Sec. 1553. PLAN FOR COMMERCIAL CLOUD TEST AND EVALUATION
## SEC. 1553 PLAN FOR COMMERCIAL CLOUD TEST AND EVALUATION **[**[10 U.S.C. 2224 note](/us/usc/t10/s2224)**]**

### (a) Policy and Plan

Not later than 180 days after the date of enactment of this Act, the Secretary of Defense, in consultation with commercial industry, shall implement a policy and plan for test and evaluation of the cybersecurity of the clouds of commercial cloud service providers that provide, or are intended to provide, storage or computing of classified data of the Department of Defense.

### (b) Contents

The policy and plan under subsection (a) shall include the following:

#### (1)

A requirement that, beginning on the date of the enactment of this Act, future contracts with cloud service providers for storage or computing of classified data of the Department include provisions that permit the Secretary to conduct independent, threat-realistic assessments of the commercial cloud infrastructure, including with respect to—

##### (A)

the storage, compute, and enabling elements, including the control plane and virtualization hypervisor for mission elements of the Department supported by the cloud provider; and

##### (B)

the supporting systems used in the fulfillment, facilitation, or operations relating to the mission of the Department under the contract, including the interfaces with these systems.

#### (2)

An explanation as to how the Secretary intends to proceed on amending existing contracts with cloud service providers to permit the same level of assessments required for future contracts under paragraph (1).

#### (3)

Identification and description of any proposed tiered test and evaluation requirements aligned with different impact and classification levels.

### (c) Waiver Authority

The Secretary may include in the policy and plan under subsection (a) an authority to waive any requirement under subsection (b) if the waiver is jointly approved by the Chief Information Officer of the Department of Defense and the Director of Operational Test and Evaluation.

### (d) Submission

Not later than 180 days after the date of enactment of this Act, the Secretary shall submit to the Committees on Armed Services of the Senate and the House of Representatives the policy and plan under subsection (a).

### (e) Threat-realistic Assessment Defined

In this section, the term “threat-realistic assessments” means, with respect to commercial cloud infrastructure, activities that—

#### (1)

are designed to accurately emulate cyber threats from advanced nation state adversaries, such as Russia and China; and

#### (2)

include cooperative penetration testing and no-notice threat-emulation activities where personnel of the Department of Defense attempt to penetrate and gain control of the cloud-provider facilities, networks, systems, and defenses associated with, or which enable, the supported missions of the Department.