Enforcing 2023 NDAA Mandate for Cloud Cybersecurity Testing Likely a Challenge, Analyst Says
An advisory research analyst for the Virginia-based software company Deltek said the implementation of a cloud cyber testing requirement under the 2023 National Defense Authorization Act could be beneficial but would be a monumental task. In an interview with FCW, Deltek’s Alex Rossino said it could take some time to identify the nuances that Section 1553 of the 2023 NDAA would present.
Section 1553 requires the secretary of defense to work with industry in developing and implementing a policy and plan for evaluating and testing the cybersecurity of commercial cloud services that store or compute classified data for the Pentagon.
The DOD has yet to come up with a standardized policy for implementing Section 1553, and it remains unclear how the department would do cloud cyber testing. According to Rossino, implementation would also involve the DOD reviewing existing cloud services contracts to determine compliance, FCW reported Thursday.
While there are various uncertainties with cloud cyber testing, Rossino said the Pentagon will bank on its $9 billion Joint Warfighting Cloud Capability contract to procure commercial cloud capabilities from cloud service providers (CSPs). On the matter of CSPs, a red team from the National Security Agency will perform simulated attacks on the four JWCC contractors to determine if their zero trust platforms would hold up against adversaries and to see if they could implement a cloud-based zero trust solution.