Cloud Provisions in the FY 2025 NDAA

Last December, two days before Christmas, the president signed the National Defense Authorization Act (NDAA) for Fiscal Year 2025 (H.R. 5009) into law. Two months earlier, I provided an overview of some of the cloud computing-related provisions in the draft legislation. As typically happens, some of the provisions in the draft legislation did not make it into the final bill while others did. Today’s post takes a quick look at these latter sections. Where it is applicable, I have added a comment on the potential market implications of the respective provision.

Section 805 – Orders the Secretary of Defense to establish pathways for the efficient and effective acquisition, development, integration, and timely delivery of software and covered hardware, including commercially available cloud computing platforms. Comment – This section could shape how the DOD procures cloud services in the future. It bears watching for that reason.

Section 1505 – Requires the Department of Defense Chief Information Officer (DOD CIO) to report each cloud contract being used by the DOD. The report shall include covered cloud contracts submitted by the Office of the Secretary of Defense, the Secretaries of the military departments, the head of each Department of Defense Field Activity, and the commander of each combatant command. In addition, the report must list the cloud capabilities and services acquired under contracts other than covered cloud contracts, show where these environments are being used, and identify the costs incurred. Comment – A section in the draft legislation, this requirement will help the DOD get a handle on what has already become a sprawling cloud environment.

Section 1514 – This section requires the DOD CIO to “develop a strategy for the management and cybersecurity of the multi-cloud environments of the Department.” The strategy must align with the DOD’s zero trust strategy; provide the DOD with network visibility and interoperability across all of its multi-cloud environments; leverage identity, credential, and access management technologies; use enterprise-wide endpoint security; improve the identification and resolution of security concerns for each cloud environment prior to and during the adoption of such cloud environment by the DOD; increase the adoption of artificial intelligence (AI/ML) applications; increase the transparency of multi-cloud usage; improve planning for capacity demand, budgeting, and predictability for users and the contractors; identify opportunities for improving data use and storage in multi-cloud environments, particularly to train AI/ML capabilities; streamline cloud-service certification processes; and plan for training defense personnel on how to incorporate the use of multi-cloud environments into the DOD’s functions. Comment – This section could translate into the procurement or use of an analytics capability to help provide the data necessary for measuring the required outcomes.

Section 1522 – Instructs the DOD CIO and CIOs of the Military Departments to establish and regularly update a digital directory of all officials responsible for issuing Authorization to Operate (ATO) certifications for cloud-based platforms, services, or applications.

Section 1532 – Requires the Secretary of Defense to establish a roadmap for testing next generation advanced artificial intelligence capabilities, including those accessible through commercial cloud or hybrid cloud environments.

Section 7303 – According to this section, the Secretary of State is required to file a report with congressional committees concerning “the status of the Bureau of Consular Affairs (CA) adoption of cloud-based products and services as, well as options to require enterprise-wide adoption of cloud computing, including for all consular operations.” Comment – This provision suggests that CA will be investing more in cloud in FY 2025 and beyond.

Section 1615 – Insists the Secretary of Defense submit to congressional defense committees a strategy to improve cooperation between the DOD and allies and partners of the United States located in the Middle East, with the goal of improving partner-sharing network capabilities. The strategy shall leverage current activities in multi-cloud computing environments to reduce the reliance on solely hardware-based networking solutions. Comment – This section makes it clear that the DOD will continue leveraging large commodity cloud providers with international reach to meet the strategy requirements.