On December 31, 2017, contractors and subcontractors working with the Department of Defense (DoD) will be required to provide adequate security measures on all covered information systems that process, store, or transmit covered defense information (CDI) in accordance with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. If you intend to use cloud computing services in the performance of a contract, there are specific requirements that must be followed, depending on how those cloud computing services will be utilized.
DFARS clause 252.239-7010 defines “cloud computing” as:
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.
A contractor will be required to affirmatively indicate in its offer whether it anticipates the use of cloud computing services in the performance of the contract. If a contractor initially indicates that it does not intend to use cloud computing in the performance of the contract and, after award, decides to do so, it must receive the approval of the Contracting Officer prior to utilizing cloud computing services.
If a contractor intends to provide an Information Technology (IT) system or services on behalf of the Government, the requirements found in DFARS clause 252.239-7010 will apply. DFARS clause 252.239-7010 requires contractors who operate an IT service or system on behalf of the Government to implement and maintain “administrative, technical, and physical safeguards and controls with the security level and services required” consistent with the Cloud Computing Security Requirements Guide (SRG) (https://iase.disa.mil/cloud_security/Pages/index.aspx) in effect at the time the solicitation is issued or as authorized by the Contracting Officer. Clause 252.239-7010 also requires that the contractor maintain all Government data not physically located on DoD premises within the United States or outlying areas unless the contractor receives written notification from the Contracting Officer to use another location.
If a contractor is not providing IT services on behalf of the government, but intends to use an external cloud service provider (CSP) to store, process, or transmit any CDI in performance of the contract, the contractor will be responsible for ensuring that the CSP meets the security requirements equivalent to the FedRAMP Moderate baseline (https://www.fedramp.gov/resources/documents-2016/). The contractor will also be responsible for ensuring that the CSP complies with the requirements for cyber incident reporting in accordance with DFARS clause 252.204-7012. It is important to remember that if the CSP is considered a subcontractor, the “flow down” provisions of 252.204-7012 will also apply.
If the contractor is not providing an IT system or services on behalf of the government but is using its own internal or “private” cloud to perform its own data processing related to the performance of the contract, then the requirements of NIST SP 800-171 will apply.
These provisions specific to cloud computing are important considerations for any contractor when assessing business requirements in a defense contract solicitation.