President Donald Trump signed a $901 billion Pentagon policy bill on Thursday night that features a slew of key cybersecurity provisions.

The 2026 National Defense Authorization Act passed with bipartisan support in both the House and the Senate. The compromise measure authorizes Defense Department policies and unprecedented spending levels for national security programs.

The bill includes language that effectively preserves the dual-hat leadership structure of U.S. Cyber Command and the National Security Agency by prohibiting the use of any Pentagon funds to “reduce or diminish the responsibilities, authorities, or organizational oversight of the Commander of United States Cyber Command.”

The bill serves as an extra layer of protection for keeping the leadership arrangement — which has been debated ever since Cyber Command was established in 2010 — in place against Trump and his allies.

Trump nearly severed the relationship in the final days of his first term but was rebuffed by military brass. The idea was renewed during the last presidential transition but was dropped, informally, earlier this year after senior national security officials concluded a split would prove too time-consuming and costly.

The president on Thursday formally nominated Army Lt. Gen. Joshua Rudd to be the next head of the Cyber Command and the NSA.

The bill provides Cyber Command roughly $73 million for digital operations, an additional $30 million for unspecified activities and $314 million for operations and maintenance at its headquarters at Fort Meade, Maryland.

The final NDAA requires the Defense secretary to ensure DOD senior leaders are provided mobile phones with “enhanced cybersecurity protections,” including data encryption. 

Earlier this month, the Pentagon’s inspector general issued a report that found Defense Secretary Pete Hegseth broke existing DOD rules for handling sensitive information and potentially put troops in danger when he used the commercial messaging app Signal to discuss a then-pending U.S. military strike in Yemen 

The watchdog office released a separate report that concluded the department lacks a secure messaging platform that could help coordinate sensitive operations.

The latest NDAA gives the department about a year to “list all critical infrastructure that relies on materials or components” with origins tied to any “foreign entity of concern.”

The bipartisan measure also orders the department to “harmonize” its own cybersecurity requirements by next June. A push to cut through such digital red tape is slated to be a pillar of the national cybersecurity strategy the Trump administration intends to release next month.