Is Your Cloud Service Provider Making You Non-Compliant With the DFARS 252.204-7012 Regulation?
As a defense contractor, you may be considering a cloud service provider (CSP), and there are many to choose from. Now that DFARS 252.204-7012 requires CSPs to meet a FedRAMP (Federal Risk and Authorization Management Program) Moderate equivalent baseline and to support cyber incident reporting, evaluating a viable CSP has become harder. Many organizations have had success by requiring their CSP to sign a Statement of Work (SOW) that documents how it has implemented the FedRAMP Moderate baseline. The FedRAMP baseline adds controls on top of the standard NIST SP 800-53 rev4 low and moderate baselines; these additional controls address elements unique to cloud computing so that federal data remains protected in cloud environments.
The DFARS 7012 states the following:
If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
How do you choose a CSP that allows you to successfully meet the intent of the 7012 requirements? Look for these things:
Ensure your CSP has documented how it meets each control in the FedRAMP Moderate baseline. Without this documentation, your organization will not be compliant with the 7012 regulation. This does not mean the CSP must hold a FedRAMP authorization, but it must have implemented equivalent controls that meet the intent of every control required for the Moderate baseline.
Ensure your CSP has a documented process for addressing paragraphs (c) through (g) of the 7012 clause (cyber incident reporting, malicious software, media preservation and protection, access to information and equipment for forensic analysis, and cyber incident damage assessment). The CSP must document both (1) how it meets the FedRAMP Moderate equivalency requirement and (2) the cyber incident reporting process it has in place.
A CSP is not required to implement NIST SP 800-171. NIST SP 800-171 lists the 110 security requirements that the 7012 clause calls "adequate security"; these are to be implemented internally by the defense contractor, not by the CSP.
Your CSP must sign a contract stating that it will meet the necessary requirements and how it plans to meet them. As the defense contractor, you are responsible for ensuring that both your organization and your CSP meet the requirements imposed by the 7012 regulation in order to maintain compliance.
Your CSP should provide documentation of how it meets the FedRAMP Moderate baseline and paragraphs (c) through (g) on cyber incident reporting, and how it intends to keep meeting those requirements. If your CSP is not willing to sign a contract stating how it meets these requirements, then under the DFARS 7012 regulation you cannot use that provider for your organization.
Do you currently use an external CSP in support of a defense contract? If so, it is imperative to verify that your CSP meets the requirements set forth in the DFARS 7012 regulation. Until this has been addressed, your organization will not be 7012 compliant.