Effective immediately, contracting officers shall follow the attached requirements (DFARS subpart 239.99, Cloud Computing (DEVIATION 2015-O0011)) and use the attached clause (DFARS 252.239-7999, Cloud Computing Services (DEVIATION 2015-O0011) (FEB 2015)) in contracts, task orders, and delivery orders in acquisitions for, or that may involve, cloud computing services.
The substance of this class deviation is addressed in DFARS Case 2013-D018, Network Penetration Reporting and Contracting for Cloud Services. Until the DFARS revisions contained in that case become effective, the information collection requirements (e.g., section 6.4 of the Cloud Computing Security Requirements Guide (SRG) referenced at 239.9902-1(C)(1)) of the attached deviation are not enforceable by the Government.
The deviation requires that the contracting officer, in conjunction with the requiring activity, ensure that any selected cloud computing solution is configured, deployed, and managed to meet the security, privacy, and other requirements of the organization, including applicable elements of the Federal Information Security Management Act of 2002 (FISMA) and the associated NIST standards and special publications (e.g., FIPS 199, FIPS 200, SP 800-53).
This class deviation remains in effect until incorporated in the DFARS or otherwise rescinded.