As the IT world migrates to the cloud, many customers must implement security standards and controls. This blog can help clarify ambiguity around the Defense Federal Acquisition Regulation Supplement (DFARS) standard and how the standard and its related controls apply to a use case and deployment. This post is part of a series of blogs explaining how various security standards apply to commercial entities doing business with the US government. It aims to help customers looking to migrate existing solutions, or build new ones, on Oracle Cloud Infrastructure (OCI) and platform-as-a-service (PaaS) in the US Government data center regions.
What DFARS means
DFARS exists to support US national security, ensuring that government contractors doing business with the United States Armed Forces provide technology, programs, and products with a focus on security. DFARS is an extension of the Federal Acquisition Regulation (FAR), but these regulations are Department of Defense (DoD)-specific. These regulation supplements are based on adherence to the standards and controls included within NIST SP 800-171.
As an Oracle customer providing services to the DoD in the Defense Industrial Base (DIB) sector, you might be required to certify your organization or service. All commercial entities are considered part of the DIB if they create or possess controlled unclassified information (CUI). While DFARS doesn’t have an accreditation body, DIB members can self-certify by demonstrating adherence to the 110 controls detailed in NIST SP 800-171. To make a more robust assertion than self-certification, DIB members need to engage a third-party assessment organization (3PAO) to review the compliance posture of their environment.
DFARS is not an accreditation that a cloud service provider (CSP) can achieve, and the CSP doesn’t own all the controls that DFARS outlines. DFARS is an example of a standard aligned with a shared responsibility model: a CSP can assist an end user in achieving DFARS compliance by offering cloud services with certain demonstrated and proven controls.
For example, a cloud provider can achieve FedRAMP accreditation, which certifies controls that DFARS requires, depending on the level, such as FedRAMP Low, Moderate, or High. The end user service provider can inherit these controls, reducing the effort needed to demonstrate compliance for their overall solution.
Where OCI comes in
OCI’s US Government cloud offerings have achieved FedRAMP High JAB accreditation, as have all the infrastructure and platform services generally available in those regions. Oracle Cloud US Government regions provide an excellent platform to host a service or organization seeking DFARS compliance by reducing compliance effort through our proven FedRAMP certification.
Oracle’s dedicated compliance team is poised to help customers in pursuit of DFARS compliance using products like Oracle Cloud for Government and a rich suite of software- and platform-as-a-service offerings, software applications, tools, and multidecade experience supporting the US Department of Defense.
For more information, see the following resources:
