Pursuant to Executive Order 13,556 and as forecasted in the draft of the National Institute for Standards and Technology’s (“NIST”) Special Publication (“SP”) 800-171, the National Archives and Record Administration (“NARA”) released on May 8, 2015 a proposed rule addressing the government-wide designation and safeguarding of Controlled Unclassified Information[1] (“CUI”) (“the Proposed CUI Rule” or “the Rule”).  On June 18, 2015, NIST released the final version of SP 800-171, which provides guidance for protecting the confidentiality of CUI residing in nonfederal information systems.

SP 800-171 also includes interpretations of and best practices for compliance with the Proposed CUI Rule.  As a result, reading SP 800-171 in conjunction with the Proposed CUI Rule suggests that contractors may soon face significant additional burdens for safeguarding government information on their systems.

Background

Due to the government’s ever-increasing reliance on external service providers to carry out its missions and business functions, SP 800-171 was created to assist federal agencies in protecting CUI on nonfederal systems.  The guidance therein applies to “components of nonfederal information systems that process, store, or transmit CUI, or that provide security protection for such components.”  The Proposed CUI Rule furthers the purpose of SP 800-171 by requiring agencies to include a provision to comply with the Rule’s requirements in all contracts with contractors who will “handle CUI.”

The Proposed CUI Rule includes several key elements:

  • The CUI Registry: A publicly-accessible central repository for information, guidance, policy, and requirements for handling CUI. The Registry designates what level of control is required for a given category of CUI.
  • CUI Categories and Subcategories: Constitute the exclusive means of designating CUI throughout the executive branch, which identify unclassified information that requires safeguarding or dissemination controls. CUI must be designated only by use of the categories and subcategories approved by the CUI Executive Agent (NARA).
  • Safeguarding: States that agencies “must apply information system requirements to CUI that are consistent with already-required NIST standards and guidelines and OMB policies” but does not specify which standards should apply.
  • Accessing and Disseminating: Sets forth procedures for agencies to disseminate and permit access to CUI.
  • Decontrolling: Sets forth procedures for agencies to decontrol CUI.
  • Marking: Sets forth procedures and directions for conspicuously marking CUI.

With regard to contractors, the most critical element is the safeguarding requirement, which, in conjunction with SP 800-171, may impose new burdens.

Safeguarding CUI

The Proposed CUI Rule requires agencies (and contractors by extension) to safeguard CUI under one of two standards:

  • CUI Basic: A default set of standards all agencies must apply to all CUI unless the CUI Registry designates the relevant information as CUI Specified. The Rule does not explain what this baseline standard requires.  For example, the standards in SP 800-171 are not explicitly cited as requirements in the Proposed CUI Rule.
  • CUI Specified: Sets of standards that apply to CUI categories and subcategories that have specific handling standards required by law, regulation, or government-wide policies.

Although the exact baseline standard is unclear, the Proposed CUI Rule compels agencies handling CUI to comply with, at a minimum, Federal Information Processing Standards (“FIPS”) Publication 199, FIPS 200, NIST SP 800-53, and NIST SP 800-60.  Accordingly, SP 800-171 interprets this to mean that “a similar level of protection is needed” for CUI processed, stored, or transmitted on contractors’ systems.  This is why the standards included in SP 800-171 are tailored to maintain CUI confidentiality on nonfederal systems.  It stands to reason that the standards in SP 800-171 will become the baseline standard, but, as mentioned above, the Proposed CUI Rule does not so state.  Contractors should review SP 800-171 carefully because some of the suggested best practices may prove challenging for contractors to implement.

For example, SP 800-171 suggests a best practice that nonfederal organizations segregate their information systems or system components.  Specifically, SP 800-171 suggests that contractors handling CUI designate specific information systems for the processing, storage, or transmission of CUI, in order to limit the scope of the CUI security requirements to those particular systems, and that “[i]solating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach . . . to satisfy the requirements and protect the confidentiality of CUI.”  Thus, NIST appears to recommend that contractors invest in the development of their own fortified subnetworks dedicated to processing CUI that are logically segregated from the rest of their corporate networks, or develop standalone or “air-gapped” systems that provide similar protections.  Depending on the contractor, this simply may not be practical.
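As an added illustration of the scoping idea in the passage above (this is example code written for this post, not NIST's or any project's), the following script takes a constructed host inventory and a constructed set of boundary-device rules and reports which hosts fall inside a dedicated CUI enclave, which CUI-handling hosts sit outside it (and so widen the scope of the requirements), and which outside hosts the boundary still lets in. Host names, addresses and the enclave range are all assumptions.

```python
import ipaddress

# Constructed inventory: each host is tagged with whether it handles CUI.
HOSTS = {
    "cui-fileserver":     {"ip": "10.20.0.10", "handles_cui": True},
    "cui-workstation-1":  {"ip": "10.20.0.21", "handles_cui": True},
    "hr-app":             {"ip": "10.10.5.4",  "handles_cui": False},
    "misplaced-cui-box":  {"ip": "10.10.5.9",  "handles_cui": True},
    "jump-host":          {"ip": "10.30.0.5",  "handles_cui": False},
}

# Assumed enclave: the subnetwork designated for CUI processing.
CUI_ENCLAVE = ipaddress.ip_network("10.20.0.0/24")

# Constructed boundary rules as (src_cidr, dst_cidr, action); first match wins,
# and anything unmatched is denied, i.e. default-deny at the enclave boundary.
RULES = [
    ("10.30.0.5/32", "10.20.0.0/24", "allow"),   # hypothetical admin jump host
    ("0.0.0.0/0",    "10.20.0.0/24", "deny"),
]


def _in_enclave(host, enclave):
    return ipaddress.ip_address(host["ip"]) in enclave


def in_scope_hosts(hosts, enclave):
    """Hosts the CUI requirements apply to: everything inside the enclave."""
    return sorted(n for n, h in hosts.items() if _in_enclave(h, enclave))


def misplaced_cui_hosts(hosts, enclave):
    """CUI-handling hosts outside the enclave; each one drags its segment into scope."""
    return sorted(n for n, h in hosts.items()
                  if h["handles_cui"] and not _in_enclave(h, enclave))


def boundary_allows(rules, src_ip, dst_ip):
    """Evaluate the first-match rule list for one src->dst pair."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s, d, action in rules:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action == "allow"
    return False  # default deny


def outside_hosts_reaching_enclave(hosts, rules, enclave):
    """Non-enclave hosts that the boundary permits to reach any enclave host."""
    enclave_ips = [h["ip"] for h in hosts.values() if _in_enclave(h, enclave)]
    return sorted(n for n, h in hosts.items()
                  if not _in_enclave(h, enclave)
                  and any(boundary_allows(rules, h["ip"], e) for e in enclave_ips))
```

Each of the three report functions corresponds to a question an assessor would ask of a segregated design: what is in scope, what leaked out of the enclave, and what the boundary still admits.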

Impact on Contractors

The bottom line for contractors is that the final CUI Rule will impose additional security controls on contractors.  Although the Rule seeks to harmonize the approach that agencies take to designate and safeguard CUI, as currently drafted, it is unclear which controls will apply at the CUI Basic and CUI Specified levels.  For example, the interaction between CUI Basic controls and the controls imposed by DFARS 252.204-7012 for unclassified controlled technical information (“UCTI”) remains unclear.  Unless these types of issues are clarified in the final rule, contractors may need to ensure their information systems include the appropriate controls for all applicable cybersecurity regulations, or maintain separate systems for CUI Basic contracts and each CUI Specified contract.

Comments on the Proposed CUI Rule are due July 7, 2015.

[1] CUI is defined as “information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information.”

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018 the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.