Class Deviation 2015-O0011
Contracting for Cloud Services

Effective immediately, contracting officers shall follow the attached requirements (DFARS subpart 239.99, Cloud Computing (DEVIATION 2015-O0011)) and use the attached clause (DFARS 252.239-7999, Cloud Computing Services (DEVIATION 2015-O0011) (FEB 2015)) in contracts, task orders, and delivery orders in acquisitions for, or that may involve, cloud computing services.

The substance of this class deviation is addressed in DFARS Case 2013-D018, Network Penetration Reporting and Contracting for Cloud Services. Until the DFARS revisions contained in that case become effective, the information collection requirements (e.g., section 6.4 of the Cloud Computing Security Requirements Guide (SRG) referenced at 239.9902-1(C)(1)) of the attached deviation are not enforceable by the Government.

The deviation requires that the contracting officer, in conjunction with the requiring activity, ensure that any selected cloud computing solution is configured, deployed, and managed to meet the security, privacy, and other requirements of the organization, including applicable elements of the Federal Information Security Management Act of 2002 (FISMA) and the associated NIST standards and special publications (e.g., FIPS 199, FIPS 200, SP 800-53).

This class deviation remains in effect until incorporated in the DFARS or otherwise rescinded.

Effective Date: February 9, 2015 (8 years ago)
Expire Date: None Given
Incorporated: October 21, 2016 (6 years ago)
Official Documents: Memo
Official Attachments: 1
This is not a government website. Visitors should not rely upon information contained on this website as a substitute for consulting official government publications.0