The U.S. Department of Homeland Security (DHS) has issued comprehensive cybersecurity regulations aimed at protecting Controlled Unclassified Information (CUI). These regulations were long-awaited, as the original proposed rules were released in January 2017 and dovetail with existing and forthcoming requirements from the U.S. Department of Defense (DoD) and Federal Acquisition Regulatory Council (FAR Council). They are effective July 21, 2023, modify and add to the Homeland Security Acquisition Regulations (HSAR) and will be inserted into forthcoming solicitations, including commercial contracts issued under Federal Acquisition Regulation (FAR) Part 12.
A Closer Look at the Regulations
These regulations dictate not only how contractors are required to protect CUI, but also new reporting requirements should a cybersecurity incident occur and, in some circumstances, third-party assessments. These regulations will impose additional costs on contractors, but DHS states that such costs are necessary to protect CUI and other critical information:
DHS recognizes there are significant costs associated with these requirements; however, the persistent and prevalent nature of cyber-attacks on both government and private sector networks has shown that this is a necessary expense. DHS fully expects its contractors to reflect these costs in the price and cost proposals they submit to the Department.
There are three regulations of interest:
- HSAR 3052.204-71 Contractor Employee Access is applicable when contractor or subcontractor employees will have access to CUI (as defined in the regulation) or government facilities. It requires employee security screenings and training.
- HSAR 3052.204-72 Safeguarding of Controlled Unclassified Information is applicable when employees of contractors or subcontractors will have access to CUI (as defined in the regulation) or when the contractor or subcontractor is collecting or maintaining CUI on behalf of the agency. It requires contractors to comply with security requirements set forth by DHS. There is also an incident reporting requirement (one hour for incidents involving Personally Identifiable Information (PII) and Sensitive PII (SPII), and eight hours for other incidents).
- HSAR 3052.204-73 Notification and Credit Monitoring Requirements for PII Incidents is applicable when contractor or subcontractor employees have access to PII and requires the contractor to notify impacted individuals of the incident within five business days. The contracting officer may also require credit monitoring.
Interestingly, the rules issued by DHS do not use the security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as a baseline, but instead rely on the security controls outlined by DHS. These controls can be changed at any time. NIST SP 800-171 is the expected baseline for forthcoming FARs for the protection of CUI and is currently the baseline for DoD’s regulations for CUI security. In the rule’s commentary, DHS offers an explanation as to why utilizing NIST SP 800-171 was not appropriate here.
The security standards currently required by DHS (which, again, can change at any time) include DHS Management Directives 11042.1 and 11056.1, and DHS Sensitive Systems Policy Directive 4300A. The list includes eight separate security policies as well as personnel security policies, privacy safeguards and training requirements. Like the U.S. Department of Veterans Affairs (VA), DHS has developed bespoke policies and security requirements for the protection of CUI. To the point, DHS states in the commentary to the rule that it is in the process of updating these policies:
DHS, like many other Departments and agencies, is still in the process of implementing the CUI Program. This process includes an update to internal policies and procedures related to CUI. Once these policies and procedures have been drafted and finalized, they will replace the policies and procedures currently listed on the publicly facing website. These policies and procedures are required to address all elements of the CUI Program and extend beyond the protection of CUI in information systems. For example, the new policies and procedures also will address training, handling, transmission, marking requirements, incident reporting, etc. The current DHS-specific policies and procedures on the publicly facing website address these requirements and the new policies and procedures will as well. As such, compliance with these policies and procedures is mandatory.
Once updated, by virtue of the rule, compliance with these new policies may be required with little notice.
The dissimilarities to other existing federal government standards do not end there: DHS also developed a definition of CUI that diverges from existing definitions at DoD, for example. Under the DHS cybersecurity regulations, CUI “is any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Continuing, DHS states that this “includes” protected critical infrastructure, sensitive security information, information “regarding developing or current technology,” physical security information and PII, among other things. Contrast this with the definition of CUI set out by DoD in DFARS 252.204-7012, which provides that CUI is information that “requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies,” but also points to the CUI registry for the categories of information included in the definition. It remains to be seen whether DHS expects the list in the regulation to be exhaustive or merely examples of the types of information it expects to be categorized as CUI. In response to a question about this rule, DHS acknowledged that the protection requirements here would layer on top of the existing governmentwide FAR effort for the protection of CUI:
DHS is a participant on the FAR team responsible for drafting the FAR language that will implement the CUI Program and has determined that the issuance of a FAR CUI rule does not eliminate the need for DHS to identify its agency-specific requirements for CUI and the methodology it uses to ensure that Federal information systems, which includes contractor information systems operated on behalf of the agency, that collect, process, store, or transmit CUI are adequately protected.
This signals the overall direction of cybersecurity requirements in the federal government: There will be a FAR-based baseline (above and beyond the current requirements specified in FAR 52.204-21), with agencies staking out specific additional requirements for contractors working within those specific agencies such as DHS, VA and DoD. While this may be the best option from the standpoint of protecting CUI and other similar information, it will add significant cost and compliance burdens to contractors that wish to work with multiple agencies.
Additional Requirements Under the New Regulations
Applicable Systems and Information
The basic requirements in the regulation are applicable when CUI is being handled as part of the contractual requirements. Other requirements in the rule will only be triggered when a contractor has access to a government system or is operating a system on behalf of DHS.
DHS seeks to eliminate common confusion in the industry about which information would be subject to security requirements by issuing a Security Requirements Traceability Matrix (SRTM) with each solicitation. The SRTM will identify “security controls that must be implemented on an information system that collects, processes, stores, or transmits CUI…”
Under HSAR 3052.204-71, employees with access to CUI or government facilities will have to undergo a security screening and training. More specifically, contractor employees will be fingerprinted and must be cleared prior to working on a contract. Contracting officers may prohibit employees from working on a contract if the government determines their continued employment is contrary to public policy because of “carelessness, insubordination, incompetence, or security concerns.” Further, approved employees must receive training within 60 days of contract award and refresher training every two years. These requirements must be flowed down to subcontractors where subcontractor employees will have access to CUI, government facilities or information resources.
If an employee will have access to “information resources,” which is defined as “information and related resources, such as personnel, equipment, funds, and information technology,” HSAR 3052.204-71 requires the use of Alternate I with additional requirements. They include an additional security briefing, additional training, execution of a nondisclosure agreement and restrictions on the use of such material. Further, access to or the assistance in the “development, operation, management, or maintenance” of DHS information technology systems is limited to U.S. citizens unless the contractor secures a waiver.
The regulations make clear that contractors handling CUI must comply with the security standards outlined by DHS. As noted in the commentary to the rule, these standards are currently being updated, so contractors should continue to monitor whether they are in compliance with the requirements as they evolve. Because the rules merely point to a website, no further rulemaking will be required prior to the implementation of these new requirements.
All known or suspected “incidents” are subject to breach notification requirements, with the definition of “incident” in the regulations being broad. Besides occurrences that “[a]ctually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system,” incidents also include anything that “[c]onstitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.” For example, CUI spilling into other contractor systems would trigger an incident report. In the discussion preceding the rule, DHS states that “CUI spills onto internal contractor information systems are considered incidents and are subject to the incident reporting and response requirements of clause 3052.204–7X, Safeguarding of Controlled Unclassified Information.”
All incidents (no matter whether it is a prime or subcontractor-generated incident) must be reported to the DHS Component Security Operations Center. Subcontractors must also notify their prime contractors that an incident report was made.
Contractors reporting an incident must do so within eight hours unless PII is involved, which accelerates the timeline to one hour. Also, contractors are required to report 13 pieces of data within 24 hours, including the government programs involved, location and date/time of the incident, server names where CUI resided and a description of the PII or SPII contained within the system.
Contractors must also support any government investigation, which may include everything from providing log files to inspections of facilities.
Additional Requirements for Federal Systems
For contractors that are operating federal systems or contractor information systems on behalf of DHS that contain CUI, there are additional requirements.
- Contractors must obtain an Authority to Operate (ATO) prior to handling CUI in a federal system. The regulations provide that the ATO is made at the sole discretion of the government and can be revoked at any time.
- Contractors must complete the Security Authorization (SA) process consistent with DHS Policy Directive 4300A. The SA contains “Security Plan, Contingency Plan, Contingency Plan Test Results, Configuration Management Plan, Security Assessment Plan, Security Assessment Report, and Authorization to Operate Letter. Additional documents that may be required include a Plan(s) of Action and Milestones and Interconnection Security Agreement(s)” and must be validated by a third party and submitted and approved 30 days prior to the operation of the information system. The SA package must be reviewed every three years.
- Contractors must obtain a third-party assessment to validate the controls in place for the information system consistent with NIST SP 800-53. As noted above, the third-party assessor must also review the SA package.
- Contractors must subject themselves to periodic reviews from DHS or other agencies at DHS’ discretion to ensure all security requirements are being followed. These reviews include full access to systems, facilities and personnel.
- Contractors must abide by reporting and continuous monitoring requirements outlined in the rule.
No matter whether a contractor operates a federal system or not, these requirements represent a significant escalation of cybersecurity requirements for contractors doing business with DHS. Contractors should carefully study the requirements to ensure they are compliant with these standards and others across the government.