Policy Winners and Losers in the Defense Authorization Bill

A lot of the focus on the annual Defense authorization is about the funding levels and policy changes for the Pentagon.

But as anyone who has been in the federal market for at least a year knows, the National Defense Authorization Act is a catch-all for legislation and provisions that matter to all agencies. These range from cybersecurity to acquisition to management. Congress passed the 2021 NDAA conference report Dec. 3.

With so many to choose from, here are 10 policy changes that passed and six that failed to make the cut that are among the most interesting and/or significant.

Let’s start off with those that failed because they have some of the more interesting backstories and surprises.

FedRAMP Authorization Act

The House passed the bill as a standalone in February. It passed again as part of its version of the NDAA in July. Among other things, the legislation would codify the cloud security program known as the Federal Risk and Authorization Management Program (FedRAMP) and would require agencies to provide a “presumption of adequacy” to vendors that are already FedRAMP-certified from other agencies.

But for whatever reason in conference, the Senate, which didn’t act on the bill for 10 months, won out.

One industry source said the blame falls squarely on Sen. Ron Johnson (R-Wis.), the chairman of the Homeland Security and Governmental Affairs Committee.

“His objection as far as I know is that the committee never considered the legislation. But they had ample time to consider it, so that tells me he didn’t really care about it or didn’t want it,” said the source, who requested anonymity in order to speak about these discussions. “I think many of us are looking forward to Johnson leaving as chairman of HSGAC. We hope the next chairman is more receptive to the bill.”

An email to Johnson’s press office seeking comment was not immediately returned.

Rep. Gerry Connolly (D-Va.) has been pushing the FedRAMP bill for more than three years, getting it through the House twice before this 11th-hour decision to spike it by the conferees.

“About six weeks or so ago, Johnson objected to the bill based on process because his committee hadn’t held hearings or voted on the bill. Basically the conferees gave Johnson the veto power to have it struck and he did,” the source said. “Connolly’s folks pushed hard to get it done, even raising it to the full committee and pushed hard to get it to the chairmen and ranking members to discuss. At the end of the day, the conferees decided to take Sen. Johnson’s objection and it was enough to pull the provision.”

Cyber provisions left out

Two interesting cyber provisions also were cut from the final NDAA.
