
Posted on Tuesday, August 14, 2018

Which Security Requirements Apply When Using Cloud Service Providers to Process and Store CDI?

On April 2, 2018, the Department of Defense issued an extensive set of Frequently Asked Questions (FAQs) regarding implementation of the DFARS Cybersecurity Clause (252.204-7012), NIST 800-171 and the Cloud Computing Clauses (252.239-7009 & -7010). These FAQs shed further light on what the Department expects and will expect from the contractors subject to these clauses. This is a continuation of our key takeaways from the FAQs (read Part I, Part II, and Part III).

This article reviews the impact of these regulations when a cloud solution is being used to process data for a Covered Contractor or for or on behalf of the DoD.

In the FAQs, DoD explained when the Cloud Computing Services Clause (DFARS 252.239-7010) applies and when the Cybersecurity Clause (252.204-7012) applies.

The Cloud Computing Services clause (-7010) applies when a cloud solution is being used to process data for the DoD or on its behalf, including when DoD is contracting with a cloud services provider for its own operations. It does not apply to commercial cloud service providers when they are operated as an extension of a contractor’s internal IT system.

The Covered Defense Information (CDI) safeguarding clause (-7012) applies when a contractor intends to use an external cloud services provider (CSP) to process CDI for the contractor for a covered contract as an extension of the contractor’s own internal information system.

DoD also provided guidance regarding the flow-down requirements for contractors using CSPs, though it expressed some flexibility in the application of the clause compared with what was in the final rule. That is, the FAQ indicated that the actual cyber contract clause may not have to be flowed down to a contractor’s CSP, so long as the contractor imposes the relevant cyber incident reporting and support duties on its CSP.

Here is the back story. The DFARS clause requires contractors to provide DoD access to information and equipment necessary to conduct a forensic analysis after a cyber incident. This requirement is statutorily based, so it applies to the contractor’s CSP as well.

Therefore, the regulation requires that the covered contractor ensure that the CSP complies with the cyber incident reporting, malicious software, media preservation and government access to information and equipment requirements of the clause, whether or not the clause is technically flowed down.

This apparent wiggle room differs from the plain wording of the final rule, which said that the clause was to be included in CSP subcontracts “without alteration, except to identify the parties.” The final rule explained that a contractor must review and, if necessary, require its CSP to modify the CSP’s normal commercial terms of use. But by the time the FAQs were written, there seemed to be recognition that this task could be a tall order, since CSPs are generally not focused on, or even aware of, the NIST requirements.

This may have resulted in the FAQ’s apparent flexibility in how the contract clause’s requirements are imposed on CSPs.

Accordingly, Q&A 101 says that DoD will normally not require physical access to a CSP so long as the cloud provider captures, preserves and protects images and the status of affected systems as required by the clause. Since these requirements are not standard in CSP terms of use, the contractor must ensure that these obligations are imposed on its CSP.

Q&A 103 then adds that the contractor “normally does not ‘flow down’ the DFARS clause to the CSP, but must ensure that he can continue to meet the DFARS clause requirements.” Bottom line: the substantive obligations must be imposed on the CSP, whether or not a technical flow-down occurs.

Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, legal updates, events, and more. This post was published in the August 2018 Monthly Insights newsletter.

Steve Britt is a Partner at Berenzweig Leonard LLP. Steve leads the firm’s Cybersecurity Law practice and can be reached at SBritt@BerenzweigLaw.com.