National Association of Government Contractors

Homeland Security Proposes New Data Security Rule

The Department of Homeland Security weighed in on the question of data security by proposing a new rule (HSAR Case 2015-001; 82 FR 6429; Jan. 19, 2017) for safeguarding Controlled Unclassified Information (CUI).

Also, the National Archives and Records Administration's Final Rule on CUI, and the Department of Defense's rules on Controlled Defense Information, are among the snarl of rules that have been proposed.

The DHS's CUI rule would add another layer of complexity, as federal contractors and subcontractors are now faced with the prospect of having to comply with different sets of rules from different agencies.  This runs counter to the intent of Executive Order 13556, released in 2010, which sought to standardize the treatment of CUI across the government.

Here are some features of the DHS's proposed rule:

Handling of CUI.

Requirements for the handling of CUI are described only very generally in the proposed rule and new DHS FAR Supplement clause (3052.204-7X, Safeguarding of Controlled Unclassified Information).  Contractors are to provide "adequate security" to protect CUI.  "Adequate security" is defined as appropriate security given the risk of disclosure.  For further guidance, contractors are referred to a DHS website that will contain a section titled "Security and Training Requirements for Contractors."  The policies and procedures found on the website are incorporated by reference into contracts and subcontracts via the new clause.  The DHS seems to expect these policies and procedures will change over time, as the applicable requirements for any given contract are those "in effect at the time of contract award."

Definition of CUI.

CUI is defined in the proposed rule as any unclassified information created or possessed by the government or by a contractor "that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls."  The proposed rule then specifies 12 categories and subcategories as examples of DHS-related CUI, including Chemical-terrorism Vulnerability Information (CVI), Protected Critical Infrastructure Information (PCII), Homeland Security Agreement Information, Homeland Security Enforcement Information, Information Systems Vulnerability Information (ISVI), Personally Identifiable Information (PII), and Sensitive PII (SPII).

Authority to Operate.

For those contractors seeking to operate DHS information systems, the proposed rule sets forth the process by which companies may obtain the requisite security authorization to do so.  Notably, the process requires comprehensive testing and evaluation, an independent third-party assessment, a security review, regular reporting, and continuous monitoring.

Incident Reporting.

Both contractors and subcontractors must report known or suspected data breach or compromise incidents.  For those incidents (or possible incidents) involving PII and/or SPII, a report must be made to the DHS within one hour of discovery.  All other incidents must be reported within eight hours.  Contractors who have incidents involving PII and/or SPII are also required to notify affected individuals and, where appropriate, to provide credit-monitoring services.

Mandatory Flowdown.

The proposed HSAR clause 3052.204-7X must be included in all contracts and subcontracts, at any tier, that will (1) have access to CUI, (2) collect or maintain CUI on an agency's behalf, or (3) operate a Federal information system or contractor information system that collects, processes, stores, or transmits CUI.

Broader Context.

This DHS proposed rule is part of a broader initiative within the DHS concerning IT security generally.  Consistent with this approach, the DHS issued additional proposed rules simultaneously with the CUI rule to address IT security awareness training (HSAR Case 2015-002) and Privacy Act training (HSAR Case 2015-003).

The rule is open for comments until March 20, 2017.
