DFARS Clause 252.204-7012: The DoD Data Security Rule Cloud Providers Should Know

Published: December 09, 2015

Tags: Acquisition Reform, Cloud Computing, Congress, Defense, Policy and Legislation

DFARS clause 252.204-7012, modified in September 2015, gives defense authorities access to a vendor's systems, including its media, equipment and related information, for forensic analysis and damage assessment when that system hosts defense data and a cyber incident is reported. The clause is mandatory in all new solicitations and contracts and may be added to existing contracts at a contracting officer's discretion.

In September 2015, procurement officials modified a clause in the regulations that govern IT procurement by organizations within the Department of Defense. Cloud service providers seeking to do business with the DoD should become familiar with this rule. The modified Defense Federal Acquisition Regulation Supplement (DFARS) clause, number 252.204-7012, entitled "Safeguarding Covered Defense Information and Cyber Incident Reporting," sets out the security measures, responsibilities and reporting requirements for contractors who host defense data: "adequate security" for covered defense information, measured against the controls in NIST SP 800-171, and rapid reporting of cyber incidents to the DoD (within 72 hours of discovery). The clause was changed to comply with Section 941 of the National Defense Authorization Act for Fiscal Year 2013 and Section 1632 of the NDAA for Fiscal Year 2015. As a reminder of what those provisions call for, the Defense Procurement and Acquisition Policy (DPAP) office summarizes them as follows:

“Section 941 … requires cleared defense contractors to report penetrations of networks and information systems and allows DoD personnel access to equipment and information to assess the impact of reported penetrations. Section 1632 … requires that a contractor designated as operationally critical must report each time a cyber incident occurs on that contractor’s network or information systems.”

In these sections, Congress effectively mandated that commercial networks under contract to defense organizations be treated as extensions of government systems. This will not come as a surprise to companies that have been doing business with the DoD for a while, but it might be news to new vendors seeking to get in on the ground floor while the DoD is expanding its use of commercial cloud services. Whether you want your system to be part of the defense information "ecosystem" is a business decision each vendor will have to make.

The other point worth knowing about 252.204-7012 is that its inclusion in all solicitations and contracts is now required. This includes "solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items." The DPAP explains that "the clause is not required to be applied retroactively, but that does not preclude a contracting officer from modifying an existing contract to add the clause in accordance with the terms of the contract" (emphasis mine).

This is the real news: a vendor's business system, originally contracted for DoD use without any obligation to give defense authorities access, can now be brought under that obligation by a modification the vendor did not bargain for when it signed. After all, a contract is built on mutual approval. It is an agreement reached by two parties for goods and/or services provided at a settled price and according to agreed-upon terms.

Allowing defense authorities access to vendor systems is neither good nor bad; it is now simply part of doing business with the DoD. Vendors will need to decide whether providing that access is acceptable to them, and that decision could prove disruptive if a contracting officer decides two years into a one-plus-four effort (a base year plus four option years) that 252.204-7012 should apply. Should that happen, the vendor (particularly a small one) will be hard-pressed in today's era of compressed margins to walk away from a previously sealed deal, even though its terms have suddenly changed.