CybersecurityFlows Down to Subs

DFARS 252.239-7010Cloud Computing Services

Overview

This clause establishes requirements for cloud computing services used in DoD contracts. Cloud service providers must meet FedRAMP authorization requirements and comply with the DoD Cloud Computing Security Requirements Guide (SRG). Data must be stored within the United States unless specifically authorized otherwise.

When Does This Apply?

Contracts that involve the use of cloud computing services to process, store, or transmit DoD data, including CUI and other sensitive information.

Key Requirements

1Obtain FedRAMP authorization at the required impact level
2Comply with DISA Cloud Computing Security Requirements Guide (SRG)
3Store data within the United States unless authorized otherwise
4Report cloud security incidents per DFARS 252.204-7012 requirements

Flowdown to Subcontractors

Yes — DFARS 252.239-7010 flows down to subcontractors. All subcontractors in the supply chain must comply with this clause when applicable.

Related NIST 800-171 Controls

3.13.1 3.13.16 3.1.1

Frequently Asked Questions

What is DFARS 252.239-7010?

DFARS 252.239-7010 (Cloud Computing Services) This clause establishes requirements for cloud computing services used in DoD contracts. Cloud service providers must meet FedRAMP authorization requirements and comply with the DoD Cloud Computing Se

Does DFARS 252.239-7010 flow down to subcontractors?

Yes, DFARS 252.239-7010 flows down to subcontractors. All applicable subcontractors must comply with this clause.

When does DFARS 252.239-7010 apply?

Contracts that involve the use of cloud computing services to process, store, or transmit DoD data, including CUI and other sensitive information.

Free Compliance Tools

🛡

CUI Auditor

Audit your tech stack for CUI handling gaps across 80+ enterprise tools.

🗺

CUI Flow Mapper

Map how CUI flows through your organization and identify spillage risks.

✅

FedRAMP Finder

Search 80+ FedRAMP-authorized products by category and authorization level.

Is your tech stack DFARS 252.239-7010 compliant?

Run our free CUI Auditor to check if your tools meet this clause's requirements.

Audit Your Tech Stack Free

Track DFARS 252.239-7010 compliance changes with AI-powered intelligence

Signals matches SAM.gov opportunities to your profile, monitors regulatory changes, and alerts you before competitors. Free for 90 days.

Start Free — 90 Days

Discussion

Share your experience implementing this in your organization.

Join the Club to unlock joining discussions

Free membership — access intelligence, save your work, and more.

Create free account

← All DFARS Clauses

DFARS 252.239-7010Cloud Computing Services

Overview

When Does This Apply?

Contracts that involve the use of cloud computing services to process, store, or transmit DoD data, including CUI and other sensitive information.

Key Requirements

1Obtain FedRAMP authorization at the required impact level
2Comply with DISA Cloud Computing Security Requirements Guide (SRG)
3Store data within the United States unless authorized otherwise
4Report cloud security incidents per DFARS 252.204-7012 requirements

Flowdown to Subcontractors

Yes — DFARS 252.239-7010 flows down to subcontractors. All subcontractors in the supply chain must comply with this clause when applicable.

Related NIST 800-171 Controls

3.13.1 3.13.16 3.1.1

Frequently Asked Questions

What is DFARS 252.239-7010?

Does DFARS 252.239-7010 flow down to subcontractors?

Yes, DFARS 252.239-7010 flows down to subcontractors. All applicable subcontractors must comply with this clause.

When does DFARS 252.239-7010 apply?

Contracts that involve the use of cloud computing services to process, store, or transmit DoD data, including CUI and other sensitive information.

Is your tech stack DFARS 252.239-7010 compliant?

Run our free CUI Auditor to check if your tools meet this clause's requirements.

Audit Your Tech Stack Free

Track DFARS 252.239-7010 compliance changes with AI-powered intelligence

Signals matches SAM.gov opportunities to your profile, monitors regulatory changes, and alerts you before competitors. Free for 90 days.

Start Free — 90 Days

Discussion

Share your experience implementing this in your organization.

Join the Club to unlock joining discussions

Free membership — access intelligence, save your work, and more.

Create free account

DFARS 252.239-7010Cloud Computing Services

Overview

When Does This Apply?

Key Requirements

Flowdown to Subcontractors

Related NIST 800-171 Controls

Frequently Asked Questions

What is DFARS 252.239-7010?

Does DFARS 252.239-7010 flow down to subcontractors?

When does DFARS 252.239-7010 apply?

Related Guides

Free Compliance Tools

Discussion

DFARS 252.239-7010Cloud Computing Services

Overview

When Does This Apply?

Key Requirements

Flowdown to Subcontractors

Related NIST 800-171 Controls

Frequently Asked Questions

What is DFARS 252.239-7010?

Does DFARS 252.239-7010 flow down to subcontractors?

When does DFARS 252.239-7010 apply?

Related Guides

Free Compliance Tools

Discussion