As someone new to USAID contracting and running a small business, I am curious to ask anyone their thoughts on this new FAR clause (Basic Safeguarding of Covered Contractor Information Systems (Jun 2016)).
Based on the blogs I have read, this clause will likely be included in most future contracts. As a small business, we use Google Apps, Dropbox, sales applications, and other 3rd-party applications that are cloud-based because of their affordability and practicality (we don't need an IT team). Provided we win future contracts with this clause, we will surely have "Federal Contract information" as defined in this clause on all of these cloud-based systems and applications.
The clause does not specifically mention cloud computing or prescribe any controls or requirements that directly address the use of cloud solutions. But the way I read the clause, my company does not have control over the employees at Amazon, for example (where many of the 3rd-party apps store their data), so we cannot really know who has access to the data. It is unclear to me whether this clause will eventually make cloud computing and communication unallowable for contractors unless all servers are in-house.
Furthermore, I am concerned that this has the potential of placing a large financial burden on small businesses to finance and restructure how information is stored and communicated. Does anyone have any thoughts, or am I worrying about this too much?