Cloud Computing in the House Draft FY 2025 National Defense Authorization Act

Last week’s post took a look at significant contracting provisions in the full draft of the National Defense Authorization Act (NDAA) for fiscal year 2025 (H.R. 8070) that the House of Representatives recently passed. Readers looking for that post can find it here.

This week’s post focuses on the provisions related to cloud computing. Should these provisions survive the reconciliation process with the Senate’s version of the bill, a couple of them could spur investments of interest to industry. Where applicable, I’ve added an analyst comment concerning the possibility of a contract requirement being developed.

Section 566 directs the Department of Defense to establish a pilot program for a secure, mobile personal health record for members of the armed forces participating in the transition assistance program. It requires that the pilot is accessible to the Department of Veterans Affairs, is web-based, and uses cloud-based record storage for the program.

Analyst Comment – The pilot project required for Section 566 looks like a good candidate for the award of an Other Transaction Agreement (OTA).

Section 1504 requires an inventory of the cloud computing capabilities currently in use by the DOD. It directs the DOD’s Chief Information Officer to produce a roadmap for the department that lists cloud computing capabilities, environments, architectures and systems currently in use and pending development.

Section 1512 directs the Secretary of Defense to submit to congressional defense committees a strategy for improving cooperation on air and missile defense between the DOD and U.S. allies in the Middle East by standing up a new Joint Partner-Sharing Network capability.

Analyst Comment – This section requires the DOD to leverage a multi-cloud environment for the new information sharing capability. The environment DOD chooses is likely to be one offered by the Joint Warfighting Cloud Capability (JWCC) providers, so this requirement, should it survive past bill reconciliation, will probably appear as a task order for JWCC vendors.

Section 1522 on the modernization of the DOD’s authorization to operate (ATO) Processes calls for DOD officials to presume that a cloud-based platform, service, or application which has already been accredited by another authorizing official, is secure and viable for reuse.

Analyst Comment – The House appears to understand that the additional controls DOD uses to issue ATOs for cloud solutions can greatly increase the time and expense related to the review and certification process. This section would implement a “certify once, use multiple times” approach to ATOs similar to that used by the FedRAMP program without watering down the DOD’s security protocols.

Section 1606 requests that any future hybrid space architectures (HSAs) developed by the DOD are cloud-based.

Analyst Comment – This provision is unnecessary and will probably be scrapped given the fact that the DOD has been developing a cloud-based hybrid space architecture since FY 2022. It awarded two OTAs for a prototype HSA in FY 2022 and spent almost $20M on the project in FY 2023.