On June 21, 2023, DHS published a final rule that amends the Homeland Security Acquisition Regulation (HSAR) both by modifying the existing regulations through removing and updating existing clauses and by adding new contract clauses to include certain requirements for the safeguarding of Controlled Unclassified Information (CUI). The final rule, first released in proposed form by DHS in January 2017, implements security and privacy measures to safeguard CUI and facilitates improved incident reporting to DHS. DHS has said the new measures are “necessary because of the urgent need to protect CUI and respond appropriately when DHS contractors experience incidents with DHS information,” in light of “[p]ersistent and pervasive high-profile breaches of Federal information” in government contracts.
Below we summarize certain key requirements from the rule, consider how the new DHS rule may impact government contractors, and discuss best practices for contractors impacted by the rule.
Department of Homeland Security Final Rule on Safeguarding CUI
At a high level, the rule “strengthens and expands existing HSAR language to ensure adequate security when: (1) contractor and/or subcontractor employees will have access to CUI; (2) CUI will be collected or maintained on behalf of the agency; or (3) Federal information systems, which include contractor information systems operated on behalf of the agency, are used to collect, process, store, or transmit CUI.” Government contractors should take particular note of the three DHS contract clauses covered by the rule and discussed in more detail below.
3052.204–71 Contractor Employee Access Clause
The first contract clause in the DHS rule concerns contractor employee access to CUI. The clause is required in DHS contracts when contractor and/or subcontractor personnel require “recurring access to government facilities or access to CUI.” In particular, “Contractor employees” working on contracts that incorporate the clause will be required to “complete such forms as may be necessary for security or other reasons, including the conduct of background investigations to determine suitability” and to submit such forms as directed by the contracting officer. The contracting officer will have the authority to require the contractor to prohibit individuals from working on the contract if determined to be contrary to the public interest for any reason, including carelessness and incompetence. Additionally, “[a]ll Contractor employees requiring recurring access to government facilities or access to CUI or information resources are required to have a favorably adjudicated background investigation prior to commencing work [on their respective contracts] unless this requirement is waived under departmental procedures.” Additional security requirements apply where contractor employees need access to Federal information systems during contract performance.
The clause also contains a very broad non-disclosure prohibition stating that contractors “shall not disclose, orally or in writing, CUI for any other purpose to any person unless authorized in writing by the Contracting Officer.” Given the continuing challenge that contractors (and the government) face with regard to identifying which data relating to a contract qualifies as CUI, many contractors may default to taking an expansive view of what qualifies as CUI. Moreover, this provision imposes training requirements addressing the protection and disclosure of CUI on contractor employees who will access CUI under the contract. This training must take place no later than 60 days after contract award, with refresher training every two years. Finally, this clause must be flowed down to all subcontractors “at any tier where the subcontractor may have access to government facilities, CUI, or information resources.”
3052.204–72 and ALT.1 Safeguarding of Controlled Unclassified Information Clause
The second contract clause imposes precautions that contractors must take to safeguard and properly handle CUI, incident reporting and response requirements, and a requirement to sanitize government and government-activity related files and information upon conclusion of the contract. The base clause applies when contractor and/or subcontractor employees will have access to CUI, or when CUI will be collected or maintained on behalf of DHS. The ALT 1 version of the clause applies to information systems that a contractor operates on behalf of DHS and that are used to collect, process, store, or transmit CUI. Under the ALT 1 version of the clause, contractors cannot operate a system on behalf of DHS until they receive an authority to operate (ATO).
Regarding the handling of CUI, “Contractors and subcontractors must provide adequate security to protect CUI from unauthorized access and disclosure.” In turn, the regulations define “Adequate security” to mean compliance with “DHS policies and procedures in effect at the time of contract award.” Additionally, the clause prohibits contractors from maintaining Sensitive Personally Identifiable Information (SPII) in their invoicing, billing, or other recordkeeping systems. The clause requires contractors to report known or suspected incidents involving Personally Identifiable Information (PII) or SPII within 1 hour of discovery, and other incidents within 8 hours of discovery. It further specifies that CUI must only be transmitted via email through encrypted means or within secure communications systems. The safeguarding requirements include a link to DHS policies and procedures in place at the time of award, which include numerous directives, handbooks, guidelines, and templates.
Although HSAR 3052.204–72 addresses obligations of contractor employees who access CUI, it specifically reserves any statement as to security safeguards on nonfederal information systems that store, process, or transmit CUI, indicating that “[t]he rule is intentionally silent on the security requirements applicable to nonfederal information systems because NARA is working with the FAR Councils, in which DHS is a participant, to develop a FAR CUI rule that addresses the requirements nonfederal information systems must meet before processing, storing, or transmitting CUI.” Instead, the clause formalizes certain processes where a contractor operates an information system on behalf of a federal agency that is used to store, process, or transmit CUI (i.e., federal information systems), including ATO procedures and continuous monitoring obligations.
3052.204–73 Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents Clause
The third, and final, contract clause relates to notification and credit monitoring requirements for PII. After an incident involving PII or SPII occurs, the clause requires contractors to “notify any individual whose PII or SPII was either under the control of the Contractor or resided in an information system under control of the Contractor at the time the incident occurred” within 5 business days of being directed to do so by their Contracting Officer. The rule presumably is targeting DHS employee PII or SPII that is “under the control of the Contractor” or “resid[es] in an information system under control of the Contractor”, rather than contractor employee information.
The final rule will take effect thirty days after its publication in the Federal Register, on July 21, 2023.
Takeaways for Government Contractors
DHS’s new final rule is the most recent cybersecurity regulation at the federal level, and it explicitly recognizes that additional FAR rules are expected. Its publication, however, highlights several important takeaways for those in the contractor community.
Employee Vetting Requirements.
The rule imposes stringent vetting requirements where contractor employees require access to CUI in performance of a DHS contract. This is a broad requirement that could potentially impact a large portion of a contractor’s workforce where those employees perform work for DHS. Additionally, the rule leaves open the possibility that vetting requirements may vary by contract. Contractors should ensure that the costs of these efforts are appropriately built into their cost or pricing proposal. Contractors should also develop a clear understanding of who within their workforce could potentially access CUI relating to a DHS contract (including third parties), and take steps to ensure that access is appropriately restricted to those employees unless they are read on to the contract.
Reporting Requirements.
The rule significantly shortens applicable incident reporting timelines as compared to other agencies. For example, the Department of Defense requires contractors to report cybersecurity incidents within 72 hours of discovery. As noted above, the DHS rule requires incidents to be reported within 8 hours of discovery, and incidents involving PII or SPII within 1 hour of discovery. Contractors should accordingly take steps to revise their incident reporting policies appropriately to ensure that these timeframes are met.
Identification of CUI.
The significant safeguarding, incident reporting, training, and background investigation requirements imposed by this rule are all premised on contractors being able to determine which employees are accessing CUI, including determining which data the contractor generates during performance of a contract qualifies as CUI. Effective communication both with the government and with contractor employees will be necessary to ensure that contractors and the government are aligned on which data are CUI, thereby triggering some of these requirements.
Forthcoming FAR Rules.
This rule foreshadows the publication of three long-awaited FAR rules. The first is a rule (FAR Case 2017-016) that would provide implementing regulations to address agency policies for “designating, safeguarding, disseminating, marking, decontrolling and disposing of CUI.” As noted above, a common understanding of what data qualifies as CUI is the cornerstone to safeguarding the data and to recognizing when an incident occurs. In addition, two other related FAR rules are expected to “standardiz[e] common cybersecurity contractual requirements across Federal agencies (FAR Case 2021-019),” and impose Executive Branch-wide requirements for reporting cyber incidents and sharing information about cyber threats (FAR Case 2021-017). As of June 23, 2023, drafts of all three proposed rules had been sent to OIRA for final review before publication. Contractors should continue to track the progress of these three key proposed rules, as they will supplement DHS’s new final rule and also impose common baseline cybersecurity requirements for all federal agencies.