*This is the fourth post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)
Today’s post provides a compliance checklist for the cloud services provisions of the new DoD cyber security regulations and also details the ramifications of failing to comply with them.
- Advise the Contracting Officer if you will use cloud computing to provide information technology services in the performance of the contract. If you decide to later propose to use cloud computing services, obtain written approval to do so from the Contracting Officer prior to utilizing cloud computing services in performance of the contract. (Source: DFARS 252.239-7010(b)(1))
- Implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG) version in effect at the time the solicitation is issued or as authorized by the Contracting Officer. (You can find the SRG here.) (Source: DFARS 252.239-7010(b)(2))
- Have system-wide search and access capabilities for inspections, audits, investigations, litigation, eDiscovery, records management associated with the agency’s retention schedules, and similar authorized activities. (Source: DFARS 239-7602(c)(5))
- Locate the cloud computing services within the United States or outlying areas unless you receive written notification from the Contracting Officer to use another location. (Source: DFARS 239.7602-2(a))
- Only use the Government data for authorized purposes specified in the contract, task order, or delivery order, and do not access, use, or disclose the Government data unless specifically authorized to do so. (Source: DFARS 252.239-7010(c)(1)-(2))
- Report all cyber incidents related to the cloud computing service provided under the contract. (Source: DFARS 252.239-7010(d))
- Identify, isolate, and provide a forensics copy of the malicious software in accordance with instructions by the Contracting Officer. (Source: DFARS 252.239-7010(e))
- Preserve and protect images of all known affected information systems and all relevant monitoring/packet data for at least 90 days from submission of the cyber incident report to allow DoD to request the media or decline interest. (Source: DFARS 252.239-7010(f))
- Provide access upon request by DoD to additional information or equipment necessary to conduct a forensic analysis. (Source: DFARS 252.239-7010(g))
- If DoD elects to conduct a damages assessment, provide all of the damage assessment information gathered in connection with the media preservation and protection provisions of DFARS 252.239-7010(f). (Source: DFARS 252.239-7010(h))
- Provide the Contracting Officer all Government data and Government-related data in the format specified in the contract. (Source: DFARS 252.239-7010(i)(1))
- Dispose of Government data and Government-related data in accordance with the terms of the contract and provide confirmation of the disposition to the Contracting Officer. (Source: DFARS 252.239-7010(i)(2))
- Provide access to all Government data and Government-related data, access to contractor personnel involved in the performance of the contract, and physical access to any contractor facility with Government data for audits, investigations, inspections, or other similar activities as authorized by law or regulation. (Source: DFARS 252.239-7010(i)(3))
- Notify the Contracting Officer of any third party requests to access the Government data or Government-related data. (Source: DFARS 252.239-7010(j))
- Upon the Government’s notification of spillage or the contractor’s discovery of spillage, cooperate with the Contracting Officer to address the spillage in compliance with agency procedures. (Source: DFARS 252.239-7010(k))
- Include the substance of this clause in all subcontracts that involve or may involve cloud services, including subcontracts for commercial services. (Source: DFARS 252.239-7010(l))
Ramifications for Failing to Employ Adequate Security
A cyber incident reported by a prime or subcontractor shall not, by itself, be interpreted as evidence that the prime or subcontractor has failed to provide adequate information safeguards. DFARS 204.7302(d). However, a breach of these regulations may result in criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United States, and civil actions for damages and other appropriate remedies by the third party that reported the cyber incident, as a third-party beneficiary of this clause. DFARS 252.204-7009(b)(5).
For more information on achieving compliance with the new regulations or submitting comments, you may contact the author Bill Wagner. Bill holds the CIPP/G, CIPP/US, CPCU designations, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability, and Electronic Document Retention and Production, and serves as a Steering Committee Member to DRI’s Government Enforcement and Corporate Compliance Committee.