252.239-7010 — Cloud Computing Services
Researched by the BidStride Research Team
What This Clause Requires
Sets requirements for cloud computing services used to perform DoD contracts, including data residency (US-only), FedRAMP requirements, and incident reporting.
Official Regulation Text
See 48 CFR 252.239-7010 for the full regulatory text. This clause governs the use of cloud computing services for DoD contracts. All DoD data must be stored and processed within the United States, cloud services must be FedRAMP authorized, and incidents must be reported within 72 hours.
Compliance Checklist
- Store and process all DoD data exclusively within the United States
- Obtain FedRAMP authorization at the applicable impact level
- Report incidents within 72 hours
- Maintain visibility into cloud architecture for Government review
Flow-Down to Subcontractors
Flow-down required
This clause must be included in subcontracts with all subcontractors at all tiers where the subcontractor will perform work covered by this clause. It typically appears in contract Sections H and I.
Frequently Asked Questions
All DoD data — including backups and disaster recovery copies — must be stored and processed within the United States and its territories. Data may not be routed through or processed in foreign jurisdictions, even temporarily. This includes data centers operated by U.S. companies abroad.
Yes, but only their government cloud regions (AWS GovCloud, Azure Government, Google Government Cloud) that are FedRAMP authorized at the appropriate impact level. Standard commercial regions do not meet data residency requirements.
Report cloud incidents to the Contracting Officer and the DoD Cyber Crime Center within 72 hours of discovery. Cloud provider incidents affecting DoD data must also be reported, even if you did not cause the incident.
Yes. If you use a SaaS tool that processes or stores DoD data — including productivity apps, collaboration tools, or development platforms — it must meet 252.239-7010 requirements. Assess all tools in your supply chain before using them on DoD work.
This summary is for informational purposes only and reflects the BidStride Research Team's plain-English interpretation of the regulation. It is not legal advice and does not constitute an attorney-client relationship. Always consult the official Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS) text and qualified legal counsel for compliance decisions.