The Department of Defense Updates Security Requirements for Cloud Services

Client Alert | 1 min read | 02.01.22

The Department of Defense (DoD) recently published Version 1, Release 4 of its Cloud Computing Security Requirements Guide (SRG). The SRG outlines the administrative, technical, and physical security controls and requirements to be followed by contractors providing cloud services to the DoD pursuant to DFARS 252.239-7010, Cloud Computing Services.

The first update in almost five years, Release 4:

Reduces the differences between FedRAMP and DoD requirements for cloud services and provides additional guidance with regard to reciprocity between the two authorization regimes;
Updates the requirements for cloud services handling personally identifiable and protected health information;
Introduces the possibility of higher authorization levels for cloud services offering the DoD physical, rather than logical, separation from other tenants;
Clarifies guidance with regard to cloud access points through which a cloud service connects to the DoD’s network; and
Makes a number of additional changes to modernize requirements, clarify ambiguities, and reduce redundancy.

The SRG instructs contractors currently providing cloud services to the DoD to transition to the requirements in Release 4 as soon as practical but not later than one year after the SRG’s publication. Contractors interested in providing cloud services to the DoD should prepare for an assessment against the new requirements, as Release 4 became effective upon publication.

Contacts

Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Kate M. Growley
Partner and Crowell Global Advisors Senior Director
- Washington, D.C.
  - D | +1.202.624.2698
- Washington, D.C. (CGA)
  - D | +1 202.624.2500
a2dyb3dsZXlAY3Jvd2VsbC5jb20=

Insights

Client Alert | 3 min read | 06.12.26

DOJ Guidance Backs Away From Disparate Impact Liability

On June 9, 2026, the U.S. Department of Justice (DOJ) issued a formal opinion concluding that the Equal Opportunity Employment Commission’s (EEOC) existing interpretations of Title VII of the Civil Rights Act of 1964 (Title VII) disparate-impact liability, including the Uniform Guidelines on Employee Selection Procedures (UGESP), are unconstitutional. According to the opinion, EEOC’s prior interpretations contemplate liability based on disproportionately adverse effects alone, without regard to an employer’s likely intent, rather than treating disparate impact as an evidentiary mechanism to “smoke out” intentional discrimination. DOJ found that this approach functions as a “qualified racial-proportionality mandate” that places “a racial thumb on the scales, often requiring employers to evaluate the racial outcomes of their policies, and to make decisions based on (because of) those racial outcomes.” The opinion fulfills one mandate of Executive Order 14281, which rejected disparate-impact liability insofar as it “creates a near insurmountable presumption that unlawful discrimination exists wherever there are any differences in outcomes among different [demographic groups].”...

Client Alert | 4 min read | 06.12.26
Auto Dealers: The FTC Is Back in the Driver’s Seat — Warning Letters Signal Renewed Federal Scrutiny
Client Alert | 13 min read | 06.12.26
EU Cyber Resilience Act Countdown: 11 September 2026 Incident/Vulnerability Reporting Deadline Less Than 100 Days Away
Client Alert | 4 min read | 06.12.26
National Security Memorandum Aims to Accelerate Deployment of AI and Streamline Procurement Aligned to Administration Policies

View All Insights