Pursuant to Executive Order 13,556 and as forecasted in the draft of the National Institute of Standards and Technology’s (“NIST”) Special Publication (“SP”) 800-171, the National Archives and Records Administration (“NARA”) released on May 8, 2015 a proposed rule addressing the government-wide designation and safeguarding of Controlled Unclassified Information[1] (“CUI”) (“the Proposed CUI Rule” or “the Rule”). On June 18, 2015, NIST released the final version of SP 800-171, which provides guidance for protecting the confidentiality of CUI residing in nonfederal information systems.
SP 800-171 also includes interpretations of and best practices for compliance with the Proposed CUI Rule. As a result, reading SP 800-171 in conjunction with the Proposed CUI Rule suggests that contractors may soon face significant additional burdens for safeguarding government information on their systems.
Background
Due to the government’s ever-increasing reliance on external service providers to carry out its missions and business functions, SP 800-171 was created to assist federal agencies in protecting CUI on nonfederal systems. The guidance therein applies to “components of nonfederal information systems that process, store, or transmit CUI, or that provide security protection for such components.” The Proposed CUI Rule furthers the purpose of SP 800-171 by requiring agencies to include a provision to comply with the Rule’s requirements in all contracts with contractors who will “handle CUI.”
The Proposed CUI Rule includes several key elements:
- The CUI Registry: A publicly-accessible central repository for information, guidance, policy, and requirements for handling CUI. The Registry designates what level of control is required for a given category of CUI.
- CUI Categories and Subcategories: The exclusive means of designating CUI throughout the executive branch; they identify unclassified information that requires safeguarding or dissemination controls. CUI must be designated only by use of the categories and subcategories approved by the CUI Executive Agent (NARA).
- Safeguarding: States that agencies “must apply information system requirements to CUI that are consistent with already-required NIST standards and guidelines and OMB policies” but does not specify which standards should apply.
- Accessing and Disseminating: Sets forth procedures for agencies to disseminate and permit access to CUI.
- Decontrolling: Sets forth procedures for agencies to decontrol CUI.
- Marking: Sets forth procedures and directions for conspicuously marking CUI.
With regard to contractors, the most critical element is the safeguarding requirement, which, in conjunction with SP 800-171, may impose new burdens.
Safeguarding CUI
The Proposed CUI Rule requires agencies (and contractors by extension) to safeguard CUI under one of two standards:
- CUI Basic: A default set of standards all agencies must apply to all CUI unless the CUI Registry designates the relevant information as CUI Specified. The Rule does not explain what this baseline standard requires. For example, the standards in SP 800-171 are not explicitly cited as requirements in the Proposed CUI Rule.
- CUI Specified: Sets of standards that apply to CUI categories and subcategories that have specific handling standards required by law, regulation, or government-wide policies.
Although the exact baseline standard is unclear, the Proposed CUI Rule compels agencies handling CUI to comply with, at a minimum, Federal Information Processing Standards (“FIPS”) Publication 199, FIPS 200, NIST SP 800-53, and NIST SP 800-60. Accordingly, SP 800-171 interprets this to mean that “a similar level of protection is needed” for CUI processed, stored, or transmitted on contractors’ systems. This is why the standards included in SP 800-171 are tailored to maintain CUI confidentiality on nonfederal systems. It stands to reason that the standards in SP 800-171 will become the baseline standard, but, as mentioned above, the Proposed CUI Rule does not so state. Contractors should review SP 800-171 carefully because some of the suggested best practices may prove challenging for contractors to implement.
For example, SP 800-171 suggests a best practice that nonfederal organizations segregate their information systems or system components. Specifically, SP 800-171 suggests that contractors handling CUI designate specific information systems for the processing, storage, or transmission of CUI, in order to limit the scope of the CUI security requirements to those particular systems, and that “[i]solating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach . . . to satisfy the requirements and protect the confidentiality of CUI.” Thus, NIST appears to recommend that contractors invest in the development of their own fortified subnetworks dedicated to processing CUI that are logically segregated from the rest of their corporate networks, or develop standalone or “air-gapped” systems that provide similar protections. Depending on the contractor, this simply may not be practical.
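As an added illustration of the scoping and isolation point above (example code written for this summary, not from NIST or the Rule), the script below applies the SP 800-171 scope rule quoted earlier to a constructed system inventory and flags observed flows that reach a CUI-handling component without passing through a boundary protection device. All system names, attributes and flows are assumed sample data.

```python
# Added example (not from the article): a scoping and boundary check over a
# constructed inventory, applying the SP 800-171 scope rule quoted above.
# Names, attributes and flows below are all assumed sample data.

# System inventory: does the component process/store/transmit CUI, and is it
# a boundary protection device (e.g. the firewall fronting the CUI subnet)?
SYSTEMS = {
    "cui-fileserver":  {"handles_cui": True,  "boundary_device": False},
    "cui-workstation": {"handles_cui": True,  "boundary_device": False},
    "enclave-fw":      {"handles_cui": False, "boundary_device": True},
    "corp-mail":       {"handles_cui": False, "boundary_device": False},
    "corp-laptop":     {"handles_cui": False, "boundary_device": False},
}

# Observed flows as (source, destination) pairs, e.g. from firewall or NetFlow logs.
FLOWS = [
    ("cui-workstation", "cui-fileserver"),   # inside the enclave
    ("corp-laptop", "enclave-fw"),           # crosses at the boundary device
    ("enclave-fw", "cui-fileserver"),        # boundary device into the enclave
    ("corp-mail", "cui-workstation"),        # corporate host reaching CUI directly
]

def in_scope(systems):
    """Components subject to SP 800-171: those that handle CUI, plus those
    that provide security protection for them (the boundary devices)."""
    return {name for name, attrs in systems.items()
            if attrs["handles_cui"] or attrs["boundary_device"]}

def boundary_violations(systems, flows):
    """Flows that connect a CUI-handling component directly to a component
    outside the enclave, bypassing every boundary protection device."""
    cui_hosts = {n for n, a in systems.items() if a["handles_cui"]}
    boundary = {n for n, a in systems.items() if a["boundary_device"]}
    bad = []
    for src, dst in flows:
        ends = {src, dst}
        if ends & boundary:
            continue                    # mediated by a boundary device
        if len(ends & cui_hosts) == 1:  # exactly one end is inside the enclave
            bad.append((src, dst))
    return bad

if __name__ == "__main__":
    print("in scope:", sorted(in_scope(SYSTEMS)))
    for src, dst in boundary_violations(SYSTEMS, FLOWS):
        print(f"boundary bypass: {src} -> {dst}")
```

Every flagged flow is one that widens the CUI security domain beyond the designated systems, which is exactly the scope growth the segregation approach is meant to avoid.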
Impact on Contractors
The bottom line for contractors is that the final CUI Rule will impose additional security controls on contractors. Although the Rule seeks to harmonize the approach that agencies take to designate and safeguard CUI, as currently drafted, it is unclear which controls will apply at the CUI Basic and CUI Specified levels. For example, the interaction between CUI Basic controls and the controls imposed by DFARS 252.204-7012 for unclassified controlled technical information (“UCTI”) remains unclear. Unless these types of issues are clarified in the final rule, contractors may need to ensure their information systems include the appropriate controls for all applicable cybersecurity regulations, or maintain separate systems for CUI Basic contracts and each CUI Specified contract.
Comments on the Proposed CUI Rule are due July 7, 2015.
[1] CUI is defined as “information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information.”