Alex Rossino, a principal research analyst at Deltek, has said companies that provide cloud services to the Defense Department should consider three potential implications of a Defense Federal Acquisition Regulation Supplement clause and one of those is the use of the clause in solicitations.
Rossino wrote in a blog entry posted Wednesday that DoD contracting staff may alter a contract to “retroactively“ apply the DFARS clause 252.204-7012, which seeks to protect covered defense data stored in contractors' infrastructure from cyber attacks.
“Not being in compliance from the beginning of contract award could cause headaches if a problem arises later,“ Rossino noted.
He also discussed the potential use of the clause in the source selection process and its relation to vendors' compliance with the National Institute of Standards and Technology Special Publication 800-171.
“To be safe, it is probably worthwhile to have NIST SP 800-171 compliance documentation in order before submitting proposals,“ Rossino said.
He also cited the potential advantage to vendors of incorporating into proposals a plan on how to implement an automated mechanism to track the status of DOD security requirements on cloud platforms.
Rossino added that DoD's office of defense procurement and acquisition policy addressed such factors in a 27-page frequently asked questions the agency issued in January about the enforcement of new network penetration reporting rules as part of the DFARS clause.