Answer the following questions:

Slides:



Advertisements
Similar presentations
Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.
Advertisements

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Data Ownership Responsibilities & Procedures
Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
IS Audit Function Knowledge
Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Security Policies Group 1 - Week 8 policy for use of technology.
Cloud Computing Guide & Handbook SAI USA Madhav Panwar.
Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.
Complying With The Federal Information Security Act (FISMA)
Federalwide Assurance Presentation for IRB Members.
Section Seven: Information Systems Security Note: All classified markings contained within this presentation are for training purposes only.
DFARS & What is Unclassified Controlled Technical Information (UCTI)?
Cloud Computing. What is Cloud Computing? Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable.
NIST Special Publication Revision 1
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
1 Defense Health Agency Privacy and Civil Liberties Office Data Sharing Program Overview Ms. Rita DeShields DHA Data Sharing Compliance Manager August.
COMPETITION REQUIREMENTS
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Drs. Krishna and Webb October 31,  6  6.1  6.2  6.3  6.4  7.1, 7.2, 7.3, 7.4  7  7.3  7.4  LUNCH ANSI Training 2013: Webb/Krishna.
Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.
International Atomic Energy Agency Roles and responsibilities for development of disposal facilities Phil Metcalf Workshop on Strategy and Methodologies.
Business & Contracting – Module 7 ELO-170Identify risks of not having a direct contractual relationship with the cloud service provider. ELO-180Match cloud-related.
Managing a “Data Spill”
Definitions – Module 8 CLE - Module 9 - Definitions1.
Software Acquisition Management. Cloud Computing 2.
Business & Contracting – Module 6 ELO 6.1Identify the Cloud-related guidance when contracting for cloud services ELO 6.2Identify contract and legal considerations.
State of Georgia Release Management Training
Sharing Information (FERPA) FY07 REMS Initial Grantee Meeting December 5, 2007, San Diego, CA U.S. Department of Education, Office of Safe and Drug-Free.
ISA 201 Intermediate Information Systems Acquisition.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
1 Consent to Subcontract Breakout Session # D12 Name: Rita Wells Daniel Johnson Anthony Simmons Date:July 12, 2011 Time:11:15 – 12:30.
Small Business and Subcontracting. Subcontracting for Small Business 6 steps to successful subcontracting 6. Report Contractor performance 1. Consider.
1DoD Cloud Computing Read the provided excerpts from - The “25 Point Implementation Plan to Reform Federal IT” - DoD Cloud Computing Strategy - The National.
Chapter 6 Internal Control in a Financial Statement Audit McGraw-Hill/IrwinCopyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Dr. Ir. Yeffry Handoko Putra
Nassau Association of School Technologists
Safeguarding CDI - compliance with DFARS
Chapter 6: Securing the Cloud
ISA 201 Intermediate Information Systems Acquisition
Safeguarding Covered Defense Information
Consent to Subcontract
VIRTUALIZATION & CLOUD COMPUTING
Recommendation 6: Using ‘cloud computing’ to meet the societal need ‘Faster and transparent access to public sector services’ Cloud computing Faster and.
Small Business and Subcontracting.
Introduction to the Federal Defense Acquisition Regulation
Paul Woods Chair, MITIGATION: Ensuring we procure cloud services taking into account of the risks involved Paul Woods Chair, ISNorthEast.
CNIT131 Internet Basics & Beginning HTML
Bob Siegel President Privacy Ref, Inc.
Red Flags Rule An Introduction County College of Morris
Supplier Information Session Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS August 16, 2016 Christian Ortego.
DFARS Cybersecurity Requirements
Spencer County Public Schools Responsible Use Policy for Technology and Related Devices Spencer County Public Schools has access to and use of the Internet.
Cybersecurity Special Public Meeting/Commission Workshop for Natural Gas Utilities September 27, 2018.
EDUCAUSE Security Professionals Conference 2018 Jason Pufahl, CISO
Operationalizing Export Certification and Regionalization Programmes
Fundamental Concepts and Models
Omnibus IV Contracting Strategy Michael D’Alessandro
Export Controls – Export Provisions in Research Agreements
Internal Control Internal control is the process designed and affected by owners, management, and other personnel. It is implemented to address business.
Answer the following questions:
Radiopharmaceutical Production
City & County of San Francisco Technology Purchasing Guidelines
Cloud Computing for Wireless Networks
Presentation transcript:

Answer the following questions: Exercise 1 – Team 1 Read the Information Technology Business Case Analysis from the Department of the Navy, My Navy Portal – Hosting Initiative Answer the following questions: What were the discriminating factors used in the analysis of alternatives for the My Navy Portal (MNP) Business Case Analysis (BCA)? What quantitative measures were used to evaluate the alternatives? What cloud service model and cloud deployment model is being considered for MNP? What information impact level is the data and mission that would be stored and processed in the CSO? What are the four alternatives evaluated for the MNP BCA, and what four alternatives were considered to be non-viable alternatives? Why were they considered non-viable? Is there someplace to check to see if they are currently non-viable? Could they have been considered? If so, what would need to completed? Summarize the analysis of the four alternatives. Which alternative had the highest security risk? Which alternative was recommended? How did they or how would you justify the recommendation? How are they recommending to manage the risk? What is still required before MNP can be operationalized? DoD Cloud Computing

Exercise 1 Notional Answer What were the discriminating factors used in the analysis of alternatives for the My Navy Portal (MNP) Business Case Analysis (BCA)? What quantitative measures were used to evaluate the alternatives? What cloud service model and cloud deployment model is being considered for MNP? What information impact level is the data and mission that would be stored and processed in the CSO? What are the four alternatives evaluated for the MNP BCA, and what four alternatives were considered to be non-viable alternatives? Why were they considered non-viable? Is there someplace to check to see if they are currently non-viable? Could they have been considered, what would need to completed? Summarize the analysis of the four alternatives. Which alternative had the highest security risk? Which alternative was recommended? How did they or how would you justify the recommendation? How are they recommending to manage the risk? What is still required before MNP can be operationalized? What were the discriminating factors used in the analysis of alternatives for the My Navy Portal (MNP) Business Case Analysis (BCA)? What quantitative measures were used to evaluate the alternatives? The analysis examines discriminating factors that include portal deployment and consolidation, Identity and Access Management (IDAM), scalability, reliability, maintainability, sustainability, security, and logistics. The analysis quantitatively describes the alternatives in terms of requirements, cost, and risk. 2. What cloud service model and cloud deployment model is being considered for MNP? What information impact level is the data and mission that would be stored and processed in the CSO? It’s hard to tell exactly what the CSO required. At a minimum, it appears they are looking for Infrastructure as a Service, since that is what DISA’s milCloud is, and there is some language that mentions hosting of applications. It’s possible that Platform as a Service is required. Deployment model would be either Private or Community cloud for Information Impact Level 4 missions. Only IIL 2 can be stored or processed on Private clouds. 3. What are the four alternatives evaluated for the MNP BCA, and what four alternatives were considered to be non-viable alternatives? Why were they considered non-viable? Is there someplace to check to see if they are currently non-viable? Could they have been considered, what would need to completed? The four alternatives considered: Navy Enterprise Data Center, Next Generation Enterprise Networks (NGEN) Data Center, Amazon Web Service Gov Cloud, DISA’s milCloud. The four alternatives considered to be non-viable were considered non-viable since they did not meet the security impact level requirements of MNP (i.e. did not have a DoD PA for IIL 4 for their CSO): • Hewlett-Packard Cloud, • Autonomic Resources Cloud Platform, • CGI Federal Cloud, and • Microsoft Azure Government IaaS – Microsoft Corporation. The DISA Cloud Service Catalog would indicate whether these CSPs’ CSOs have received a DoD PA for IIL 4. Just because they didn’t have a DoD PA for IIL 4 doesn’t mean they couldn’t be considered, but the mission owner for MNP would have to gone through the rest of the Assessment and Authorization process to get the DoD PA for IIL 4. Summarize the analysis of the four alternatives. Which alternative had the highest security risk? Which alternative was recommended? How did they or how would you justify the recommendation? How are they recommending to manage the risk? See the table in the BCA for the results. AWS GovCloud had the highest security risk, but it was still the recommended solution. Their recommendation is based upon AWS has the most effective impact analysis, AWS has the lowest LCCE, and while AWS has the highest risk, primarily due to security concerns and the fact that it is new and has not previously been used by PMW 240 or other Navy customers. However, the higher risk is expected and when monetized does not increase the LCCE above the alternatives, such that AWS remains the most cost effective solution. The mitigation strategy was to hire a full time equivalent information assurance specialist. 5. What is still required before MNP can be operationalized? It still needs an Authority to Operate (ATO) from the Authorizing Official responsible for MNP. DoD Cloud Computing

Exercise 2 – Team 2 Read and summarize the Army CIO’s Memo and Encl 2 and identify how the Army’s process is similar to, or dissimilar from, the DoD CIO’s updated guidance Read the “FedRAMP Security Assessment Framework V 2.1” Explain the purpose of FedRAMP Explain the concept of “Do Once, Use Many Times” what must be completed individually. What are the duties and responsibilities of a Cloud Service Provider? DoD Cloud Computing

Exercise 2 Notional Answer FedRAMP is a U.S. Government program to standardize how the Federal Information Security Management Act (FISMA) applies to cloud computing services. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud based services. “Do once, use many times” intends to reduce cost, time and staff required for security assessments and process monitoring reports DoD leverages FedRAMP Joint Assessment Board Provisional Authorizations and non-DoD US Gov’t Federal Agency ATO packages residing in the FedRAMP Secure Repository when assessing a CSO for a DoD PA Security Assessment Packages, FedRAMP and DoD PAs can be used many times An ATO needs to be granted by the Component Authorizing Official, it could be reused if your mission falls under a Component AO’s existing ATO CSP Duties: Implement security controls based upon FedRAMP security baseline. Create security assessment packages in accordance with FedRAMP requirements. Contract with an independent 3PAO to perform initial system assessment and required ongoing assessments and authorizations. Maintain Continuous Monitoring programs. Comply with Federal Requirements for Change Control and Incident Reporting. Army CIO Memo/policy established the Army Application Migration Business Office. Army is suppose to migrate to DoD-approved hosting facilities to include commercial options. They are to complete rationalization and disposition. Disposition of “kill” is to terminate a program New, sustain or modernize the mission owner is to complete the Information Technology Cost Benefit Analysis which fulfills the requirement to complete the IT Business Case Analysis. For migration, mission owners are to work with AAMBO to migrate mission to a commercial service provider. Need to assess against information impact levels, using the CC SRG and the RMF process to obtain Authorization Official’s Authority to Operate. Summarize Enc 2: See what they come up with. There is some good information about what missions cannot be moved off premise, such as weapon system, command and control, etc. DoD Cloud Computing

Exercise 3 – Team 3 Given that a DoD Agency desires migrating its military medical files and email capability to the cloud, Determine the Information Impact Level of the proposed data to be moved to the cloud Identify which of the three cloud service models the agency could use from a commercial CSP Recommend a cloud deployment model or models appropriate for the agency’s requirement. Where could the data be stored for this mission? Conduct Internet research to identify a viable commercial solution and describe what steps have been taken so far What are some of the contract clauses that you would want to make sure were included in the Performance Work Statement with the Cloud Service Provider? DoD Cloud Computing

Exercise 3 Notional Solution Given that a DoD Agency desires migrating its military medical files and email capability (IIL 4) to the cloud, Identify which of the three cloud service models the agency could use from a commercial cloud service provider – SaaS, IaaS Identify the characteristics of the model(s) – Vendor manages applications for email, vendor provides storage for medical files Give examples of how the agency could use the models to perform its health services mission – less focus on managing the IT network and applications and more attention on health care Recommend a cloud deployment model or models for the agency’s health services mission – Private or Community Conduct Internet research to identify a viable commercial solution and describe what steps have been taken so far – Amazon Web Services GovCloud (IaaS) and DoD Oracle Service Cloud (SaaS) (ELOs 31.1.1.9, 31.1.1.10, 31.1.1.11, 31.1.1.12, 31.1.1.14) Cloud service offerings that were granted DoD PAs: AINS eCase. Service Model: Platform as a Service (PaaS) and Software as a Service (SaaS). FedRAMP Agency ATO by Department of Housing and Urban Development (HUD) Akamai Content Delivery Services. Service Model: Infrastructure as a Service (IaaS). FedRAMP JAB PA Amazon Redshift. Service Model: Infrastructure as a Service (IaaS). FedRAMP Agency ATO by Department of Health and Human Services AT&T Storage as a Service (STaaS). Service Model: Infrastructure as a Service (IaaS) . FedRAMP JAB PA Autonomic Resources Cloud Platform (ARC-P). Service Model: Infrastructure as a Service (IaaS) . FedRAMP JAB PA Clear Government Solutions FedGRID Government Community Cloud. Service Model: Infrastructure as a Service (IaaS) . FedRAMP JAB PA Concurrent Technologies Corporation Unclassified Remote Hosted Desktops (URHD). Service Model: Software as a Service (SaaS) . FedRAMP JAB PA Economic Systems Federal Human Resources Navigator (FHR Navigator). Service Model: Software as a Service (SaaS) . FedRAMP JAB PA Edge Hosting CloudPlus – Managed Cloud for Secure Windows and Linux Application Hosting. Service Model: Platform as a Services (PaaS) and Infrastructure as a Service (IaaS). FedRAMP Agency ATO by Department of Labor IBM SmartCloud for Government. Service Model: Infrastructure as a Service (IaaS) . FedRAMP JAB PA Lockheed Martin SolaS-I Government Community Cloud. Service Model: Infrastructure as a Service (IaaS) . FedRAMP JAB PA MicroPact Product Suite. Service Model: Platform as a Service (PaaS). FedRAMP Agency ATO by Department of the Interior Microsoft Office 365 Multi-Tenant & Supporting Services Including Azure Active Directory. Service Model: Software as a Service (SaaS). FedRAMP Agency ATO by Department of Health and Human Services Microsoft Windows Azure Public Cloud Solution. Service Model: Infrastructure as a Service (IaaS) . FedRAMP JAB PA OMB MAX General Support Services. Service Model: Infrastructure as a Service (IaaS). FedRAMP Agency ATO by Office of Management and Budget (OMB) OMB MAX.gov Shared Services. Service Model: Platform as a Service (PaaS) and Software as a Service (SaaS). FedRAMP Agency ATO by Office of Management and Budget (OMB) Oracle Federal Managed Cloud Services. Service Model: Platform as a Service (PaaS) . FedRAMP JAB PA Oracle Service Cloud. Service Model: SaaS. FedRAMP JAB PA Salesforce Government Cloud. Service Model: Platform as a Service and Software as a Service (SaaS). FedRAMP Agency ATO by Department of Health and Human Services SecureKey Briidge.net ExchangeT for Connect.Gov. Service Model: Software as a Service (SaaS) . FedRAMP JAB PA US Treasury Workplace.gov Community Cloud. Service Model: PaaS, SaaS. FedRAMP Agency ATO by Department of the Treasury USDA National Information Technology Center. Service Model: Infrastructure as a Service (IaaS). FedRAMP Agency ATO by United States Department of Agriculture Verizon Enterprise Cloud Federal Edition. Service Model: Infrastructure as a Service. FedRAMP Agency ATO by Department of Health and Human Services DoD Cloud Computing

Exercise Team 4 – Team 4 Given that a DoD Agency desires migrating its public affairs news files to the cloud, Determine the Information Impact Level of the proposed data to be moved to the cloud Identify which of the three cloud service models the agency could use from a commercial CSP Recommend a cloud deployment model or models for the agency’s public affair mission Where could the data be stored for this mission? Conduct Internet research to identify a viable commercial solution and describe what steps have been taken so far What are some of the contract clauses that you would want to make sure were included in the Performance Work Statement with the Cloud Service Provider? SLIDE INFORMATION*************************************************************************************************************************** *Slide Type: Exercise (Content or Exercise) *Supporting ELOs ID: (ELOs 31.1.1.9, 31.1.1.10, 31.1.1.11, 31.1.1.12, 31.1.1.14) *Policy / Directive / Standard / DTM ID: ********************************************************************************************************************************************************** Key Points: Review the exercise tasks Key Questions to Ask and Anticipated Answers: Terms \ Definitions \ Acronyms: DoD Cloud Computing

Exercise 4 Notional Answer Information Impact Level 2 Cloud Service Model: Infrastructure as a Service Cloud Deployment Model: Public is acceptable for IIL 2 and public facing data, such as information approved for public release IIL 2 data must be hosted at locations in the U.S., U.S. territories, or DoD controlled locations unless the location is authorized by the AO From the DoD Cloud Service Catalog: CGI Federal – IaaS Cloud DoD-approved Commercial Cloud Service with a DoD PA. It provides Virtual Machine and Web Hosting services in the cloud DoD Cloud Computing

Exercise Team 5 – Team 5 Given that a weapon system program office desires migrating its acquisition files and email capability to the cloud, Determine the Information Impact Level of the proposed data to be moved to the cloud Identify which of the three cloud service models the agency could use from a CSP Recommend a cloud deployment model What architectural concepts are required? What limitations are there on the CSP? Conduct Internet research to identify a viable commercial solution and describe what steps have been taken so far What are some of the contract clauses that you would want to make sure were included in the Performance Work Statement with the Cloud Service Provider? SLIDE INFORMATION*************************************************************************************************************************** *Slide Type: Exercise (Content or Exercise) *Supporting ELOs ID: (ELOs 31.1.1.9, 31.1.1.10, 31.1.1.11, 31.1.1.12, 31.1.1.14) *Policy / Directive / Standard / DTM ID: ********************************************************************************************************************************************************** Key Points: Review the exercise tasks Key Questions to Ask and Anticipated Answers: Terms \ Definitions \ Acronyms: DoD Cloud Computing

Exercise 5 Notional Answer Information Impact Level 5 Cloud Service Model: Software as a Service Cloud Deployment Model: Private/Community IIL 5 data must be hosted at locations in the U.S., U.S. territories, or DoD controlled locations without exception A Boundary Cloud Access Point is required A Cyber Defense Service Provider is required From the DoD Cloud Service Catalog: MS-O365-vNext DoD-approved Commercial Cloud Service with a DoD PA. MS-O365-vNext equipment is physically housed within secure cage environments DoD Cloud Computing

Exercise 3-5 Notional Answer for Contract Clauses Solicitation Provisions (DFARS 252.239-7010) Cloud computing services cyber incident reporting Malicious software Media preservation and protection Access to additional information or equipment for forensic analysis Cyber incident damage assessment activities Records management and facility access Notification of third party access requests Spillage Subcontracts SLIDE INFORMATION*************************************************************************************************************************** *Slide Type: Solicitation Provisions ELO 31.1.1.26 Identify contract considerations for cloud services acquisition. *Policy / Directive / Standard / DTM ID: DFARS Subpart 239.76 Cloud Computing DFARS 252.239-7010 Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) ********************************************************************************************************************************************************** Key Points: Cyber Incident Reporting Requirements A cyber incident is an action(s) taken through the use of computer networks that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. The contract with the CSP must require appropriate reporting for a cyber incident. Conduct Review: The contract must state that the contractor must conduct a review for evidence of compromise of covered defense information whenever the contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information therein. A covered contractor information system is an information system that is owned or operated, by or for, a contractor, and that processes, stores, or transmits covered defense information. Covered defense information is unclassified information provided to a contractor that is controlled technical information, critical information, export control, or other information that is required to be safeguarded by the government. The contract must also state that the contractor must rapidly report the cyber incident to DoD. Submit Software: The contract must include instructions that require the contractor to submit any malicious software that it discovers and isolates in connection with the reported cyber incident. Provide Access: The contract must outline steps the contractor will take to provide access upon request by DoD during a forensic analysis or damage assessment. When a contractor discovers a cyber incident has occurred, the contractor shall provide DoD with access to additional information or equipment that is necessary for a forensic analysis or damage assessment.  The contractor shall also preserve and protect images of all known affected information systems identified and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report. DoD has the right to request the media or decline interest within that time period. Damage Assessment: If DoD elects to conduct a damage assessment, the contracting officer will request that the contractor provide all of the damage assessment information gathered in accordance with the forensic analysis requirements of the contract. Prior to initiating damage assessment activities, the Procurement Contracting Officer (PCO) shall verify that the contract(s) identified in the cyber incident report includes DFARS 252.204-7012. If the contract does not contain the clause, the PCO shall notify the requiring activity that damage assessment activities, if required, may be determined to constitute a change to the contract. In cases of cyber incidents involving multiple contracts, a single contracting officer will be designated to coordinate with the contractor regarding media submission. If the requiring activity requests the contracting officer to obtain media from the contractor, as defined in DFARS 252.204-7012, the contracting officer shall: Provide a written request for the media Provide the contractor with the instructions for media submission Provide a copy of the request to U.S. DoD Cyber Crime Center (DC3) (dcise@dc3.mil) and the requiring activity Cloud Personnel Requirements (Access): The contracting officer must clearly spell out all requirements for key personnel, minimum proficiency levels/training, proper conduct of staff, and expectations regarding the management of staff. The contracting officer is responsible for ensuring that the CSP personnel screening and personnel access rules and procedures are appropriate for the information impact level of the CSO and that the CSP is in compliance with the SRG requirements for the personnel. All contractor employees who will have access to government data, the architecture that supports government data, or any physical or logical devices/code must be required to pass the appropriate background investigation required by the Government in compliance with HSPD-12. At a minimum, they must pass a National Agency Check and Inquiries (NACI) investigation and be a U.S. person as defined in Executive Order 12333. Spillage: When classified or controlled unclassified information is transferred onto an information system not accredited (i.e., authorized) for the security level of the transferred information, this is known as spillage. Upon notification by the government of a spillage, or upon the contractor’s discovery of a spillage, the contractor shall cooperate with the contracting officer to address the spillage in compliance with agency procedures. Subcontracting: The contracting officer needs to ensure that all of the terms and conditions in the contracts are included in any subcontract agreements that the CSP has with its providers of services.  Privity of Conctracts is a term in contract law that states that the terms of a contract are only binding on the parties that sign the contract. This means that the government has no ability to enforce the terms of the contract between the prime contractor (in this case, the CSP) and the subcontractor. (After all, the government does not have a direct relationship with the subcontractors.) The contracting officer also needs to ensure that the prime contractor (the CSP) maintains operational configuration control and control of government data. Again, all of these terms must be spelled out in the contract between the Component and the CSP because that is the contract that the government can enforce. Key Questions to Ask and Anticipated Answers: Ask the students if they have any ideas why these provisions need to be included and what the contractor needs to do to satisfy the provisions. The answers are provided above in the Key Points. Contract clauses: 252.239-7010 Cloud Computing Services. As prescribed in 239.7603(b), use the following clause: Cloud Computing Services (AUG 2015) Back to Top (a) Definitions. As used in this clause— Authorizing official, as described in DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), means the senior Federal official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Cloud computing means a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service. Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. Government data means any information, document, media, or machine readable material regardless of physical form or characteristics, that is created or obtained by the Government in the course of official Government business. Government-related data means any information, document, media, or machine readable material regardless of physical form or characteristics that is created or obtained by a contractor through the storage, processing, or communication of Government data. This does not include contractor's business records e.g. financial records, legal records etc. or data such as operating procedures, software coding or algorithms that are not uniquely applied to the Government data. Media means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system. Spillage security incident that results in the transfer of classified or controlled unclassified information onto an information system not accredited (i.e., authorized) for the appropriate security level. (b) Cloud computing security requirements. The requirements of this clause are applicable when using cloud computing to provide information technology services in the performance of the contract. (1) If the Contractor indicated in its offer that it “does not anticipate the use of cloud computing services in the performance of a resultant contract,” in response to provision 252.239-7009, Representation of Use of Cloud Computing, and after the award of this contract, the Contractor proposes to use cloud computing services in the performance of the contract, the Contractor shall obtain approval from the Contracting Officer prior to utilizing cloud computing services in performance of the contract. (2) The Contractor shall implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG) (version in effect at the time the solicitation is issued or as authorized by the Contracting Officer) found at http://iase.disa.mil/cloud_security/Pages/index.aspx; (3) The Contractor shall maintain within the United States or outlying areas all Government data that is not physically located on DoD premises, unless the Contractor receives written notification from the Contracting Officer to use another location, in accordance with DFARS 239.7602-2(a). (c) Limitations on access to, and use and disclosure of Government data and Government-related data. (1) The Contractor shall not access, use, or disclose Government data unless specifically authorized by the terms of this contract or a task order or delivery order issued hereunder. (i) If authorized by the terms of this contract or a task order or delivery order issued hereunder, any access to, or use or disclosure of, Government data shall only be for purposes specified in this contract or task order or delivery order. (ii) The Contractor shall ensure that its employees are subject to all such access, use, and disclosure prohibitions and obligations. (iii) These access, use, and disclosure prohibitions and obligations shall survive the expiration or termination of this contract. (2) The Contractor shall use Government-related data only to manage the operational environment that supports the Government data and for no other purpose unless otherwise permitted with the prior written approval of the Contracting Officer. (d) Cloud computing services cyber incident reporting. The Contractor shall report all cyber incidents that are related to the cloud computing service provided under this contract. Reports shall be submitted to the Department of Defense via http://dibnet.dod.mil/. (e) Malicious software. The Contractor or subcontractors that discover and isolate malicious software in connection with a reported cyber incident shall submit the malicious software in accordance withinstructions provided by the Contracting Officer. (f) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (d) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest. (g) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis. (h) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (f) of this clause. (i) Records management and facility access. (1) The Contractor shall provide the Contracting Officer all Government data and Government-related data in the format specified in the contract. (2) The Contractor shall dispose of Government data and Government-related data in accordance with the terms of the contract and provide the confirmation of disposition to the Contracting Officer in accordance with contract closeout procedures. (3) The Contractor shall provide the Government, or its authorized representatives, access to all Government data and Government-related data, access to contractor personnel involved in performance of the contract, and physical access to any Contractor facility with Government data, for the purpose of audits, investigations, inspections, or other similar activities, as authorized by law or regulation. (j) Notification of third party access requests. The Contractor shall notify the Contracting Officer promptly of any requests from a third party for access to Government data or Government-related data, including any warrants, seizures, or subpoenas it receives, including those from another Federal, State, or Local agency. The Contractor shall cooperate with the Contracting Officer to take all measures to protect Government data and Government-related data from any unauthorized disclosure. (k) Spillage. Upon notification by the Government of a spillage, or upon the Contractor's discovery of a spillage, the Contractor shall cooperate with the Contracting Officer to address the spillage in compliance with agency procedures. (l) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (l), in all subcontracts that involve or may involve cloud services, including subcontracts for commercial items. Terms \ Definitions \ Acronyms: DoD Cloud Computing