Microsoft Expands Support for the DIB – Announcing Support for DFARS in Azure Commercial

 DFARS Clause Requirements

Microsoft Commitment

(a) Definitions

*Not applicable, as its purpose is to provide context for the document.

(b) Requirements pertaining to provision of Adequate security

Microsoft maintains a Federal Risk and Authorization Management Program (FedRAMP) High Provisional Authorization to Operate (P-ATO) for "Microsoft - Azure Commercial Cloud" and for "Microsoft - Azure Government (includes Dynamics 365)".

(c) Cyber incident reporting requirement

Microsoft reports security incidents in accordance with the FedRAMP obligations and Microsoft’s contractual commitments.

• Microsoft’s Online Services Terms (last updated in May 2020), has a section pertaining Security Incident Notification covering breach of security and response measures that include notification of the impacted customer, investigation of the security incident, and providing the customer with detailed information about the incident. Additionally, these measures include taking reasonable steps to mitigate the effects and to minimize any damage resulting from the security incident.
• Microsoft Azure’s System Security Plan (SSP) states that the notification timeline obligation starts when the official Security Incident declaration occurs. Due to competing notification requirements, Security Response follows the most aggressive timeline based on the impacted customer base. Customers, DPAs, and data subjects shall be notified (each as applicable) within 72 hours of the declaration timestamp.
• Microsoft Azure’s Incident Management Standard Operating Procedure (SOP) also states that notification is done to all customers within 72 hours of incident declaration. Microsoft will provide an initial report to the customer for a declared Security Incident on the timelines provided in accordance with customer contractual commitments. Microsoft treats DoS attack as availability outages and not security incidents. Microsoft promptly reports services outages via the Service Health Dashboard. In these cases, the U.S. Computer Emergency Readiness Team (US-CERT) is not notified. Malicious code that does not result in improper access to customer data is not reported to the customer or US-CERT. Microsoft does not access Customer Data except to provide the service, and does not examine Customer Data to determine if it is specifically regulated under Customer contracts with third parties. Microsoft will work with the Customer to identify any Customer Data involved in a Security Incident so that the Customer can determine if it meets the reporting obligations for “Cyber Incidents” under the DFARS.

(d) Malicious software

Microsoft works with Customers to submit malicious software found in Azure or Azure Government to the DoD Cyber Crime Center (DC3), when appropriate. Malicious software protection measures are in place for the Microsoft Azure system as follows:

• Platform as a Service: Microsoft Azure assets are protected from malicious software using anti-malware software. Anti-malware software helps provide both preventive and detective control over malicious software. Anti-malware tools that detect files determined to be malicious sends alerts to the appropriate Microsoft personnel, triggering the incident response process.
• Infrastructure as a Service: The customer is responsible for ensuring that they employ malicious code protection at information system entry and exit points to detect and eradicate malicious code and use code protection mechanisms to protect assets from malicious software.
• Microsoft Azure utilizes Windows Defender and ClamAV as its host based malicious code protection mechanism to detect malicious code. In addition to signature-based detection mechanisms, these tools also utilize behavior monitoring, network inspection, and/or heuristics to detect malicious code that may be missed by signature-based methods.

Additionally, Microsoft Azure’s Incident Management SOP states that malicious code that does not result in improper access to customer data is not reported to the customer or US-CERT.

(e) Media preservation and protection

Microsoft preserves and protects Customer Data in accordance with the Azure System Security Plan and the Online Services Terms. Except for free trials, Microsoft will retain Customer Data stored in the Online Service in a limited function account for 90 days after expiration, or termination of Customer’s subscription so that Customer may extract the data.

Any physical or virtual systems impacted by Security Incidents are treated in accordance with Microsoft’s incident response processes.

Microsoft commitments regarding Security Incident notification would continue to support preservation and access to preserved forensics.

(f) Access to additional information or equipment necessary for forensic analysis

Microsoft makes commitment in the Online Services Terms to provide detailed information to customers, agencies, and DoD upon request.

• Per the Online Services Terms for “Security Incident Notification”, if Microsoft becomes aware of any unlawful access to any Customer Data stored on Microsoft’s equipment or in Microsoft’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of Customer Data (each a “Security Incident”), Microsoft will promptly (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; and (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

(g) Cyber incident damage assessment activities

Microsoft will support its customers with the damage assessment activities to investigate the cyber incident. Audit and monitoring data are retained for at least 90 days to support investigation of security incidents.

(h) – (j)

*Not applicable, as the onus is on the DoD for this requirement.

(k) The Contractor shall conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data.

All in-scope applicable laws and regulations covered by FedRAMP (and other) authorizations are being met as it pertains to the interception, monitoring, access, use, and disclosure of electronic communications and data. For details, as it pertains to customers, refer to the publicly available Microsoft Online Services Terms and service level agreements.

(l) Other safeguarding or reporting requirements

Microsoft requires all contractors and subcontractors to safeguard data and report cyber incidents as with prescribed methods and timelines defined by Microsoft policies and procedures, whether pertaining to its unclassified information systems (as required by other applicable clauses) or as a result of other applicable U.S. Government statutory or regulatory requirements.

(m) Subcontracts

While this portion is only applicable to Government contracts, Microsoft maintains commitment in meeting the requirement of inclusion of the required language regarding DFARS Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information) in contracts and sub-contracts.