**Congress Is Recommitting to Resilience**
The National Defense Authorization Act (NDAA) has passed the House, marking a significant step towards recentering resilience in US defense policy. The bill aims to reverse the course set by the previous administration, which consistently curtailed efforts to harden critical infrastructure against hybrid threats.
As highlighted by the 2023 Volt Typhoon hacking campaign, where Chinese state-sponsored cyber actors targeted critical US infrastructure organizations, resilience is no longer a niche topic but a strategic requirement. The operation demonstrated how disruption can be banked in peacetime and harvested in crisis, revealing a new coercive logic guiding US adversaries.
The Trump administration's reversal of previous progress on resilience was stark. A White House memo (NSM-22) issued by the Biden administration in April 2024 framed critical infrastructure security and resilience as a national security priority. However, an executive order issued in March targeted this framework and related policies, weakening national resilience architecture.
Key offices and departments tasked with these responsibilities, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Emergency Management Agency (FEMA), and the Resilience and Response Directorate in the National Security Council, have seen funding cuts. This has led to reduced federal connective tissue, capability at seams between federal, state, and local levels, incentives for sustained preparedness investment, and ultimately, less resilience.
Now, Congress is attempting to rebuild resilience through its most reliable instrument: the NDAA. The 2026 NDAA package treats resilience as a strategic requirement embedded in cyber deterrence, defense-critical infrastructure planning, energy continuity, and industrial base illumination.
**A Shift in Cyber Deterrence**
The most strategically important shift in the bill is in cyber deterrence. The NDAA requires the Defense Department to develop a strategy to reestablish credible deterrence against cyberattacks on the country's defense-critical infrastructure. This includes interim and final briefings to be held in 2026.
Congress explicitly maintains that current approaches are inadequate, citing both the Volt Typhoon and Salt Typhoon cyberattack campaigns as evidence that persistent access and pre-positioning are now standard features of the threat environment. In practical terms, Congress is pushing the Defense Department to treat denial and endurance as core components of deterrence, instead of simply retaliating after damage has already been done.
The bill also proposes an expansion of authority for cyber operations that would move the Defense Department toward a more operational view of defense-critical infrastructure. This strengthening of underlying enabling systems is key to planning and operations, consistent with the underlying deterrence logic of resilience: fortify what matters most, reduce the payoff of attack, and force adversaries to take higher-risk, higher-cost paths to achieve strategic effects.
**Supply Chain Resilience**
Congress is also shifting resilience from rhetoric to machinery by establishing a Mission Infrastructure Resilience Task Force to assess vulnerabilities in defense-critical infrastructure that is necessary for executing defense operational and contingency plans. This ties infrastructure risk to tangible plans, not just generic measures of quality such as facility condition scores.
The task force will create a prioritization mechanism to identify what breaks first, what cascades, and what must be remediated to keep forces moving under disruption. If implemented correctly, this move could become the backbone of a planning-informed investment logic that the defense sector has struggled to sustain across administrations.
**Treat Resilience as a Warfighting Requirement**
Congress's bill also reinforces a broader lesson from US military assistance to Ukraine over the past several years: industrial surge capacity is a warfighting requirement, and input fragility becomes strategic fragility. The NDAA criticizes existing siloed mapping efforts and urges consolidation around a single supply chain mapping tool.
The bill's emphasis aligns with the broader premise that deterrence fails when the enabling systems of modern command, control, and logistics are assumed rather than defended. Additionally, the NDAA points to allied and partner resilience as a strategic multiplier, including emphasis on Taiwan's critical digital infrastructure capabilities.
**Conclusion**
While Congress has arguably passed the strongest resilience provisions in a generation, the defense bill is an imperfect tool for a national and societal problem of this scale. The White House's approach treats resilience as overhead and its governance as a nuisance, shifting responsibility downward while shrinking federal tools that enable coherent national preparedness.
Congress cannot reverse this by itself; the power and capacity to coordinate across sectors, set durable expectations with private owners and operators, and sustain preparedness investments are federal and often reside outside of the defense sphere. The gutting of previous resilience-building efforts has created structural gaps that defense-focused resilience alone cannot fully fill.
Still, Congress has moved to reverse that logic, and—if implemented—the defense bill's provisions would improve the United States' capacity to withstand attacks and give it time to plan effective retaliation. The next step is to treat resilience as a warfighting requirement: build it into readiness reporting, link infrastructure fortification to operational planning, stress-test defense supply chains with the same rigor applied to weapons systems, and synchronize allied resilience efforts with campaign design.
Congress has initiated this critical rebuild—the question now is whether the United States can finish the job before an adversary strikes.