Alex Rossino, a principal research analyst at Deltek, has said companies that provide cloud services to the Defense Department should consider three potential implications of a Defense Federal Acquisition Regulation Supplement clause, one of which is the use of the clause in solicitations.
Rossino wrote in a blog entry posted Wednesday that DoD contracting staff may alter a contract to “retroactively” apply the DFARS clause 252.204-7012, which seeks to protect covered defense data stored in contractors’ infrastructure from cyber attacks.
“Not being in compliance from the beginning of contract award could cause headaches if a problem arises later,” Rossino noted.
He also discussed the potential use of the clause in the source selection process and its relation to vendors’ compliance with the National Institute of Standards and Technology Special Publication 800-171.
“To be safe, it is probably worthwhile to have NIST SP 800-171 compliance documentation in order before submitting proposals,” Rossino said.
He also cited the potential advantage to vendors of including in their proposals a plan for implementing an automated mechanism to track the status of DoD security requirements on cloud platforms.
Rossino added that DoD’s office of defense procurement and acquisition policy addressed such factors in a 27-page frequently asked questions document the agency issued in January about the enforcement of new network penetration reporting rules as part of the DFARS clause.