What is the National Defense Authorization Act?
Since 1961, the National Defense Authorization Act (NDAA) has authorized funding levels and provided authorities for the U.S. military and other critical defense priorities, ensuring America’s forces have the resources they need to carry out their missions.
Authority to Operate
A barrier that exists for technology companies is obtaining an Authorization to Operate (ATO) for their software applications, services, and or platform capabilities. The ATO process can be challenging, tedious, and unpredictable, with varying costs and timelines. This process is particularly cumbersome and incongruent with the dynamic nature of software deployment. Once the ATO hurdle is cleared, technology companies face their next challenge: continuous monitoring and associated updates. Every major software update must be run through a compliance process. This poses significant challenges for both the software company and the government end-user. It prohibits the timely and continuous resolution of issues and prevents the government from leveraging the latest and most cutting-edge version of an application.
“Presumptive reciprocity” in the context of the National Defense Authorization Act (NDAA) refers to a provision mandating that if one Department of Defense (DoD) authorizing official has approved a cloud-based platform or service as secure, then other DoD officials should automatically accept that assessment without needing to conduct a separate review. Presumptive reciprocity helps lighten the ATO burden and was recently reinforced in Section 1522 of the FY25 NDAA. Enabling another DoD organization to take an ATO for their software application, services, and or platforms from the Air Force Authorizing Official, for example, and having it accepted by the Navy’s Authorizing Official, greatly reduces the burden on both government accrediting officials and the technology company. Most importantly, the DoD warfighter wins by gaining access to best-in-class capabilities delivered at the speed of relevance, ensuring they can execute their missions effectively.
FY2025 NATIONAL DEFENSE AUTHORIZATION ACT (NDAA) SEC. 1522.
What does the language in Sec. 1522 of the FY25 NDAA on DoD Presumptive Reciprocity entail?
- Tasks the DoD Chief Information Officer (CIO) to work with Military Department CIOs to develop and regularly maintain a digital directory of all Authorizing Officials (AOs) across the DoD. Specifically, this database will contain current contact information of the AOs AND list training requirements that must be completed to be certified and perform the duties of an AO.
- Identifies the need to establish a policy for “Presumption of Reciprocal Software Accrediting Standards.” The DoD CIO is tasked with creating and implementing a policy for DoD that would require AOs to adopt security analysis and supporting documentation of cloud-hosted platforms, services, or applications that have been approved by another AO in the DoD.
- This policy change will allow for more rapid adoption of cloud-hosted platforms, services, or applications at the corresponding classification level (e.g., CUI, Secret, Top Secret) with the existing approval conditions and no further authorization or approval reviews required.
- The policy will include the following:
- Standardization of security, accreditation, performance, and operational capabilities of the cloud-hosted platforms, services, and applications;
- A digital workflow to document acceptance by/among the mission owners and system owners to use the operational capabilities from the cloud-hosted platforms, services, and applications; and
- Define an adjudication process with associated timelines that would allow AOs that disagree with using this policy to present their rationale to the DoD CIO or designated entity for reconciliation.
- The policy applies to the following:
- ALL AOs in the DoD (Military Department, Defense Agency and Field Activity, and Component).
- ALL operational capabilities of cloud-hosted platforms, services, and applications that are on public cloud infrastructure and authorized through FedRAMP and DISA AND capabilities in private cloud landing zones managed by the DoD that have been approved by DoD AOs.
The big take away here is that the FY25 NDAA language marks a significant step forward in reducing bureaucratic hurdles for both technology companies and the DoD. By implementing “presumptive reciprocity,” the NDAA streamlines the ATO process, enabling faster adoption of cloud-hosted platforms and services while maintaining rigorous security standards. This policy helps ensure that the DoD can access cutting-edge technology more efficiently, empowering warfighters with the tools they need to execute their missions with speed and precision. As the DoD continues to modernize and adapt to rapidly evolving technologies, these changes pave the way for a more agile, secure, and effective defense ecosystem.
To learn more about Second Front Systems and the National Defense Authorization Act, visit our website and keep up with our latest efforts with the DoD.
Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including Second Front Systems, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.
