|
@@ -1,32 +1,29 @@
|
|
|
1
1
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
-
<!DOCTYPE dita
|
|
3
|
-
|
|
4
|
-
<
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
class="- topic/topic concept/concept ">
|
|
10
|
-
<title class="- topic/title ">
|
|
11
|
-
<ph props="autonumber" class="- topic/ph ">252.239-7010</ph> Cloud Computing Services.</title>
|
|
12
|
-
<conbody outputclass="clause" class="- topic/body concept/conbody ">
|
|
13
|
-
<p class="- topic/p ">As prescribed in
|
|
14
|
-
<xref outputclass="fm:ParaNumOnly"
|
|
15
|
-
href="239.7604.dita#DFARS_239.7604"
|
|
16
|
-
base="DFARS-239.7604"
|
|
17
|
-
class="- topic/xref ">239.7604</xref>
|
|
2
|
+
<!DOCTYPE dita PUBLIC "-//OASIS//DTD DITA Composite//EN" "ditabase.dtd">
|
|
3
|
+
<dita xmlns:ditaarch="http://dita.oasis-open.org/architecture/2005/" ditaarch:DITAArchVersion="1.2" domains="(topic task) (topic concept) (topic concept glossentry) (topic concept glossgroup) (topic reference) (topic troubleshooting++task) (topic task) (topic abbrev-d) a(props deliveryTarget) (topic equation-d) (topic hazard-d) (topic hi-d) (topic indexing-d) (topic markup-d) (topic mathml-d) (topic pr-d) (topic relmgmt-d) (topic sw-d) (topic svg-d) (topic ui-d) (topic ut-d) (topic markup-d xml-d) (topic task strictTaskbody-c) ">
|
|
4
|
+
<concept id="DFARS_252.239-7010" ditaarch:DITAArchVersion="1.2" class="- topic/topic concept/concept ">
|
|
5
|
+
<title class="- topic/title "><ph props="autonumber" class="- topic/ph ">252.239-7010</ph> Cloud Computing Services.</title>
|
|
6
|
+
<conbody outputclass="clause" class="- topic/body concept/conbody ">
|
|
7
|
+
<p class="- topic/p ">As prescribed in
|
|
8
|
+
<xref outputclass="fm:ParaNumOnly" href="239.7604.dita#DFARS_239.7604" base="DFARS-239.7604" class="- topic/xref ">239.7604</xref>
|
|
18
9
|
(b), use the following clause:</p>
|
|
19
|
-
|
|
10
|
+
<p outputclass="Ctr_SmCaps" class="- topic/p ">CLOUD
|
|
20
11
|
COMPUTING SERVICES (JAN 2023)</p>
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
12
|
+
<info li_elems="0"/>
|
|
13
|
+
<ol>
|
|
14
|
+
<li>
|
|
15
|
+
<p outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(a)</ph><i class="+ topic/ph hi-d/i ">Definitions.</i>As used in this clause<i class="+ topic/ph hi-d/i ">—</i></p>
|
|
16
|
+
</li>
|
|
17
|
+
<li>
|
|
18
|
+
<p class="- topic/p " outputclass="List1">“Authorizing official,” as described in DoD
|
|
24
19
|
Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology
|
|
25
20
|
(IT), means the senior Federal official or executive with the authority to formally
|
|
26
21
|
assume responsibility for operating an information system at an acceptable level of risk
|
|
27
22
|
to organizational operations (including mission, functions, image, or reputation),
|
|
28
23
|
organizational assets, individuals, other organizations, and the Nation.</p>
|
|
29
|
-
|
|
24
|
+
</li>
|
|
25
|
+
<li>
|
|
26
|
+
<p class="- topic/p " outputclass="List1">“Cloud computing” means a model for enabling
|
|
30
27
|
ubiquitous, convenient, on-demand network access to a shared pool of configurable
|
|
31
28
|
computing resources (e.g., networks, servers, storage, applications, and services) that
|
|
32
29
|
can be rapidly provisioned and released with minimal management effort or service
|
|
@@ -34,97 +31,174 @@
|
|
|
34
31
|
self-service, broad network access, resource pooling, rapid elasticity, and measured
|
|
35
32
|
service. It also includes commercial offerings for software-as-a-service,
|
|
36
33
|
infrastructure-as-a-service, and platform-as-a-service.</p>
|
|
37
|
-
|
|
34
|
+
</li>
|
|
35
|
+
<li>
|
|
36
|
+
<p class="- topic/p " outputclass="List1">“Compromise” means disclosure of information to
|
|
38
37
|
unauthorized persons, or a violation of the security policy of a system, in which
|
|
39
38
|
unauthorized intentional or unintentional disclosure, modification, destruction, or loss
|
|
40
39
|
of an object, or the copying of information to unauthorized media may have occurred.</p>
|
|
41
|
-
|
|
40
|
+
</li>
|
|
41
|
+
<li>
|
|
42
|
+
<p class="- topic/p " outputclass="List1">“Cyber incident” means actions taken through the
|
|
42
43
|
use of computer networks that result in a compromise or an actual or potentially adverse
|
|
43
44
|
effect on an information system and/or the information residing therein.</p>
|
|
44
|
-
|
|
45
|
+
</li>
|
|
46
|
+
<li>
|
|
47
|
+
<p class="- topic/p " outputclass="List1">“Government data” means any information,
|
|
45
48
|
document, media, or machine readable material regardless of physical form or
|
|
46
49
|
characteristics, that is created or obtained by the Government in the course of official
|
|
47
50
|
Government business.</p>
|
|
48
|
-
|
|
51
|
+
</li>
|
|
52
|
+
<li>
|
|
53
|
+
<p class="- topic/p " outputclass="List1">“Government-related data” means any information,
|
|
49
54
|
document, media, or machine readable material regardless of physical form or
|
|
50
55
|
characteristics that is created or obtained by a contractor through the storage,
|
|
51
|
-
processing, or communication of Government data. This does not include contractor
|
|
56
|
+
processing, or communication of Government data. This does not include contractor's
|
|
52
57
|
business records e.g. financial records, legal records etc. or data such as operating
|
|
53
58
|
procedures, software coding or algorithms that are not uniquely applied to the
|
|
54
59
|
Government data.</p>
|
|
55
|
-
|
|
60
|
+
</li>
|
|
61
|
+
<li>
|
|
62
|
+
<p class="- topic/p " outputclass="List1">“Information system” means a discrete set of
|
|
56
63
|
information resources organized for the collection, processing, maintenance, use,
|
|
57
64
|
sharing, dissemination, or disposition of information.</p>
|
|
58
|
-
|
|
65
|
+
</li>
|
|
66
|
+
<li>
|
|
67
|
+
<p class="- topic/p " outputclass="List1">“Media” means physical devices or writing
|
|
59
68
|
surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks,
|
|
60
69
|
large-scale integration memory chips, and printouts onto which information is recorded,
|
|
61
70
|
stored, or printed within an information system.</p>
|
|
62
|
-
|
|
71
|
+
</li>
|
|
72
|
+
<li>
|
|
73
|
+
<p class="- topic/p " outputclass="List1">“Spillage” security incident that results in the
|
|
63
74
|
transfer of classified or controlled unclassified information onto an information system
|
|
64
75
|
not accredited (i.e., authorized) for the appropriate security level.</p>
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
76
|
+
</li>
|
|
77
|
+
<li>
|
|
78
|
+
<p outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(b)</ph><i class="+ topic/ph hi-d/i ">Cloud computing security requirements.</i> The requirements of this clause are applicable when using cloud computing to provide information technology services in the performance of the contract.</p>
|
|
79
|
+
<info li_elems="0"/>
|
|
80
|
+
<ol>
|
|
81
|
+
<li>
|
|
82
|
+
<p outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(1)</ph> If the Contractor indicated in its offer that it “does not anticipate the use of cloud computing services in the performance of a resultant contract,” in response to provision
|
|
83
|
+
<xref outputclass="fm:ParaNumOnly" href="252.239-7009.dita#DFARS_252.239-7009" base="i1383749" class="- topic/xref ">252.239-7009</xref>
|
|
71
84
|
, Representation of Use of Cloud Computing, and after the award of this contract, the Contractor proposes to use cloud computing services in the performance of the contract, the Contractor shall obtain approval from the Contracting Officer prior to utilizing cloud computing services in performance of the contract.</p>
|
|
72
|
-
|
|
85
|
+
</li>
|
|
86
|
+
<li>
|
|
87
|
+
<p outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(2)</ph> The Contractor shall implement and maintain
|
|
73
88
|
administrative, technical, and physical safeguards and controls with the security level
|
|
74
89
|
and services required in accordance with the Cloud Computing Security Requirements Guide
|
|
75
90
|
(SRG) (version in effect at the time the solicitation is issued or as authorized by the
|
|
76
91
|
Contracting Officer) found at
|
|
77
|
-
<i>
|
|
78
|
-
<xref href="https://public.cyber.mil/dccs/dccs-documents/"
|
|
79
|
-
format="html"
|
|
80
|
-
scope="external">https://public.cyber.mil/dccs/dccs-documents/</xref>
|
|
81
|
-
</i>
|
|
92
|
+
<i><xref href="https://public.cyber.mil/dccs/dccs-documents/" format="html" scope="external">https://public.cyber.mil/dccs/dccs-documents/</xref></i>
|
|
82
93
|
unless notified by the Contracting Officer that this requirement has been waived by
|
|
83
94
|
the DoD Chief Information Officer.
|
|
84
95
|
</p>
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
class="- topic/xref ">239.7602-2</xref>
|
|
96
|
+
</li>
|
|
97
|
+
<li>
|
|
98
|
+
<p outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(3)</ph> The Contractor shall maintain within the United States or outlying areas all Government data that is not physically located on DoD premises, unless the Contractor receives written notification from the Contracting Officer to use another location, in accordance with DFARS
|
|
99
|
+
<xref outputclass="fm:ParaNumOnly" href="239.7602-2.dita#DFARS_239.7602-2" base="i1380412" class="- topic/xref ">239.7602-2</xref>
|
|
90
100
|
(a).</p>
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
101
|
+
<info li_elems="2"/>
|
|
102
|
+
</li>
|
|
103
|
+
</ol>
|
|
104
|
+
</li>
|
|
105
|
+
<li>
|
|
106
|
+
<p outputclass="List1" class="- topic/p ">
|
|
107
|
+
<ph props="autonumber" class="-topic/ph">(c)</ph>
|
|
108
|
+
<i class="+ topic/ph hi-d/i ">Limitations on access to, and use and disclosure of Government data and Government-related data.</i>
|
|
109
|
+
</p>
|
|
110
|
+
<info li_elems="0"/>
|
|
111
|
+
<ol>
|
|
112
|
+
<li>
|
|
113
|
+
<p outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(1)</ph> The Contractor shall not access, use, or disclose Government data unless specifically authorized by the terms of this contract or a task order or delivery order issued hereunder.</p>
|
|
114
|
+
<info li_elems="0"/>
|
|
115
|
+
<ol>
|
|
116
|
+
<li>
|
|
117
|
+
<p outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(i)</ph> If authorized by the terms of this contract or a task order or delivery order issued hereunder, any access to, or use or disclosure of, Government data shall only be for purposes specified in this contract or task order or delivery order.</p>
|
|
118
|
+
</li>
|
|
119
|
+
<li>
|
|
120
|
+
<p outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(ii)</ph> The Contractor shall ensure that its employees are subject to all such access, use, and disclosure prohibitions and obligations.</p>
|
|
121
|
+
</li>
|
|
122
|
+
<li>
|
|
123
|
+
<p outputclass="List3" class="- topic/p "><ph props="autonumber" class="-topic/ph">(iii)</ph> These access, use, and disclosure prohibitions and obligations shall survive the expiration or termination of this contract.</p>
|
|
124
|
+
<info li_elems="2"/>
|
|
125
|
+
</li>
|
|
126
|
+
</ol>
|
|
127
|
+
</li>
|
|
128
|
+
<li>
|
|
129
|
+
<p outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(2)</ph> The Contractor shall use Government-related data only to manage the operational environment that supports the Government data and for no other purpose unless otherwise permitted with the prior written approval of the Contracting Officer.</p>
|
|
130
|
+
<info li_elems="2"/>
|
|
131
|
+
</li>
|
|
132
|
+
</ol>
|
|
133
|
+
</li>
|
|
134
|
+
<li>
|
|
135
|
+
<p class="- topic/p " outputclass="List1"><ph props="autonumber" class="-topic/ph">(d)</ph><i class="+ topic/ph hi-d/i ">Cloud computing
|
|
99
136
|
services cyber incident reporting.</i> The Contractor shall report all cyber
|
|
100
137
|
incidents that are related to the cloud computing service provided under this contract.
|
|
101
138
|
Reports shall be submitted to DoD via <xref href="http://dibnet.dod.mil/" format="html" scope="external"/>. </p>
|
|
102
|
-
|
|
103
|
-
|
|
139
|
+
</li>
|
|
140
|
+
<li>
|
|
141
|
+
<p outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(e)</ph><i class="+ topic/ph hi-d/i ">Malicious software</i>. The Contractor or subcontractors that discover and isolate malicious software in connection with a reported cyber incident shall submit the malicious software in accordance with instructions provided by the Contracting Officer.</p>
|
|
142
|
+
</li>
|
|
143
|
+
<li>
|
|
144
|
+
<p class="- topic/p " outputclass="List1"><ph props="autonumber" class="-topic/ph">(f)</ph><i class="+ topic/ph hi-d/i ">Media
|
|
104
145
|
preservation and protection</i>. When a Contractor discovers a cyber incident has
|
|
105
146
|
occurred, the Contractor shall preserve and protect images of all known affected
|
|
106
147
|
information systems identified in the cyber incident report (see paragraph (d) of this
|
|
107
148
|
clause) and all relevant monitoring/packet capture data for at least 90 days from the
|
|
108
149
|
submission of the cyber incident report to allow DoD to request the media or decline
|
|
109
150
|
interest.</p>
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
151
|
+
</li>
|
|
152
|
+
<li>
|
|
153
|
+
<p outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(g)</ph><i class="+ topic/ph hi-d/i ">Access to additional information or equipment necessary for forensic analysis.</i>Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.</p>
|
|
154
|
+
</li>
|
|
155
|
+
<li>
|
|
156
|
+
<p outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(h)</ph><i class="+ topic/ph hi-d/i ">Cyber incident damage assessment activities</i>. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (f) of this clause.</p>
|
|
157
|
+
<info li_elems="0"/>
|
|
158
|
+
<ol>
|
|
159
|
+
<li>
|
|
160
|
+
<ol>
|
|
161
|
+
<li>
|
|
162
|
+
<p outputclass="List3" class="- topic/p ">
|
|
163
|
+
<ph props="autonumber" class="-topic/ph">(i)</ph>
|
|
164
|
+
<i class="+ topic/ph hi-d/i ">Records management and facility access.</i>
|
|
165
|
+
</p>
|
|
166
|
+
<info li_elems="1"/>
|
|
167
|
+
</li>
|
|
168
|
+
</ol>
|
|
169
|
+
</li>
|
|
170
|
+
<li>
|
|
171
|
+
<p outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(1)</ph> The Contractor shall provide the Contracting Officer all Government data and Government-related data in the format specified in the contract.</p>
|
|
172
|
+
</li>
|
|
173
|
+
<li>
|
|
174
|
+
<p outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(2)</ph> The Contractor shall dispose of Government data and Government-related data in accordance with the terms of the contract and provide the confirmation of disposition to the Contracting Officer in accordance with contract closeout procedures.</p>
|
|
175
|
+
</li>
|
|
176
|
+
<li>
|
|
177
|
+
<p outputclass="List2" class="- topic/p "><ph props="autonumber" class="-topic/ph">(3)</ph> The Contractor shall provide the Government, or its authorized representatives, access to all Government data and Government-related data, access to contractor personnel involved in performance of the contract, and physical access to any Contractor facility with Government data, for the purpose of audits, investigations, inspections, or other similar activities, as authorized by law or regulation.</p>
|
|
178
|
+
<info li_elems="2"/>
|
|
179
|
+
</li>
|
|
180
|
+
</ol>
|
|
181
|
+
</li>
|
|
182
|
+
<li>
|
|
183
|
+
<p class="- topic/p " outputclass="List1"><ph props="autonumber" class="-topic/ph">(j)</ph><i class="+ topic/ph hi-d/i ">Notification of
|
|
118
184
|
third party access requests.</i> The Contractor shall notify the Contracting Officer
|
|
119
185
|
promptly of any requests from a third party for access to Government data or
|
|
120
186
|
Government-related data, including any warrants, seizures, or subpoenas it receives,
|
|
121
187
|
including those from another Federal, State, or local agency.</p>
|
|
122
|
-
|
|
188
|
+
</li>
|
|
189
|
+
<li>
|
|
190
|
+
<p class="- topic/p " outputclass="List1">The Contractor shall cooperate with the
|
|
123
191
|
Contracting Officer to take all measures to protect Government data and
|
|
124
192
|
Government-related data from any unauthorized disclosure.</p>
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
193
|
+
</li>
|
|
194
|
+
<li>
|
|
195
|
+
<p outputclass="List1" class="- topic/p "><ph props="autonumber" class="-topic/ph">(k)</ph><i class="+ topic/ph hi-d/i ">Spillage.</i>Upon notification by the Government of a spillage, or upon the Contractor's discovery of a spillage, the Contractor shall cooperate with the Contracting Officer to address the spillage in compliance with agency procedures.</p>
|
|
196
|
+
</li>
|
|
197
|
+
<li>
|
|
198
|
+
<p class="- topic/p " outputclass="List1"><ph props="autonumber" class="-topic/ph">(l)</ph><i class="+ topic/ph hi-d/i ">Subcontracts</i>. The Contractor shall include this clause, including this paragraph (l), in all subcontracts that involve or may involve cloud services, including subcontracts for commercial services.</p>
|
|
199
|
+
</li>
|
|
200
|
+
</ol>
|
|
201
|
+
<p outputclass="Endofclause" class="- topic/p ">(End of clause)</p>
|
|
202
|
+
</conbody>
|
|
203
|
+
</concept>
|
|
130
204
|
</dita>
|