The United States Department of Defense (DoD), General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) are proposing to amend the Federal Acquisition Regulation (FAR) in an effort to implement the National Archives and Records Administration’s Controlled Unclassified Information (CUI) Program, which was established under an executive order.

On Wednesday the FAR Council issued the long-awaited CUI rule, which could change how contractors are provided with the guidance needed to identify and safeguard the CUI they receive when performing federal contracts.

As the National Law Review explained, “For nearly 15 years, contractors have struggled to determine what information meets this definition,” and added that the federal government will still “implement the bulk of the CUI Rule through a new FAR clause.”

What is CUI?

Controlled Unclassified Information (CUI) is information that while not classified, still requires protection and controls on its distribution.

As a category of information within the U.S. Federal Government, it can include Personally Identifiable Information (PII), Sensitive Personally Identifiable Information (SPII), Proprietary Business Information (PBI), Unclassified Controlled Technical Information (UCTI), Sensitive but Unclassified (SBU), international agreements, procurement and acquisition information, and law enforcement-sensitive information.

Calls for Compliance With NIST and CMMC Program

The CUI Rule change calls for compliance with NIST SP 800-171, Revision 2, or with controls in NIST SP 800-53, depending on the type of information systems used to process, store, or transmit CUI.

However, Revision 3 of the National Institute of Standards and Technology’s (NIST’s) Special Publication (SP) 800-171 was published last May. It contains security controls intended to help government contractors safeguard CUI received or generated in the course of contract performance.

Last August, the Pentagon also proposed amending the DFARS to incorporate contractual requirements associated with the Cybersecurity Maturity Model Certification program (CMMC) to verify contractor implementation of security controls through a proposed rule published in the Federal Register.

What does this mean exactly?

As Lindy Kyzer, director of content at ClearanceJobs, wrote last year, “The move by NIST to more unambiguous guidance more tightly tied to other efforts to streamline the Defense Industrial Base, specifically the implementation of CMMC, is a step in the right direction. Too many companies today are marching to their own CUI beat. Like many things in the contracting space, it’s taken several years for clarity in contract rules and awards when it comes to CUI. And there will be more contract clean up and clarification needed in the years to come.

“New NIST guidance also includes updated assessment procedures, which will hopefully help more individual security officers and companies to ensure they’re maintaining compliance, without creating redundant or excessive policies around CUI,” she continued.

Reporting Requirements Changing

FAR 52.204-XX also introduces two new reporting requirements.

The first subjects contractors to a new cyber incident reporting requirement: they must report any suspected or confirmed “CUI incident” that occurs on a non-federal information system within eight hours of discovery to a yet-to-be-identified agency official. Moreover, if a contractor is found to be at fault for the CUI incident, the contractor “may be” liable for costs incurred by the government in responding to and mitigating the incident.

In addition, contractors are required to notify their contracting officer within eight hours of discovering any information that the contractor may “believe” includes CUI, even if it is not identified in the SF XXX, or is not marked or properly marked as required. Contractors are expected to “appropriately safeguard” that information while the contracting officer determines whether or not it is CUI.

Review Period Posted

The proposed rule has a comment period that ends on March 17. Because the comments submitted will be made public, those offering comments are asked not to include any “sensitive personal information or proprietary information” or information that individuals “would not want publicly disclosed.”

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.