The Department of Defense Updates Security Requirements for Cloud Services

Client Alert | 1 min read | 02.01.22

The Department of Defense (DoD) recently published Version 1, Release 4 of its Cloud Computing Security Requirements Guide (SRG). The SRG outlines the administrative, technical, and physical security controls and requirements to be followed by contractors providing cloud services to the DoD pursuant to DFARS 252.239-7010, Cloud Computing Services.

The first update in almost five years, Release 4:

Reduces the differences between FedRAMP and DoD requirements for cloud services and provides additional guidance with regard to reciprocity between the two authorization regimes;
Updates the requirements for cloud services handling personally identifiable and protected health information;
Introduces the possibility of higher authorization levels for cloud services offering the DoD physical, rather than logical, separation from other tenants;
Clarifies guidance with regard to cloud access points through which a cloud service connects to the DoD’s network; and
Makes a number of additional changes to modernize requirements, clarify ambiguities, and reduce redundancy.

The SRG instructs contractors currently providing cloud services to the DoD to transition to the requirements in Release 4 as soon as practical but not later than one year after the SRG’s publication. Contractors interested in providing cloud services to the DoD should prepare for an assessment against the new requirements, as Release 4 became effective upon publication.

Contacts

Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Kate M. Growley
Partner and Crowell Global Advisors Senior Director
- Washington, D.C.
  - D | +1.202.624.2698
- Washington, D.C. (CGA)
  - D | +1 202.624.2500
a2dyb3dsZXlAY3Jvd2VsbC5jb20=

Insights

Client Alert | 7 min read | 06.24.26

DOJ’s National Security Division Announces First Declination Under New Corporate Enforcement Policy With Parallel BIS Settlement

On June 17, 2026, the U.S. Department of Justice’s (DOJ( National Security Division (NSD) announced that it had issued a declination for Robert Bosch GmbH (Bosch) relating to potential violations of the Export Control Reform Act, 50 U.S.C. § 4819 (ECRA). Specifically, the DOJ declined to criminally prosecute Bosch’s violations of the Export Administration Regulations’ (EAR) Foreign Direct Product Rule (FDPR), which apparently resulted from two Bosch subsidiaries’ export of products and software manufactured with equipment that was the direct product of U.S. software or technology to Huawei Technologies Co., Ltd. and its “Entity List” affiliates, including Huawei Tech. Investment Co., Ltd., Hong Kong (collectively, Huawei). The same day, the U.S. Department of Commerce Bureau of Industry and Security (BIS) announced a parallel civil administrative settlement with Bosch....

Client Alert | 3 min read | 06.24.26
OhioHealth Settlement and White House Report Signal Broader Federal Focus on Restrictive Hospital Contracting
Client Alert | 4 min read | 06.23.26
EPA Hands Over AI Data Center Regulation to States and Communities to Develop Best Practices
Client Alert | 3 min read | 06.22.26
Timing Is Everything: GAO Dismisses Three Protests Filed Before the Solicitation Deadline but After GAO’s Daily Cutoff Time

View All Insights