GET THE FACTS. Ask your Cloud Service Provider about FAR 52.204-21.
To verify whether your Cloud Service Provider is complying with FAR rule 52.204-21, follow these due diligence steps.
1. Understand your Cloud provider’s hosting model, and ask for the location of your hosted data.
Do they outsource delivery, storage and system hosting and maintenance to a third-party facility or service (like AWS), or do they own and control their infrastructure platform?
2. Ask your Cloud Service Provider to outline who has access to hosting equipment and systems, databases, and data transfer services.
These access details should be specifically enumerated in the provider's audit report.
3. Ask to see the CLOUD SERVICE PROVIDER’S audit report — NOT their infrastructure partners’ reports.
The Cloud Service Provider should present its own AICPA SOC2 Type II audit report.
4. If the Cloud Service Provider uses third-party consultants or subcontractors, ask how these external parties’ audits align with the provider’s audit.
You may also request audit reports directly from the provider’s subs.
5. If your contracts or customers require ITAR compliance, ask your Cloud Service Provider if their facilities are in the continental United States, and if their employees (and subs, if they use them) are U.S. citizens.
6. If your contracts or customers require FEDRAMP compliance (or associated NIST and FISMA rules), ask your Cloud Service Provider if your hosted data is encrypted at rest.
Keep in mind that most states have now matched Massachusetts’ leading MA201 personnel privacy standards, which not only apply to your places of performance but also to where your employees reside.
7. It’s a smart practice to ask your Cloud Service Provider if they are MA201 compliant.
Though June 15, 2016 marks the beginning of an important mandate for government contractors and their information systems, most Cloud Service Providers should already meet FAR 52.204-21 “basic safeguarding measures,” if they’re serious about the security of their customers’ systems and data.
Now is the time to find out.
To learn more about FAR 52.204-21 and Cloud Hosting and Security models, read or download the TBS whitepaper, FAR 52.204-21, SOC2 Security Controls and TBS Enterprise Cloud Hosting, or contact TBS at Info@TBS-llc.com or 703.444.6562 x1.