United States Cyber Force Bill

At a Glance

  • Establishes the U.S. Cyber Force as a new military branch under the DoD
  • Unifies Army, Navy, Air Force, and Marine cyber units under one command
  • Mandates cybersecurity standards for all federal contractors within 18 months
  • Creates a Cyber Reserve Corps of civilian professionals for emergencies
  • Sets competitive pay with 25% base supplements to retain cyber talent
United States Cyber Force Bill

The digital battlefield has become as consequential to national security as land, sea, air, and space. Foreign adversaries—nation-states and their proxies—conduct daily operations against American infrastructure, government systems, and private industry. They probe electrical grids, water systems, financial networks, and healthcare facilities for vulnerabilities. They infiltrate supply chains, steal intellectual property, and harvest data on millions of Americans. They seek to manipulate elections, amplify social divisions, and erode public trust in democratic institutions. These are not theoretical threats but ongoing operations documented by intelligence agencies and experienced by American businesses and citizens[1].

Yet the United States lacks a unified military organization dedicated to defending cyberspace. Cyber operations are currently distributed across multiple service components—Army Cyber Command, Fleet Cyber Command, Marine Corps Forces Cyberspace Command, and Air Force cyber units—each with different training standards, career paths, and organizational priorities[2]. U.S. Cyber Command coordinates these disparate elements but must compete with parent services for personnel, funding, and attention. Military leaders have acknowledged this fragmented approach is unsustainable: none of the existing services prioritizes cyberspace as its core mission, resulting in inconsistent support, unclear career paths, insufficient expertise, and cyber operations perpetually treated as secondary to other missions.

Meanwhile, critical infrastructure remains vulnerable. Federal contractors and suppliers operate under inconsistent security requirements. Private companies in essential industries—energy, communications, transportation, finance, healthcare—face sophisticated attacks with varying levels of federal support and guidance. Information about threats flows unevenly between government agencies and the private sector, leaving potential targets unaware of dangers until after breaches occur.

This legislation establishes the United States Cyber Force as a dedicated branch of the armed forces under the Department of Defense, with a singular mission: protecting American infrastructure and interests in cyberspace. The Cyber Force will unify defensive and offensive cyber capabilities, establish mandatory security requirements for federal suppliers and critical industries, detect and counter foreign influence operations targeting American elections and society, and conduct operations against adversaries while sharing actionable intelligence with government agencies and private sector partners. Just as the creation of the Air Force recognized that air power required dedicated doctrine, training, and leadership, and the Space Force acknowledged the unique demands of the space domain, the Cyber Force recognizes that cyberspace is a distinct warfighting domain requiring focused attention, specialized expertise, and organizational priority that the current structure cannot provide.

Problems the Bill Aims to Solve

Fragmented Cyber Capabilities Across Military Services. Cyber operations are currently spread across Army, Navy, Air Force, and Marine Corps components, each with different priorities, training programs, and career structures. No single service treats cyberspace as its primary mission, resulting in inconsistent readiness and competing demands for resources and personnel.

Talent Recruitment and Retention Failures. The military struggles to recruit and retain skilled cyber professionals who can command significantly higher salaries in the private sector[3]. Existing services lack the specialized incentive structures, career paths, and organizational culture needed to compete for top talent. Personnel are frequently rotated out of cyber positions just as they develop expertise.

Persistent Foreign Attacks on American Infrastructure. Nation-state adversaries conduct continuous cyber operations against U.S. electrical grids, water systems, financial institutions, healthcare networks, and government systems[1]. These attacks probe for vulnerabilities, position for future disruption, and steal sensitive data—often without effective detection or response.

Inconsistent Security Standards for Federal Suppliers. Companies that provide goods and services to the federal government operate under varying and often inadequate cybersecurity requirements. Supply chain compromises have enabled adversaries to access government systems through trusted vendors, yet no unified security baseline exists across federal contracting.

Vulnerable Critical Infrastructure in the Private Sector. Essential industries—energy, communications, transportation, finance, healthcare—face sophisticated cyber threats but lack clear federal security requirements or consistent access to threat intelligence[4]. The line between national security and private enterprise has blurred, yet responsibilities remain undefined.

Foreign Interference in Elections and Public Discourse. Adversaries actively work to manipulate American elections, amplify social divisions, and undermine public trust in democratic institutions through coordinated influence operations. Detection and response capabilities are scattered across agencies without unified authority or mission focus.

Inadequate Intelligence Sharing with the Private Sector. Government agencies possess valuable threat intelligence that could help private companies defend themselves, but information sharing mechanisms remain slow, cumbersome, and inconsistent[5]. Companies often learn of threats only after successful attacks.

Lack of Offensive Deterrence Capability. Without a credible, unified offensive cyber capability, adversaries face insufficient consequences for attacks on American interests. Deterrence requires adversaries to believe the United States can and will impose costs for malicious cyber activity—a posture undermined by fragmented authorities and capabilities.

No Unified Command Authority for Cyber Defense. Responsibility for defending American cyberspace is divided among military commands, intelligence agencies, law enforcement, and civilian departments. This diffusion of authority creates gaps, delays responses, and prevents the coordinated action that modern cyber threats demand.

United States Cyber Force Act

120th Congress, 2nd Session

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

Sec. 1. SHORT TITLE.

This Act may be cited as the "United States Cyber Force Act."

Sec. 2. ESTABLISHMENT OF THE UNITED STATES CYBER FORCE.

  1. (1) There is established as a branch of the armed forces a United States Cyber Force, organized, trained, and equipped to conduct defensive and offensive operations in cyberspace.
  2. (2) The Cyber Force shall be a military service within the Department of Defense, organized under the Department of the Cyber Force, headed by the Secretary of the Cyber Force.
  3. (3) MISSION.—The Cyber Force shall defend DOD and Federal Government networks; conduct offensive cyber operations as directed; protect critical infrastructure from cyberattack; detect, attribute, and counter foreign influence operations targeting elections and public discourse; and share cyber threat intelligence with Federal agencies and the private sector.

Sec. 3. COMMANDANT OF THE CYBER FORCE.

  1. (1) The Commandant shall be appointed by the President with the advice and consent of the Senate, from among officers with significant cyber operations experience.
  2. (2) The Commandant shall serve as a member of the Joint Chiefs of Staff and hold the grade of general for a term of 4 years.

Sec. 4. TRANSFER OF CYBER UNITS.

  1. (1) Not later than 24 months after enactment, the Secretary of Defense shall transfer to the Cyber Force: Army Cyber Command, Fleet Cyber Command and Tenth Fleet, Marine Corps Forces Cyberspace Command, and Sixteenth Air Force (Air Forces Cyber).
  2. (2) A detailed transition plan shall be submitted to Congress within 180 days of enactment, including phased timelines, continuity provisions, personnel reassignment plans, and budget requirements.

Sec. 5. MANDATORY CYBERSECURITY STANDARDS FOR FEDERAL CONTRACTORS.

  1. (1) Not later than 18 months after enactment, the Secretary of Defense shall promulgate mandatory cybersecurity standards for all federal contractors, including zero-trust architecture, multi-factor authentication, encrypted storage and transmission, mandatory 24-hour incident reporting, and annual third-party audits.
  2. (2) Non-compliant contractors shall be subject to suspension or debarment and civil penalties up to $500,000 per violation.

Sec. 6. CRITICAL INFRASTRUCTURE CYBER PROTECTION PROGRAM.

  1. (1) There is established a Critical Infrastructure Cyber Protection Program to coordinate defense of energy, telecommunications, transportation, financial services, and healthcare sectors.
  2. (2) The program shall establish minimum cybersecurity standards, provide technical assistance and threat assessments, and conduct regular cyberattack simulation exercises.

Sec. 7. CYBER THREAT INTELLIGENCE SHARING.

  1. (1) The Cyber Force shall establish a real-time intelligence sharing system for all Federal departments and agencies.
  2. (2) Declassified intelligence shall be made available to private sector entities through a secure automated platform. Participation by private entities shall be voluntary.
  3. (3) Private sector entities sharing threat indicators in good faith shall not be liable in civil actions for such sharing.

Sec. 8. FOREIGN INFLUENCE OPERATIONS DETECTION AND RESPONSE.

  1. (1) The Cyber Force shall maintain a dedicated mission for monitoring, detecting, and attributing foreign influence operations; coordinating with the intelligence community and FBI to protect election integrity; and developing countermeasures against foreign manipulation of digital communications.
  2. (2) The Commandant shall submit an annual classified report to Congress and a public unclassified summary.

Sec. 9. COMPETITIVE PAY AND CYBER RESERVE CORPS.

  1. (1) The Secretary of the Cyber Force shall establish a cyber-specific pay table with base pay supplements of not less than 25 percent, retention bonuses up to $75,000, and recruitment bonuses up to $50,000 for qualified personnel.
  2. (2) CYBER RESERVE CORPS.—A Cyber Reserve Corps of civilian cybersecurity professionals who volunteer for part-time service and may be called to active duty during declared cyber emergencies. Members shall maintain clearances, complete annual training not exceeding 30 days, and receive equivalent active-duty compensation upon activation.

Sec. 10. AUTHORIZATION OF APPROPRIATIONS.

There are authorized to be appropriated $15,000,000,000 for fiscal year 2026 and such sums as necessary for fiscal years 2027 through 2031.

Sec. 11. EFFECTIVE DATE.

  1. (1) This Act shall take effect on the date of enactment.
  2. (2) The Cyber Force shall achieve initial operational capability within 18 months and full capability within 36 months.

Sources

  1. Cybersecurity and Infrastructure Security Agency, "People's Republic of China Cyber Threat" and related advisories. https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors/china
  2. U.S. Government Accountability Office, "Military Cyber Personnel: Opportunities Exist to Improve Service Obligation Guidance and Data Tracking," GAO-23-105423. https://www.gao.gov/products/gao-23-105423
  3. RAND Corporation, "Attracting, Recruiting, and Retaining Successful Cyberspace Operations Officers: Cyber Workforce Interview Findings." https://www.rand.org/pubs/research_reports/RR2618.html
  4. U.S. Government Accountability Office, "Cybersecurity High-Risk Series: Challenges in Protecting Cyber Critical Infrastructure," GAO-23-106441. https://www.gao.gov/products/gao-23-106441
  5. U.S. Government Accountability Office, "Critical Infrastructure Protection: National Cybersecurity Strategy Needs to Address Information Sharing Performance Measures and Methods," GAO-23-105468. https://www.gao.gov/products/gao-23-105468