A final rule that amends a section of the Defense Federal Acquisition Regulation Supplement (DFARS) was published by the Department of Defense on Oct. 21 and holds specific regulations for contractors providing cloud services or operating an IT system on behalf of DoD.
The final rule is titled “Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018).” This rule replaces interim rules that had been in place since 2015 and are specific to DoD policy on the purchase of cloud computing services.
Cloud computing is defined as enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing — including networks, servers, storage, applications and services — that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This can include other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service and platform-as-a-service.
The final rule is a requirement for contractors to ensure that external Cloud Service Providers (CSPs) used in performance of the contract to store, process, or transmit any covered defense information (CDI) meet security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.
Contractors must comply with requirements in the clause for:
—Cyber incident reporting;
—Media preservation and protection;
—Access to additional information and equipment necessary for forensic analysis and cyber incident damage assessment.
Because all cyber incidents related to cloud computing services must be reported, it’s important to note that these reporting obligations would extend to incidents that involve a shared infrastructure. For DoD contractors using cloud-based services for CDI, make sure your CSP agreements with vendors meet these standards.
It is essential for contractors to realize that if you are using cloud services in the performance of a contract, which include cloud-based backups and storage, it must be reported and the NIST 800-171 requirements apply. If you indicate that you won’t use cloud services in a proposal, but then decide to use them later in performance of the contract, it requires contracting officer approval.
Because DFARS compliance is a process that can take six months to year, we strongly encourage contractors to start the process now. Our Sera-Brynn team is the experts in DFARS compliance and we can help contractors with their cloud computing questions and issues. Call us today to learn how we can help you.