Sec. 1501. Accountability of the Authorization to Operate processes
1,511 words·~7 min read·
/bill/119/hr/3838/rh/section-1501·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Section 1522 of the National Defense Authorization Act for Fiscal Year 2025 ( Public Law 118–159 ; 10 U.S.C. 2223 note) is amended— in subsection (b)(2)— in subparagraph (C), by striking and at the end; in subparagraph (D), by striking the period at the end and inserting a semicolon; and by adding at the end the following new subparagraphs: defines Department of Defense-wide, mandatory timelines for activities performed by authorizing officials with respect to an Authorization to Operate for cloud-hosted platforms, services, and applications; and establishes processes and policies, developed in coordination with the Chief Information Officers of the military departments, for the boards established in subsections
(c)and (d). ; by redesignating subsections
(c)and
(d)as subsections
(e)and (g), respectively; by inserting after subsection
(b)the following new subsections: Not later than 180 days after enactment of this Act, the Secretary of Defense shall establish a board, to be known as the Authority-to-Operate Expedited Appeals Board . The board established under paragraph
(1)shall decide whether to grant each Authorization to Operate for which a relevant stakeholder in the Authorization to Operate submission process submits a request in accordance with subparagraph
(B)not later than 90 days after the date on which such relevant stakeholder submits such request. A relevant stakeholder in the Authorization to Operate submission process seeking a decision from the board established under paragraph
(1)with respect to an Authorization to Operate may submit a request for such decision to such board if— a request for such Authorization to Operate was appropriately submitted to the authorizing official for such Authorization to Operate not less than 180 days prior to the submission to the board; and as of the date of such submission, such authorizing official has not made a final decision with respect to such Authorization to Operate. Upon the submission of a request for an Authorization to Operate in accordance with subparagraph (B), the authorizing official for an Authorization to Operate shall cease to have authority to grant or deny such Authorization to Operate. The Secretary of Defense shall ensure that each relevant stakeholder in the Authorization to Operate submission process may submit to the board established under paragraph
(1)a request for a decision under paragraph (2). The board established under paragraph
(1)shall be composed of the following members: The Chief Information Officer of the Department of Defense. The Commander of the United States Cyber Command. The Director of the Defense Information Systems Agency. Any other official determined appropriate by the chair of such board. The chair of the board established under paragraph
(1)shall be the Chief Information Officer of the Department of Defense. The board established under paragraph
(1)shall meet not less than frequently than quarterly. The Secretary of Defense may designate a body in the Department of Defense to carry the responsibilities described in paragraph
(2)if— the body so designated is in existence as of the date of the enactment of this subsection: and the responsibilities of such body relate to managing risks for information technologies. If the Secretary of Defense designates a body under subparagraph (A)— paragraph
(1)shall not apply with respect to the Secretary; and such body shall be deemed to be a board established in such military department under paragraph
(1)for the purposes of paragraphs
(2)and (3). If the body designated by the Secretary of Defense under this paragraph ceases to exist or becomes permanently unable to carry out the responsibilities described in paragraph (2), the Secretary may designate another body in the Department of Defense to carry out such responsibilities or establish a board in accordance with paragraph (1), except that the Secretary shall establish such board not later than 180 days after the date on which the body designated by the Secretary under this paragraph ceases to exist or becomes permanently unable to carry out such responsibilities. Not later than 180 days after enactment of this Act, each Secretary of a military department shall establish in such military department a board. Each board established in a military department under paragraph
(1)shall decide whether to grant each Authorization to Operate for which a relevant stakeholder in the Authorization to Operate submission process submits a request in accordance with subparagraph
(B)not later than 90 days after the date on which such relevant stakeholder submits such request. A relevant stakeholder in the Authorization to Operate submission process seeking a decision from a board established in a military department under paragraph
(1)with respect to an Authorization to Operate may submit a request for such decision to such board if— a request for such Authorization to Operate was appropriately submitted to the authorizing official for such Authorization to Operate not less than 180 days prior to the submission to the board; the Authorization to Operate is for an information system of such military department; and as of the date of such submission, the authorizing official for such Authorization to Operate has not made a final decision with respect such Authorization to Operate. Upon the submission of a request for an Authorization to Operate in accordance with subparagraph (B), the authorizing official for an Authorization to Operate shall cease to have authority to grant or deny such Authorization to Operate. The Secretary concerned for a military department shall ensure that each relevant stakeholder in the Authorization to Operate submission process may submit to the board established in such military department under paragraph
(1)a request for a decision under paragraph (2). A board established in a military department under paragraph
(1)shall be composed of the following members: The Chief Information Officer of such military department. The service acquisition executive of such military department. The commanders of the relevant service cyber components. Any other official determined appropriate by the chair of such board. The chair of a board established in a military department under paragraph
(1)shall be the Chief Information Officer of such military department. Each board established under paragraph
(1)shall meet not less than frequently than quarterly. The Secretary of a military department may designate a body in such military department to carry the responsibilities of described in paragraph
(2)if— the body so designated is in existence as of the date of the enactment of this subsection: and the responsibilities of such body relate to managing risks for information technologies. If the Secretary of a military department designates a body under subparagraph (A)— paragraph
(1)shall not apply with respect to such Secretary; and such body shall be deemed to be a board established in such military department under paragraph
(1)for the purposes of paragraphs
(2)and (3). If the body designated by the Secretary of a military department under this paragraph ceases to exist or becomes permanently unable to carry out the responsibilities described in paragraph (2), the Secretary may designate another body in such military department to carry out such responsibilities or establish a board in accordance with paragraph (1), except that the Secretary shall establish such board not later than 180 days after the date on which the body designated by the Secretary under this paragraph ceases to exist or becomes permanently unable to carry out such responsibilities. ; and by inserting after subsection (e), as so redesignated, the following new subsection: Not later than six months after the date of the enactment of this subsection, and every six months thereafter under October 1, 2031, the Secretary of Defense shall submit to the congressional defense committees a report on activities under this section in the six-month period ending on the date of the submission of such report. Each report required under paragraph
(1)shall include, for the period covered by such report— the number of new Authorizations to Operate; the number of Authorizations to Operate evaluated; the number of requests for Authorizations to Operate that were denied; the number of requests for Authorizations to Operate submitted to the board established under subsection (c); the number of requests for Authorizations to Operate resolved by the board established under subsection (c); the number of requests for Authorizations to Operate submitted to a board established under subsection (d); the number of requests for Authorizations to Operate resolved by a board established under subsection (d); the average length of time required for a capability to receive an Authorization to Operate in accordance with the organization’s implementation of the risk management framework publish by the National Institution of Standards and Technology in NIST Special Publication 800-37, or any amendatory or superseding document thereto; the number of Authorizations to Operate issued pursuant to the policy required by subsection (b); the number of requested reciprocal Authorizations to Operate denied due to insufficiency of supporting evidence; and a narrative summary identifying deficiencies in Bodies of Evidence packages that prevented an authorizing official from adopting the security analysis and artifacts, as appropriate, of a cloud-hosted platform, service, or application that has already been authorized by another authorizing official in the Department of Defense in accordance with the policy required by subsection (b). .
Connectionstraces to 2
Citation graph
cites case law
Sec. 1501
Accountability of the Authorization to Operate processes
Cites 2Cited by 0 across 0 sources