The Senate Armed Services Committee has introduced an amendment that would give the Defense Department components more authority to purchase alternative cybersecurity products and services.

Senate Armed Services Committee leaders filed their version of the National Defense Authorization Act for fiscal 2025 on Monday, which was passed behind closed doors last month in a 22-3 vote. The bill is now heading to the Senate floor for consideration.

The legislation includes an amendment to a portion of Section 1521 of the defense bill for fiscal 2022, which centralizes the procurement of cyber products and services across the Defense Department. 

The fiscal 2022 defense bill states that the DoD components can’t independently purchase cyber services unless they can buy services at a lower per-unit price than what the DoD chief information officer office, which leads department-wide procurement of cyber services, offers. The components can also procure cyber services independently if the DoD CIO office approves the purchase.

If passed, the amendment included in the 2025 defense bill would allow DoD components to buy cyber services independently if they can demonstrate the “compelling need that the requirement of the product has due to its urgency, or to ensure product or service competition within the market.”

Sen. Eric Schmitt (R-Mo.), who has long expressed concern about the Defense Department’s increasing reliance on Microsoft for its cyber products, initiated the amendment.

“DoD CIO has used this authority to create a one-size-fits-all approach to all DoD components, causing serious concerns related to a single zero-day flaw being used to create massive disruptions across DoD’s networks. The amendment returns decision-making power back to DoD components, so they can adopt tailored cybersecurity approaches based on the threats they face,” the amendment summary shared with Federal News Network says.

In May, Schmitt, along with Sen. Ron Wyden (D-Ore.), sent a letter to the Pentagon inquiring about the department’s push to implement Microsoft’s most expensive licenses, known as E5, across all components. The Pentagon already widely relies on Microsoft products and services but it has been considering mandating all components to upgrade to Microsoft’s E5 license as part of its effort to achieve the target level of zero trust by 2027.

“Although we welcome the department’s decision to invest in greater cybersecurity, we are deeply concerned that DoD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs and better outcomes related to cybersecurity,” Schmitt and Wyden wrote.

Another amendment, also spearheaded by Schmitt, would require companies that conduct software development in China to notify the Pentagon if they are required to disclose any software vulnerability to any Chinese agency, such as the Ministry of Industry and Information Technology.

“PRC security laws mandate that cyber companies with presences in China must report any flaw discovered to their government, potentially giving state-sponsored hackers a treasure trove of zero-day flaws to exploit. This bill would ensure that companies doing business with DoD that have presences in the PRC report the same information to their US-based arm as their PRC arm reports to the CCP government,” the summary of the amendment provided to Federal News Network reads.

The provision amends Section 855 of the fiscal 2022 defense policy bill and is identical to the Defense Technology Reporting Parity Act, which Schmitt filed on the floor prior to the 2025 defense policy bill.

The two amendments signal lawmakers’ growing concern about the Pentagons’ reliance on a single vendor for its cybersecurity products.

The fiscal 2025 defense policy bill authorizes a topline of $911.8 billion, which exceeds spending limits imposed by the Fiscal Responsibility Act passed last year.

Sen. Jack Reed (D-R.I.), chairman of the Armed Services Committee, voted against the legislation due to the funding increase that would break the spending caps.

“I regret that I needed to vote against passage of this bill because it includes a funding increase that cannot be appropriated without breaking lawful spending caps and causing unintended harm to our military. I appreciate the need for greater defense spending to ensure our national security, but I cannot support this approach,” Reed said in a statement.

The House passed its version of the defense bill last month, and the two chambers will have to negotiate to pass the bill before the end of 2024.

The post NDAA amendment to give more authority to DoD components to buy cyber products first appeared on Federal News Network.

X