I TH CONGRESS, D SESSION

H. R. 0

To direct the Comptroller General of the United States and the Chief Information Officer of the Department of Defense to assess the cloud security requirements of the Department of Defense.

IN THE HOUSE OF REPRESENTATIVES

APRIL, 01

Ms. TSONGAS (for herself, Mr. KILMER, Mr. LARSEN of Washington, and Mr. CONNOLLY) introduced the following bill; which was referred to the Committee on Armed Services, and in addition to the Committee on Oversight and Government Reform, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To direct the Comptroller General of the United States and the Chief Information Officer of the Department of Defense to assess the cloud security requirements of the Department of Defense.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the "DOD Cloud Security Act".

VerDate Mar 1 0 0:01 Apr, 01 Jkt 000 PO 00000 Frm 00001 Fmt 66 Sfmt 601 E:\BILLS\H0.IH H0

SEC.. ASSESSMENT OF DEPARTMENT OF DEFENSE CLOUD SECURITY REQUIREMENTS.

(a) COMPTROLLER GENERAL RESPONSIBILITIES. The Comptroller General of the United States shall
    (1) review and summarize the best practices relating to cloud security by reviewing the practices of other Federal departments and agencies and commercial cloud providers;
    () assess the cloud capacity of the Department of Defense and such other departments and agencies by assessing how and to what extent the Department has adopted commercial cloud; and
    () assess the opportunities for the Department to utilize cloud computing in lieu of or in addition to conventional computing.

(b) CHIEF INFORMATION OFFICER RESPONSIBILITIES. The Chief Information Officer of the Department of Defense shall
    (1) determine the security requirements that are necessary for any cloud service to store Department of Defense information, including
        (A) by individually detailing security requirements for each Department of Defense impact level and security classification level; and
        (B) by providing a justification to the Committees on Armed Services of the Senate and House of Representatives for any discrepancy between security requirements for different provider types;
    () conduct a threat-based assessment of whether security controls resident in commercial cloud services and the cloud services of other Federal departments and agencies meet the security requirements determined under paragraph (), including
        (A) by determining what services can and cannot be provided by commercial cloud vendors, based on such security requirements;
        (B) by providing justification for why such determinations were made by citing, as appropriate, industry responses to requests for information and capability statement that confirm the conclusions of the Department of Defense; and
        (C) by requesting that commercial vendors submit their plans for how they can adapt their systems to the unique and dynamic cyber defense requirements of the Department of Defense;
    () require any government-owned, operated, or unique system that is or will be designed to provide cloud capabilities for the Department of Defense to be certified and accredited through the same process, and to the same standards, that is used to certify and accredit commercial service providers; and
    () ensure that, as part of any Department of Defense pilot demonstrations with commercial cloud vendors
        (A) an analysis is conducted of
            (i) requiring the Defense Information Systems Agency to work with commercial service providers to extend the Department of Defense Information Network to commercial service providers that are issued provisional authority to operate for Department of Defense impact levels 1 and in order to leverage the commercial service providers for secure connections to the Department of Defense Information Network;
            (ii) the benefits and challenges relating to how the secure connections would be enabled and delivered as a service by the DISA cloud broker to the commercial service providers who have achieved provisional authority to operate for Department of Defense impact levels 1 and ;
            (iii) requiring the Defense Information Systems Agency to address the ability of commercial service providers to provide service for Department of Defense impact levels through using logical separation;
            (iv) the ability of commercial service providers to provide innovative solutions to the separation of customer data and supporting resources that do not rely on physical separation;
            (v) the benefits and challenges regarding the consideration of such solutions for equivalence to physical separation; and
            (vi) the benefits and challenges of hybrid solutions for providing cloud services; and
        (B) the Chief Information Officer provides to the Committees on Armed Services of the Senate and House of Representatives a briefing on the matters referred to in subparagraph (A) by not later than 0 days after the conclusion of such pilot demonstration.