Defense Federal Acquisition Regulation Supplement (DFARS)

DFARS overview

On October 21, 2016, the Department of Defense (DoD) issued its Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) and imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI).

The final DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) specifies safeguards to include cyber incident reporting requirements and additional considerations for cloud service providers. Per DFARS 252.204-7012, all DoD contractors and the defense industrial base are required to comply with DFARS requirements for adequate security 'as soon as practical, but not later than December 31, 2017.'

Microsoft and DFARS

Microsoft Government Cloud services help the United States defense industrial base and defense contractor customers meet the DFARS requirements as enumerated in the DFARS clauses of 252.204-7012 that apply to cloud service providers. When defense contractors are required to comply with DFARS clause 252.204-7012 in contracts, Microsoft can support the requirements applicable to cloud service providers for Azure Government and Office 365 U.S. Government Defense services. Both services demonstrate support for the capabilities necessary for customers to comply with the DFARS 7012 clauses through their L5 accreditation to the Department of Defense Security Requirements Guide.

Microsoft in-scope cloud platforms & services

Covered services for DoD Impact Level 5

  • Azure and Azure Government
  • Office 365 U.S. Government and Office 365 U.S. Government Defense

Azure, Dynamics 365, and DFARS

For more information about Azure, Dynamics 365, and other online services compliance, see the Azure DFARS offering.

Office 365 and DFARS

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
GCC Microsoft Entra ID, Compliance Manager, Delve, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, Stream
GCC High Microsoft Entra ID, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business
DoD Microsoft Entra ID, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, Power BI, SharePoint Online, Skype for Business

Office 365 Audits, reports, and certificates

Frequently asked questions

Which DFARS requirements are supported by Office 365 U.S. Government Defense?

Office 365 U.S. Government Defense allows our defense industrial base and defense contractor customers to meet the DFARS requirements as enumerated in the DFARS clauses of 252.204-7012 that apply to cloud service providers.

Has an independent assessor validated that Office 365 U.S. Government Defense supports DFARS requirements?

Yes, a third-party assessment organization has attested that the Office 365 U.S. Government Defense cloud service offering meets the applicable requirements of DFARS Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information).

What is the relationship between Controlled Unclassified Information (CUI) and covered defense information (CDI)?

CUI is information that requires safeguarding or disseminating controls according to law, regulation, or government-wide policy. The CUI Registry identifies approved CUI categories and subcategories.

CDI is controlled technical information or other information (as described in the CUI Registry) that requires safeguarding or dissemination controls and is either:

  • Marked or otherwise identified in the contract, task order, or delivery order, and provided to the contractor by or on behalf of DoD in connection with the performance of the contract or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract

Do all Microsoft Office 365 services meet the 'adequate security' requirements applicable to 'covered defense information' under the DFARS regulation?

In October 2016, the Department of Defense (DoD) promulgated a final rule implementing Defense Federal Acquisition Regulation Supplement (DFARS) clauses that apply to all DoD contractors who process, store, or transmit 'covered defense information' through their information systems. The rule states that such systems must meet the security requirements set forth in NIST SP 800-171, Protecting Controlled Unclassified Information in nonfederal information systems and organizations, or an 'alternative, but equally effective, security measure' that is approved by the DoD contracting officer. And where a DoD contractor uses an external cloud service provider to process, store, or transmit covered defense information, such provider must meet security requirements that are equivalent to the FedRAMP Moderate baseline.

The following Microsoft Office 365 cloud services have received a FedRAMP moderate authorization and are adequate for DFARS: Office 365 U.S. Government, and Office 365 U.S. Government Defense.

Also, Microsoft offerings outside the FedRAMP-certified boundary that could potentially be used by DoD contractors to process, store, or transmit 'covered defense information' are undergoing a review to meet a December 31, 2017, compliance deadline. Microsoft is working to document how these internal and customer-facing services comply with NIST SP 800-171 or an acceptable security equivalent, to meet the DFARS relevant clauses.

Use Microsoft Purview Compliance Manager to assess your risk

Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources