Cloud Provisions in the Senate Draft of the FY 2020 National Defense Authorization Act

It is that time of year again, the summer months when Congress begins marking-up the coming fiscal year’s version of the National Defense Authorization Act (NDAA). At this point in the process there are two versions of the NDAA – one floating around in the Senate (S. 1790) and one in the House of Representatives (H.R. 2500). These draft NDAA versions often contain early iterations of language intended to guide technology acquisition and use by the Department of Defense, and sometimes even the federal government as a whole. This year’s Senate version of the NDAA is no different, including provisions on DOD’s use of cloud computing, measures it is taking to shore up its cyber posture, and recommendations for the employment of artificial intelligence, and advanced analytics. This post summarizes provisions relevant to DOD cloud computing and their implications for federal contractors.

Cloud and Data Management

Section 1035 requires the DOD CIO, the Chief Data Officer, the J6 of the Joint Staff, and the DOD Chief Management Officer to develop an enterprise policy guiding the transition of data and applications to the cloud as called for in the DOD Cloud Strategy. This policy is due within 180 days after the FY 2020 NDAA is signed into law.

Contractor Implications: Policy guidance moving data to the cloud is not the only part of this provision that will affect contractors. The Senate also wants to “dramatically improve support for operational missions and management processes … by the use of artificial intelligence and machine learning technologies.” DOD will require contractor help making this happen, particularly because the Senate also requires DOD to format its data “to support new types of analyses,” to prevent “the replication in the cloud of data stores that cannot readily be accessed by applications for which the data stores were not originally engineered” (i.e., formatted legacy system data).” This will ensure that “data sets can be readily discovered and combined with others to enable new insights and capabilities [and ensure] that data and applications are readily portable and not tightly coupled to a specific cloud infrastructure or platform.” All of these activities will require data engineering support.

Cybersecurity

The draft legislation contains multiple provisions combining cloud and cyber technologies.

Section 1631 requires that DOD “transition all Big Data Platform (BDP) instances to a cloud computing environment.

Contractor Implications: Depending on how DOD chooses to implement this provision a contractor facility could be used to host the BDP. At the same time, DOD could choose to host the BDP in milCloud 2.0 since it is under the Defense Information Systems Agency, which is responsible for defending the DOD Information Network (DODIN). In either case cloud migration and engineering services would be required.

Section 1634 directs DOD to establish a secure software development environment within a DOD cloud environment (i.e., inside the DOD’s network perimeter) for contractors to access department data and do software development work.

Contractor Implications: DOD could compete a solicitation for the creation of a cloud-based development environment or it could simply add it as a contract line item to established or pending contracts. milCloud 2.0, for example, could easily accommodate such an environment, as could the anticipated Joint Enterprise Defense Infrastructure (JEDI) contractor.

Section 1635 calls for the DOD CIO to “ensure that the Department possesses the necessary computing  infrastructure, through technology  refresh, installation or acquisition of bandwidth, and the use of cloud computing power, to host and enable necessary cybersecurity capabilities.”

Contractor Implications: This requirement goes to the heart of the Enterprise IT-as-a-Service efforts being pursued by the Air Force and Army. Neither service possesses the transport infrastructure capable of utilizing cloud to the extent the DOD (and Congress) wants. Section 1635, therefore, basically provides a legislative mandate for the continuation of EITaaS activities, ensuring that these will continue for years to come.