Cloud Computing Provisions in National Defense Authorization Act

By | January 18, 2023
Thin client Computer

Analysis of the FY 2023 NDAA appears to show some cloud-related work.

The annually-passed National Defense Authorization Act (NDAA) often contains provisions dealing with the procurement and use of technology by the Department of Defense (DOD) and other federal agencies. The NDAA for Fiscal Year 2023, passed in mid-late December, was no exception, containing several provisions dealing with cloud computing. Today’s post continues an analysis of that legislation (begun last week with this post on inflation) for potentially useful information.

Support for R&D of Bio-Industrial Manufacturing Processes

Section 215 concerns the esoteric subject of R&D for bio-industrial manufacturing. Directing the Secretary of Defense to support “the development of a network of bio-industrial manufacturing facilities to conduct research and development,” the provision outlines that such support “may consist of funding one or more existing facilities or the establishment of new facilities.” These facilities will facilitate the creation of “materials such as polymers, coatings, resins, commodity chemicals, and other materials with fragile supply chains.”

Cloud computing likely comes in with the provision’s demand that the DOD establish “an interoperable, secure, digital infrastructure for collaborative data exchange across entities in the bio-industrial manufacturing community, government agencies, industry, and academia.” While not explicitly mentioning cloud, past collaborative research efforts along these lines have tended to leverage cloud infrastructure for the dissemination of data. One can look at research on cancer at the National Cancer Institute and on meteorology at the National Oceanic and Atmospheric Administration for examples. Other examples can be found in the annual budget supplement put out by the Networking and Information Technology Research and Development (NITRD) program, too. Call it a hunch that this effort results in cloud-related work.

Plan for Commercial Cloud Test and Evaluation

Section 1553 instructs the Secretary of Defense, in consultation with industry, to “implement a policy and plan for the test and evaluation of the cybersecurity of the clouds of commercial cloud service providers that provide, or are intended to provide, storage or computing of classified data of the Department of Defense.” The final plan adopted is supposed to include a “requirement that future contracts with cloud service providers for the storage or computing of classified data … permit[s] the Secretary to conduct independent, threat-realistic assessments of the commercial cloud infrastructure

Clauses will be inserted into contracts with CSPs handling classified data giving the DOD permission to access and test the cloud infrastructure being used to house the classified data in question. This provision appears to be related to the forthcoming Cybersecurity Maturity Model Certification (CMMC) program. Presumably, the first contracts that will see these new provisions will be those awarded for the Joint Warfighting Cloud Capability. I don’t have access to a copy of the finalized contract to confirm if a similar clause is not already in those documents.

Demonstration Program for Component Content Management Systems

Section 917 orders the DOD Chief Information Officer to carry out a pilot program that demonstrates “the application of component content management systems to a distinct set of data of the Department.” The use of cloud-based content management systems is growing rapidly across the federal government so I’m willing to bet dollars to donuts that the CMS piloted will be a cloud-based capability hosted by one of the JWCC CSPs. This would be the path of least resistance. If that isn’t the route taken then industry partners should keep an eye open for a Sources Sought notice this fiscal year.