DFARS and CMMC
Defense contractors whose information systems process, store, or transmit covered defense information (CDI) must comply with the Department of Defense (DoD) Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, which specifies requirements for the protection of controlled unclassified information (CUI) in accordance with NIST SP 800-171, cyber incident reporting obligations, and other considerations for cloud service providers. All DoD contractors are required to comply with DFARS requirements for adequate security “as soon as practical, but not later than 31 December 2017”.
In September 2020, DoD published a DFARS Interim Rule that established three new DFARS requirements and expanded upon the initial DFARS 252.204-7012 clause.
- DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements mandates that the Defense Industrial Base (DIB) contractor undergo self-assessments that meet the NIST SP 800-171 DoD Assessment Methodology at least every three years. Summary level scores of these assessments shall be posted in the DoD Supplier Performance Risk System (SPRS).
- DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements requires that the DIB contractor provide access to their facilities, systems, and personnel when DoD is conducting a Medium or High NIST SP 800-171 assessment.
- DFARS 252.204-7021 Cybersecurity Maturity Model Certification (CMMC) Requirements stipulates that the DIB contractor shall have a current (not older than 3 years) CMMC certificate at the CMMC level required for the contract and maintain the CMMC certification at the required level for the duration of the contract.
These changes ensure that standalone self-attestation of compliance with DFARS 252.204-7012 by the Defense Industrial Base (DIB) contractors will no longer be sufficient to meet DoD contractual requirements. Instead, DoD has mandated that DIB contractors furnish evidence of both the DFARS 252.204-7012 self-attestation and an independent third-party Cybersecurity Maturity Model Certification (CMMC) to qualify for DoD contracts.
The Cybersecurity Maturity Model Certification is a new framework developed by DoD that requires formal third-party audits of DIB contractor cybersecurity practices. The audits are conducted by independent CMMC third-party assessor organizations (C3PAO) accredited by the CMMC Accreditation Body. CMMC expands upon DFARS 252.204-7012 while adding a third-party audit and certification requirement. It represents an evolution of DoD efforts to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) processed by the DIB. CMMC requirements are evolving as the framework is still being finalized.
CMMC introduces stronger accountability for the prime contractor to ensure that appropriate security requirements are met across their supply chain. A prime contractor must validate appropriate levels of subcontractor compliance to reinforce security across the entire supply chain prior to contract award.
CMMC is not applicable directly to cloud services, which is why there is no corresponding certification for a cloud services platform such as Azure. Instead, CMMC is intended to assess a DIB contractor's implementation of processes and practices associated with the achievement of a target cybersecurity maturity level. A DIB contractor who provides a cloud-based solution must ensure that the underlying cloud services platform maintains a minimum of FedRAMP Moderate authorization. CMMC requirements are subject to change as the framework is being finalized.
CMMC certification will become a prerequisite for DoD contract award. CMMC requires an evaluation of the contractor’s technical security controls, process maturity, documentation, policies, and processes to ensure security and resiliency. Pursuant to the CMMC framework, the DoD will assign a maturity level from 1 to 5 to individual functions of each DoD procurement, starting with basic FCI safeguarding at Level 1, moving to broad CUI protection at Level 3, and culminating with reducing the risk from advanced persistent threats (APT) and nation-state activity at Levels 4 and 5. Each level is composed of practices and processes that a contractor must demonstrate to achieve that level of certification. For more information, see CMMC Model and Assessment Guides.
Azure support for DFARS and CMMC
Both Azure and Azure Government have FedRAMP High authorizations in place that address security controls related to the safeguarding of FCI, CUI, and CDI. Both cloud environments provide the same controls for data encryption, including support for customer-managed encryption keys stored in FIPS 140-2 validated hardware security modules (HSMs) managed by Azure Key Vault. Moreover, an accredited third-party assessment organization (3PAO) has attested that both Azure and Azure Government meet the applicable requirements of DFARS Clause 252.204-7012.
Azure provides:
- FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB).
Azure Government provides:
- FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB).
- DoD Cloud Computing Security Requirements Guide (SRG) Impact Level 5 (IL5) Provisional Authorization (PA).
- A contract amendment to help defense contractors meet the requirements in the DFARS Clause 252.204-7012 that apply to cloud service providers. When defense contractors are required to include the DFARS Clause 252.204-7012 flow-downs in subcontracts, Microsoft can accept the flow-down terms applicable to cloud service providers for Azure Government. For assistance with the contract amendment, contact your Microsoft account manager or licensing specialist.
Microsoft Product Placemat for CMMC Level 3 (public preview) is an interactive dashboard representing how Microsoft cloud services satisfy requirements for CMMC practices. The user interface resembles a periodic table of CMMC practice families. The default view illustrates the practices with Microsoft coverage that are inherited from the underlying cloud platform. It also depicts practices for shared coverage where the underlying cloud platform contributes coverage for specific practices but requires additional customer configuration to satisfy the full-coverage requirements. Customer implementation guidance and practice implementation details are documented for each practice that aligns with Microsoft coverage or shared coverage. This capability enables you to drill down into each practice to discover customer-owned actions needed to meet practice requirements for CMMC compliance. For more information and to download the public preview, see Microsoft Product Placemat for CMMC Level 3.
For additional customer assistance, Microsoft provides Azure Blueprints, which is a service that helps customers deploy and update cloud environments in a repeatable manner using composable artifacts such as Azure Resource Manager templates to provision resources, role-based access controls, and policies. Resources provisioned through Azure Blueprints adhere to an organization’s standards, patterns, and compliance requirements. The overarching goal of Azure Blueprints is to help automate compliance and cybersecurity risk management in cloud environments. For example, Azure Blueprints provides policies to help customers comply with FedRAMP Moderate, FedRAMP High, DoD IL4, and DoD IL5 requirements. For more information, see Azure Blueprints samples.
- To help customers deploy a core set of policies for any Azure-based architecture that must implement controls for CMMC Level 3, Azure has released the Azure Blueprint for CMMC Level 3. When assigned to an architecture, resources are evaluated by Azure Policy for compliance with assigned policy definitions.
- Moreover, Microsoft has released a DFARS customer responsibility matrix for Azure Government to document Microsoft compliance status and identify customer responsibilities for compliance with DFARS Clause 252.204-7012 requirements.
- Azure Government
Services in scope
- Azure services in scope for DFARS reflect Azure FedRAMP High scope.
- Azure Government services in scope for DFARS reflect Azure Government FedRAMP High scope.
Office 365 and DFARS
For more information about Office 365 compliance, see Office 365 DFARS documentation.
Attestation documents
You can access audit reports and certificates in the Azure or Azure Government portal by navigating to Home > Security Center > Regulatory compliance > Audit reports or using direct links based on your subscription (login required):
The following documents are available:
- Azure Commercial - Attestation of Compliance with DFARS
- Azure Government - Attestation of Compliance with DFARS
An accredited third-party assessment organization (3PAO) has attested that Azure (also known as Azure Commercial) and Azure Government meet the applicable requirements of DFARS Clause 252.204-7012. You must have an existing subscription or free trial account in Azure or Azure Government to download the 3PAO attestation letters.
Frequently asked questions
Which DFARS requirements are supported by Azure?
Azure and Azure Government can help defense industrial base customers meet the requirements stated in the DFARS clause 252.204-7012 that apply to cloud service providers.
What is the relationship between controlled unclassified information (CUI) and covered defense information (CDI)?
CUI is information that requires safeguarding or disseminating controls according to law, regulation, or government-wide policy. The CUI Registry identifies approved CUI categories and subcategories.
CDI is controlled technical information or other information (as described in the CUI Registry) that requires safeguarding or dissemination controls and is either:
- Marked or otherwise identified in the contract, task order, or delivery order, and provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Where can I get the Azure DFARS attestation documents?
For links to attestation documentation, see Attestation documents. You must have an existing subscription or free trial account in Azure or Azure Government to log in. You can then download Azure and Azure Government DFARS attestation letters produced by an accredited third-party assessment organization (3PAO). These letters attest that Azure and Azure Government meet the applicable requirements of DFARS Clause 252.204-7012.
How do Azure services meet the adequate security requirements pertinent to DFARS and CMMC?
In October 2016, the Department of Defense (DoD) promulgated a final rule implementing Defense Federal Acquisition Regulation Supplement (DFARS) clauses that apply to all DoD contractors who process, store, or transmit covered defense information through their information systems. The rule states that such systems must meet the security requirements set forth in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, or an “alternative, but equally effective, security measure” that is approved by the DoD contracting officer. And where a DoD contractor uses an external cloud service provider to process, store, or transmit covered defense information, such provider must meet security requirements that are equivalent to the FedRAMP Moderate baseline.
Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the Joint Authorization Board (JAB), which represents the highest bar for FedRAMP compliance. NIST SP 800-171 mapping tables in Appendix D (D1 through D14) provide control mapping between CUI security requirements and relevant security controls in NIST SP 800-53, indicating that NIST SP 800-171 represents a subset of the NIST SP 800-53 controls for which Azure and Azure Government have already been assessed and authorized under the FedRAMP program. Consequently, customers can be assured that the FedRAMP High baseline fully addresses and exceeds the requirements of NIST SP 800-171. All Azure and Azure Government services that have received FedRAMP High authorization conform to the NIST SP 800-171 requirements and can accommodate customers looking to deploy CUI workloads.
Additionally, Azure Government maintains a DoD IL5 Provisional Authorization (PA), which adds controls and control enhancements to exceed the FedRAMP High baseline. Azure Government also provides a contract amendment to accept the DFARS Clause 252.204-7012 subcontract flow-downs applicable to cloud service providers.
Should I use Azure or Azure Government for workloads that are subject to CMMC?
Both Azure and Azure Government can accommodate DIB customers who are subject to CMMC compliance obligations. Customers can obtain CMMC certification for solutions deployed to either cloud environment. The decision will rest with our customers based on their business requirements and target DoD contracts. Most DIB contractors are best aligned with Azure Government, which provides an additional layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons. However, the need for CMMC certification is not a deciding factor for choosing your cloud environment.