Cloud Computing Provisions in the Draft FY 2026 NDAA

Published: September 29, 2025


Some draft provisions might become requirements if they survive the reconciliation process.

It’s that time of year again when the Senate and House of Representatives are busy reconciling their respective versions of the National Defense Authorization Act (NDAA) for Fiscal Year 2026. As usual, these bills contain provisions dealing with specific types of technology used by the Department of Defense (DOD) and sometimes other federal agencies as well. Today’s post provides a look at some of the provisions in the draft bills – especially the House version – that deal with cloud computing.

As a reminder, given the draft status of the legislation, these provisions might not make it into the final version of the bill that is sent for the President’s signature. Many provisions will survive the reconciliation process, however, and so today’s post summarizes the provisions that might be of greatest interest to industry.

Draft Senate NDAA (S. 2296)

Section 879 – Phase-Out of Computer and Printer Acquisitions Involving Entities Owned or Controlled by China. Mandating that the Secretary of Defense (SecDef) may not acquire any computer or printer if the manufacturer is a covered Chinese entity, this section exempts contracts or other agreements for cloud-based services, including virtual desktops, or cellular telephones. Cloud Service Providers should review their supply chains to comply with this requirement in case it clears the reconciliation hurdle.

Draft House NDAA (H.R. 3838)

Section 242 – Feasibility Study on Use of Cloud Laboratories. This section directs the DOD to study the feasibility and advisability of using cloud-based laboratories to provide authorized researchers with access to high-quality experimental instrumentation and data. The requested Congressional review will include estimated costs for the construction and sustainment of cloud laboratories and timelines for establishing cloud laboratories, suggesting that a contract or contracts for such laboratories may be awarded.

Section 857 – Enhanced Security Strategy for Private Fifth-Generation Information and Communications Capabilities. Instructing the DOD to procure fifth-generation wireless technology for private networks on military installations to promote enhanced wireless network security requirements, including supply chain risk management, this section orders the SecDef to prioritize using cloud-native capabilities. Industry should look for potential business opportunities to come from this review.

Section 1616 – Prohibition on Access to DOD Cloud-Based Resources by Individuals Who are Not Citizens of the United States or Allied Countries. This section dictates that no individual who is a citizen of a foreign country of concern may maintain, administer, operate, use, receive information about, or directly or indirectly access any DOD cloud computing system, regardless of whether the individual is supervised by a citizen of the United States. It also requires the DOD to review all cloud computing contracts for violation of this requirement. This provision is similar in thrust to Section 879 of the Senate bill, and industry partners will want to review the background of personnel working on defense-related cloud agreements to ensure they comply.

Section 1832 – Data-as-a-Service (DaaS) Solutions for Weapon System Contracts. Mandating that the SecDef ensure the pricing and terms and conditions of access to DaaS are commensurate with commercial practices for similar access, this section prohibits the SecDef from requiring that commercial DaaS offerors provide access in a manner different from what is customarily provided to commercial buyers.