FARS Clause 252.239-7010, Cloud Computing Services, applies when a cloud solution is being used to process data on the DoD’s behalf, or DoD is contracting with a Cloud Service Provider to host or process data in a cloud. DFARS Clause 252.239-7010 requires the cloud service provider to comply with the DoD Cloud Computing Security Requirements Guide and with the requirements for cyber incident reporting and damage assessment. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, applies when a contractor intends to use an external cloud service provider to April 2, 2018 rev 1 54 stores, process, or transmit covered defense information in the performance of a contract. DFARS Clause 252.204-7012 requires the cloud service provider to meet security requirements equivalent to those established for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.

Source: Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76, and PGI Subpart 239.76 FAQ REVISION, April 2, 2018 rev 1 1