The DoD has implemented stringent new requirements in DFARS 252.204-7012 to protect against the loss, misuse, unauthorized access, or modification of protected information and the systems that contain that information. It further imposes cyber incident reporting requirements. Defense Industrial Base contractors need assurance that their subcontractors also meet these requirements. It’s especially crucial when they are providing information systems that are hosting covered data.
Microsoft Azure Government enables Defense Industrial Base companies to build systems with assurance that they will inherit controls and processes meeting the broad set of DFARS requirements. Our control implementations meet NIST SP 800-171 (https://www.microsoft.com/en-us/TrustCenter/Compliance/DISA). We have implemented and routinely exercised a robust incident reporting process. As a Cleared Defense Contractor (CDC) we can acquire DOD-approved medium assurance certificates to report cyber incidents. Additional strengths include malware detection and reporting, and data and media disposal methodologies that meet DoD standards. As required by the nature of DoD data and Export Controls, all data is maintained and administration performed within U.S. Jurisdictions by personnel meeting DoD standards.
An additional challenge for some DIB contractors is they will have multiple U.S. Government contracts that handle Controlled Unclassified Information (CUI), Federal civilian and covered defense information. Thus, they are subject to multiple security compliance standards. Azure Government provides a single platform that meets the most stringent controls associated with the current mix of applicable standards. Besides DISA Impact Level 4 Provisional Authorization and the FedRAMP High and Moderate JAB Provisional ATOs, DIB customers further benefit from Azure Government features and services that support ITAR obligations. (https://www.microsoft.com/en-us/TrustCenter/Compliance/itar). Our newly released Using Azure Government with ITAR Controlled Data describes the principles for securing services and applications, in addition to providing guidance and best practices on how to apply these principles.
We welcome your comments and suggestions to help us improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed and to receive emails by clicking “Subscribe by Email!” on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.