Defense Federal Acquisition Regulation Supplement (DFARS)
On October 21, 2016, the Department of Defense (DoD) issued its Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) and imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI).
The final DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) specifies the required safeguards, including cyber incident reporting requirements and additional considerations for cloud service providers. Per DFARS 252.204-7012, all DoD contractors and the defense industrial base are required to comply with DFARS requirements for adequate security 'as soon as practical, but not later than December 31, 2017.'
Microsoft and DFARS
Microsoft Government Cloud services help the United States defense industrial base and defense contractor customers meet the DFARS requirements as enumerated in the DFARS clauses of 252.204-7012 that apply to cloud service providers. When defense contractors are required to comply with DFARS clause 252.204-7012 in contracts, Microsoft can support the requirements applicable to cloud service providers for Azure Government and Office 365 U.S. Government Defense services. Both services demonstrate support for the capabilities necessary for customers to comply with the DFARS 7012 clauses through their L5 accreditation to the Department of Defense Security Requirements Guide.
Learn how to accelerate your DFARS deployment with our Azure Security and Compliance Blueprint: Download the Azure Blueprint DFARS Customer Responsibilities Matrix
Microsoft in-scope cloud services
Covered services for DoD Impact Level 5
Audits, reports, and certificates
- Microsoft Cloud Services Authorizations
- Azure P-ATO Letter Signed March 3, 2017
- See additional audit reports
Frequently asked questions
Which DFARS requirements are supported by Microsoft Azure Government and Office 365 U.S. Government Defense?
Azure Government and Office 365 U.S. Government Defense allow our defense industrial base and defense contractor customers to meet the DFARS requirements as enumerated in the DFARS clauses of 252.204-7012 that apply to cloud service providers.
Has an independent assessor validated that Azure Government and Office 365 U.S. Government Defense support DFARS requirements?
Yes, a third-party assessment organization has attested that the Azure Government and Office 365 U.S. Government Defense cloud service offering meets the applicable requirements of DFARS Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information).
What is the relationship between Controlled Unclassified Information (CUI) and covered defense information (CDI)?
CUI is information that requires safeguarding or disseminating controls according to law, regulation, or government-wide policy. The CUI Registry identifies approved CUI categories and subcategories.
CDI is controlled technical information or other information (as described in the CUI Registry) that requires safeguarding or dissemination controls and is either:
- Marked or otherwise identified in the contract, task order, or delivery order, and provided to the contractor by or on behalf of DoD in connection with the performance of the contract or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract
Do all Microsoft services meet the 'adequate security' requirements applicable to 'covered defense information' under the DFARS regulation?
In October 2016, the Department of Defense (DoD) promulgated a final rule implementing Defense Federal Acquisition Regulation Supplement (DFARS) clauses that apply to all DoD contractors who process, store, or transmit 'covered defense information' through their information systems. The rule states that such systems must meet the security requirements set forth in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, or an 'alternative, but equally effective, security measure' that is approved by the DoD contracting officer. Where a DoD contractor uses an external cloud service provider to process, store, or transmit covered defense information, that provider must meet security requirements equivalent to the FedRAMP Moderate baseline.
The following Microsoft cloud services have received a FedRAMP Moderate authorization and are adequate for DFARS: Azure Government, Dynamics 365 U.S. Government, Office 365 U.S. Government, and Office 365 U.S. Government Defense.
Also, Microsoft offerings outside the FedRAMP-certified boundary that could potentially be used by DoD contractors to process, store, or transmit 'covered defense information' are undergoing a review to meet a December 31, 2017, compliance deadline. Microsoft is working to document how these internal and customer-facing services comply with NIST SP 800-171 or an acceptable security equivalent, to meet the DFARS relevant clauses.
Use Microsoft Compliance Manager to assess your risk
Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.