Current Content
(a) Generally, DoD shall acquire cloud computing services using commercial terms and conditions that are consistent with Federal law, and an agency’s needs, including those requirements specified in this subpart. Some examples of commercial terms and conditions are license agreements, End User License Agreements (EULAs), Terms of Service (TOS), or other similar legal instruments or agreements. Contracting officers shall incorporate any applicable service provider terms and conditions into the contract by attachment or other appropriate mechanism. Contracting officers shall carefully review commercial terms and conditions and consult counsel to ensure these are consistent with Federal law, regulation, and the agency’s needs.
(b)(1) Except as provided in paragraph (b)(2) of this section, the contracting officer shall only award a contract to acquire cloud computing services from a cloud service provider (e.g., contractor or subcontractor, regardless of tier) that has been granted provisional authorization by Defense Information Systems Agency, at the level appropriate to the requirement, to provide the relevant cloud computing services in accordance with the Cloud Computing Security Requirements Guide (SRG) (version in effect at the time the solicitation is issued or as authorized by the contracting officer) found at https://public.cyber.mil/dccs/.
(2) The contracting officer may award a contract to acquire cloud computing services from a cloud service provider that has not been granted provisional authorization when—
(i) The requirement for a provisional authorization is waived by the DoD Chief Information Officer; or
(ii) The cloud computing service requirement is for a private, on-premises version that will be provided from U.S. Government facilities. Under this circumstance, the cloud service provider must obtain a provisional authorization prior to operational use.
(c) When contracting for cloud computing services, the contracting officer shall ensure the following information is provided by the requiring activity:
(1) Government data and Government-related data descriptions.
(2) Data ownership, licensing, delivery and disposition instructions specific to the relevant types of Government data and Government-related data (e.g., DD Form 1423, Contract Data Requirements List; work statement task; line item). Disposition instructions shall provide for the transition of data in commercially available, or open and non-proprietary format (and for permanent records, in accordance with disposition guidance issued by National Archives and Record Administration).
(3) Appropriate requirements to support applicable inspection, audit, investigation, or other similar authorized activities specific to the relevant types of Government data and Government-related data, or specific to the type of cloud computing services being acquired.
(4) Appropriate requirements to support and cooperate with applicable system-wide search and access capabilities for inspections, audits, investigations.
Change History
| Detected | Type | Summary |
|---|---|---|
| detected 2026-04-17 | PGI_MODIFIED | PGI 239.7602-1 updated: 12 lines added, 1 lines removed |
--- previous +++ current
@@ -1 +1,13 @@ -(c)(6) When the clause at DFARS 252.239-7010 applies, the contracting officer shall provide the contractor with the name of the responsible Government official to contact in response to any spillage occurring in connection with the cloud computing services being provided. The requiring activity will provide the contracting officer with the name of the responsible official in accordance with agency procedures, as required by Enclosure 7 of DoDM 5200.01-V3, DoD Information Security Program: Protection of Classified Information.+(a) Generally, DoD shall acquire cloud computing services using commercial terms and conditions that are consistent with Federal law, and an agency's needs, including those requirements specified in this subpart. Some examples of commercial terms and conditions are license agreements, End User License Agreements (EULAs), Terms of Service (TOS), or other similar legal instruments or agreements. Contracting officers shall incorporate any applicable service provider terms and conditions into the contract by attachment or other appropriate mechanism. Contracting officers shall carefully review commercial terms and conditions and consult counsel to ensure these are consistent with Federal law, regulation, and the agency's needs. (b)(1) Except as provided in paragraph (b)(2) of this section, the contracting officer shall only award a contract to acquire cloud computing services from a cloud service provider (e.g., contractor or subcontractor, regardless of tier) that has been granted provisional authorization by Defense Information Systems Agency, at the level appropriate to the requirement, to provide the relevant cloud computing services in accordance with the Cloud Computing Security Requirements Guide (SRG) (version in effect at the time the solicitation is issued or as authorized by the contracting officer) found at + +https://public.cyber.mil/dccs/ + +. 
+(2) The contracting officer may award a contract to acquire cloud computing services from a cloud service provider that has not been granted provisional authorization when-- +(i) The requirement for a provisional authorization is waived by the DoD Chief Information Officer; or +(ii) The cloud computing service requirement is for a private, on-premises version that will be provided from U.S. Government facilities. Under this circumstance, the cloud service provider must obtain a provisional authorization prior to operational use. +(c) When contracting for cloud computing services, the contracting officer shall ensure the following information is provided by the requiring activity: +(1) Government data and Government-related data descriptions. +(2) Data ownership, licensing, delivery and disposition instructions specific to the relevant types of Government data and Government-related data (e.g., DD Form 1423, Contract Data Requirements List; work statement task; line item). Disposition instructions shall provide for the transition of data in commercially available, or open and non-proprietary format (and for permanent records, in accordance with disposition guidance issued by National Archives and Record Administration). +(3) Appropriate requirements to support applicable inspection, audit, investigation, or other similar authorized activities specific to the relevant types of Government data and Government-related data, or specific to the type of cloud computing services being acquired. +(4) Appropriate requirements to support and cooperate with applicable system-wide search and access capabilities for inspections, audits, investigations. |
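Review bot: the only removed line is the (c)(6) paragraph that names the responsible Government official to contact for spillage when DFARS 252.239-7010 applies, and the added lines run from (a) through (c)(4) without restoring it or adding a (c)(5), so as recorded the spillage point-of-contact instruction drops out of the section. Confirm against the published PGI 239.7602-1 whether (c)(5) and (c)(6) were actually removed or whether the previous and current snapshots captured different parts of the section, and re-capture the full text if it is the latter. The URL following "found at" is also split across separate added lines with its closing period on a line of its own; it should be rejoined into the (b)(1) sentence.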