
Code · BILL · 119th Congress · S. 1071 (EAH) — 119 S1071 EAH: National Defense Authorization Act for Fiscal Year 2026 · Sec. 1521

Sec. 1521. Accountability of the Authorization to Operate processes


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Section 1522 of the National Defense Authorization Act for Fiscal Year 2025 (Public Law 118–159; 10 U.S.C. 2223 note) is amended—

in subsection (b)(2)— in subparagraph (C), by striking and at the end; in subparagraph (D), by striking the period at the end and inserting ; and ; and by adding at the end the following new subparagraph: defines Department of Defense-wide, mandatory timelines for activities performed by authorizing officials with respect to an Authorization to Operate for cloud-hosted platforms, services, and applications. ;

in subsection (b)(3), by striking subsection (a) and inserting paragraph (1);

by redesignating subsection (c) as subsection (d);

by inserting after subsection (b) the following new subsection:

Not later than 180 days after the date of the enactment of this subsection, the Chief Information Officer of the Department of Defense, in coordination with the Chief Information Officers of the military departments, shall provide to each element of the Department of Defense with Authorization to Operate responsibilities guidance on, and direct each such element to develop and implement, one or more processes to expedite the granting of Authorizations to Operate and, where applicable, related appeals.

The processes implemented by an element of the Department of Defense under paragraph (1) shall provide for expedited review of a request for an Authorization to Operate if— such Authorization to Operate is for an information system of such element; and the request for such Authorization to Operate was appropriately submitted to the authorizing official for such Authorization to Operate and— the final determination whether to grant such Authorization to Operate as has been pending before such authorizing official for not fewer than 180 days without resolution; if a mechanism for appealing a determination by an authorizing official with respect to such Authorization to Operate exists, such an appeal has been pending before such authorizing official for not fewer than 90 days without response; or any other circumstances identified by the Chief Information Officer of the Department of Defense in the policy established under paragraph (1) that demonstrate unreasonable delay or impediment to the Authorization to Operate process.

The process for expedited appeals developed under paragraph (1) shall include— clearly defined timelines for resolution of the expedited review of the appeal, not to exceed 45 days from the date the expedited review is requested; requirements for a written justification when such timelines cannot be met; and tracking and reporting mechanisms to monitor compliance with such timelines. ;

and by amending subsection (d), as so redesignated, to read as follows:

Not later than 120 days after the date of the enactment of this Act, the Secretary of Defense shall submit to the congressional defense committees a report on the status of the implementation of subsections (a) and (b).

Not later than July 1, 2026, the Chief Information Officer of the Department of Defense shall submit to the congressional defense committees a report on the status of the implementation of subsections (c).

Not later than six months after the date of the enactment of this subsection, and every six months thereafter under October 1, 2031, the Secretary of Defense, in coordination with the Chief Information Officer of the Department of Defense and the Chief Information Officers of the military departments, shall submit to the congressional defense committees a report on the activities under this section in the six-month period ending on the date of the submission of such report.

Each report required under subparagraph (A) shall include, for the period covered by such report— the number of new Authorizations to Operate issued; the number of requests for an Authorization to Operate that were submitted with complete and sufficient documentation to the appropriate authorizing official; the number of requests for Authorizations to Operate that were denied; the number of requests for Authorizations to Operate that were escalated to the process implemented under subsection (c), disaggregated by escalations— to the Chief Information Officer of the Department of Defense; and to the Chief Information Officer of each military department; the number of requests described in clause (iv) that were resolved, disaggregated by resolutions— by the Chief Information Officer of the Department of Defense; and by the Chief Information Officer of each military department; the average time required for a capability to receive an Authorization to Operate, disaggregated each element of the Department responsible for evaluating the request for the Authorization to Operate; the number of Authorizations to Operate issued pursuant to the policy required by subsection (b); the number of requested reciprocal Authorizations to Operate denied due to insufficiency of supporting evidence, along with a narrative summary of the primary reasons for such denials; a narrative summary of any recurring deficiencies in the materials required for system authorization under the Risk Management Framework; recommendations to refine the Risk Management Framework and the Authority to Operate process, including opportunities to define, implement, and validate security controls at a higher organizational level so that subordinate systems may rely on those controls without duplicative implementation or assessment; and an evaluation of the training, standards, and qualification requirements for authorizing officials. .