The Department of Homeland Security amended its regulations due to the urgent need to protect Controlled Unclassified Information.

TAKEAWAYS

  • The final rule requires Department of Homeland Security (DHS) contractors to protect Controlled Unclassified Information (CUI) using security controls that differ from the controls required by other agencies.
  • It also sets forth new, onerous cybersecurity incident reporting requirements for DHS contractors handling CUI, including extremely short timeframes for notifying the Department of security incidents—in some cases in as little as one hour.
  • Contractors may be required to provide credit monitoring services to any affected individual whose information was under the control of the contractor at the time of a cybersecurity incident.

On June 21, 2023, the Department of Homeland Security (DHS or Department) issued a final rule amending the Homeland Security Acquisition Regulation (HSAR) to add requirements for DHS contractors to protect Controlled Unclassified Information (CUI) and to report cyber incidents. The final rule follows a 2017 proposed rule and builds on existing DHS security policy by updating an existing HSAR clause and creating two new HSAR clauses. The final rule imposes significant new obligations on DHS contractors that extend beyond the obligations imposed by the Department of Defense (DOD) and other agencies. In addition, the clause requires DHS contractors to protect CUI using different security controls than those required by the DOD.

The updates to HSAR 3052.204-71 (Contractor Employee Access) provide that the purpose of the rule is to ensure "adequate security" of CUI in circumstances where federal government contractor or subcontractor personnel (1) have access to CUI, (2) collect or maintain CUI on behalf of the Department or one of its component agencies, or (3) operate federal information systems, including contractor information systems operating on behalf of the Department, that collect, process, store or transmit CUI. In that regard, the final rule requires such contractors to comply with CUI handling requirements set forth in "DHS policies and procedures in effect at the time of contract award," and not with the security controls contained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. This is notable because the DOD's existing regulations require contractors to protect CUI using the NIST SP 800-171 controls. DHS's final rule, in contrast, states that the NIST SP 800-171 controls are not appropriate but does not explain why. Regardless of DHS's reasons for requiring different controls, contractors working for both agencies will now need to ensure that they are in compliance with the NIST SP 800-171 controls, as well as DHS policies and procedures, which could change over time.[1]

Next, the final rule creates a new HSAR clause, HSAR 3052.204-7X (Safeguarding of Controlled Unclassified Information). This clause imposes significant reporting obligations on contractors by requiring them to report known or suspected incidents that involve CUI within eight (8) hours. Moreover, the new clause requires contractors to report incidents involving Personally Identifiable Information (PII) or Sensitive Personally Identifiable Information (SPII) within one hour of discovery. Contractors are then required to update their reports with 13 pieces of additional information within 24 hours. Thus, DHS's new requirements are significantly more onerous than the 72-hour reporting requirement contained in DFARS 252.204-7012. The clause also requires contractors to destroy or return to DHS all CUI using the guidelines in NIST SP 800-88 (Guidelines for Media Sanitization) and to submit a certification to the contracting officer confirming the return or destruction of the CUI.

The second new clause created by the final rule, HSAR 3052.204-7Y (Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents), sets forth notification procedures and requirements for contractors to, in the event of an incident, notify any individual whose PII and/or SPII was under the control of the contractor or resided in the information system at the time of the incident. Further, the clause provides that, in the event of an incident, contracting officers may require contractors to provide credit monitoring services to any affected individual whose PII or SPII was under the control of the contractor at the time of the incident. The contractor must provide these credit monitoring services for at least 18 months from the date it first notified the individual.

The final rule will be included in DHS solicitations starting on July 21, 2023. Given the extensive obligations contained in this rule, DHS contractors should work quickly to determine whether the final rule will apply to procurements they are competing for and to determine whether they are in compliance with it. This is especially true since the final rule notes that the Government "may elect to conduct periodic reviews to ensure that the security requirements contained in contracts are being implemented and enforced."

Footnotes

1. HSAR 3052.204-71 has also been updated to remove references to "sensitive information" and replace them with "CUI," which is defined as:

[A]ny information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.

This definition is consistent with the definition of CUI found in 32 C.F.R. § 2002.4(h) and is similar to the definition of CUI found in Defense FAR Supplement (DFARS) 252.204-7012.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.