Microsoft is furthering its commitment to U.S. Department of Defense (DoD) contractors and the Defense Industrial Base (DIB) by announcing support for Defense Federal Acquisition Regulation Supplement (DFARS) requirements for Azure Government Services. This allows DoD’s mission partners to host Covered Defense Information (CDI) in Microsoft’s secure, compliant cloud dedicated to US government workloads.
DFARS 252.204-7012 specifies required contract clauses related to safeguarding Covered Defense Information and cyber incident reporting requirements for cloud service providers (CSPs). Compliance with DFARS requirements for adequate security under DFARS 252.204-7012(b) is required ‘as soon as practical, but no later than December 31, 2017’ for all DoD contractors and the DIB per DFARS 252.204-7012.
- DFARS 252.204-7012 (b) (2) (II) (D) – Azure Government has undergone independent, third-party audits and has a Provisional Authority to Operate (P-ATO) at the FedRAMP High baseline. The security requirements supported by our FedRAMP High P-ATO exceed those in the “adequate security” provisions of DFARS 252.204-7012 and can be leveraged by customers to support their DoD contracts and meet the requirements for those services in scope of the FedRAMP P-ATO.
- DFARS 252.204-7012 (c) Cyber Incident Reporting – Microsoft has implemented robust security practices and processes for cyber incident reporting in Azure Government per its FedRAMP obligations and Microsoft’s Online Services Terms that meet and exceed the requirements for those services in scope of the FedRAMP P-ATO.
- DFARS 252.204-7012 (d) Malicious Software & (e) Media preservation and protection – Azure Government meets the requirements for those in-scope services through its support for FedRAMP core control SI-3, Malicious Code Protection, and FedRAMP controls for Incident Response and Media Protection, all of which are tested as part of annual assessments to validate that the controls are implemented and provide commensurate levels of protection.
- DFARS 252.204-7012 (f) Access to additional information or equipment necessary for forensic analysis – Microsoft makes commitments in its Online Services Terms to provide detailed information related to Security Incident Notification to the customer and the DoD upon request.
- DFARS 252.204-7012 (g) Cyber incident damage assessment activities – Microsoft supports its customers with the damage assessment activities to investigate the cyber incident. Audit and monitoring data are designed to be retained for at least 90 days to support the investigation of security incidents.
Azure Government has been validated by independent, third-party attestation and provides our DIB and defense contractor customers services designed to meet the DFARS requirements as enumerated in the DFARS clauses of 252.204-7012 that apply to CSPs. Defense contractors required to include the DFARS clause 252.204-7012 in contracts can have confidence that Microsoft is able to accept the flow down terms applicable to cloud service providers (CSPs) for Azure Government Services covered by our FedRAMP High P-ATO. This is significant as the DoD and its mission partners continue to expand adoption of commercial cloud computing in support of contracts for programs and mission systems.
Microsoft is committed to supporting DoD contractors and the DIB. In announcing support for DFARS requirements, we are continuing to build upon the foundation of previous announcements of Azure Government support for building ITAR capable systems, and our DoD Impact Level 4 and DoD Impact Level 5 provisional authorizations.
Office 365 US Government Defense is also able to accept the flow down terms based on FedRAMP+ requirements. For more details on Office 365 US Government Defense, please visit the Service Description (http://aka.ms/o365usgovservicedescription) and contact your Microsoft representative.
We welcome your comments and suggestions to help us continually improve your Azure Government experience. To stay up to date on all things Azure Government, subscribe to our RSS feed; to receive emails, click “Subscribe by Email” on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.