Three Takeaways from the New DoD Network Penetration FAQs for Cloud Services Providers
Published: March 08, 2017
Industry receives a sign that the DoD intends to use commercial cloud services for mission critical systems and applications.
In late January 2017, the Department of Defense published a 27-page document containing answers to frequently asked questions about the department’s implementation of new rules concerning network penetration reporting and contracting for cloud services. As a reminder, the rules the FAQ document concerns are part of DFARS clause 252.204-7012, “Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting.” This clause, according to the Office of Defense Procurement and Acquisition Policy (DPAP), “was structured to ensure that unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes.”
After reading through the FAQs, here are three responses provided by the DPAP that should be of interest to vendors offering cloud solutions to the DoD.
Use in Solicitations – Clause 252.204-7012 is not required for solicitations and contracts if they are for the acquisition of COTS items alone. Be aware, however, that DoD contracting personnel may apply the clause retroactively by modifying an existing contract to add the clause.
Potential Implication – Not being in compliance from the beginning of contract award could cause headaches if a problem arises later, since the clause may be added after the fact. Vendors will need to weigh the risk of later non-compliance against the cost of complying up front.
Use in Source Selection – The DPAP notes that Clause 252.204-7012 “is not structured to require contractor compliance with NIST SP 800-171 as a mandatory evaluation factor in the source selection process, but the requiring activity is not precluded from stating in the solicitation that it will consider compliance with NIST SP 800-171 as part of the source selection process.”
Potential Implication – Requiring compliance with NIST SP 800-171 is more likely to be used for service requirements that the DoD considers extremely sensitive. This means mission critical systems hosted in commercial clouds. To be safe, it is probably worthwhile to have NIST SP 800-171 compliance documentation in order before submitting proposals.
Monitoring of DoD Requested Security Requirements – The DoD has not set up a mechanism for monitoring the status of security requirements on vendor systems post-award, explaining that “contractor compliance … would be subject to any existing generally applicable contractor compliance monitoring mechanisms.”
Potential Implication – Without monitoring, the only way the DoD will know whether a contractor system is in compliance is either through a technical audit or as the result of a security breach. Vendors who go the extra step of voluntarily proposing an automated compliance monitoring mechanism or report as part of their bid could achieve a competitive advantage, because doing so reassures the program office that the system is compliant from the outset of use.
Summing up, DFARS Clause 252.204-7012 concerns what the DPAP refers to as “Covered Defense Information (CDI).” This information is directly related to systems dealing with supplies or services that the government has designated “as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.” In other words, the rules for protecting CDI described in DFARS clause 252.204-7012 govern services supporting mission critical DoD operations. Industry can take this as a solid sign that the DoD intends to use commercial cloud services for mission critical systems and applications.