[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4505 Introduced in House (IH)]
113th CONGRESS
2d Session
H. R. 4505
To direct the Comptroller General of the United States and the Chief
Information Officer of the Department of Defense to assess the cloud
security requirements of the Department of Defense.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
April 28, 2014
Ms. Tsongas (for herself, Mr. Kilmer, Mr. Larsen of Washington, and Mr.
Connolly) introduced the following bill; which was referred to the
Committee on Armed Services, and in addition to the Committee on
Oversight and Government Reform, for a period to be subsequently
determined by the Speaker, in each case for consideration of such
provisions as fall within the jurisdiction of the committee concerned
_______________________________________________________________________
A BILL
To direct the Comptroller General of the United States and the Chief
Information Officer of the Department of Defense to assess the cloud
security requirements of the Department of Defense.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``DOD Cloud Security Act''.
SEC. 2. ASSESSMENT OF DEPARTMENT OF DEFENSE CLOUD SECURITY
REQUIREMENTS.
(a) Comptroller General Responsibilities.--The Comptroller General
of the United States shall--
(1) review and summarize the best practices relating to
cloud security by reviewing the practices of other Federal
departments and agencies and commercial cloud providers;
(2) assess the cloud capacity of the Department of Defense
and such other departments and agencies by assessing how and to
what extent the Department has adopted commercial cloud; and
(3) assess the opportunities for the Department to utilize
cloud computing in lieu of or in addition to conventional
computing.
(b) Chief Information Officer Responsibilities.--The Chief
Information Officer of the Department of Defense shall--
(1) determine the security requirements that are necessary
for any cloud service to store Department of Defense
information, including--
(A) by individually detailing security requirements
for each Department of Defense impact level and
security classification level; and
(B) by providing a justification to the Committees
on Armed Services of the Senate and House of
Representatives for any discrepancy between security
requirements for different provider types;
(2) conduct a threat-based assessment of whether security
controls resident in commercial cloud services and the cloud
services of other Federal departments and agencies meet the
security requirements determined under paragraph (2),
including--
(A) by determining what services can and cannot be
provided by commercial cloud vendors, based on such
security requirements;
(B) by providing justification for why such
determinations were made by citing, as appropriate,
industry responses to requests for information and
capability statement that confirm the conclusions of
the Department of Defense; and
(C) by requesting that commercial vendors submit
their plans for how they can adapt their systems to the
unique and dynamic cyber defense requirements of the
Department of Defense;
(3) require any government-owned, operated, or unique
system that is or will be designed to provide cloud
capabilities for the Department of Defense to be certified and
accredited through the same process, and to the same standards,
that is used to certify and accredit commercial service
providers; and
(4) ensure that, as part of any Department of Defense pilot
demonstrations with commercial cloud vendors--
(A) an analysis is conducted of--
(i) requiring the Defense Information
Systems Agency to work with commercial service
providers to extend the Department of Defense
Information Network to commercial service
providers that are issued provisional authority
to operate for Department of Defense impact
levels 1 and 2 in order to leverage the
commercial service providers for secure
connections to the Department of Defense
Information Network;
(ii) the benefits and challenges relating
to how the secure connections would be enabled
and delivered as a service by the DISA cloud
broker to the commercial service providers who
have achieved provisional authority to operate
for Department of Defense impact levels 1 and
2;
(iii) requiring the Defense Information
Systems Agency to address the ability of
commercial service providers to provide service
for Department of Defense impact levels 3
through 5 using logical separation;
(iv) the ability of commercial service
providers to provide innovative solutions to
the separation of customer data and supporting
resources that do not rely on physical
separation;
(v) the benefits and challenges regarding
the consideration of such solutions for
equivalence to physical separation; and
(vi) the benefits and challenges of hybrid
solutions for providing cloud services; and
(B) the Chief Information Officer provides to the
Committees on Armed Services of the Senate and House of
Representatives a briefing on the matters referred to
in subparagraph (A) by not later than 30 days after the
conclusion of such pilot demonstration.
<all>