The Department of Homeland Security weighed in on the question of data security by proposing a new rule (HSAR Case 2015-001; 82 FR 6429; Jan. 19, 2017) for safeguarding Controlled Unclassified Information (CUI).
It joins the National Archives and Records Administration's Final Rule on CUI and the Department of Defense's rules on Covered Defense Information in the snarl of CUI-related rules that agencies have issued or proposed.
The DHS's CUI rule would add another layer of complexity, as federal contractors and subcontractors now face the prospect of complying with different sets of rules from different agencies. That runs counter to the intent of Executive Order 13556, issued in 2010, which sought to standardize the treatment of CUI across the government.
Here are some features of the DHS's proposed rule:
Handling of CUI.
Requirements for the handling of CUI are described only very generally in the proposed rule and the new DHS FAR Supplement clause (3052.204-7X, Safeguarding of Controlled Unclassified Information). Contractors are to provide "adequate security" to protect CUI, with "adequate security" defined as security appropriate to the risk of disclosure. For further guidance, contractors are referred to a DHS website that will contain a section titled "Security and Training Requirements for Contractors." The policies and procedures found on that website are incorporated by reference into contracts and subcontracts via the new clause. The DHS evidently expects these policies and procedures to change over time, since the requirements applicable to any given contract are those "in effect at the time of contract award." Contractors should therefore capture and retain the version of the website requirements in force on their award date, as that is the version they will be held to.
Definition of CUI.
CUI is defined in the proposed rule as any unclassified information created or possessed by the government or by a contractor "that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls." The proposed rule then specifies 12 categories and subcategories as examples of DHS-related CUI, including Chemical-terrorism Vulnerability Information (CVI), Protected Critical Infrastructure Information (PCII), Homeland Security Agreement Information, Homeland Security Enforcement Information, Information Systems Vulnerability Information (ISVI), Personally Identifiable Information (PII), and Sensitive PII (SPII).
Authority to Operate.
For those contractors seeking to operate DHS information systems, the proposed rule sets forth the process by which companies may obtain the requisite security authorization to do so. Notably, the process requires comprehensive testing and evaluation, an independent third-party assessment, a security review, regular reporting, and continuous monitoring.
Incident Reporting.
Both contractors and subcontractors must report known or suspected data breaches or compromise incidents. For incidents (or possible incidents) involving PII and/or SPII, a report must be made to the DHS within one hour of discovery. All other incidents must be reported within eight hours. Contractors that experience incidents involving PII and/or SPII are also required to notify affected individuals and, where appropriate, to provide credit-monitoring services. Note that the clock starts at discovery of a known or suspected incident, not at confirmation, so contractors need an escalation path that can reach the DHS point of contact within the hour, before the investigation is complete.
Mandatory Flowdown.
The proposed HSAR clause 3052.204-7X must be included in all contracts and subcontracts, at any tier, under which the contractor or subcontractor will (1) have access to CUI, (2) collect or maintain CUI on an agency's behalf, or (3) operate a Federal information system or contractor information system that collects, processes, stores, or transmits CUI.
Broader Context.
This DHS proposed rule is part of a broader initiative within the DHS concerning IT security generally. Consistent with this approach, the DHS issued two additional proposed rules simultaneously with the CUI rule, addressing IT security awareness training (HSAR Case 2015-002) and Privacy Act training (HSAR Case 2015-003).
The rule is open for comments until March 20, 2017.