Proposed legislation would push Pentagon to streamline ATO process for cloud-based capabilities
Key lawmakers have drafted a legislative provision that would require the Pentagon to streamline the authorization to operate for cloud-based platforms, services and applications.
A mark for the fiscal 2025 Servicemember Quality of Life Improvement and National Defense Authorization Act, released Monday, calls for the modernization of the Department of Defense’s ATO processes.
The proposal, put forth by the House Armed Services Subcommittee on Cyber Innovative Technologies and Information Systems (CITI), would require the DOD to institute the presumption of reciprocal software accrediting standards.
Reciprocity essentially enables federal entities to reuse another internal or external organization’s assessments to share information — and ultimately reduce associated costs in time and investments that accompany approving IT systems to operate on the information networks.
Section 1522 of the CITI subcommittee mark would require the chief information officers of the U.S. military departments to jointly develop and implement a policy and guidance — not later than 270 days after the enactment of the NDAA — “requiring authorizing officials in the military departments to presume the cybersecurity of a cloud-based platform, service, or application that has already been accredited by another authorizing official in a military department for the same or similar purposes and the same classification level when determining whether to approve or deny a request for an Authorization to Operate for such cloud-based platform, service, or application.”
The guidance would also require authorizing officials to consult with the current or planned mission owners of a cloud-based platform, service, or application when they’re making a determination whether to approve or deny an ATO request.
Additionally, officials who are making a determination to approve or deny an ATO request for a cloud-based platform, service, or application would have to ensure that documentation containing all of the relevant details of the cybersecurity, accreditation, performance and operational capabilities of such technology are “easily accessible and comprehensible to all relevant stakeholders with respect to such request,” according to the text of the mark.
The DOD would also have to develop and implement a system for the digital sharing of that type of documentation.
“The policy and guidance developed under this subsection shall apply with respect to all cloud-based platforms, services, and applications capabilities operating across accredited cloud environments of the military departments, to the extent practicable,” according to the mark.
The legislation comes as the Pentagon is forging ahead with various cloud initiatives as a key component of its IT modernization efforts.
Earlier this month, in response to industry complaints about the department’s ATO process, DOD leadership issued new guidance aimed at resolving risk management and cybersecurity reciprocity challenges.