Cloud Provisions in the Draft FY 2025 NDAA

Published: October 16, 2024


Congress wants to get a handle on DOD’s cloud investments.

This week’s post shifts the focus from small business provisions in the various draft versions of the FY 2025 National Defense Authorization Act (NDAA) to a couple of those dealing with cloud computing. Although there is no guarantee that these provisions will make it through the legislative reconciliation process, the possibility that they might makes it worth putting them on industry’s radar.

Using Cloud for Artificial Intelligence Development

Let’s begin with Section 810 in the draft Senate NDAA (S. 4638) “Ensuring Competition in Artificial Intelligence Procurement.” Despite its title, this section does not deal only with AI. It also pertains to cloud providers. Specifically, the section requires that the DOD update the Defense Federal Acquisition Regulations Supplement to “ensure that Government-furnished data, provided for purposes of development and operation of AI products and services to the Department of Defense, is not disclosed or used without proper authorization.”

Furthermore, any “government-furnished data stored on vendor systems [including cloud-based systems], provided for purposes of development and operation of AI products and services to the Department of Defense” must also be “protected from other data on such systems” under the penalty of fines and potential contract termination if such data is not adequately protected.

Cloud service providers can request an exemption from this rule from the Chief Digital and Artificial Intelligence Officer, but, barring that, all cloud providers working with the DOD should be aware of the requirements related to segregating data.

Cloud Security Accreditation

Also included in the Senate draft (S. 4638), Section 1621 requires the Secretary of Defense to “implement a policy that requires security authorizing officials to inherit or reciprocate the security analysis and artifacts, as appropriate, of a cloud hosted platform, service, or application that has already been authorized by another authorizing official in the Department of Defense.” The reuse of this accreditation is intended to accelerate the adoption of “cloud-hosted platforms, services, and applications, at the corresponding classification level and in accordance with the existing authorization conditions, without additional authorizations or reviews.” The policy should rely on a standardized review process.

This provision should benefit industry partners and the DOD alike by taking the same type of “secure once, authorize many times” approach used by the Federal Risk and Authorization Management Program. A similar section (#1522) can be found in the draft House version of the NDAA, indicating that this provision is likely to remain in the final version of the bill.

Counting DOD Cloud Capabilities

Section 1504 of the House draft NDAA (H.R. 8070) calls for the DOD to report to congressional defense committees “the current and planned cloud elements of the Department and … the roadmap [for each] required.” Each report must include the following information:

  • The dates for any planned or ongoing replacement, update, modification, or retirement of the cloud element.
  • The relevant cost metrics for the cloud element, including the current program cost, cost-to-complete, and incremental costs.
  • The contracting method used, being used, or planned to be used, as applicable, to acquire the cloud element.
  • The organization responsible for managing the cloud element and the users of that element.
  • Relevant metrics regarding the interoperability, accessibility, and usability of the cloud element.
  • An assessment of the compliance of the cloud element with the applicable IT principles and standards of the Department.
  • An assessment of any unique attributes of the cloud element that may inhibit the introduction, replacement, update, modification, or retirement of the cloud element.
  • An assessment of the dependencies, if any, between the cloud element and the introduction, replacement, update, modification, and retirement of any other cloud element of the Department.

Although these reports are due to congressional committees, it is possible that information in them will be distilled into a planning forecast for upcoming cloud contract competitions or re-competitions. This could be of good use to industry, particularly small businesses looking for opportunities in the cloud market. In addition, the DOD’s reporting of its anticipated cloud budget for each fiscal year is often so detached from reality that it is practically worthless. Forcing the department to get a handle on its current and planned investments could mean more accurate data will be reported, which offers better insight into the defense side of the cloud market.