Microsoft logo on desktop

What Tighter Auditing from DCMA Means for Cloud Service Providers

Cloud services have become integral to many organizations, including Department of Defense (DOD) contractors. However, using cloud platforms that handle Controlled Unclassified Information (CUI) comes with stringent security requirements from the Defense Contract Management Agency (DCMA).

The DCMA is taking an increasingly meticulous approach to evaluating cloud service providers (CSPs) that lack formal FedRAMP Moderate Authorization yet claim equivalency. The DOD has established that equivalency demands a BoE reflecting 100% compliance with the FedRAMP moderate security control baseline, including all supporting documentation. Failure to present an adequate BoE during DCMA audits can have severe consequences for defense contractors.

If a CSP cannot produce the complete BoE defined by DOD guidance, its clients risk receiving a -203 score, signifying non-compliance, which could limit their ability to secure future defense contracts.

 

How CyberSheath helps contractors

CyberSheath recently supported a multi-location manufacturing client during a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Assessment. This client had Microsoft GCC-High Services within its approved authorization boundary.

DCMA auditors requested the Microsoft GCC-H BoE and made clear that failure to provide all the items defined in the DOD memorandum could have resulted in non-compliance. Fortunately, CyberSheath’s skilled Compliance Analysts thoroughly validated the full BoE before the assessment, ensuring the client avoided any compliance issues.

Many organizations do not request, review, or have the entirety of the BoE before the assessment. Additionally, many do not understand the intricacies of the BoE to determine if all the items were received. This lack of preparation can lead to compliance failures with far-reaching consequences. Managed services partners should be able to provide you with the reassurance and confidence that your documentation package is ready for assessment prior to your audit.

 

A partner for CSPs

A trusted managed services partner who is well-versed in BoE requirements is crucial for defense contractors and CSPs. Any gaps could jeopardize a contractor’s compliance standing and ability to secure DOD contracts, which CSPs should prioritize fixing on behalf of their customers. With compliance obligations greater than ever for DOD contractors, CSPs need to fortify their compliance posture with a defensible BoE today.

Reach out to our experts, who can help you be prepared for your DIBCAC audit when the time comes.