The Defense Counterintelligence and Security Agency has released an industry security letter, or ISL, clarifying the process for verifying government contracting activity authorization for the use of commercial cloud services — a.k.a. CCS — by a contractor in performing work on a classified contract as required by DFARS, or the Defense Federal Acquisition Regulation Supplement.
The ISL also includes information on the revision made to instructions for DD Form 254 concerning contract security classification specification, DCSA said Thursday.
The agency issued the letter to inform cleared vendors and DOD components of developments under the National Industrial Security Program, or NISP.
According to the letter, the DCSA NISP authorizing official may authorize Impact Level 6 under one of the provided methods to verify the contract requirement.
In the event that a contractor later decides that it anticipates using CCS in performing contract work, a clause in DFARS states that the company should seek approval from the contracting officer before using cloud services, according to the document.
“Proof of the contracting officer’s approval may be accepted in a variety of forms, to include an email from the contracting officer or empowered official,” the letter reads.