
After months of negotiations, the compromise version of the annual defense policy bill is in – but it left out a proposed artificial intelligence (AI) moratorium and reauthorization of the Technology Modernization Fund (TMF), instead including major cybersecurity and AI amendments.
The National Defense Authorization Act (NDAA) text released by the House Armed Services Committee Sunday night is more than 3,000 pages long and includes numerous cyber-related provisions.
A controversial proposal to preempt state AI laws was ultimately left out of the NDAA, despite support from President Donald Trump and key congressional Republicans. The measure drew strong bipartisan resistance, and the Senate blocked its addition to the Trump administration’s tax and spending package in July.
President Trump instead said he would move forward with an executive order this week to preempt state AI laws, writing on Truth Social that, “There must be only One Rulebook if we are going to continue to lead in AI.”
A reauthorization for the TMF, which provides federal civilian agencies with funding to undertake tech modernization projects, was also left out of the NDAA. The TMF is set to expire on Dec. 12 and requires congressional action before then to avoid a lapse in its authority.
Reauthorizations of the Cybersecurity Information Sharing Act of 2015 and the State and Local Cybersecurity Grant Program were also excluded from the NDAA agreement. Both programs are set to expire on Jan. 30, 2026, after being temporarily extended by Congress’s stopgap funding bill.
Cyber Inclusions
Despite leaving out several major cyber provisions, the NDAA’s text includes other key directives. One provision would implement restrictions on how the United States can invest in advanced technologies produced in China and other adversarial nations.
That comes after the bipartisan GAIN AI Act failed to make it into the NDAA agreement. The amendment would have required American semiconductor manufacturers to sell to U.S.-based companies before selling abroad.
“This is an important step toward ensuring the United States remains the world’s leader in advanced technology,” Sen. Elizabeth Warren, D-Mass., said in a statement, adding that the inclusion “will help ensure that we develop the most sensitive and cutting-edge technology here in America rather than supercharge its development in countries that do not share our values.”
In other China-related restrictions, the NDAA would prohibit federal agencies from holding contracts with biotechnology companies or firms with ties to adversarial countries.
Cybersecurity is also getting a boost. After the Pentagon’s inspector general determined that Secretary of Defense Pete Hegseth’s use of the messaging app Signal earlier this year created a significant security risk and put U.S. troops in danger, lawmakers included text to require that Hegseth ensure all high-level defense officials use mobile devices with “enhanced security protections.”
Specifically, those devices would need to be encrypted, be able to obfuscate device identifiers, and enable continuous monitoring. The devices would be mandated within three months of the NDAA’s passage.
Hegseth would additionally be responsible for developing a Pentagon-wide policy for secure AI and machine learning use. Part of that directive would mandate training requirements for the defense workforce to be able to identify and mitigate vulnerabilities specific to AI/ML.
This summer, the Defense Department awarded contracts for the use of their AI systems to four companies: Anthropic, Google, xAI, and OpenAI.
The defense secretary would need to harmonize cybersecurity regulations across the Pentagon’s industrial base by June 2026 to “ensure that processes and governance structures exist and are sufficient to identify and eliminate duplicative and inconsistent cybersecurity requirements and cybersecurity requirements unique to single contracts,” according to the NDAA’s text.