{"id":14841,"date":"2024-05-20T10:58:25","date_gmt":"2024-05-20T13:58:25","guid":{"rendered":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=14841"},"modified":"2024-05-20T10:58:25","modified_gmt":"2024-05-20T13:58:25","slug":"ee-uu-impulsa-una-guia-de-reciprocidad-para-la-computacion-en-la-nube-en-el-borrador-del-lenguaje-ndaa","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=14841","title":{"rendered":"U.S. pushes reciprocity guidance for cloud computing in draft NDAA language"},"content":{"rendered":"<p>The legislation proposes that if one office in the department officially deems a &#8220;cloud-based platform, service, or application&#8221; sufficiently cybersecure to use, then all parts of the Department of Defense can accept this ATO (Authority To Operate). On Monday, the House Armed Services subcommittee on cyber, information technologies and innovation issued cybersecurity guidance requiring reciprocity on cloud computing systems, pushing the Pentagon to streamline often-duplicative Authorization To Operate procedures.<\/p>\n<hr \/>\n<p>WASHINGTON \u2014\u00a0The House Armed Services subcommittee on cyber, information technologies and innovation issued\u00a0<a href=\"https:\/\/docs.house.gov\/meetings\/AS\/AS00\/20240522\/117296\/BILLS-118HR8070ih-CITI.pdf\" target=\"_blank\" rel=\"noopener\">cybersecurity guidance<\/a>\u00a0requiring reciprocity on cloud computing systems Monday, pushing the Pentagon to streamline often-duplicative Authorization To Operate procedures.<\/p>\n<p>In the draft 2025 National Defense Authorization Act, the subcommittee wrote that no later than 270 days after the NDAA is implemented, the CIOs of the Army, Navy and Air Force Departments\u00a0should develop and implement a policy 
that enforces reciprocity for cloud computing.\u00a0In essence, if one office in the department officially deems that a\u00a0\u201ccloud-based platform, service, or application\u201d is sufficiently cybersecure to use, then all\u00a0parts of DoD can accept this \u201cAuthority To Operate\u201d (ATO) instead of having to redo the certification process.<\/p>\n<p>The idea is to eliminate redundant ATO processes, currently a major headache for both defense officials and IT contractors, who must prove a particular piece of software or hardware is secure over and over to different Authorizing Officers (AOs) with jurisdiction over different organizations, who often impose subtly different standards.<\/p>\n<p>This mandate\u00a0doesn\u2019t apply to non-cloud \u201con premise\u201d systems, which remain a large percentage of the DoD network, albeit an ever-dwindling one.<\/p>\n<p>The draft language released Monday proposes that before\u00a0approving or denying a request for authorization to operate a cloud-based platform, service or application, military department AOs must consult with the current or planned mission owners of that platform, service or application. 
This means that the AO from one department or office should comply with what other AOs decided when determining if a cloud computing system is cybersecure.<\/p>\n<p>Other guidance in the draft proposes that AOs shall provide documentation that is accessible and comprehensible to \u201crelevant stakeholders.\u201d Additionally, a system that compiles and shares the documentation \u201cof cloud-based platforms, services, and applications between mission owners and system owners\u201d should be developed.<\/p>\n<p>HASC\u2019s proposal of reciprocity comes after the Pentagon released cybersecurity guidance also enforcing reciprocity last week, which was not limited to cloud computing systems.<\/p>\n<p>The plan,\u00a0<a href=\"https:\/\/dodcio.defense.gov\/Portals\/0\/Documents\/ResolvingRMF.pdf?ver=oqiQ5Io-gyI%3d\" target=\"_blank\" rel=\"noopener\">according to a one-pager<\/a>\u00a0signed by Deputy Defense Secretary Kathleen Hicks, formally titled \u201cResolving Risk Management Framework and Cybersecurity Reciprocity Issues,\u201d states that the \u201cDepartment implements the Risk Management Framework (RMF), in accordance with DoD Instruction 8510.01, to guide how we build, field, and maintain cyber secure and survivable capabilities.\u201d<\/p>\n<p>Pentagon CIO John Sherman told the GEOINT audience that this move will assure \u201cthat folks don\u2019t have to check each other\u2019s homework over and over again,\u201d unless an official has \u201cbona fide reasons\u201d to perform rechecks.<\/p>\n<p>The full guidance has yet to be released by the Pentagon; however, a representative from Sherman\u2019s office told Breaking Defense in an email that the full guidance will be released \u201cin the coming weeks.\u201d<\/p>\n<p>The HASC plans to mark up the FY25 NDAA on May 22.<\/p>\n<p><strong>Source:<\/strong> <a href=\"https:\/\/breakingdefense.com\/2024\/05\/house-subcommittee-pushes-for-reciprocity-guidance-for-cloud-computing-in-draft-ndaa-language\/\" 
target=\"_blank\" rel=\"noopener\"><em>https:\/\/breakingdefense.com<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The legislation proposes that if one office in the department officially deems a &#8220;cloud-based platform, service, or application&#8221; sufficiently cybersecure&hellip; <\/p>\n","protected":false},"author":1,"featured_media":14842,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,23],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/14841"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14841"}],"version-history":[{"count":1,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/14841\/revisions"}],"predecessor-version":[{"id":14843,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/14841\/revisions\/14843"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/media\/14842"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14841"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{r
el}","templated":true}]}}