WASHINGTON — The House Armed Services subcommittee on cyber, information technologies and innovation issued cybersecurity guidance requiring reciprocity on cloud computing systems Monday, pushing the Pentagon to streamline often-duplicative Authorization To Operate procedures.
In the draft 2025 National Defense Authorization Act, the subcommittee wrote that no later than 270 days after the NDAA is implemented, the CIOs of the Army, Navy and Air Force Departments should develop and implement a policy that enforces reciprocity for cloud computing. In essence, if one office in the department officially deems that a “cloud-based platform, service, or application” is sufficiently cybersecure to use, then all parts of DoD can accept this “Authority To Operate” (ATO) instead of having to redo the certification process.
The idea is to eliminate redundant ATO processes, currently a major headache for both defense officials and IT contractors, who must prove a particular piece of software or hardware is secure over and over to different Authorizing Officers (AOs) with jurisdiction over different organizations, who often impose subtly different standards.
This mandate doesn’t apply to non-cloud “on premise” systems, which remain a large percentage of the DoD network, albeit an ever-dwindling one.
The draft language released Monday proposes that before approving or denying a request for authorization to operate a cloud-based platform, service or application, military department AOs must consult with the current or planned mission owners of that platform, service or application. This means that the AO from one department or office should comply with what other AOs decided when determining if a cloud computing system is cybersecure.
Other guidance in the draft proposes that AOs shall provide documentation that is accessible and comprehensible to “relevant stakeholders.” Additionally, a system that compiles and shares the documentation “of cloud-based platforms, services, and applications between mission owners and system owners” should be developed.
HASC’s reciprocity proposal comes after the Pentagon released its own cybersecurity guidance last week that also enforces reciprocity, though that guidance was not limited to cloud computing systems.
The plan, laid out in a one-pager signed by Deputy Defense Secretary Kathleen Hicks and formally titled “Resolving Risk Management Framework and Cybersecurity Reciprocity Issues,” states that the “Department implements the Risk Management Framework (RMF), in accordance with DoD Instruction 8510.01, to guide how we build, field, and maintain cyber secure and survivable capabilities.”
Pentagon CIO John Sherman told the GEOINT audience that this move will assure “that folks don’t have to check each other’s homework over and over again,” unless an official has “bona fide reasons” to perform rechecks.
The Pentagon has yet to release the full guidance; however, a representative from Sherman’s office told Breaking Defense in an email that it will be released “in the coming weeks.”
The HASC plans to mark up the FY25 NDAA on May 22.