Cloud Computing Provisions in the FY 2026 NDAA

Late last week, the House of Representatives passed S. 1071, their amended copy of the Senate’s National Defense Authorization Act (NDAA). The reconciled bill has now passed both chambers of Congress and will go to the white House for signature into law by the President.

Each year’s NDAA usually contains provisions related to the use of, or even investment in, specific technologies. This year’s bill is no exception. Today’s article takes a look at the provisions in the FY 2026 bill related to cloud computing and includes a consideration of the implications of these for government contractors and cloud service providers.

Key Cloud Computing Provisions

Section 1692: Prohibition on Access to DOD Cloud-Based Resources by Certain Individuals

This provision

• Prohibits individuals who are citizens of foreign countries of concern from accessing DOD cloud computing systems.
• Applies to maintenance, administration, operation, use, receipt of information, or any direct or indirect access.
• Applies regardless of whether the individual is supervised by a U.S. citizen.
• Requires DOD to review all existing cloud computing contracts for compliance violations.

Defined Restrictions:

• Foreign countries of concern include China, Russia, Iran, North Korea, and other designated adversary nations.
• Covers all levels of access, from administrative privileges to indirect access through third parties.
• No exemptions for supervised or contractor personnel from these nations.

Section 5302: Authorization to Use Commercial Cloud Enclaves Overseas (State Department)

This provision

• Authorizes the Department of State to utilize commercial cloud enclaves for overseas operations.
• Enables deployment of cloud infrastructure outside the continental United States.
• Supports diplomatic missions with modern cloud-based tools while maintaining security requirements.

Section 1521: Accountability of Authorization to Operate Processes

This provision

• Establishes an accountability framework for cloud system authorizations.
• Enhances oversight of cloud security certifications.

Section 1504: Department of Defense Data Ontology Governance Working Group

This provision

• Creates governance structure for data standards in cloud environments.
• Ensures interoperability across cloud platforms.

Section 1513: Physical and Cybersecurity Procurement Requirements for AI Systems

This provision

• Mandates security requirements for AI systems deployed on cloud infrastructure.
• Addresses supply chain risks in cloud-based AI implementations.

Implications for Government Contractors

• Compliance requirements are likely to have the biggest immediate impact, particularly concerning workforce screening and management. Contractors should conduct a comprehensive review of all personnel with access to DOD cloud environments and verify the citizenship status of all staff working on DOD cloud contracts.
• Contractors should be prepared for supply chain audits, including of subcontractors and supply chain partners, for foreign ownership or personnel exposure. These reviews may require subcontracting relationships to be restructured.
• Contractors must implement enhanced authentication and authorization controls, if these aren’t already in place.
• Authorization of overseas commercial cloud enclaves may create opportunities for contractors supporting diplomatic missions, though similar citizenship restrictions likely apply.

Final Thoughts

The provisions in the FY 2026 NDAA represents a shift in DOD's approach to cloud security, emphasizing personnel-based access controls over technical measures alone. Government contractors must take immediate action to assess their compliance posture, implement necessary controls, and develop long-term strategies to operate within these new restrictions.