The Department of Defense Updates Security Requirements for Cloud Services

Client Alert | 1 min read | 02.01.22

The Department of Defense (DoD) recently published Version 1, Release 4 of its Cloud Computing Security Requirements Guide (SRG). The SRG outlines the administrative, technical, and physical security controls and requirements to be followed by contractors providing cloud services to the DoD pursuant to DFARS 252.239-7010, Cloud Computing Services.

The first update in almost five years, Release 4:

Reduces the differences between FedRAMP and DoD requirements for cloud services and provides additional guidance with regard to reciprocity between the two authorization regimes;
Updates the requirements for cloud services handling personally identifiable and protected health information;
Introduces the possibility of higher authorization levels for cloud services offering the DoD physical, rather than logical, separation from other tenants;
Clarifies guidance with regard to cloud access points through which a cloud service connects to the DoD’s network; and
Makes a number of additional changes to modernize requirements, clarify ambiguities, and reduce redundancy.

The SRG instructs contractors currently providing cloud services to the DoD to transition to the requirements in Release 4 as soon as practical but not later than one year after the SRG’s publication. Contractors interested in providing cloud services to the DoD should prepare for an assessment against the new requirements, as Release 4 became effective upon publication.

Contacts

Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Garylene (Gage) Javier
Counsel
She/Her/Hers
- Washington, D.C.
  - D | +1.202.654.6743
Z2phdmllckBjcm93ZWxsLmNvbSA=
Kate M. Growley
Partner, Crowell Global Advisors Senior Director
- Washington, D.C.
  - D | +1.202.624.2698
- Washington, D.C. (CGA)
  - D | +1 202.624.2500
a2dyb3dsZXlAY3Jvd2VsbC5jb20=

Insights

Client Alert | 4 min read | 12.04.25

District Court Grants Preliminary Injunction Against Seller of Gray Market Snack Food Products

On November 12, 2025, Judge King in the U.S. District Court for the Western District of Washington granted in part Haldiram India Ltd.’s (“Plaintiff” or “Haldiram”) motion for a preliminary injunction against Punjab Trading, Inc. (“Defendant” or “Punjab Trading”), a seller alleged to be importing and distributing gray market snack food products not authorized for sale in the United States. The court found that Haldiram was likely to succeed on the merits of its trademark infringement claim because the products at issue, which were intended for sale in India, were materially different from the versions intended for sale in the U.S., and for this reason were not genuine products when sold in the U.S. Although the court narrowed certain overbroad provisions in the requested order, it ultimately enjoined Punjab Trading from importing, selling, or assisting others in selling the non-genuine Haldiram products in the U.S. market....

Client Alert | 21 min read | 12.04.25
Highlights: CMS’s Proposed Rule for Medicare Part C & D (CY 2027 NPRM)
Client Alert | 5 min read | 12.02.25
CARB Delays Enforcement of California’s Climate-Related Financial Risk Report Law (SB 261) and Issues New Guidance on Climate Disclosure Requirements in SB 261 and SB 253
Client Alert | 11 min read | 12.01.25
EU AI Act, GDPR, and Digital Laws Changes Proposed

View All Insights