FedRAMP's Standard Contractual Clauses
The Tip of the Night for April 18, 2018 discussed FedRAMP, the federal cloud computing security program. FedRAMP has a manual of standard contractual clauses which may be useful to consult when considering what language to add to service agreements.
With cloud computing spreading data across international boundaries on different servers and posing problems for determining which country's law govern the data, FedRAMP recommends a provision specifying 'data jurisdiction' - based on where the 'data at rest' or back-up is located.
Provisions are recommended for retaining audit records online for 90 days, and Department of Defense and National Archives and Records Administration guidelines are to be followed for the systems implemented to store the records.
Agreements are to specify that incidents are reported to the US-CERT (the United States Computer Emergency Readiness Team), and breaches involving PII must be disclosed within 1 hour of their discovery.
Provisions for a specific cryptographic standard (FIPS 140-2) for secure communications; a method of multi-factor authentication; and the encryption of electronic media are also included.