DHS Issues Final Rule Regulating Federal Contractors’ Handling of Controlled Unclassified Information

July 19, 2023

On June 21, 2023, the U.S. Department of Homeland Security (DHS) issued a long-anticipated cybersecurity final rule (DHS Final Rule), which revises an existing clause and adds two new clauses to the Homeland Security Acquisition Regulation (HSAR) related to contractors’ handling of Controlled Unclassified Information (CUI). The DHS Final Rule is effective July 21, 2023, and is likely to significantly complicate DHS contractors’ cybersecurity compliance programs.

The DHS Final Rule is a notable development, in part, because it diverges from other current and forthcoming government cybersecurity guidance, including (1) the Department of Defense Federal Acquisition Regulation Supplement (DFARS) clause at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting; (2) the Federal Acquisition Regulatory (FAR) Council’s proposed rulemaking regarding the protection of CUI; and (3) existing CUI security protocols outlined in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Both the DHS Final Rule and the FAR Council’s forthcoming actions signal potentially significant regulatory changes on the horizon. Against this significant and changing backdrop, contractors should begin to evaluate these provisions now to allow sufficient time to prepare for changing cybersecurity compliance obligations.

The DHS Final Rule implements a number of significant unique cybersecurity requirements, including the following:

  • Broad definition of CUI. DHS uniquely interprets the term CUI broadly to include “any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.” The rule provides 11 categories and numerous subcategories of CUI included under this definition, which seemingly expands beyond the National Archives and Records Administration definitions that are in effect under the DFARS requirements.
  • Restrictions on contractor employee access to CUI (HSAR 3052.204-71). DHS will require security screening and training for contractor or subcontractor employees who have access to CUI or government facilities.
  • Security requirements for handling CUI and incident reporting requirements (HSAR 3052.204-72). The DHS Final Rule establishes security requirements for employees of contractors or subcontractors who have access to CUI or who collect or maintain CUI for DHS; requires CUI incidents (broadly defined) to be reported no later than eight hours following the incident, or no later than one hour for incidents involving personally identifiable information (PII) or sensitive PII (SPII). This significantly expands the scope and accelerates the timing for reporting of security incidents beyond what is prescribed in the DFARS requirements.
  • Notification and credit monitoring requirements for PII incidents (HSAR 3052.204-73). The DHS Final Rule further requires contractors or subcontractors whose employees gain access to PII or SPII to notify individuals impacted by any security incident within five business days of the incident and empowers contracting officers to require that contractors provide (and potentially pay for) credit monitoring and other services following PII incidents.

In support of these changes, the DHS Final Rule explains that the anticipated CUI rule being promulgated by the FAR Council “does not eliminate the need for DHS to identify its agency-specific requirements for CUI” and its protection. Indeed, rather than relying on NIST SP 800-171, DHS has supplied its own cybersecurity policies, including DHS Management Directives 11042.1 and 11056.1 and DHS Sensitive Systems Policy Directive 4300A, which are tailored to DHS’ cybersecurity protection needs and subject to ongoing change. The DHS final rule states that DHS is in the process of updating these and other cybersecurity policies and procedures, particularly those related to “training, handling, transmission, marking requirements, incident reporting, etc.”

Further, although the DHS Final Rule had been pending since January 2017, the agency incorporated little of the feedback contractor industry groups submitted. Instead, the DHS final rule contains only minor changes, including a clarification that subcontractors experiencing incidents must both report such incidents to DHS and notify the prime contractor that the subcontractor has submitted the report.

Because NIST SP 800-171 provides the baseline CUI regulatory requirements for many agencies’ security standards, DHS’ establishment of its own CUI-related security requirements further muddies an already complex regulatory landscape. While the DHS Final Rule acknowledges that NIST SP 800-171 provides “baseline information security requirements” for CUI, it justifies the agency’s unique requirements based on the Federal Information Security Modernization Act of 2014 (FISMA), which DHS states authorizes it to “require a confidentiality impact level above moderate through agreements with non-executive branch entities.” In so doing, DHS effectively blends the NIST SP 800-171 baseline standard with the more complex FISMA cybersecurity requirements standards. A similar custom standard was initially proposed by the Department of Defense under the original iteration of the Cybersecurity Maturity Model Certification (CMMC) program. The Department of Defense has since retreated from this position, in large part based on contractors’ concerns related to the implementation of various nonstandard cybersecurity requirements. It is yet to be seen how DHS will approach these similar challenges.

It is also unclear at this stage whether DHS’ issuance of its own cybersecurity regulations will have any impact on NIST’s proposed revisions. Contractors have been hopeful that, through CMMC and the FAR Council’s process, the government would adopt a uniform cybersecurity requirement for the federal contracting industry. The Final Rule could be an omen, however, that even once NIST SP 800-171 Revision 3 and the general FAR CUI rule are issued, federal agencies may nonetheless continue to develop a patchwork of agency-specific rules on top of the general NIST and FAR CUI requirements. Consequently, over the coming months and years, contractors must be prepared to face additional burdens related to cybersecurity compliance and also may need to adapt their compliance efforts to different agencies’ unique standards, particularly considering the enforcement risks arising out of the Department of Justice’s cyber fraud initiative.

About McGuireWoods’ Government Investigations & White Collar Litigation Department
McGuireWoods’ Government Investigations & White Collar Litigation Department, which includes members of the Government Contracts and Data Privacy and Security groups, is a nationally recognized team of more than 80 attorneys representing Fortune 100 and other companies and individuals in the full range of civil and criminal investigations and enforcement matters, including litigation and action under the False Claims Act. The False Claims Act team includes former federal prosecutors and civil and white collar criminal litigators with experience in this unique area of law. The team also taps attorneys from the firm’s other practice groups and firm subsidiary McGuireWoods Consulting LLC. Strategically centered in Washington, D.C., McGuireWoods’ Government Investigations & White Collar Litigation Department has been honored as a Law360 Practice Group of the Year and earned the trust of international companies and individuals through excellent representation in some of the most notable enforcement matters over the past decade. For more information on McGuireWoods’ False Claims Act practice, download this brochure: False Claims Act Investigations, Litigation and Enforcement