Cloud Computing Provisions in the FY 2024 NDAA

In case you missed it while celebrating the holidays, the Congress finally passed, and the President signed, a National Defense Authorization Act (NDAA) for fiscal year 2024. The bill, passed and signed as H.R. 2670, contains numerous technology provisions in its 973 pages, including several concerning cloud computing. Today’s post summarizes those provisions and offers some thoughts about their implications for the federal cloud market.

Amending the Federal Data Center Consolidation Initiative (FDCCI)

Although the FDCCI has been winding down, agencies remain intent on reducing the number of data centers they own and operate. To that end, Section 5302 reminds technology leaders that when “determining whether to establish or continue to operate an existing data center … [they should] regularly assess the application portfolio of the covered agency and ensure that each at-risk legacy application is updated, replaced, or modernized, as appropriate. In addition, agency leaders should “prioritize and, to the greatest extent possible, leverage commercial data center solutions, including hybrid cloud, multi-cloud, co-location, interconnection, or cloud computing rather than acquiring, overseeing, or managing custom data center infrastructure.”

Market Implications – This provision repeats the underlying reasons why data center consolidation exists, namely, to modernize applications and encourage cloud adoption. Codifying these requirements should sustain what is an already growing market.

Cloud Computing in the Intelligence Community (IC)

The remaining provisions examined here concern various aspects of the use of cloud computing in the IC.

Section 7354 requires the Director of the Central Intelligence Agency to report on use of the Commercial Cloud Enterprise (C2E). The data required must include “the number and value of all task orders issued; the duration of each task order; the number of sole source task orders issued compared to the number of task orders issued on a competitive basis; and an update on the status of the security accreditation and authority to operate decision of each vendor.”

Section 7355 adds another reporting requirement. Specifically, “the head of each element of the intelligence community shall submit to the appropriate committees of Congress a notification with respect to any sole source task order awarded … under the C2E. Each notification must include a description of the order; the duration of the order; a summary of services provided under the order; the value of the order; the justification for awarding the order on a sole source basis; and an identification of the vendor awarded the order.

Section 7356 adds a third reporting requirement calling for the Director of National Intelligence to “complete a comprehensive analysis of the commercial cloud initiatives of the intelligence community” related to C2E. This analysis should provide the following information:

1) The current year and 5-year projected costs for commercial cloud utilization for each element of the intelligence community, including costs related to data storage, data migration, egress fees, and any other commercial cloud services.

2) The termination or planned termination of the legacy data storage capacity of an element of the intelligence community and the projected cost savings resulting from such termination.

3) Efforts underway by the Office of the Director of National Intelligence and elements of the intelligence community to utilize multiple commercial cloud service providers.

4) The operational value that elements of the intelligence community are achieving through utilization of commercial cloud analytic tools and services.

5) An estimate of how C2E is currently postured to support artificial intelligence workloads of intelligence community elements and a description of criteria for continuing to rely on legacy data centers for those artificial intelligence requirements by an intelligence community element.

Market Implications – Congress is clearly concerned about the security of C2E cloud service providers and about the competitiveness of related contracting opportunities. C2E service providers could be asked to update their accreditation status, provide information on their artificial intelligence capabilities, and report data on the cost of their services. The planned termination of legacy data storage capabilities hints that further growth in the use of C2E is coming.