Cloud Computing Provisions in the 2021 Defense Authorization Bill

Each fiscal year (FY) the US Congress passes a National Defense Authorization Act (NDAA) covering broad provisions for the Department of Defense (DOD) and defense-related activities in other federal departments. With rare exception, the NDAA includes elements that drive information technology policy and practice at the DOD, including cloud computing, cybersecurity, emerging technologies and acquisition policy.

As of this writing, the bill is still in process of being finalized, but the House of Representatives has passed their version, H.R. 6395 and the Senate has passed their version, S. 4049. The most recent version of the amended bill text is available on the H.R. 6395 page and has been placed on the Senate’s legislative calendar for consideration, but it is still unclear of the timing of likely final passage.

Comparing commonalities between the House and Senate drafts and what has made it into the current version there are several cloud computing related provisions that likely may make it into the final reconciled bill that goes to the president for signing.

FedRAMP Authorization

• Establishes within the General Services Administration the Federal Risk and Authorization Management Program (FedRAMP) as a government-wide program to provide an authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.
• Includes authorizations for the Joint Authorization Board, the FedRAMP Program Management Office, independent assessment organizations and a 15-member Federal Secure Cloud Advisory Committee to provide advice and recommendations.
• Authorizes $20M per year to fund the Joint Authorization Board and the FedRAMP Program Management Office.

FedRAMP Standards for 5G

• Requires the DOD to use FedRAMP moderate or high cloud standard baselines, supplemented with the DOD’s FedRAMP cloud standard controls and control enhancements, to assess fifth generation (5G) core service providers whose services will be used in the DOD’s provisional authorization process.

National Security Innovation Network

• Directs the DOD to establish the National Security Innovation Network to create a network throughout the United States that connects the DOD to academic institutions, commercial accelerators and incubators, commercial innovation hubs, and non-profit entities with missions relating to national security innovation.
• The Network is to leverage commercial software platforms and databases that enable the DOD to access commercial technologies through an accredited and cloud-based development environment, consistent with DOD standards.

Artificial Intelligence R&D

• Directs GAO to conduct a study of artificial intelligence (AI) computer hardware and computing required to maintain U.S. leadership in AI research and development, in part by assessing the composition of federally supported civilian computing resources at universities and federal laboratories, including programs with laboratory computing, high performance computing, cloud computing, quantum computing, edge computing, and other computing resources.
• Directs of the National Science Foundation to fund research and education activities in artificial intelligence systems and related fields, with adequate access to research and education infrastructure, including the development of new computing resources and partnership with the private sector for the provision of cloud-based computing services.

Spectrum Modernization

• Directs the Assistant Secretary of Commerce for Communications and Information to develop plans to modernize federal infrastructure for managing federal spectrum use, including innovative capabilities in infrastructure, such as cloud-based databases, artificial intelligence technologies, automation, and improved modeling and simulation capabilities.

Coast Guard IT Management and Cloud Strategy

• Directs GAO to conduct a comprehensive review of the Coast Guard Command, Control, Communications, Computers, Cyber, and Intelligence Service Center, including an analysis of how the Coast Guard manages its information technology program. The review is to include an analysis of the goals and acquisition strategies for all proposed Coast Guard enterprise-wide cloud computing service procurements.
• Directs the Commandant of the Coast Guard to submit a detailed description of the USCG cloud computing strategy.

Impact of China on Cloud Standards

• Authorizes the National Institute of Standards and Technology (NIST) to contract with an appropriate non-governmental organization to study the impact of China’s policies on international standards bodies setting emerging technologies, including the impact of the ‘‘Chinese Standard 2035’’ strategy on international standards for select emerging technologies, such as advanced communication technologies or cloud computing and cloud services.

The themes of addressing the many facets of cloud computing at the DOD and beyond – policy, technical, supply chain, etc. – are familiar inclusions in the yearly NDAA. Many of the provisions take incremental actions that would build on existing efforts to advance the use and security of cloud computing within federal departments and agencies as well as support cloud capabilities in the broader U.S. context.