, or organizational oversight of the Commander, United States Cyber Command.”
On behalf of defense contractors, the bill directs the department to “harmonize cybersecurity requirements” across the department and reduce the number of cybersecurity requirements “that are specific to specific contracts.” This is one of the axes of the Trump administration’s next cybersecurity strategy.
It also includes a policy statement on the use of commercial spyware. It says the policy includes opposing the misuse of commercial spyware by including groups such as journalists and human rights activists, coordinating with allies to prevent the export of commercial spyware to those likely to misuse it and “establishing strong safeguards”, as well as working with the private sector to combat abuse.
Such policy statements have no legal force but provide insight into the consensus and intentions of legislators.
