Cloud Services can be used. However, there are two conditions to consider; the first, the storage of non-government-controlled information in the cloud is without restriction. The second, the storage of government-controlled information, Covered Defense Information (CDI), must meet the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline, as outlined below.
“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in the performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (HTTPS:// www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.”
Source: CFR 252.204–7012 Safeguarding covered defense information and cyber incident reporting.