Blank Stares and Shrugs
Close your eyes and imagine that you’re doing your daily devotional reading of the DFARS 252.204-7012 and the Interim Rule (7019-7021) with your morning cup of coffee when, all of a sudden, you notice something that you’ve never noticed before. It catches your eye so aggressively that you spew your coffee all over your Dell Latitude, which, in turn, forces you to submit a ticket to IT requesting a replacement. OK, maybe I’m exaggerating a bit, but in all reality there are times when, skimming through these hearty regulations, we pick up on something we haven’t seen before. For me, it was under section (b)(1)(i) of the DFARS 252.204-7012. I noticed the phrase “Cloud computing services shall be subject to the security requirements specified in clause 252.239-7010.” To borrow a witty statement a friend and co-worker often uses: “What in the Nation of Tar?!”
We all know and love DFARS 7012. We are all familiar with the requirements related to the implementation of NIST 800-171 (whichever one is in effect at the time of solicitation) and the 72-hour incident reporting requirements. We all know that CUI must be protected and (under the Interim rule as well as the upcoming final rule for CMMC) contractors are required to have a recent assessment and SPRS score against NIST 800-171 in accordance with the DoD Assessment Methodology. We know that, but what is this “DFARS 252.239-7010” for Cloud Computing Services?
I began searching high and low for more information about 7010. First, I went to the government’s acquisition website https://www.acquisition.gov/dfars/252.239-7010-cloud-computing-services.#DFARS_252.239-7010 to read what the clause actually says. Next, I asked industry peers if they’d ever come across this DFARS. I found that few of the people I spoke with had ever heard of it, nor had they ever seen it in their experience working on DoD contracts. I even asked a high-level contracting executive with years of experience in the field about this DFARS clause during a Q&A at a recent cybersecurity conference I attended. The answer? “I’ve never heard of it”. Odd right? In this article, I’d like to share what I’ve learned and explain where this DFARS clause comes from, what’s required by it, and who it applies to.
DFARS 252.239-7010: What is it?
The DFARS in question, Cloud Computing Services, is actually quite lengthy in its content, coming in at a little over 50% of the size of the big boy, DFARS 252.204-7012. The 7010 is a clause that expresses the security requirements related to the implementation and use of a cloud computing service in performance of a contract. It’s also directly referenced within DFARS 252.204-7012. Maybe this is the reason why few to none have seen it show up within a contract: those contracts already contain the DFARS 7012 reference, and it’s just assumed to be covered by those requirements. 7010’s general security requirements are addressed in three main points:
- Approval. If the Contractor decides they want to use a cloud computing service in the performance of a contract after having indicated in their offer that they did NOT intend on using a cloud computing service in the performance of the contract, they can’t just willy-nilly start using a cloud service. They must first get approval from the Contracting Officer (CO).
- Ready yourself. The Contractor must implement an entirely separate set of safeguards and controls in accordance with the Cloud Computing Security Requirements Guide (SRG). The only exception is if the CO has notified the contractor that the DoD’s Chief Information Officer has waived these requirements.
- Keep it in the US. The Contractor must keep/maintain ALL Government Data (not just Export Controlled: ITAR/EAR) that isn’t physically located on DoD Premises within the United States or outlying areas.
There are some other requirements in sections (c) through (l) related to topics like malicious software discovery, cyber incident damage assessments, spillage, and other obvious requirements, many of which are carried out as directed by the Contracting Officer. However, I would like to spend some time on the requirements under section (b). The first requirement from the list seems pretty straightforward: simply make sure you get approval from the Contracting Officer before you add a cloud computing service to the performance of the contract. However, the second and third points breed some concerns.
The big question I had was: what are the requirements found in the Cloud Computing SRG? To answer this, you have to navigate to the DoD Cyber Exchange, where you can get helpful resources like the STIG templates and other publicly available documentation from DISA. The link to the Cyber Exchange’s website for the SRG documentation is included in the DFARS 7010 body. Once there, you can download the most recent SRG package and start to review the requirements. One thing you notice right out of the gate as you read through this document is that it is quite long and full of Risk Management Framework (RMF) and FedRAMP jargon.
In essence, the Cloud Computing SRG lays out the impact levels based on the information that would be stored, processed, and/or transmitted by the Cloud Service and the security requirements and controls that must be implemented for those respective impact levels. It also outlines the process of acquiring a Provisional Authorization and dictates the parameter values for the FedRAMP+ requirements against their respective Impact Levels. For Controlled Unclassified Information (CUI), the DFARS reference to these requirements would mean that the Cloud Service Provider and/or platform would need to meet the requirements listed under Impact Level 4 according to the SRG. However, it’s important to mention that the Impact Levels found within this document are not the same as the default impact levels normally associated with RMF.
The DoD emphasizes, in section 3.7 of the SRG, “DOD Impact Levels segregate major types of information into ‘buckets’ depending on the information’s audience and sensitivity. This requires different protections and treatments than the basic RMF information categorization of Low, Moderate, and High used by FedRAMP” and “Impact Levels do not apply to FedRAMP baselines. Impact Levels are a DOD construct only. It is inaccurate to refer to a DOD PA for a given DOD Impact Level as a FedRAMP Impact Level number.” This means that, although the requirements for the protection of CUI in the cloud are still heavily based on moderate (or high depending on the organization’s approach) baseline NIST 800-53 controls, there are more requirements specific to Cloud Services that are going to operate on behalf of the government.
We also need to take a moment to address the other concerning requirement I mentioned earlier. According to section (b)(3), contractors must keep ALL government data within the U.S. (and outlying areas; more on that in a moment), unless they receive written (i.e., explicit) instructions on another location where the data is to reside. It then makes this little statement: “...in accordance with DFARS 239.7602-2”. Oh geez, another DFARS reference?! When will it end? Thankfully this DFARS is short, sweet, and to-the-point, simply clarifying that an Authorizing Official (AO) for the System must authorize exceptions to the requirement of keeping all government data within the 50 U.S. States, the District of Columbia, and outlying areas. It also specifies that the Contracting Officer (CO) must notify the contractor of the location outside the 50 U.S. States, the District of Columbia, and outlying areas of the United States that the AO has authorized for Government Data to be maintained/located. By the way, if you’re unfamiliar with what the “Outlying Areas of the United States” refers to, it normally describes U.S. territories and States that aren’t part of the Continental/Contiguous United States (CONUS), also known as Outside [the] Contiguous United States (OCONUS).
You Talking to Me?
This brings us back to DFARS 252.204-7012. Contractors are already extremely stressed about the 110 controls/320 objectives that they’re obligated to implement based on NIST 800-171 R2 and the CMMC Assessment guidance. Many of them already know they’ve got a long journey ahead of pulling teeth from management to get them to fund the implementation of said requirements.
So, Steve, you’re now telling me I have even more requirements that no one ever told me about? Answer: not necessarily. The purpose of this article is to educate those who’ve never considered this part of the regulation while also clarifying its applicability. Requirements outlined in this section of the DFARS are specifically for “covered contractor information systems that are part of an Information Technology (IT) service or system operated on behalf of the Government.”
In short, the DFARS 252.239-7010 clause only applies to contractors who are spinning up and running an environment in the cloud that is owned by the Government and operated on its behalf. This does not apply to your GCC-High Microsoft 365 tenant (although Microsoft does attest to Impact Level 4 equivalency for GCC High with a Provisional Authorization for DoD Tenants). This does not apply to your secure enclave solution. For cloud services being used by the contractor where CUI may be transmitted, processed, and/or stored, the contractor will still need to apply the respective requirements: FedRAMP Moderate equivalency, cyber incident reporting capabilities, media preservation and protection, etc. The organization also needs to apply its policies and procedures to the use of these services as well as the respective NIST 800-171/CMMC requirements (audit logging, session timeout, access control, etc.). In-scope cloud services will still need to show up on the SSP and system diagrams. The Data Flow Diagram should include details on how CUI will flow in that cloud service all the same.
For contractors who do spin up and operate those environments for the Government, you’ll probably be made very aware of the requirements that must be followed as part of that Authority to Operate (ATO) package. The Authorizing Official and/or the Contracting Officer may never even mention DFARS 7010. I say this because I have yet to hear someone talk about it in discussions related to their experience with DoD contracts. However, taking a nice stroll down the SRG path might help you know what to expect and keep you in the loop on what the requirements will be.
Sanity Check
I feel like there’s a fatal flaw in the way government requirements are communicated to contractors. I say this with a lot of empathy for organizations that see the DFARS 252.204-7012/7019/7020 requirements being shoved in their face and are just trying to figure out what they need to do to keep the ship afloat and meet their contractual obligations. In doing so, they might stumble upon requirements like these in their research and succumb to analysis paralysis and extra stress as they try to move forward. Not to mention that the SRG requirements are lengthy and may be hard to read and understand when all you want to do is maintain your contracts and get the work done. My encouragement to contractor personnel is this: when you come across obscure and, oftentimes, overwhelming regulations that you think might apply to your company, get clarification and confirmation from your Contracting Officer. Be intentional about finding out what exactly is expected of you and (to save your sanity) what’s not applicable to your organization and system(s). I’d also encourage contractors to seek guidance from others in the industry on how they approach these requirements. If DFARS 7010 applies to you and your information systems, it’s likely that you’ll already know it and will have already been in contact with the AO and CO about the requirements. In short, don’t pull your hair out or spew your coffee over regulatory requirements that don’t apply to your organization. If you’ve not been approached regarding the FedRAMP/RMF process for a cloud service you’re managing for a contract, focus your efforts on implementing the requirements that are certain (i.e., NIST SP 800-171), improve and update your SPRS score, and stay up-to-date on government requirements that apply to contractors so you’re as prepared as you can be.