By Alan Chvotkin, Partner at Centre Law & Consulting
In March 2016, pursuant to an initial Obama Executive Order, the National Archives published its long-awaited final regulations covering how agencies must deal with controlled unclassified information, or CUI. CUI is information that requires safeguarding or dissemination controls pursuant to, and consistent with, applicable law, regulations and government-wide policies but the information is not classified.
The CUI Program is an unprecedented initiative to standardize practices across more than 100 separate departments and agencies, as well as state, local, tribal and private sector entities, academia and industry. It eliminates the inconsistent and oft-undefined terms such as “for official use only” or “sensitive but unclassified.” This standardization is designed to enable timely and consistent information sharing and increase transparency throughout the federal government and with non-federal stakeholders. There are 20 different categories of information included in the National Archives “registry” of the types of data that might qualify as CUI, along with guidance on the special marking that must be added to each type of information to be protected.
But even seven years after the final program rules were published, along with numerous training and instructional guides for agencies and stakeholders, the program remains a work in process.
For example, the Federal Acquisition Regulation published its initial version of the contractors’ government-wide CUI contract clause [FAR 52.204-21] in 2016. The Department of Defense also issued its first version of a contractor CUI contract clause in 2016 dealing with CUI and DoD’s unique subset of data called “Covered Defense Information” [DFARS 252.204-7012]. Both clauses require contractors to provide “adequate security” for covered CUI that is processed, stored, or transmitted on a contractor’s internal information system or network. However, the Department of Defense did not issue its first internal program instruction until March 2020, while the Environmental Protection Agency rolled out its program as recently as Feb. 2023.
As part of the implementation requirement, both the FAR and DFARS clauses require contractors to implement the National Institute of Standards and Technology Special Publication 800-171 to safeguard covered CUI information that is stored on contractor internal systems. This NIST document, first published in 2015, provides a single, government-wide set of performance-based CUI security requirements, although it intentionally recognizes that there is no single or prescribed manner by which a contractor may implement these requirements.
NIST updates SP 800-171
In May 2023, NIST published for public comment Revision 3 of SP 800-171, adding several new requirements to the prior version, including new families of security requirements and an allowance for federal agencies to customize specific parameters to support an agency’s mission or business function, and to manage risk. Comments on the draft Revision 3 are due by July 14 and NIST plans to publish a final version in early 2024.
It is important for contractors that may have access to CUI to fully understand the current NIST 800-171 provisions and how the changes in Revision 3 may affect their existing policies and internal controls. By re-baselining a contractor’s internal policies and controls now, even before Revision 3 is finalized, contractors will know exactly what adjustments will be required and will have their assessments and roadmaps ready to go when the NIST Revision 3 is finalized.
DHS issues final CUI acquisition rule
On June 21, the Department of Homeland Security issued a final rule to amend the Homeland Security Acquisition Regulation and provide for the safeguarding DHS’s specific CUI information. The rule becomes effective on July 21. The rule is seven pages long but the helpful explanatory material accompanying the Federal Register publication is 37 pages. A proposed rule was published in 2017 with 14 sets of public comments filed.
The purpose of the rule is to implement security and privacy measures to safeguard DHS’ CUI and facilitate improved incident reporting. The final rule strengthens and expands existing DHS acquisition language to ensure adequate security when contractor and subcontractor employees have access to CUI, when CUI will be collected or maintained, or when federal or contractor information systems are used to collect, process, store or transmit CUI. Among other provisions, the rule identifies CUI handling requirements and security processes and procedures, identifies incident reporting requirements, and requires contractors to have in place procedures and the capability to notify, and to provide credit monitoring services, to any individual whose personally identifiable information was under the control of the contractor or resided in the information system at the time of the incident.
While the DHS HSAR rule is new, and has been in gestation for over six years, the federal government’s CUI program has matured significantly over that time, even if government-wide implementation has been slow to be adopted by many federal agencies. Nevertheless, DHS has identified important department-specific requirements that contractors doing business with DHS need to be aware of and be prepared to comply with. While the core NIST and government-wide CUI program requirements are the foundations upon which the DHS rule is built, there are still DHS-specific requirements that impose additional contractor compliance obligations and process changes.
Conclusion
The foundational, government-wide CUI program provides important protections for properly marked, government-generated information. It also provides a uniform baseline for contractors who work across federal agencies to plan for and implement standardized policies and information technology controls, based on the core National Archives regulations and the NIST family of controls. But the 20 unique families of CUI data and markings—and the specialized requirements that can be and have been imposed by many departments and agencies such as DoD and DHS—means that contractors are still required to be aware of and proactive in implementing such unique provisions and carefully guarding data that is properly restricted.
