What you need to know about DFARS and Cloud Computing Services

By Heather Engel, Sera-Brynn, Executive Vice President 

This article is the third in a series.

Don’t be overwhelmed by mandatory cybersecurity requirements implemented by the Department of Defense (DoD) on contractors and subcontractors. Becoming compliant under Defense Federal Acquisitions Regulations Supplement (DFARS) 252.204-7012 has to be viewed simply as a necessity of doing business with the DoD.

In this third part of our blog series on DFARS, we will look at the DFARS cloud compliance requirements.

Background on DFARS

In review from Part I (navigating DFARS) and Part II (DFARS compliance using the Sera-Brynn method), it’s incumbent upon government contractors and subcontractors to comply with federal acquisition regulations (FAR). If you do business with the DoD, DFARS Clause 252.204-7012 requires you to safeguard covered defense information and report cyber incidents.

So how does the use of cloud computing services affect DFARS?

Cloud Computing Services

DFARS clauses are intricate and in many cases inextricably linked. Compliance with 252.204-7012 also requires your company to address DFARS Clause 252.239-7009 and 7010.

Implemented in August 2015, these regulations define cloud computing as: “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” What does that mean for defense contractors?

If your company is providing cloud services to DoD or operating an IT system on behalf of DoD, the Cloud Computing Security Requirements Guide applies. What many companies don’t realize is that if you are using cloud services in the performance of a contract, for example cloud based backups or storage, you must report that you are doing so and the NIST 800-171 requirements apply. If you indicate that you won’t use cloud services in a proposal, but then decide to use them later in performance of the contract, contracting officer approval is required.

This is one reason it’s so critical to have an understanding of how Covered Defense Information (CDI) is stored, processed and transmitted in your corporate network. CDI stored or processed in a cloud is subject to restrictions, and in some cases you may be required to use an authorized DoD cloud service provider. DoD Procedures, Guidance and Information 239.7602-2 requires a contracting officer to authorize storage of data outside the United States – and many cloud services offer redundancy by storing data in international locations.

DFARS and Cloud Computing Essentials

There are other essentials in working in the cloud revolving around administrative, technical and physical safeguards and controls and maintaining data that’s not on DoD premises. If you indicate that cloud services will be used in the performance of a contract, the contracting officer is required to validate the provider against the DoD Cloud Service Catalog to ensure the cloud service provider has provisional authorization.

And, all cyber incidents related to cloud computing services must be reported, the same as any other incident, so the contract a defense contractor has in place with cloud services providers should address responsibilities for reporting and investigation.

The Outlook

Paramount in all of this is remembering that by December 2017, companies and organizations doing business with DoD have to show full compliance with DFARS. We strongly recommend starting the process now if you haven’t already and budgeting for technology improvements to phase in changes that will enhance security maturity. Those improvements might mean a change in your current service provider if you use cloud based services.

If you have questions, feel free to reach out to us. We can help with strategic planning and long-term risk management of your DoD contracts.

About Heather Engel

Heather Engel is a Fully Qualified Navy Validator, which requires credentials that include: Advanced certifications in Information Assurance; A minimum of five years performing Certification and Accreditation on Navy Systems; Additional training in Systems Management; Systems Certification and Risk Analysis; Demonstrated knowledge of Navy IA policies and the responsibilities of a Navy Validator. Engel provides risk management and business intelligence to Sera-Brynn clients across a wide variety of industries, carrying more than 15 years of experience in risk and compliance system integration, disaster recovery, security policy and security testing and evaluation.