As most business leaders now realize, companies that are contracted with the United States Department of Defense (DoD) and their tier one subcontractors are required to adhere to the regulatory requirements of the Defense Federal Acquisition Regulation Supplement (DFARS) and the National Institute of Standards and Technology Special Publication (NIST SP) 800-171. The regulatory requirements of DFARS and NIST SP 800-171 could make it difficult for your organization to employ a qualified Cloud Service Provider (CSP).
While there are many CSPs to choose from, not all meet the requirements that DoD contractors are required to adhere to. For example, not all CSPs have the ability to handle the cyber reporting requirements mandated by DFARS. To protect themselves, some organizations have required their CSPs to sign a Statement of Work (SOW) showing how they have implemented Federal Risk and Authorization Management Program (FedRAMP) requirements, which exceed those of NIST SP 800-171. Employing FedRAMP standards ensures that all federal data is secure even given the unique environment of cloud computing.
According to a report by the DoD, Cybersecurity Challenges: Protecting DoD’s Unclassified Information, DFARS Clause 252.204-7012 requires contractors and subcontractors to:
• Provide adequate security to safeguard CDI that resides on or is transiting through a contractor’s internal information system or network.
• Report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support.
• Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
• If requested, submit media and additional information to support damage assessment.
• Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve CDI.
The same DoD report shows CSPs are also regulated by the same DFARS requirements. “When cloud services are used to process data on the DoD’s behalf, DFARS Clause 252.239-7010 and DoD Cloud Computing Security Requirements Guide (SRG) apply,” according to the report. This means any CDI stored, transmitted, or used through the CSP must also meet the same rigorous security standards as direct DoD contractors. The purpose of this clause of DFARS is to safeguard Covered Defense Information (CDI) and Cyber Incident Reporting (CIR). Such regulations are meant to improve the collective cybersecurity of the United States and protect its interests by:
• Securing DoD’s information systems and networks.
• Codifying cybersecurity responsibilities and procedures for the acquisition workforce in defense acquisition policy.
• Outlining contractual requirements implemented through the Federal Acquisition Regulation (FAR) and DFARS.
• Voluntarily sharing cyber threat information through the DoD’s DIB Cybersecurity Program.
• Leveraging security standards such as those identified in the NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
Now that you know external CSPs are required to meet the equivalent of FedRAMP, your business may need to modify its search for the right provider. If you intend to use a CSP in the performance of any portion of your DoD contract(s), your business will be required to ensure the CSP meets the security requirements established by FedRAMP’s Moderate baseline.
Your organization will also be responsible for ensuring the CSP it works with complies with the requirements of paragraphs C through G regarding cyber incident reporting, media preservation, and malicious software. The CSP must also agree to allow access to information and equipment for forensic analysis and cyber incident damage assessment.
Finding the Right CSP
In order to choose the right CSP to ensure your business continues to be DFARS and NIST SP 800-171 compliant while using cloud-based services, there are a few things to look for. First, any potential CSPs should be able to document how they meet FedRAMP requirements. Without this document, your organization will be considered non-compliant with DFARS Clause 252.204-7012.
It is also best if the CSP you are considering working with is FedRAMP accredited. If it isn’t, then the CSP must be able to prove that it has met the minimum equivalent of controls to achieve compliance with the FedRAMP Moderate baseline standards.
You will also need to ensure that your CSP has a document outlining the process for cyber incident reporting. This document must provide a framework for how the CSP meets the FedRAMP requirements for reporting a cyber incident. Furthermore, the document must also demonstrate that the CSP has the cyber incident reporting requirement in place.
Look for a CSP specifically designed to meet regulatory compliance. One that Dox recommends and licenses for small to medium-sized businesses is Microsoft Office 365 U.S. Government Community Cloud (GCC) High environment. As a Microsoft Silver Partner, Dox is one of only six Microsoft partners in the U.S. certified to provide Office 365 GCC High licensing for organizations with fewer than 500 licenses.
While DFARS does not impose NIST SP 800-171 requirements on CSPs, they must still meet DFARS and FedRAMP requirements. Your CSP will need to sign a contract holding it accountable for meeting these security standards and documenting how it will achieve and maintain them. Ultimately, the responsibility for subcontractors such as CSPs achieving regulatory compliance sits firmly with the DoD contractor.
If your CSP is unwilling to sign a contract with all of the above information and documentation, then DFARS 7012 prohibits your business from using that particular CSP. You don’t want your business to lose contracts and revenue over non-compliance with DFARS Clause 252.204-7012. You’ll need to find another CSP that will meet the DFARS and FedRAMP requirements without exception.
Finally, if your current external CSP has not yet signed a contract like the one discussed above, you will need to get one signed immediately. Until your existing CSP has signed a contract stating that it meets DFARS 7012 and FedRAMP regulation requirements, your business remains non-compliant with the DFARS regulation itself. That means your business could face costly stop work orders from the DoD, a loss of future contracts, and even civil penalties as a result. It’s not worth the risk, so get the contract signed.
If you have further questions about ensuring your business and CSP are both DFARS compliant, contact Dox right away at (585) 473-7766. When it comes to regulatory compliance, there’s no time to lose.