Important Takeaways from DHS’s Proposed Rule on Controlled Unclassified Information

The Department of Homeland Security (DHS) has now officially entered the government data security fray with its own proposed rule (HSAR Case 2015-001; 82 FR 6429; Jan. 19, 2017) for safeguarding Controlled Unclassified Information (CUI).

We have previously commented on the National Archives and Records Administration’s Final Rule on CUI, the Department of Defense’s rules on Controlled Defense Information, and the morass of federal data security rules generally.

The DHS’s CUI rule adds yet another layer of complexity, as federal contractors and subcontractors are now faced with the prospect of having to comply with different rules for different agencies.  This notion runs counter to the intent of Executive Order 13556 (75 FR 68675; Nov. 4, 2010), which sought to standardize the treatment of CUI across government.

Below are some observations about the DHS’s proposed rule:

  • Handling of CUI. Requirements for the handling of CUI are described only very generally in the proposed rule and new DHS FAR Supplement clause (3052.204-7X, Safeguarding of Controlled Unclassified Information).  Contractors are to provide “adequate security” to protect CUI.  “Adequate security” is defined as appropriate security given the risk of disclosure.  For further guidance, contractors are referred to a DHS website that will contain a section titled “Security and Training Requirements for Contractors.”  The policies and procedures found on the website are incorporated by reference into contracts and subcontracts via the new clause.  The DHS seems to expect these policies and procedures will change over time, as the applicable requirements for any given contract are those “in effect at the time of contract award.”
  • Definition of CUI. CUI is defined in the proposed rule as any unclassified information created or possessed by the government or by a contractor “that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”  The proposed rule then specifies 12 categories and subcategories as examples of DHS-related CUI, including Chemical-terrorism Vulnerability Information (CVI), Protected Critical Infrastructure Information (PCII), Homeland Security Agreement Information, Homeland Security Enforcement Information, Information Systems Vulnerability Information (ISVI), Personally Identifiable Information (PII), and Sensitive PII (SPII).
  • Authority to Operate. For those contractors seeking to operate DHS information systems, the proposed rule sets forth the process by which companies may obtain the requisite security authorization to do so.  Notably, the process requires comprehensive testing and evaluation, an independent third-party assessment, a security review, regular reporting, and continuous monitoring.
  • Incident Reporting. Both contractors and subcontractors must report known or suspected data breach or compromise incidents.  For those incidents (or possible incidents) involving PII and/or SPII, a report must be made to the DHS within one hour of discovery.  All other incidents must be reported within eight hours.  Contractors who have incidents involving PII and/or SPII are also required to notify affected individuals and, where appropriate, to provide credit-monitoring services.
  • Mandatory Flowdown. The proposed HSAR clause 3052.204-7X must be included in all contracts and subcontracts, at any tier, that will (1) have access to CUI, (2) collect or maintain CUI on an agency’s behalf, or (3) operate a Federal information system or contractor information system that collects, processes, stores, or transmits CUI.
  • Broader Context. This DHS proposed rule is part of a broader initiative within the DHS concerning IT security generally.  Consistent with this approach, the DHS issued additional proposed rules simultaneously with the CUI rule to address IT security awareness training (HSAR Case 2015-002) and Privacy Act training (HSAR Case 2015-003).

Comments on the proposed rule are due on or before March 20, 2017.  We will continue to provide updates as comments are received and the rule is finalized.