On August 26, 2015, the DoD published an Interim Rule to implement DoD policy on the acquisition of cloud services. This Interim Rule provides a list of terms and conditions regarding cloud computing services to be used in DoD contracts for information technology services, and it introduces the requirement that offerors responding to DoD solicitations for information technology services must identify whether cloud computing services will be used in the resultant contract.
The Interim Rule adopts the policy that DoD’s cloud acquisitions should use commercial terms and conditions (such as those in End User License Agreements (EULAs) or Terms of Service (TOS)) to the extent that they are consistent with federal law and the agency’s needs. DoD’s embrace of commercial terms comes at an interesting time, given the General Services Administration’s recent class deviation that – at least in part – undermines the enforceability of certain terms in commercial supplier agreements.
The Interim Rule establishes uniform terms and conditions to be included in solicitations and contracts for information technology services. These terms and conditions cover:
- Cloud computing security requirements (including the requirement that cloud computing services providers maintain all Government data within the 50 states, the District of Columbia, or outlying areas of the United States unless otherwise authorized);
- Limitations on access to, and use and disclosure of, Government data and Government-related data;
- The contractor’s obligation in the case of a cyber incident to report the incident, preserve and protect media, allow DoD access to additional information or equipment for purposes of a forensic analysis, and provide all damage assessment information;
- Records management and facility access;
- The contractor’s obligation to notify the Contracting Officer of third-party requests for access to Government data or Government-related data;
- The contractor’s obligations to address spillage in compliance with agency procedures; and
- A flowdown requirement that the substance of the clause be included in all subcontracts that involve or may involve cloud services, including subcontractors for commercial items.
The Interim Rule impacts more than just cloud service providers seeking to sell their services to DoD. The DoD has proposed that all solicitations for information technology services contain a clause that requires contractors to indicate whether the use of cloud computing is anticipated under the resulting contract or any subcontracts. Should a contractor indicate that it does not anticipate using cloud computing services in the resultant contract, the contractor would have to obtain the Contracting Officer’s approval prior to using cloud computing services.
Both new provisions – 252.239-7009, Representation of Use of Cloud Computing, and 252.239-7010, Cloud Computing Services – will be used in procurements for information technology services, including commercial item acquisitions under FAR part 12.
A brief background on DoD’s cloud computing acquisition strategy is necessary in order to place the import of this Interim Rule into context. In June 2012, the DoD Chief Information Officer (CIO) appointed the Defense Information Systems Agency (DISA) as DoD’s Enterprise Cloud Service Broker (ECSB) and required DoD components to acquire cloud services through the ECSB or obtain a waiver. This brokerage system was created to enable DoD components to use commercial cloud services that met FedRAMP low and moderate control levels, and make them available to other DoD components through standardized contracts and leveraged authorization packages. In a December 15, 2014 memo, entitled “Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services,” the DoD CIO lifted the requirement that DoD components purchase through the ECSB. DoD components are now allowed to acquire cloud services directly so long as it is done in accordance with the security requirements outlined in FedRAMP (the minimum security baseline for all DoD cloud services) and the DoD’s Cloud Computing Security Requirements Guide (SRG) (developed by DISA for more sensitive DoD unclassified data or missions and published in January 2015). The Interim Rule implements the new policies developed within the DoD CIO’s December 15, 2014 memo as well as the SRG Version 1, Release 1 to ensure uniform application when contracting for cloud services across the DoD.
Comments on the Interim Rule, which separately addresses possible expansion of the DFARS Safeguarding Rule, are due on or before October 26, 2015.