Defense Federal Acquisition Regulation Supplement (DFARS)

DFARS overview

Defense contractors whose information systems process, store, or transmit covered defense information (CDI) must comply with the Department of Defense (DoD) Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, which specifies requirements for the protection of controlled unclassified information (CUI) in accordance with NIST SP 800-171, cyber incident reporting obligations, and other considerations for cloud service providers. All DoD contractors are required to comply with DFARS requirements for adequate security.

In September 2020, DoD published a DFARS Interim Rule that established three new DFARS requirements and expanded upon the initial DFARS Clause 252.204-7012:

• DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements mandates that the DIB contractor undergo self-assessments that meet the NIST SP 800-171 DoD Assessment Methodology at least every three years. Summary level scores of these assessments shall be posted in the DoD Supplier Performance Risk System (SPRS).
• DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements requires that the DIB contractor provide access to their facilities, systems, and personnel when DoD is conducting a Medium or High NIST SP 800-171 assessment.
• DFARS 252.204-7021 Cybersecurity Maturity Model Certification (CMMC) Requirements stipulates that the DIB contractor shall have current (not older than 3 years) CMMC certificate at the CMMC level required for the contract and maintain the CMMC certification at the required level for the duration of the contract.

These changes ensure that standalone self-attestation of compliance with DFARS 252.204-7012 by the Defense Industrial Base (DIB) contractors will no longer be sufficient to meet DoD contractual requirements. Instead, DoD has mandated that DIB contractors furnish evidence of both the DFARS 252.204-7012 self-attestation and an independent third-party Cybersecurity Maturity Model Certification (CMMC) to qualify for DoD contracts.

Azure support for DFARS

Both Azure and Azure Government provide the same controls for data encryption, including support for customer-managed encryption keys stored in FIPS 140 validated hardware security modules (HSMs) managed by Azure Key Vault. Moreover, an accredited third-party assessment organization (3PAO) has attested that both Azure and Azure Government meet the applicable requirements of the DFARS Clause 252.204-7012.

The US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. FedRAMP is based on the National Institute of Standards and Technology (NIST) SP 800-53 standard, augmented by FedRAMP controls and control enhancements. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB). Implementation of the FedRAMP High baseline ensures that Azure Commercial and Azure Government cloud service offerings comply with the DFARS Clause 252.204-7012, using the systems and practices that are currently in place and validated as part of annual assessments.

Mapping tables in the NIST SP 800-171 Appendix D (D1 through D14) provide control mapping between CUI security requirements and relevant security controls in NIST SP 800-53, indicating that NIST SP 800-171 represents a subset of the NIST SP 800-53 controls for which Azure has already been assessed and authorized under FedRAMP. Therefore, you can be assured that FedRAMP High baseline addresses fully and exceeds the requirements of NIST SP 800-171. All Azure and Azure Government services that have received FedRAMP High P-ATO conform to the NIST SP 800-171 requirements and can accommodate customers looking to deploy CUI workloads.

Note

For more information about Azure support for NIST SP 800-171, see the Azure NIST SP 800-171 documentation.

Both Azure and Azure Government provide:

• FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB). FedRAMP High P-ATO addresses security controls related to the safeguarding of federal contract information (FCI), controlled unclassified information (CUI), and covered defense information (CDI).
• Attestation of compliance with the DFARS Clause 252.204-7012 provided by an independent third-party assessment organization (3PAO) that is accredited by FedRAMP. See Attestation documents for more information.

Azure Government offers extra assurances:

• DoD Cloud Computing Security Requirements Guide (SRG) Impact Level 4 (IL4) and Impact Level 5 (IL5) provisional authorizations (PA) issued by the Defense Information Systems Agency (DISA).
• Contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons.

For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiatives for Azure and Azure Government, which map to FedRAMP High, DoD IL4, and DoD IL5 compliance domains and controls:

• Azure
  • FedRAMP High Azure regulatory compliance built-in initiative
• Azure Government
  • FedRAMP High Azure Government regulatory compliance built-in initiative
  • DoD IL4 Azure Government regulatory compliance built-in initiative
  • DoD IL5 Azure Government regulatory compliance built-in initiative

Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each FedRAMP High, DoD IL4, and DoD IL5 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Microsoft has released a DFARS customer responsibility matrix for Azure Government to document Microsoft compliance status and identify customer responsibilities for compliance with DFARS Clause 252.204-7012 requirements. DFARS customer responsibility matrix can be downloaded from the Service Trust Portal (STP) Azure Security and Compliance Blueprints section under DoD Blueprints.

Applicability

• Azure
• Azure Government

Services in scope

• Azure services in scope for DFARS reflect the Azure FedRAMP High P-ATO scope.
• Azure Government services in scope for DFARS reflect the Azure Government FedRAMP High P-ATO scope.

For more information, see Cloud services in audit scope.

Office 365 and DFARS

For more information about Office 365 compliance, see Office 365 DFARS documentation.

Attestation documents

For instructions on how to access attestation documents, see Audit documentation. The following attestation letters are available from the Service Trust Portal (STP) United States Government section:

• Azure Commercial – Attestation of Compliance with DFARS
• Azure Government – Attestation of Compliance with DFARS

An accredited third-party assessment organization (3PAO) has attested that Azure (also known as Azure Commercial) and Azure Government meet the applicable requirements of the DFARS Clause 252.204-7012.

Frequently asked questions

Which DFARS requirements are supported by Azure?
Azure and Azure Government can help you meet the requirements stated in the DFARS Clause 252.204-7012 that apply to cloud service providers.

Can Azure help customers subject to CMMC compliance obligations?
Yes. For more information, see Azure CMMC documentation.

What is the relationship between controlled unclassified information (CUI) and covered defense information (CDI)?
CUI is information that requires safeguarding or disseminating controls according to law, regulation, or government-wide policy. The CUI Registry identifies approved CUI categories and subcategories.

CDI is controlled technical information or other information (as described in the CUI Registry) that requires safeguarding or dissemination controls and is either:

• Marked or otherwise identified in the contract, task order, or delivery order, and provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or
• Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Where can I get the Azure DFARS attestation documents?
For links to attestation documentation, see Attestation documents.

How do Azure services meet the adequate security requirements pertinent to DFARS?
In October 2016, the Department of Defense (DoD) promulgated a final rule implementing Defense Federal Acquisition Regulation Supplement (DFARS) clauses that apply to all DoD contractors who process, store, or transmit covered defense information through their information systems. The rule states that such systems must meet the security requirements set forth in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, or an “alternative, but equally effective, security measure” that is approved by the DoD contracting officer. Where a DoD contractor uses an external cloud service provider to process, store, or transmit covered defense information, such provider must meet security requirements that are equivalent to the FedRAMP Moderate baseline.

Azure and Azure Government maintain a FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB), which represents the highest bar for FedRAMP compliance. NIST SP 800-171 mapping tables in Appendix D (D1 through D14) provide control mapping between CUI security requirements and relevant security controls in NIST SP 800-53, indicating that NIST SP 800-171 represents a subset of the NIST SP 800-53 controls for which Azure and Azure Government have already been assessed and authorized under FedRAMP. Therefore, you can be assured that FedRAMP High baseline addresses fully and exceeds the requirements of NIST SP 800-171. All Azure and Azure Government services that have received FedRAMP High authorization conform to the NIST SP 800-171 requirements, and can help you deploy CUI workloads. For more information about Azure support for NIST SP 800-171, see the Azure NIST SP 800-171 documentation.

Moreover, both Azure and Azure Government have received attestation letters of compliance with the DFARS Clause 252.204-7012 provided by an independent third-party assessment organization (3PAO) that is accredited by FedRAMP. See Attestation documents for more information.

Resources

• Azure compliance documentation
• Azure enables a world of compliance
• Microsoft 365 compliance offerings
• Compliance on the Microsoft Trust Center
• What is Azure Government?
• Explore Azure Government
• Microsoft for defense and intelligence
• DFARS Clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
• CUI Registry and CUI Category List
• NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations