Cloud and AI Sections in Senate Amendments to the FY 2025 NDAA

On September 19, the Senate Armed Services Committee (SASC) released a so-called “manager’s package” of amendments to S. 4638, the Senate’s version of the National Defense Authorization Act (NDAA) for Fiscal Year 2025. The manager’s package (S. Amdt. 3290) incorporates 93 amendments submitted by various members of the Senate and agreed to by the SASC and Senate leadership. The manager’s package also includes text for the Intelligence Authorization Act for Fiscal Year 2025, the State Authorization Act for Fiscal Year 2025, and other Senate authorization bills. The Congress is in the process of reconciling the Senate’s version of the FY 2025 NDAA with the version passed by the House of Representatives (H.R. 8070).

The amendment package contains sections concerning technology that could be of interest to industry. Today’s post describes two of those sections and offers some comments on their implications for the market.

Cloud Computing

Tucked into the text for the State Department Authorization Act for Fiscal Year 2025 is Section 9304. It calls for the submission of a Report on Cloud Computing In the Bureau of Consular Affairs (CA). Specifically, “Not later than 90 days after the date of the enactment of [the FY 2025 NDAA], the Secretary shall submit to the appropriate congressional committees a report on the status of the Bureau of Consular Affairs adoption of cloud-based products and services as well as options to require enterprise-wide adoption of cloud computing, including for all consular operations.”

Analyst Comment

CA has been aggressively adding cloud services to its inventory of capabilities over the last three fiscal years. After spending only $3.5M in FY 2021, CA’s obligations for identifiable cloud-based services rose to $48.4M in FY 2023. Most of this spending is dedicated to four different cloud services: Salesforce Government Cloud Plus ($27.3M); VMware Government Services ($10.8M); Palo Alto Networks Government Cloud Services ($6.5M); and Adobe capabilities ($1.0M).

Unfortunately, Section 9304 does not explain why the Senate is so concerned about cloud use by CA. One could speculate that because CA uses these services around the world, the Senate wants to keep data secure. Whatever the concern might be, legislative attention only increases the pressure on State to adopt cloud to a greater extent, and this is good news for providers.

Artificial Intelligence

Section 505 instructs the Director of the National Security Agency to “establish an Artificial Intelligence Security Center within the NSA’s Cybersecurity Collaboration Center. The new center will be responsible for “developing guidance to prevent or mitigate counter-artificial intelligence techniques; promoting secure artificial intelligence adoption practices for managers of national security systems; [and] such other functions as the Director considers appropriate.”

Analyst Comment

While the public dabbles in Generative AI to write term papers and create memes, governments around the world are becoming very concerned about the ability of increasingly powerful AI capabilities to compromise secure systems. Section 505 provides a peek into the burgeoning area of AI-based security. Given the NSA’s place in the national security ecosystem, it is likely that the guidance issued will shape employee (and perhaps contractor) training in the years to come. Contractors working in the fields of AI and cybersecurity would do well to heed whatever documents related to this section that come out of the NSA in the future because of the impact they could have on capabilities the National Security Community wants to use.