On April 2, 2018, the Department of Defense issued an extensive set of Frequently Asked Questions (FAQs) regarding implementation of the DFARS Cybersecurity Clause (252.204-7012), NIST 800-171, and the Cloud Computing Clauses (252.239-7009 & -7010). These FAQs shed further light on what the Department expects, and will expect, from the contractors subject to these clauses. This is a continuation of our key takeaways from the FAQs (read Part I, Part II, and Part III).
This article reviews the impact of these regulations when a cloud solution is being used to process data for a Covered Contractor or for or on behalf of the DoD.
In the FAQs, DoD explained when the Cloud Computing Services Clause (DFARS 252.239-7010) applies and when the Cybersecurity Clause (252.204-7012) clause applies.
The Cloud Computing Services clause (-7010) applies when a cloud solution is being used to process data for the DoD or on its behalf, including when DoD is contracting with a cloud services provider for its own operations. It does not apply to commercial cloud service providers when they are operated as an extension of a contractor’s internal IT system.
The Covered Defense Information (CDI) safeguarding clause (-7012) applies when a contractor intends to use an external cloud services provider (CSP) to process CDI for the contractor for a covered contract as an extension of the contractor’s own internal information system.
DoD also provided guidance regarding the flow-down requirements for contractors using CSPs, though it expressed somewhat more flexibility in applying the clause than the final rule did. That is, the FAQ indicated that the actual cyber contract clause may not have to be flowed down to a contractor’s CSP, so long as contractors impose the relevant cyber incident reporting and support duties on their CSPs.
Here is the back story. The DFARS clause requires contractors to provide DoD access to information and equipment necessary to conduct a forensic analysis after a cyber incident. This requirement is statutorily based, so it applies to the contractor’s CSP as well.
Therefore, the regulation requires that the covered contractor ensure that the CSP complies with the cyber incident reporting, malicious software, media preservation, and government access to information and equipment requirements of the clause, whether or not the clause is technically flowed down.
This may explain the FAQ’s apparent flexibility in how the contract clause’s requirements are imposed on CSPs.
Q&A 103 then adds that the contractor “normally does not ‘flow down’ the DFARS clause to the CSP, but must ensure that he can continue to meet the DFARS clause requirements.” Bottom line: the substantive obligations must be imposed on the CSP, whether or not a technical flow-down occurs.
Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, legal updates, events, and more. This post was published in the August 2018 Monthly Insights newsletter. To sign up for Monthly Insights, please click here.