What is a DOD contractor

Defense Federal Acquisition Regulation Supplement (DFARS)


DFARS overview

On October 21, 2016, the Department of Defense (DoD) issued its Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) and imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI).

The final DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) specifies safeguards to include cyber incident reporting requirements and additional considerations for cloud service providers. Per DFARS 252.204-7012, all DoD contractors and the defense industrial base are required to comply with DFARS requirements for adequate security 'as soon as practical, but not later than December 31, 2017.'

Microsoft and DFARS

Microsoft Government Cloud services help the United States defense industrial base and defense contractor customers meet the DFARS requirements as enumerated in the DFARS clauses of 252.204-7012 that apply to cloud service providers. When defense contractors are required to comply with DFARS clause 252.204-7012 in contracts, Microsoft can support the requirements applicable to cloud service providers for Azure Government and Office 365 U.S. Government Defense services. Both services demonstrate support for the capabilities necessary for customers to comply with the DFARS 7012 clauses through their L5 accreditation to the Department of Defense Security Requirements Guide.

Learn how to accelerate your DFARS deployment with our Azure Security and Compliance Blueprint: Download the Azure - Blueprint DFARS Customer Responsibilities Matrix

Microsoft in-scope cloud services

Covered services for DoD Impact Level 5

Audits, reports, and certificates

Frequently asked questions

Which DFARS requirements are supported by Microsoft Azure Government and Office 365 U.S. Government Defense?

Azure Government and Office 365 U.S. Government Defense allow our defense industrial base and defense contractor customers to meet the DFARS requirements as enumerated in the DFARS clauses of 252.204-7012 that apply to cloud service providers.

Has an independent assessor validated that Azure Government and Office 365 U.S. Government Defense supports DFARS requirements?

Yes, a third-party assessment organization has verified that the Azure Government and Office 365 U.S. Government Defense cloud service offering meets the applicable requirements of DFARS Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information).

What is the relationship between Controlled Unclassified Information (CUI) and covered defense information (CDI)?

CUI is information that requires safeguarding or disseminating controls according to law, regulation, or government-wide policy. The CUI Registry identifies approved CUI categories and subcategories.

CDI is controlled technical information or other information (as described in the CUI Registry) that requires safeguarding or dissemination controls and is either:

  • Marked or otherwise identified in the contract, task order, or delivery order, and provided to the contractor by or on behalf of DoD in connection with the performance of the contract or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract

Do all Microsoft services meet the 'adequate security' requirements applicable to 'covered defense information' under the DFARS regulation?

In October 2016, the Department of Defense (DoD) promulgated a final rule implementing Defense Federal Acquisition Regulation Supplement (DFARS) clauses that apply to all DoD contractors who process, store, or transmit 'covered defense information' through their information systems. The rule states that such systems must meet the security requirements set forth in NIST SP 800-171, Protecting Controlled Unclassified Information in nonfederal information systems and organizations, or an 'alternative, but equally effective, security measure' that is approved by the DoD contracting officer. And where a DoD contractor uses an external cloud service provider to process, store, or transmit covered defense information, such provider must meet security requirements that are equivalent to the FedRAMP Moderate baseline.

The following Microsoft cloud services have received a FedRAMP moderate authorization and are adequate for DFARS: Azure Government, Dynamics 365 U.S. Government, Office 365 U.S. Government, and Office 365 U.S. Government Defense.

Also, Microsoft offerings outside the FedRAMP-certified boundary that could potentially be used by DoD contractors to process, store, or transmit 'covered defense information' are undergoing a review to meet a December 31, 2017, compliance deadline. The review will document how these internal and customer-facing services comply with NIST SP 800-171 or an acceptable security equivalent, to meet the DFARS relevant clauses.

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources