(a) Generally, the DoD shall acquire cloud computing services using commercial terms and conditions that are consistent with Federal law, and an agency's needs, including those requirements specified in this subpart. Some examples of commercial terms and conditions are license agreements, End User License Agreements (EULAs), Terms of Service (TOS), or other similar legal instruments or agreements. Contracting officers shall incorporate any applicable service provider terms and conditions into the contract by attachment or other appropriate mechanism. Contracting officers shall carefully review commercial terms and conditions and consult counsel to ensure these are consistent with Federal law, regulation, and the agency's needs.
(b) The contracting officer shall only award a contract to acquire cloud computing services from any cloud service provider (e.g., contractor or subcontractor, regardless of tier) that has been granted provisional authorization by Defense Information Systems Agency, at the level appropriate to the requirement, to provide the relevant cloud computing services in accordance with the Cloud Computing Security Requirements Guide (SRG) (version in effect at the time the solicitation is issued or as authorized by the contracting officer) found at http:// iase.disa.mil/ cloud-- security/ Pages/ index.aspx. Provisional authorization processes are also available at the SRG Web site. Cloud service providers with existing provisional authorization are listed at http://www.disa.mil/ Computing/ Cloud-Services/ Cloud-Support.
(c) When contracting for cloud computing services, the contracting officer shall ensure the following information is provided in the purchase request--
(1) Government data and Government-related data descriptions;
(2) Data ownership, licensing, delivery and disposition instructions specific to the relevant types of Government data and Government-related data (e.g., CDRL, SOW task, line item). Disposition instructions shall provide for the transition of data in commercially available, or open and non-proprietary format (and for permanent records, in accordance with disposition guidance issued by National Archives and Record Administration);
(3) Appropriate limitations and requirements regarding contractor and third-party access to, and use and disclosure of, Government data and Government-related data;
(4) Appropriate requirements to support applicable inspection, audit, investigation, or other similar authorized activities specific to the relevant types of Government data and Government-related data, or specific to the type of cloud computing services being acquired;
(5) Appropriate requirements to support and cooperate with applicable system-wide search and access capabilities for inspections, audits, investigations, litigation, eDiscovery, records management associated with the agency's retention schedules, and similar authorized activities; and
(6) A requirement for the contractor to coordinate with the responsible Government official designated by the contracting officer, in accordance with agency procedures, to respond to any spillage occurring in connection with the cloud computing services being provided.