We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.
If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”
Customize cookie preferences
We use cookies and similar tools (collectively, "cookies") for the following purposes.
Essential
Essential cookies are necessary to provide our site and services and cannot be deactivated. They are usually set in response to your actions on the site, such as setting your privacy preferences, signing in, or filling in forms.
Performance
Performance cookies provide anonymous statistics about how customers navigate our site so we can improve site experience and performance. Approved third parties may perform analytics on our behalf, but they cannot use the data for their own purposes.
Allowed
Functional
Functional cookies help us provide useful site features, remember your preferences, and display relevant content. Approved third parties may set these cookies to provide certain site features. If you do not allow these cookies, then some or all of these services may not function properly.
Allowed
Advertising
Advertising cookies may be set through our site by us or our advertising partners and help us deliver relevant marketing content. If you do not allow these cookies, you will experience less relevant advertising.
Allowed
Blocking some types of cookies may impact your experience of our sites. You may review and change your choices at any time by selecting Cookie preferences in the footer of this site. We and selected third-parties use cookies or similar technologies as specified in the AWS Cookie Notice.
Your privacy choices
We display ads relevant to your interests on AWS sites and on other properties, including cross-context behavioral advertising. Cross-context behavioral advertising uses data from one site or app to advertise to you on a different company’s site or app.
To not allow AWS cross-context behavioral advertising based on cookies or similar technologies, select “Don't allow” and “Save privacy choices” below, or visit an AWS site with a legally-recognized decline signal enabled, such as the Global Privacy Control. If you delete your cookies or visit this site from a different browser or device, you will need to make your selection again. For more information about cookies and how we use them, please read our AWS Cookie Notice.
AWS cloud regions and services help customers address the Defense Federal Acquisition Regulation Supplement (DFARS) cyber security requirements. DFARS implements and supplements the Federal Acquisition Regulation (FAR) and is administered by the Department of Defense (DoD). The DFARS contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures.
AWS offers a wide variety of FedRAMP Moderate and High Authorized services and solutions that meet the DFARS requirements for Cloud Service Provider (CSP) security. The AWS FedRAMP services in scope can be found at AWS Services in Scope by Compliance Program page.
The clause at DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting is included in all DoD contracts , except contracts for Commercial Off the Shelf (COTS) items, and requires contractors to provide “adequate security” on covered contractor systems.
What is Covered Defense Information?
Covered defense information is a term used to identify information that requires protection under DFARS clause 252.204-7012 and is consistent with DoD Controlled Unclassified Information (CUI).
Like CUI, covered defense information applies to DoD controlled unclassified information, as described in DoDI 5200.48, Controlled Unclassified Information, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.
How is Adequate Security defined under DFARS 252.204-7012?
DFARS clause 252.204-7012 defines "Adequate security" as the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. The specific protective measures called out in DFARS 252.204-7012 are NIST SP 800-171 and the FedRAMP Moderate baseline, as applicable.
Adequate Security on the contractor’s own information systems (i.e. information systems that are not part of an Information Technology (IT) service or system operated on behalf of the Government). DFARS 252.204-7012 requires the implementation of the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
Adequate Security if a contractor uses a CSP DFARS 252.204-7012 states that, "If the contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in the performance of this contract, the contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline."
What is NIST SP 800-171?
NIST SP 800-171 is a National Institute of Standards and Technology (NIST) Special Publication (SP) that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012.
NIST SP 800-171 includes 110 security controls taken from 14 security control families in NIST SP 800 — 53 Security and Privacy Controls for Federal Information Systems and Organizations.
What does DFARS 252.204-7012 mean by “Security Requirements Equivalent to the FedRAMP Moderate Baseline”?
As provided in the clause, the FedRAMP Moderate Baseline is the standard for Cloud Service Providers for protecting CUI across federal government agencies. The Moderate impact level is appropriate for CSPs that will handle government data that is not publicly available.
The FedRAMP Moderate baseline includes 325 security controls taken from 17 security control families in NIST SP 800 — 53 Security and Privacy Controls for Federal Information Systems and Organizations.
How can DIB contractor determine whether a CSP has security equivalent to the FedRAMP Moderate baseline?
The most reliable way to ensure that a CSP has security at least equivalent to the FedRAMP moderate baseline is to choose a CSP that has achieved a FedRAMP Moderate (or High) Authorization and is listed on the FedRAMP Marketplace list of Authorized providers. These CSP have undergone a rigorous assessment and authorization process. This includes completing the FedRAMP Lifecycle steps of FedRAMP Ready, FedRAMP In Process, and finally FedRAMP Authorized.
AWS services in the AWS standard cloud region services are authorized at the FedRAMP Moderate baseline and AWS GovCloud (US) region services are authorized at the FedRAMP High baseline.
What are the Cyber Incident Reporting requirements in DFARS 252.204-7012?
DFARS 252.204-7012 (b)2(ii)D also states that the contractor shall require and ensure that a CSP complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
The requirements found in paragraphs (c) through (g) of DFARS 252.204-7012 are a subset of and map directly to security controls on the FedRAMP Moderate baseline.
DFARS 252.204-7019 – Notice of NIST SP 800-171 DOD Assessment Requirements
DFARS 252.204-7019 clause notifies the contractor to record their NIST SP 800-171 compliance within the Supplier Performance Risk System (SPRS). Under the clause, each contractor must maintain a current NIST SP 800-171 DoD Assessment within SPRS. Contractors are required to have a Basic, Medium, or High assessment completed at least every three years and ensure that it is appropriately reported within SPRS. Basic Assessment: Similar to the self-assessments / self-attestations taking place since 2018, this assessment requires a System Security Plan (SSP) or Plans to be submitted. Medium and High Assessments: NIST SP 800-171 800-171 assessments run by the Defense Contract Management Agency (DCMA).
DFARS 252.204.7020 – NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020 applies to covered contractor information systems and requires contractors to provide the Government access to its facilities, systems, and personnel any time the DoD is renewing or conducting a Medium or High assessment. Much like DFARS 252.204-7012, the DFARS 252.204-7020 clause will appear in all DoD solicitations and contracts, task orders, or delivery orders except for those that are solely for the acquisition of COTS items. The clause provides definitions for Basic, Medium and High Assessments.
DFARS 252.204-7021 – Cybersecurity Maturity Model Certification Requirements
The Cybersecurity Maturity Model Certification (CMMC) requirements are introduced into the federal regulatory framework with the addition of DFARS 252.204-7021. This clause will support the DoD’s phased rollout of CMMC, and is required in all contracts, task orders, solicitations, etc. will have CMMC requirements included by October 1, 2025.
The CMMC Model will include three levels; Level 1 Foundational, which will require 17 basic safeguarding practices; Level 2 Advanced, which will mirror the NIST SP 800-171 (110 controls); and Level 3 Expert, which will be based on a subset of NIST SP 800-171 SP 800-172 requirements. Find more details on our CMMC page.
For more information about the AWS solutions and services that support our customers’ DFARS, NIST SP 800-171 or CMMC requirements, please contact us at cmmconaws@amazon.com.
Have Questions? Connect with an AWS Business Representative
