Microsoft is furthering its commitment to U.S. Department of Defense (DoD) contractors and the Defense Industrial Base (DIB) by announcing support for Defense Federal Acquisition Regulation Supplement (DFARS) requirements for Azure Commercial cloud services. This extends the existing commitment to support DFARS in the Azure Government cloud services.
Microsoft Azure Commercial and Azure Government cloud offerings both meet the applicable requirements of DFARS Clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting). Specifically, the table below lists the paragraphs of the clause that apply to the Cloud Service Provider (CSP) and Microsoft's commitment to fulfill each of them.
| DFARS Clause Requirement | Microsoft Commitment |
|---|---|
| (a) Definitions | Not applicable; this paragraph only provides context for the clause. |
| (b) Requirements pertaining to provision of adequate security | Microsoft maintains a Federal Risk and Authorization Management Program (FedRAMP) High Provisional Authorization to Operate (P-ATO) for "Microsoft - Azure Commercial Cloud" and for "Microsoft - Azure Government (includes Dynamics 365)". |
| (c) Cyber incident reporting requirement | Microsoft reports security incidents in accordance with its FedRAMP obligations and its contractual commitments. |
| (d) Malicious software | Microsoft works with customers to submit malicious software found in Azure or Azure Government to the DoD Cyber Crime Center (DC3), when appropriate. Malicious software protection measures are in place for the Microsoft Azure system as follows: Additionally, Microsoft Azure's Incident Management SOP states that malicious code that does not result in improper access to customer data is not reported to the customer or US-CERT. |
| (e) Media preservation and protection | Microsoft preserves and protects Customer Data in accordance with the Azure System Security Plan and the Online Services Terms. Except for free trials, Microsoft retains Customer Data stored in the Online Service in a limited-function account for 90 days after expiration or termination of the customer's subscription so that the customer may extract the data. Any physical or virtual systems impacted by Security Incidents are handled in accordance with Microsoft's incident response processes. Microsoft's Security Incident notification commitments also support the preservation of, and access to, forensic data. |
| (f) Access to additional information or equipment necessary for forensic analysis | Microsoft commits in the Online Services Terms to provide detailed information to customers, agencies, and DoD upon request. |
| (g) Cyber incident damage assessment activities | Microsoft supports its customers' damage assessment activities when investigating a cyber incident. Audit and monitoring data are retained for at least 90 days to support investigation of security incidents. |
| (h) – (j) | Not applicable; the onus for these paragraphs is on the DoD. |
| (k) The Contractor shall conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data. | Microsoft meets all in-scope laws and regulations covered by its FedRAMP (and other) authorizations as they pertain to the interception, monitoring, access, use, and disclosure of electronic communications and data. For details as they pertain to customers, refer to the publicly available Microsoft Online Services Terms and service level agreements. |
| (l) Other safeguarding or reporting requirements | Microsoft requires all contractors and subcontractors to safeguard data and report cyber incidents using the methods and timelines prescribed by Microsoft policies and procedures, whether those obligations pertain to its unclassified information systems (as required by other applicable clauses) or arise from other applicable U.S. Government statutory or regulatory requirements. |
| (m) Subcontracts | Although this paragraph applies only to Government contracts, Microsoft is committed to including the required DFARS Clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) language in its contracts and subcontracts. |
Azure Commercial and Azure Government cloud offerings have been validated by independent, third-party attestation and provide our DIB and defense contractor customers with services designed to meet the requirements of DFARS Clause 252.204-7012 that apply to CSPs. Defense contractors required to include DFARS Clause 252.204-7012 in their contracts can have confidence that Microsoft is able to accept the flow-down terms applicable to cloud service providers (CSPs) for Azure Government services covered by our FedRAMP High P-ATO. This is significant as the DoD and its mission partners continue to expand adoption of commercial cloud computing in support of contracts for programs and mission systems.
Note: While Azure Commercial meets the CSP requirements of DFARS 252.204-7012, that fact alone should not decide which environment is most appropriate. Most DIB companies are best aligned with the US Sovereign Cloud, that is, Azure Government and Microsoft 365 Government (GCC High), for handling Controlled Unclassified Information (CUI). For more information, please refer to:
Understanding Compliance Between Microsoft 365 Commercial, Government and DoD Offerings
Appendix
Please follow me here and on LinkedIn. Here are my additional blog articles:
- New! ND-ISAC MSCloud - Reference Identity Architectures for the US Defense Industrial Base
- Microsoft CMMC Acceleration Update
- History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government
- Gold Standard! Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings
- The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In
- Microsoft US Sovereign Cloud Myth Busters - A Global Address List (GAL) Can Span Multiple Tenants
- Microsoft US Sovereign Cloud Myth Busters - A Single Domain Should Not Span Multiple Tenants
- Microsoft US Sovereign Cloud Myth Busters - Active Directory Does Not Require Restructuring
- Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty
- Microsoft expands qualification of contractors for government cloud offerings