Sec. 1522. Modernization of the Department of Defense’s Authorization to Operate processes
/bill/118/hr/8070/rh/section-1522
Not later than 270 days after the date of the enactment of this Act, the Secretary of Defense, acting through the Chief Information Officer of the Department of Defense and in coordination with the Chief Information Officers of the military departments, shall establish and regularly update a digital directory of all authorizing officials in the military departments.

The directory established under paragraph (1) shall include—
the most current contact information for such authorizing official; and
a list of each training required to perform the duties and responsibilities of an authorizing official completed by such authorizing official.

Not later than 270 days after the date of the enactment of this Act, the Chief Information Officers of the military departments shall jointly develop and implement a policy and guidance—
requiring authorizing officials in the military departments to presume the cybersecurity of a cloud-based platform, service, or application that has already been accredited by another authorizing official in a military department for the same or similar purposes and the same classification level when determining whether to approve or deny a request for an Authorization to Operate for such cloud-based platform, service, or application; and
requiring authorizing officials in the military departments to consult with the current or planned mission owners of a cloud-based platform, service, or application that will use such cloud-based platform, service, or application pursuant to an Authorization to Operate for such cloud-based platform, service, or application when such authorizing official is making a determination whether to approve or deny the request for such Authorization to Operate.

The policy and guidance required under paragraph (1) shall—
require each relevant authorizing official in a military department who is making a determination to approve or deny a request for an Authorization to Operate for a cloud-based platform, service, or application to ensure that documentation containing all of the relevant details of the cybersecurity, accreditation, performance, and operational capabilities of such cloud-based platform, service, or application is easily accessible and comprehensible to all relevant stakeholders with respect to such request; and
require the development and implementation of a system for the digital sharing of the documentation described in subparagraph (A), including documenting the communication and acknowledgment of the uses of cloud-based platforms, services, and applications between mission owners and system owners of such cloud-based platforms, services, and applications.

The policy and guidance developed under this subsection shall apply with respect to all cloud-based platforms, services, and applications capabilities operating across accredited cloud environments of the military departments, to the extent practicable.
In this section—
the term Authorization to Operate has the meaning given such term in the Office of Management and Budget Circular A-130;
the term authorizing official means an officer who is authorized to assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations and the United States;
the term military departments has the meaning given such term in section 101(a) of title 10, United States Code;
the term mission owner means the user of a cloud-based platform, service, or application; and
the term system owner means the element of the Department of Defense responsible for acquiring a cloud-based platform, service, or application, but which is not a mission owner of such cloud-based platform, service, or application.