Defense Federal Acquisition Regulation Supplement (DFARS)

DFARS overview

Defense contractors whose information systems process, store, or transmit covered defense information (CDI) must comply with the Department of Defense (DoD) Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, which specifies requirements for the protection of controlled unclassified information (CUI) in accordance with NIST SP 800-171, cyber incident reporting obligations, and other considerations for cloud service providers. All DoD contractors are required to comply with DFARS requirements for adequate security.

In September 2020, DoD published a DFARS Interim Rule that established three new DFARS requirements and expanded upon the initial DFARS Clause 252.204-7012:

  • DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements mandates that the DIB contractor undergo self-assessments that meet the NIST SP 800-171 DoD Assessment Methodology at least every three years. Summary-level scores of these assessments shall be posted in the DoD Supplier Performance Risk System (SPRS).
  • DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements requires that the DIB contractor provide access to their facilities, systems, and personnel when DoD is conducting a Medium or High NIST SP 800-171 assessment.
  • DFARS 252.204-7021 Cybersecurity Maturity Model Certification (CMMC) Requirements stipulates that the DIB contractor shall have a current (not older than 3 years) CMMC certificate at the CMMC level required for the contract and maintain the CMMC certification at the required level for the duration of the contract.

These changes ensure that standalone self-attestation of compliance with DFARS 252.204-7012 by the Defense Industrial Base (DIB) contractors will no longer be sufficient to meet DoD contractual requirements. Instead, DoD has mandated that DIB contractors furnish evidence of both the DFARS 252.204-7012 self-attestation and an independent third-party Cybersecurity Maturity Model Certification (CMMC) to qualify for DoD contracts.

Azure support for DFARS

Both Azure and Azure Government provide the same controls for data encryption, including support for customer-managed encryption keys stored in FIPS 140-validated hardware security modules (HSMs) managed by Azure Key Vault. Moreover, an accredited third-party assessment organization (3PAO) has attested that both Azure and Azure Government meet the applicable requirements of DFARS Clause 252.204-7012.

Both Azure and Azure Government provide:

  • FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB). FedRAMP High P-ATO addresses security controls related to the safeguarding of federal contract information (FCI), controlled unclassified information (CUI), and covered defense information (CDI).
  • Contract amendment to help defense contractors meet the requirements in the DFARS Clause 252.204-7012 that apply to cloud service providers. When defense contractors are required to include the DFARS Clause 252.204-7012 flow-downs in subcontracts, Microsoft can accept the flow-down terms applicable to cloud service providers for Azure Government. For assistance with the contract amendment, contact your Microsoft account manager or licensing specialist.

Azure Government offers extra assurances.

For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiatives for Azure and Azure Government, which map to FedRAMP High, DoD IL4, and DoD IL5 compliance domains and controls.

Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each FedRAMP High, DoD IL4, and DoD IL5 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Microsoft has released a DFARS customer responsibility matrix for Azure Government to document Microsoft's compliance status and identify customer responsibilities for compliance with DFARS Clause 252.204-7012 requirements. The DFARS customer responsibility matrix can be downloaded from the Service Trust Portal (STP) Azure Security and Compliance Blueprints section under DoD Blueprints.

Applicability

  • Azure
  • Azure Government

Services in scope

  • Azure services in scope for DFARS reflect Azure FedRAMP High scope.
  • Azure Government services in scope for DFARS reflect Azure Government FedRAMP High scope.

Office 365 and DFARS

For more information about Office 365 compliance, see Office 365 DFARS documentation.

Attestation documents

You can access audit reports and certificates in the Azure or Azure Government portal by navigating to Home > Microsoft Defender for Cloud > Regulatory compliance > Audit reports, or by using direct links based on your subscription (sign in required).

The following documents are available:

  • Azure Commercial – Attestation of Compliance with DFARS
  • Azure Government – Attestation of Compliance with DFARS

An accredited third-party assessment organization (3PAO) has attested that Azure (also known as Azure Commercial) and Azure Government meet the applicable requirements of DFARS Clause 252.204-7012. You must have an existing subscription or free trial account in Azure or Azure Government to download the 3PAO attestation letters.

Frequently asked questions

Which DFARS requirements are supported by Azure?
Azure and Azure Government can help you meet the requirements stated in the DFARS Clause 252.204-7012 that apply to cloud service providers.

Can Azure help customers subject to CMMC compliance obligations?
Yes. For more information, see Azure CMMC documentation.

What is the relationship between controlled unclassified information (CUI) and covered defense information (CDI)?
CUI is information that requires safeguarding or dissemination controls according to law, regulation, or government-wide policy. The CUI Registry identifies approved CUI categories and subcategories.

CDI is controlled technical information or other information (as described in the CUI Registry) that requires safeguarding or dissemination controls and is either:

  • Marked or otherwise identified in the contract, task order, or delivery order, and provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Where can I get the Azure DFARS attestation documents?
For links to attestation documentation, see Attestation documents. You must have an existing subscription or free trial account in Azure or Azure Government to sign in. You can then download Azure and Azure Government DFARS attestation letters produced by an accredited third-party assessment organization (3PAO). These letters attest that Azure and Azure Government meet the applicable requirements of DFARS Clause 252.204-7012.

How do Azure services meet the adequate security requirements pertinent to DFARS?
In October 2016, the Department of Defense (DoD) promulgated a final rule implementing Defense Federal Acquisition Regulation Supplement (DFARS) clauses that apply to all DoD contractors who process, store, or transmit covered defense information through their information systems. The rule states that such systems must meet the security requirements set forth in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, or an “alternative, but equally effective, security measure” that is approved by the DoD contracting officer. Where a DoD contractor uses an external cloud service provider to process, store, or transmit covered defense information, such provider must meet security requirements that are equivalent to the FedRAMP Moderate baseline.

Azure and Azure Government maintain a FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB), which represents the highest bar for FedRAMP compliance. The NIST SP 800-171 mapping tables in Appendix D (D1 through D14) map each CUI security requirement to the relevant security controls in NIST SP 800-53, showing that NIST SP 800-171 is a subset of the NIST SP 800-53 controls for which Azure and Azure Government have already been assessed and authorized under FedRAMP. Therefore, you can be assured that the FedRAMP High baseline fully addresses and exceeds the requirements of NIST SP 800-171. All Azure and Azure Government services that have received FedRAMP High authorization conform to the NIST SP 800-171 requirements and can help you deploy CUI workloads.

Moreover, both Azure and Azure Government provide contract amendments to help defense contractors meet the requirements in the DFARS Clause 252.204-7012 that apply to cloud service providers. When defense contractors are required to include the DFARS Clause 252.204-7012 flow-downs in subcontracts, Microsoft can accept the flow-down terms applicable to cloud service providers for Azure and Azure Government.

Resources