This year’s National Defense Authorization Act (NDAA), the annual “must-pass” spending bill that ensures the continued funding of the nation’s military, has a wealth of information security recommendations that come from the bi-partisan, bi-cameral, public-private initiative known as the Cyberspace Solarium Commission (CSC). The CSC was itself established in 2019’s NDAA bill and was asked to come up with a new strategic approach to cybersecurity.

Last spring, the CSC issued a report that offered 82 policy and legislative recommendations to improve cybersecurity. Of those, 26 will likely become law given that both the House and Senate last week passed the bill by overwhelming margins. The veto-proof vote count is needed given that President Donald Trump has repeatedly vowed to veto this year’s NDAA unless it also contains provisions that strip internet companies of legal liability protections granted them in Section 230 of the Communications Decency Act of 1996. Over the weekend, Trump reiterated via Tweet his intention to veto the NDAA.

Solarium co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) expressed their delight in turning substantive cybersecurity recommendations into legislative provisions. “From the first day we embarked on crafting America’s cyberdoctrine, we were determined to create a plan of action, not a report collecting dust on a shelf. It is only because of the hard work and commitment of our commissioners and tireless staff that we were able to create such a robust report earlier this year. It is due to them that we were able to inform national policy on such a remarkable level,” the pair said in a statement.

A new White House “Anthony Fauci” of cybersecurity

The Commission’s top accomplishment in the bill is the reestablishment of cybersecurity leadership in the White House by creating a national cyber director position.
Senator Mike Rounds (R-SD) garners much of the credit for this achievement. “The creation of a national cyber director position in this year’s NDAA was the result of years of hard work,” Rounds said in a statement.

“This is a tremendous success for process. You need to give credit to Senator King and Representative Gallagher, Representative [Jim] Langevin [D-RI] and others who were on the Commission for running the Commission the way they did and the staff where they got tremendous input from across the community,” Jonathan Reiber, senior director for cybersecurity strategy and policy at AttackIQ, tells CSO. “But then they wrote the legislation and handed it over to the committees. That, to me, is the fascinating and great success of this. Getting very smart thinking into the Commission’s study and then turning it into draft legislation.”

Regarding the national cyber director position, Reiber says that “if we have learned anything from the coronavirus, it’s that it is very important to have experts in front of the American people and briefing the president and running a process when it comes to a national contingency that crosses multiple sectors of society.
The real benefit in having a national cyber director is, imagine this person being like Anthony Fauci who is an expert in the field, who has the respect of their peers in the cabinet and has the authority to speak to the public, and the direct relationship with the president to help the president understand what’s going on.”

Subpoena authority for CISA

Another high-profile CSC recommendation in the NDAA gives administrative subpoena authority to the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) so that it can “identify vulnerable systems and notify public and private system owners.” The goal is to allow CISA to be proactive in reaching out to vulnerable parties to let them know they have a vulnerability before bad actors exploit it. “It’s very good to have CISA personnel now hunt on federal networks,” Reiber says.

Joint cyber planning office in CISA

Another prominent CSC recommendation in the NDAA calls for establishing a joint cyber planning office in CISA that would pull together relevant experts and agencies across the federal government to facilitate comprehensive planning of defensive cybersecurity campaigns. A CSC advisor, Casey Ellis, CTO, founder, and chairman of Bugcrowd, applauds this recommendation. “The DHS efforts and pre-work role in securing the 2020 election across the states illustrate the need for a dedicated planning and project management office on a go-forward basis for similar and other wide-scale defensive efforts,” he tells CSO.

“It’s a big achievement to have a joint cyber planning office that has DoD, NSA, FBI, DOJ and DNI working with the private sector to plan operations,” Reiber says.

Non-traditional cybersecurity support for the DoD

Yet another CSC recommendation attracting attention is the evaluation of non-traditional cybersecurity support to the Department of Defense.
“This is a critical need which is foreshadowed by the Hack the Pentagon series of crowdsourced security engagements between the DoD and the broader white-hat hacker community who could be considered, in effect, a ‘cyber reserve,’” Ellis says. “The attack surface and the adversary are both evolving rapidly, and this is as essential from a skillset diversity standpoint as it is for pure headcount availability.”

Other noteworthy recommendations from the Commission in the NDAA include:

Report on the risk to national security posed by quantum computing technologies, which mandates the comprehensive assessment of the threats and risks posed by quantum technologies to national security systems. “Many of the assumptions that cybersecurity is built on rely on Moore's Law and traditional concepts of processing. Quantum will catch a lot of this by surprise, and a holistic threat and risk assessment is important and becoming urgent, given the recent advances in quantum supremacy,” Ellis says.

Improvement relating to the Quadrennial Cyber Posture Review, which directs the DoD to conduct a force structure assessment of the Cyber Mission Force to ensure that the United States has the appropriate force structure and capabilities in light of growing mission requirements and expectations, in both scope and scale. “The DoD conducting a force structure assessment of the Cyber Mission Force is important given the accelerating evolution of technology usage and the offensive capability of US adversaries,” Ellis says.

Cybersecurity Education and Training Assistance Program, which authorizes the Cybersecurity Education and Training Assistance Program at CISA and is a K-12 cybersecurity education initiative. “The K-12 cyber education initiative is incredibly exciting.
Educating the generation who will inherit these problems and opportunities and making them more native to security concepts can only be a good thing,” Ellis says.

CSC’s recommendations will prevail in a divided Congress

Although the House passed the NDAA on December 2 with a “veto-proof” majority of 335 to 78, as of today, the Senate is still debating the measure. Even though Senate Republicans are far more reluctant to defy Trump, the smart money in Washington predicts that the Senate will also pass the NDAA with a veto-proof majority.

The success of the Solarium Commission in bridging chambers and parties bodes well for the ultimate passage of most if not all of the 26 recommendations even if the NDAA were to fail passage in its current form. “A veto would be a setback, but I imagine the majority of the CSC recommendations would either be re-tabled or pursued via other avenues of execution,” Ellis says.