Public Sector Blog
Microsoft Expands Support for the DIB – Announcing Support for DFARS in Azure Commercial

RichardWakeman
Feb 23, 2021
Microsoft is furthering its commitment to U.S. Department of Defense (DoD) contractors and the Defense Industrial Base (DIB) by announcing support for Defense Federal Acquisition Regulation Supplement (DFARS) requirements for Azure Commercial cloud services. This extends the existing commitment to support DFARS in the Azure Government cloud services.

Microsoft Azure Commercial and Azure Government cloud offerings both meet the applicable requirements of DFARS Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information). Specifically, the requirements within the Clause that apply to the Cloud Service Provider (CSP), together with Microsoft’s commitment to fulfill each of them, are listed below.

DFARS Clause Requirements and the corresponding Microsoft Commitment:

(a) Definitions
Microsoft Commitment: *Not applicable, as its purpose is to provide context for the document.

(b) Requirements pertaining to provision of adequate security
Microsoft Commitment: Microsoft maintains a Federal Risk and Authorization Management Program (FedRAMP) High Provisional Authorization to Operate (P-ATO) for "Microsoft - Azure Commercial Cloud" and for "Microsoft - Azure Government (includes Dynamics 365)".

(c) Cyber incident reporting requirement
Microsoft Commitment: Microsoft reports security incidents in accordance with its FedRAMP obligations and Microsoft’s contractual commitments.
  • Microsoft’s Online Services Terms (last updated in May 2020) has a section on Security Incident Notification covering breach of security and response measures, which include notification of the impacted customer, investigation of the security incident, and providing the customer with detailed information about the incident. These measures also include taking reasonable steps to mitigate the effects of, and to minimize any damage resulting from, the security incident.
  • Microsoft Azure’s System Security Plan (SSP) states that the notification timeline obligation starts when the official Security Incident declaration occurs. Due to competing notification requirements, Security Response follows the most aggressive timeline based on the impacted customer base. Customers, DPAs, and data subjects shall be notified (each as applicable) within 72 hours of the declaration timestamp.
  • Microsoft Azure’s Incident Management Standard Operating Procedure (SOP) also states that all customers are notified within 72 hours of incident declaration. Microsoft will provide an initial report to the customer for a declared Security Incident on the timelines provided in accordance with customer contractual commitments. Microsoft treats DoS attacks as availability outages rather than security incidents, and promptly reports service outages via the Service Health Dashboard; in these cases, the U.S. Computer Emergency Readiness Team (US-CERT) is not notified. Malicious code that does not result in improper access to customer data is not reported to the customer or US-CERT. Microsoft does not access Customer Data except to provide the service, and does not examine Customer Data to determine whether it is specifically regulated under Customer contracts with third parties. Microsoft will work with the Customer to identify any Customer Data involved in a Security Incident so that the Customer can determine whether it meets the reporting obligations for “Cyber Incidents” under the DFARS.

(d) Malicious software
Microsoft Commitment: Microsoft works with Customers to submit malicious software found in Azure or Azure Government to the DoD Cyber Crime Center (DC3), when appropriate. Malicious software protection measures are in place for the Microsoft Azure system as follows:
  • Platform as a Service: Microsoft Azure assets are protected from malicious software using anti-malware software, which provides both preventive and detective control over malicious software. Anti-malware tools that detect files determined to be malicious send alerts to the appropriate Microsoft personnel, triggering the incident response process.
  • Infrastructure as a Service: The customer is responsible for employing malicious code protection at information system entry and exit points to detect and eradicate malicious code, and for using code protection mechanisms to protect assets from malicious software.
  • Microsoft Azure utilizes Windows Defender and ClamAV as its host-based malicious code protection mechanism. In addition to signature-based detection, these tools also use behavior monitoring, network inspection, and/or heuristics to detect malicious code that signature-based methods may miss.
Additionally, Microsoft Azure’s Incident Management SOP states that malicious code that does not result in improper access to customer data is not reported to the customer or US-CERT.

(e) Media preservation and protection
Microsoft Commitment: Microsoft preserves and protects Customer Data in accordance with the Azure System Security Plan and the Online Services Terms. Except for free trials, Microsoft will retain Customer Data stored in the Online Service in a limited-function account for 90 days after expiration or termination of Customer’s subscription so that Customer may extract the data.
Any physical or virtual systems impacted by Security Incidents are treated in accordance with Microsoft’s incident response processes.
Microsoft’s commitments regarding Security Incident notification continue to support the preservation of, and access to, preserved forensic data.

(f) Access to additional information or equipment necessary for forensic analysis
Microsoft Commitment: Microsoft commits in the Online Services Terms to provide detailed information to customers, agencies, and DoD upon request.
  • Per the Online Services Terms for “Security Incident Notification”, if Microsoft becomes aware of any unlawful access to any Customer Data stored on Microsoft’s equipment or in Microsoft’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of Customer Data (each a “Security Incident”), Microsoft will promptly (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; and (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

(g) Cyber incident damage assessment activities
Microsoft Commitment: Microsoft will support its customers with the damage assessment activities needed to investigate the cyber incident. Audit and monitoring data are retained for at least 90 days to support investigation of security incidents.

(h) – (j)
Microsoft Commitment: *Not applicable, as the onus is on the DoD for these requirements.

(k) The Contractor shall conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data.
Microsoft Commitment: All in-scope laws and regulations covered by FedRAMP (and other) authorizations are met as they pertain to the interception, monitoring, access, use, and disclosure of electronic communications and data. For details as they pertain to customers, refer to the publicly available Microsoft Online Services Terms and service level agreements.

(l) Other safeguarding or reporting requirements
Microsoft Commitment: Microsoft requires all contractors and subcontractors to safeguard data and report cyber incidents in accordance with the methods and timelines prescribed by Microsoft policies and procedures, whether pertaining to its unclassified information systems (as required by other applicable clauses) or arising from other applicable U.S. Government statutory or regulatory requirements.

(m) Subcontracts
Microsoft Commitment: While this portion applies only to Government contracts, Microsoft remains committed to including the required language regarding DFARS Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information) in contracts and subcontracts.


Azure Commercial and Azure Government cloud offerings have been validated by independent third-party attestation and provide our DIB and defense contractor customers with services designed to meet the DFARS requirements enumerated in clause 252.204-7012 that apply to CSPs. Defense contractors required to include DFARS clause 252.204-7012 in contracts can have confidence that Microsoft is able to accept the flow-down terms applicable to cloud service providers (CSPs) for Azure Government Services covered by our FedRAMP High P-ATO. This is significant as the DoD and its mission partners continue to expand adoption of commercial cloud computing in support of contracts for programs and mission systems.

Note: While Azure Commercial meets the CSP requirements for DFARS 7012, this by itself will not be the deciding factor in choosing which environment is most appropriate. Most DIB companies are best aligned with the US Sovereign Cloud, with Azure Government and Microsoft 365 Government (GCC High), for handling Controlled Unclassified Information (CUI). For more information, please refer to: Understanding Compliance Between Microsoft 365 Commercial, Government and DoD Offerings

Appendix

Please follow me here and on LinkedIn. Here are my additional blog articles (blog title and aka link):

  • New! ND-ISAC MSCloud - Reference Identity Architectures for the US Defense Industrial Base: https://aka.ms/ND-ISAC/IdentityWP
  • Microsoft CMMC Acceleration Update: https://aka.ms/CMMC/Acceleration
  • History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government: https://aka.ms/USSovereignCloud
  • Gold Standard! Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings: https://aka.ms/MSGovCompliance
  • The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In: https://aka.ms/AA6frar
  • Microsoft US Sovereign Cloud Myth Busters - A Global Address List (GAL) Can Span Multiple Tenants: https://aka.ms/AA6seih
  • Microsoft US Sovereign Cloud Myth Busters - A Single Domain Should Not Span Multiple Tenants: https://aka.ms/AA6vf3n
  • Microsoft US Sovereign Cloud Myth Busters - Active Directory Does Not Require Restructuring: https://aka.ms/AA6xn69
  • Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty: https://aka.ms/CUISovereignty
  • Microsoft expands qualification of contractors for government cloud offerings: https://aka.ms/GovCloudEligibility

Updated Nov 03, 2023
Version 2.0