## SEC. 1522 MODERNIZATION OF THE DEPARTMENT OF DEFENSE’S AUTHORIZATION TO OPERATE PROCESSES

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
### (a) Active Directory of Authorizing Officials

#### (1) In general

Not later than 270 days after the date of the enactment of this Act, the Secretary of Defense, acting through the Chief Information Officer of the Department of Defense and in coordination with the Chief Information Officers of the military departments, shall establish and regularly update a digital directory of all authorizing officials in the military departments.

#### (2) Contents

The directory established under paragraph (1) shall include—

- (A) the most current contact information for such authorizing official; and
- (B) a list of each training required to perform the duties and responsibilities of an authorizing official completed by such authorizing official.
### (b) Presumption of Reciprocal Software Accrediting Standards

#### (1) Policy required

Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense, acting through the Chief Information Officer of the Department of Defense, shall implement a policy that requires authorizing officials to adopt the security analysis and artifacts, as appropriate, of a cloud-hosted platform, service, or application that has already been authorized by another authorizing official in the Department of Defense in order to more rapidly adopt and use such cloud-hosted platforms, services, and applications, at the corresponding classification level and in accordance with the existing authorization conditions, without additional authorizations or reviews.

#### (2) Elements

The Secretary shall ensure that the policy implemented under paragraph (1)—

- (A) ensures the development of standardized and transparent documentation of the security, accreditation, performance, and operational capabilities of cloud-hosted platforms, services, and applications to enable decision making by mission owners of such cloud-hosted platforms, services, and applications;
- (B) provides for an intuitive and digital workflow to document acknowledgments among mission owners and system owners of use of the operational capabilities of cloud-hosted platforms, services, and applications;
- (C) directs a review by mission owners of existing authorization information, at the appropriate classification level, regarding the status of the operational capabilities of cloud-hosted platforms, services, and applications, including through management dashboards or other management analytic capabilities;
- (D) defines a process, including required timelines, to allow authorizing officials that disagree with the security analysis of a cloud-hosted platform, service, or application that such official would be required to adopt under such policy to present such disagreement to the Chief Information Officer of the Department of Defense, or such other individual or entity designated by the Chief Information Officer, for adjudication; and
- (E) defines Department of Defense-wide, mandatory timelines for activities performed by authorizing officials with respect to an Authorization to Operate for cloud-hosted platforms, services, and applications.

#### (3) Applicability

The policy implemented pursuant to paragraph (1) shall apply to—

- (A) all authorizing officials in the Department of Defense, including in each military department, component, and agency of the Department; and
- (B) all operational capabilities of cloud-hosted platforms, services, and applications, including capabilities on public cloud infrastructure, as authorized through the Federal Risk and Authorization Management Program established under section 3608 of title 44, United States Code, and the Defense Information Systems Agency, and capabilities on private cloud landing zones managed by the Department of Defense that are authorized by Department accrediting officials.
### (c) Expedited Processing

#### (1) Processes required

Not later than 180 days after the date of the enactment of this subsection, the Chief Information Officer of the Department of Defense, in coordination with the Chief Information Officers of the military departments, shall provide to each element of the Department of Defense with Authorization to Operate responsibilities guidance on, and direct each such element to develop and implement, one or more processes to expedite the granting of Authorizations to Operate and, where applicable, related appeals.

#### (2) Criteria for expedited review

The processes implemented by an element of the Department of Defense under paragraph (1) shall provide for expedited review of a request for an Authorization to Operate if—

- (A) such Authorization to Operate is for an information system of such element; and
- (B) the request for such Authorization to Operate was appropriately submitted to the authorizing official for such Authorization to Operate and—
  - (i) the final determination whether to grant such Authorization to Operate as has been pending before such authorizing official for not fewer than 180 days without resolution;
  - (ii) if a mechanism for appealing a determination by an authorizing official with respect to such Authorization to Operate exists, such an appeal has been pending before such authorizing official for not fewer than 90 days without response; or
  - (iii) any other circumstances identified by the Chief Information Officer of the Department of Defense in the policy established under paragraph (1) that demonstrate unreasonable delay or impediment to the Authorization to Operate process.

#### (3) Elements

The process for expedited appeals developed under paragraph (1) shall include—

- (A) clearly defined timelines for resolution of the expedited review of the appeal, not to exceed 45 days from the date the expedited review is requested;
- (B) requirements for a written justification when such timelines cannot be met; and
- (C) tracking and reporting mechanisms to monitor compliance with such timelines.
### (d) Reports

#### (1) Implementation status

- (A) Secretary report. Not later than 120 days after the date of the enactment of this Act, the Secretary of Defense shall submit to the congressional defense committees a report on the status of the implementation of subsections (a) and (b).
- (B) Chief information officer report. Not later than July 1, 2026, the Chief Information Officer of the Department of Defense shall submit to the congressional defense committees a report on the status of the implementation of subsections (c).

#### (2) Biannual report

- (A) In general. Not later than six months after the date of the enactment of this subsection, and every six months thereafter under October 1, 2031, the Secretary of Defense, in coordination with the Chief Information Officer of the Department of Defense and the Chief Information Officers of the military departments, shall submit to the congressional defense committees a report on the activities under this section in the six-month period ending on the date of the submission of such report.
- (B) Contents. Each report required under subparagraph (A) shall include, for the period covered by such report—
  - (i) the number of new Authorizations to Operate issued;
  - (ii) the number of requests for an Authorization to Operate that were submitted with complete and sufficient documentation to the appropriate authorizing official;
  - (iii) the number of requests for Authorizations to Operate that were denied;
  - (iv) the number of requests for Authorizations to Operate that were escalated to the process implemented under subsection (c), disaggregated by escalations—
    - (I) to the Chief Information Officer of the Department of Defense; and
    - (II) to the Chief Information Officer of each military department;
  - (v) the number of requests described in clause (iv) that were resolved, disaggregated by resolutions—
    - (I) by the Chief Information Officer of the Department of Defense; and
    - (II) by the Chief Information Officer of each military department;
  - (vi) the average time required for a capability to receive an Authorization to Operate, disaggregated each element of the Department responsible for evaluating the request for the Authorization to Operate;
  - (vii) the number of Authorizations to Operate issued pursuant to the policy required by subsection (b);
  - (viii) the number of requested reciprocal Authorizations to Operate denied due to insufficiency of supporting evidence, along with a narrative summary of the primary reasons for such denials;
  - (ix) a narrative summary of any recurring deficiencies in the materials required for system authorization under the Risk Management Framework;
  - (x) recommendations to refine the Risk Management Framework and the Authority to Operate process, including opportunities to define, implement, and validate security controls at a higher organizational level so that subordinate systems may rely on those controls without duplicative implementation or assessment; and
  - (xi) an evaluation of the training, standards, and qualification requirements for authorizing officials.

### (d) Definitions

Footnote 2: Second subsection (d) so in law. See amendment made by section 1521(5) of P.L. 119-60.

In this section—

- (1) the term “Authorization to Operate” has the meaning given such term in the Office of Management and Budget Circular A-130;
- (2) the term “authorizing official” means an officer who is authorized to assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the United States;
- (3) the term “military departments” has the meaning given such term in section 101(a) of title 10, United States Code;
- (4) the term “mission owner” means the user of a cloud-based platform, service, or application; and
- (5) the term “system owner” means the element of the Department of Defense responsible for acquiring a cloud-based platform, service, or application, but which is not a mission owner of such cloud-based platform, service, or application.