Section 1553 of the fiscal 2023 defense authorization bill will require all DOD cloud contracts to include provisions that allow the department to access and test systems housing classified data.
A key provision in the fiscal 2023 National Defense Authorization Act has tasked the Defense Department with evaluating the cybersecurity of any commercial cloud systems that touch its classified data, but there are concerns about what downstream effects provision will have.
Section 1553 of the recently-passed legislation requires DOD to collaborate with industry on a new policy authorizing it "to conduct independent, threat-realistic assessments" for all commercial cloud infrastructure that provides storage or computing for classified data.
That same provision also requires commercial cloud contracts with DOD to include clauses allowing the department to access and test all systems housing classified data. While the move is meant to improve the department's visibility into its enterprise-wide cloud and cybersecurity infrastructure, Alex Rossino, an advisory research analyst on Deltek's federal market analysis team, said its implementation could require a hefty compliance effort.
“The policy is going to evolve and it’s going to take some time for the kinks to be worked out,” Rossino told FCW, pointing to the DOD's ongoing rollout of its Cybersecurity Maturity Model Certification program, which calls on defense contractors to demonstrate they have prescribed levels of cyber protections to compete for acquisitions.
“If you look at just how much trouble they’ve had with CMMC already, you can see that this might be a little bit more complicated than the language makes it sound,” said Rossino.
It remains unclear how the DOD plans to go about the testing process once it has developed a standardized policy. For starters, the department will have to either authorize an internal office to conduct regular evaluations for its commercial cloud systems or hire a third-party contractor.
But the DOD will also have to evaluate its current contracts with cloud service providers to determine whether they meet the new requirements – a heavy lift, according to Rossino.
“It’s going to require the DOD to look back at some of these contracts, and there are dozens, if not hundreds of them,” he said. “This is going to be a serious level of effort.”
However, at least one thing is clear for Rossino when it comes to implementing the new cloud computing provisions featured in the NDAA: the DOD is preparing to increasingly lean on its $9 billion Joint Warfighting Cloud Capability, or JWCC, multiple-award contract vehicle designed to procure commercial cloud capabilities directly from CSPs.
The indefinite-delivery, indefinite-quantity vehicle is meant to streamline the acquisition process of commercial cloud services in part by standardizing security and management requirements.
In December, the DOD awarded Amazon Web Services, Google, Microsoft and Oracle the chance to compete for task orders on the JWCC contract, and the NDAA will likely mean the new cybersecurity testing clauses will be implemented directly onto those task orders, Rossino wrote in a Deltek blog post.
If the CMMC rollout is any indication of what comes next for the new testing and evaluation cloud cybersecurity provision, there’s a long road ahead – albeit, one with the potential to provide major improvements, Rossino told FCW.
“This is just the next phase in the saga,” he said. “They want to use ‘Star Wars’ acronyms, so there you go: Here is the saga.”