Rule 2023-11270

Homeland Security Acquisition Regulation; Safeguarding of Controlled Unclassified Information

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
June 21, 2023
Effective
July 21, 2023

Issuing agencies

Homeland Security Department

Abstract

DHS is issuing a final rule to amend the Homeland Security Acquisition Regulation (HSAR) to modify a subpart, remove an existing clause and reserve the clause number, update an existing clause, and add two new contract clauses to address requirements for the safeguarding of Controlled Unclassified Information (CUI). This final rule implements security and privacy measures to safeguard CUI and facilitate improved incident reporting to DHS. These measures are necessary because of the urgent need to protect CUI and respond appropriately when DHS contractors experience incidents with DHS information.

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 118 (Wednesday, June 21, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 118 (Wednesday, June 21, 2023)]
[Rules and Regulations]
[Pages 40560-40603]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-11270]

[[Page 40559]]

Vol. 88

Wednesday,

No. 118

June 21, 2023

Part V

Department of Homeland Security

-----------------------------------------------------------------------

48 CFR Parts 3001, 3002, 3004, et al.

Homeland Security Acquisition Regulation; Safeguarding of Controlled 
Unclassified Information; Final Rule

Federal Register / Vol. 88, No. 118 / Wednesday, June 21, 2023 / 
Rules and Regulations

[[Page 40560]]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

48 CFR Parts 3001, 3002, 3004 and 3052

[HSAR Case 2015-001; DHS Docket No. DHS-2017-0006]
RIN 1601-AA76


Homeland Security Acquisition Regulation; Safeguarding of 
Controlled Unclassified Information

AGENCY: Office of the Chief Procurement Officer, Department of Homeland 
Security (DHS).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DHS is issuing a final rule to amend the Homeland Security 
Acquisition Regulation (HSAR) to modify a subpart, remove an existing 
clause and reserve the clause number, update an existing clause, and 
add two new contract clauses to address requirements for the 
safeguarding of Controlled Unclassified Information (CUI). This final 
rule implements security and privacy measures to safeguard CUI and 
facilitate improved incident reporting to DHS. These measures are 
necessary because of the urgent need to protect CUI and respond 
appropriately when DHS contractors experience incidents with DHS 
information.

DATES: This final rule is effective July 21, 2023.

FOR FURTHER INFORMATION CONTACT: Shaundra Ford, Procurement Analyst, 
DHS, Office of the Chief Procurement Officer, Acquisition Policy and 
Legislation, (202) 447-0056, or email HSAR@hq.dhs.gov. When using 
email, include HSAR Case 2015-001 in the subject line.

SUPPLEMENTARY INFORMATION: 

Table of Contents

I. Executive Summary
    A. Purpose of the Regulatory Action
    B. Legal Authority
    C. Costs and Benefits
II. Background
III. Discussion and Analysis
    A. Significant Changes From Proposed Rule
    B. Discussion of Public Comments and Responses
    1. General
    2. Alignment With FISMA, E.O. 13556 (Controlled Unclassified 
Information), and Its Implementing Regulation at 32 CFR Part 2002 
(Controlled Unclassified Information)
    3. Applicability of NIST SP 800-171
    4. ATO Requirements
    5. CUI Registry
    6. DHS Internal Policies and Procedures
    7. Definitions
    8. Reciprocity in Interagency Regulations and Information 
Security Requirements
    9. Incident Reporting and Response
    10. Privacy Requirements
    11. Sanitization of Government and Government-Activity-Related 
Files and Information
    12. Subcontractor Flow-Down Requirements
    13. Requirements Applicable to Educational Institutions
    14. Self-Deleting Requirements
    15. Applicability to Service Contracts
    16. Costs
IV. Statutory and Regulatory Requirements
    A. Executive Orders 12866 and 13563
    1. Outline of the Analysis
    2. Summary of the Analysis
    3. Subject-by-Subject Analysis
    4. Summary
    5. Regulatory Alternatives
    B. Regulatory Flexibility Act
    1. A Statement of the Need for, and Objectives of, the Rule
    2. A Statement of the Significant Issues Raised by the Public 
Comments in Response to the IRFA, a Statement of the Assessment of 
the Agency of Such Issues, and a Statement of Any Changes Made to 
the Proposed Rule as a Result of Such Comments
    3. The Response of the Agency to Any Comments Filed by the Chief 
Counsel for Advocacy of the SBA in Response to the Proposed Rule, 
and a Detailed Statement of Any Change Made to the Proposed Rule as 
a Result of the Comments
    4. A Description of and an Estimate of the Number of Small 
Entities to Which the Rule Will Apply or an Explanation of Why No 
Such Estimate is Available
    5. A Description of the Projected Reporting, Recordkeeping, and 
Other Compliance Requirements of the Rule, Including an Estimate of 
the Classes of Small Entities That Will Be Subject to the 
Requirement and the Type of Professional Skills Necessary for 
Preparation of the Report or Record
    6. A Description of the Steps the Agency Has Taken To Minimize 
the Significant Economic Impact on Small Entities Consistent With 
the Stated Objectives of Applicable Statutes, Including a Statement 
of the Factual, Policy, and Legal Reasons for Selecting the 
Alternative Adopted in the Final Rule and Why Each of the Other 
Significant Alternatives to the Rule Considered by the Agency That 
Affects the Impact on Small Entities Was Rejected
    C. Paperwork Reduction Act

Table of Abbreviations

ATO Authority to Operate
BAA Buy American Act
CAGE Commercial and Government Entity
CIO Chief Information Officer
COR Contracting Officer's Representative
CSO Chief Security Officer
CUI Controlled Unclassified Information
CVI chemical-terrorism vulnerability information
DHS Department of Homeland Security
DoD Department of Defense
EA Executive Agent
E.O. Executive Order
FAR Federal Acquisition Regulation
FedRAMP Federal Risk and Authorization Management Program
FIPS Federal Information Processing Standards
FISMA Federal Information Security Modernization Act of 2014
FPDS Federal Procurement Data System
FR Federal Register
FRFA final regulatory flexibility analysis
FTE full-time equivalent
FY Fiscal Year
GFE government-furnished equipment
GSA General Services Administration
HIPAA Health Insurance Portability and Accountability Act
HSAR Homeland Security Acquisition Regulation
IRFA initial regulatory flexibility analysis
ISAC Information Sharing and Analysis Center
ISAO Information Sharing and Analysis Organization
IT information technology
NAICS North American Industry Classification System
NARA National Archives and Records Administration
NIST National Institute of Standards and Technology
NPRM notice of proposed rulemaking
OIRA Office of Information and Regulatory Affairs
OMB Office of Management and Budget
PCII protected critical infrastructure information
PII Personally Identifiable Information
POA&M Plans of Action and Milestones
POC Point of Contact
PSC Product and Service Code
RFA Regulatory Flexibility Act of 1980, as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996
SA Security Authorization
SBA Small Business Administration
SME subject-matter expert
SOC Security Operations Center
SP Special Publication
SPII Sensitive Personally Identifiable Information
SRTM Security Requirements Traceability Matrix
SSI Sensitive Security Information
TAA Trade Agreements Act
TSA Transportation Security Administration
UEI Unique Entity Identifier
US-CERT United States Computer Emergency Readiness Team

I. Executive Summary

A. Purpose of the Regulatory Action

    The purpose of this final rule is to implement security and privacy 
measures to safeguard CUI and facilitate improved incident reporting to 
DHS. This final rule does not apply to classified information. These 
measures are necessary because of the urgent need to protect CUI and 
respond appropriately when DHS contractors experience incidents with 
DHS information. Persistent and pervasive high-profile breaches of 
Federal information continue to demonstrate the need to ensure that 
information security protections are clearly, effectively, and

[[Page 40561]]

consistently addressed in contracts. This final rule strengthens and 
expands existing HSAR language to ensure adequate security when: (1) 
contractor and/or subcontractor employees will have access to CUI; (2) 
CUI will be collected or maintained on behalf of the agency; or (3) 
Federal information systems, which include contractor information 
systems operated on behalf of the agency, are used to collect, process, 
store, or transmit CUI. Specifically, the final rule:
    <bullet> Identifies CUI handling requirements and security 
processes and procedures applicable to Federal information systems, 
which include contractor information systems operated on behalf of the 
agency;
    <bullet> Identifies incident reporting requirements, including 
timelines and required data elements, inspection provisions, and post-
incident activities;
    <bullet> Requires certification of sanitization of government and 
government-activity-related files and information; and
    <bullet> Requires contractors to have in place procedures and the 
capability to notify and provide credit monitoring services to any 
individual whose Personally Identifiable Information (PII) or Sensitive 
PII (SPII) was under the control of the contractor or resided in the 
information system at the time of the incident.

B. Legal Authority

    This rule addresses the safeguarding requirements specified in the 
Federal Information Security Modernization Act of 2014 (FISMA) (44 
U.S.C. 3551, et seq.); Office of Management and Budget (OMB) Circular 
A-130, Managing Information as a Strategic Resource; relevant National 
Institute of Standards and Technology (NIST) guidance; Executive Order 
(E.O.) 13556, Controlled Unclassified Information (75 FR 68675, Nov. 9, 
2010), and its implementing regulation at 32 CFR part 2002; and the 
following OMB memoranda: M-17-12, Preparing for and Responding to a 
Breach of Personally Identifiable Information; M-14-03, Enhancing the 
Security of Federal Information and Information Systems; and Reporting 
Instructions for FISMA and Agency Privacy Management as identified in 
various OMB memoranda.

C. Costs and Benefits

    The final rule will apply to DHS contractors that require access to 
CUI, collect or maintain CUI on behalf of the Government, or operate 
Federal information systems, which include contractor information 
systems operating on behalf of the agency, that collect, process, 
store, or transmit CUI. DHS estimates the final rule will have an 
annualized cost that ranges from $15.32 million to $17.28 million at a 
discount rate of 7 percent and a total 10-year cost that ranges from 
$107.62 million to $121.37 million at a discount rate of 7 percent. The 
primary contributors to these costs are the independent assessment 
requirement and reporting and recordkeeping requirements. There are 
additional small, quantified costs from rule familiarization and 
security review processes. DHS was unable to quantify the costs 
associated with the incident reporting, PII and SPII notification, and 
credit monitoring requirements, so those costs are discussed 
qualitatively. DHS was unable to quantify the cost savings or 
benefits associated with the rule. However, the final rule is expected 
to produce cost savings by reducing the time required to grant an ATO, 
reducing DHS time reviewing and reissuing proposals because contractors 
are better qualified, and reducing the time to identify a data breach. 
The final rule also produces benefits by better notifying the public 
when their data are compromised, requiring the provision of credit 
monitoring services so that the public can better monitor and avoid 
costly consequences of data breaches, and reducing the severity of 
incidents through timely incident reporting.

II. Background

    DHS published a notice of proposed rulemaking (NPRM) in the Federal 
Register at 82 FR 6429 on January 19, 2017, to implement adequate 
security and privacy measures to safeguard CUI from unauthorized access 
and disclosure and facilitate improved incident reporting to DHS. 
Fourteen respondents submitted public comments in response to the 
proposed rule. This final rule incorporates the reasoning of the 
proposed rule except as reflected elsewhere in this preamble.

III. Discussion and Analysis

    DHS reviewed the public comments in the development of the final 
rule. Some of the comments received were outside the scope 
of the rule. A discussion of the comments within the scope of the rule 
and the changes made to the rule as a result of those comments is 
provided, as follows:

A. Significant Changes From Proposed Rule

    1. HSAR 3052.204-71, Contractor Employee Access, is revised as 
follows:
    <bullet> Revised paragraph (a) to remove the definition of 
``sensitive information'' and replace it with the definition of 
``CUI'';
    <bullet> Revised paragraph (b) to remove the definition of 
``information technology resources'' and replace it with the definition 
of ``information resources'';
    <bullet> Replaced all references to ``sensitive information'' with 
``CUI'' and all references to ``information technology resources'' with 
``information resources'';
    <bullet> Revised paragraph (e) to clarify that both initial and 
refresher training concerning the protection and disclosure of CUI are 
required;
    <bullet> Revised paragraph (g) of Alternate I to make clear that 
additional training on certain CUI categories may be required if 
identified in the contract; and
    <bullet> Replaced the reference to ``statement of work'' in 
paragraph (h) of Alternate I with ``contract.''
    2. Restructured clause 3052.204-7X, Safeguarding of Controlled 
Unclassified Information, as follows:
    <bullet> Made the requirements of paragraph (c), Authority to 
Operate, into Alternate I to the basic clause; and
    <bullet> Made the requirements of paragraphs (f), PII and SPII 
Notification Requirements, and (g), Credit Monitoring Requirements, 
into a separate clause at 3052.204-7Y, Notification and Credit 
Monitoring Requirements for Personally Identifiable Information 
Incidents. This includes clarifying updates to the PII and SPII 
Notification Requirements section.
    3. Revised requirements of restructured clause 3052.204-7X, 
Safeguarding of Controlled Unclassified Information, as follows:
    <bullet> Made clear that both contractors and subcontractors are 
responsible for reporting known or suspected incidents to the 
Department;
    <bullet> Made clear that subcontractors are required to notify the 
prime contractor that they have reported a known or suspected incident 
to the Department;
    <bullet> Increased the amount of time a vendor must retain 
monitoring/packet capture data from 90 days to 180 days; and
    <bullet> Revised the requirements for when prime contractors must 
include clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, in subcontracts.
    4. Made clarifying edits to the definitions of the following terms: 
Controlled Unclassified Information, Sensitive Security Information, 
Homeland Security Agreement Information, Information Systems 
Vulnerability Information, Personnel Security Information, Privacy 
Information, and Sensitive Personally Identifiable Information.

[[Page 40562]]

    5. Made additional amendments to paragraph (b) of clause 3052.212-
70 to add clause 3052.204-7Y, Notification and Credit Monitoring 
Requirements for Personally Identifiable Information Incidents.

B. Discussion of Public Comments and Responses

1. General
    Comment: Two comments requested that the Department withdraw the 
proposed rule. One of the comments requested that DHS grant an 
extension of the comment period if the rule was not going to be 
withdrawn. The other comment stated that the rule was ill-considered 
and was not properly coordinated with other agencies that follow and 
support the principles in 32 CFR part 2002. The comment also stated the 
rulemaking adds burdens to DHS and its contractors that differ from 
what is required or expected by others and requested that DHS delay 
implementation of the entire rule or suspend the rulemaking process 
altogether pending further progress with the expected general Federal 
Acquisition Regulation (FAR) CUI rule.\1\
---------------------------------------------------------------------------

    \1\ Rulemaking to implement the National Archives and Records 
Administration (NARA) CUI program (see E.O. 13556 and 32 CFR part 
2002).
---------------------------------------------------------------------------

    Response: Given the nature of this rule, and the prevalent and 
persistent nature of cyber-attacks impacting both public and private 
networks, DHS declines the respondents' request to withdraw this rule. 
Failure to proceed with this rule places at risk both the Department's 
CUI and the information systems where CUI resides, which would be in 
contravention to the Department's mission and to the public interest. 
In addition, DHS will neither delay nor suspend this rulemaking pending 
progress on the FAR CUI rule. A 30-day extension of the comment period 
from March 20, 2017, to April 19, 2017, was granted. Additionally, DHS 
conducted extensive interagency coordination while developing this 
rule, including coordination with NARA. Also, the FAR CUI rule does not 
eliminate the need for DHS to proceed with this rulemaking. DHS is a 
participant on the FAR team responsible for drafting the FAR language 
that will implement the CUI Program and has determined that the 
issuance of a FAR CUI rule does not eliminate the need for DHS to 
identify its agency-specific requirements for CUI and the methodology 
it uses to ensure that Federal information systems, which include 
contractor information systems operated on behalf of the agency, that 
collect, process, store, or transmit CUI are adequately protected. 
Also, DHS does not agree that this rulemaking adds burdens to DHS and 
its contractors that differ substantively from what is required or 
expected by other agencies as the requirements for Federal information 
systems are largely based in statute, i.e., FISMA (44 U.S.C. 3551, et 
seq.), and implementing policies promulgated by OMB and NIST. Agency 
specific requirements such as an independent assessment and security 
review are not in conflict with these requirements. They are at the 
discretion of the agency, considered industry best practices, and are 
actually becoming more pervasive Governmentwide. Notwithstanding this, 
DHS has determined that information security is of paramount importance 
and is prepared to accept the cost impacts stemming from vendor 
compliance with these requirements.
    Comment: One respondent stated that the rule does not clearly 
articulate how requirements would be applied to professional service 
providers, what safeguards they would be obligated to provide, or how 
they would be assessed by DHS.
    Response: Clause 3052.204-7X, Safeguarding of Controlled 
Unclassified Information, clearly identifies the requirements 
applicable to contractors that access or develop CUI under DHS 
contracts, as well as the information security requirements applicable 
to Federal information systems, which include contractor information 
systems operated on behalf of the agency. The applicability of these 
requirements does not change depending on the type of contractor. As 
such, there is no need to identify requirements applicable to the 
subset of contractors that fall within the professional services 
community.
    Comment: One respondent proposed that DHS use a server that 
requires verification from a higher ranking official so that the 
information does not enter the wrong hands, such as an extremist group. 
The respondent also recommended that there should be logins for each 
official that could be listed on public servers, as long as the server 
was American, and that citizens trying to access the information should 
pass a background check to make sure they are not a threat.
    Response: The commenter has oversimplified the process by which DHS 
should ensure CUI is adequately protected, and DHS has made no 
corresponding changes to the rule. While DHS and its contractors 
routinely use servers, logins, and passwords to control access on 
networks and information systems, this is only a subset of the actions 
required to ensure CUI and the information systems where CUI resides 
are adequately protected. Making login information publicly available 
is a violation of information security policy. Also, limiting servers 
used by the Department and its contractors to those manufactured only 
in the United States does not ensure the security of the server and 
violates statutory requirements that govern Federal procurements. DHS, 
like other Departments and agencies, adheres to FAR part 25, Foreign 
Acquisition, when purchasing supplies. FAR part 25 details the 
application of the Buy American Act (BAA) and the Trade Agreements Act 
(TAA), including the dollar thresholds at which the TAA supersedes the 
BAA and nondomestic trading partners receive equal treatment with 
domestic sources. Additionally, the Department already has in place 
background investigation requirements for Federal employees and 
contractors that have access to CUI. Where the Department has 
determined access to CUI must be limited to U.S. citizens and lawful 
permanent residents, DHS policies and regulations already reflect those 
requirements.
    Comment: One respondent stated that the proposed rule is very 
important considering how open information is in this day and age, 
adding that this rule will help secure important information about the 
U.S. Government.
    Response: DHS agrees that this rule is important and that its 
requirements will help ensure the security of important government 
information.
    Comment: One respondent stated that small businesses should be 
concerned by this rule, citing that DHS acknowledged that the rule is a 
``significant'' regulatory action that will impact small business. The 
respondent stated that there is nothing specific in the rule to assure 
the small business community that it will be able to comply.
    Response: This rule is a ``significant'' regulatory action that 
will have an impact on small business; however, this comment implies 
that all small businesses will be impacted equally, which is not the 
case. Small businesses that routinely provide services to the 
Government that rely on Federal information systems, which include 
contractor information systems operated on behalf of an agency, already 
are positioned to implement these requirements and always have been 
required to do so under DHS contracts. Information security requirements 
applicable to Federal information systems are not based on the size of 
a particular business but rather on the sensitivity of

[[Page 40563]]

the information and the impact(s) of unauthorized access to such 
information. Applying a lesser standard because a business voluntarily 
operating in this space is considered small would be untenable and in 
contravention to the mission of the Department. Additionally, it is 
important to note that DHS's commitment to small business participation 
is unparalleled, as evidenced by the Department's 12 consecutive 
ratings of ``A'' or higher on the Small Business Administration's (SBA) 
Small Business Procurement Scorecard (see <a href="https://www.sba.gov/document/support-department-homeland-security-contracting-scorecard">https://www.sba.gov/document/support-department-homeland-security-contracting-scorecard</a>). The 
Department expressed in the proposed rule its interest in receiving 
comments from small business concerns related to this rule and has 
thoroughly considered and adjudicated all comments received.
    Comment: One respondent stated that guidance on DHS CUI 
requirements for cleared facilities should be consistent with 
Department of Defense (DoD) cleared facility requirements.
    Response: The protection of classified information at contractor 
locations, whether cleared by DoD or another government agency, is 
outside the scope of this regulation. CUI is protected according to the 
underlying law, regulation, or Governmentwide policy. DHS does not have 
the broad authority to waive CUI safeguarding or dissemination 
requirements that differ from those of classified information.
    Comment: One respondent questioned if the proposed rule covers 
sharing of information on software vulnerabilities with Information 
Sharing and Analysis Organizations (ISAOs) or Information Sharing and 
Analysis Centers (ISACs). The respondent also questioned if the ISAOs 
or ISACs require flow-down of the clauses to ensure that their members 
provide adequate protection in accordance with the DHS proposed rule. 
The respondent stated such a requirement would impose a significant 
barrier for private sector entities to participate in information 
sharing.
    Response: DHS shares information with ISAOs and ISACs through 
information sharing agreements between the Government and the ISAO/
ISAC, not through contracts. Generally, information sharing agreements 
do not include the clauses.
2. Alignment With FISMA, E.O. 13556 (Controlled Unclassified 
Information), and Its Implementing Regulation at 32 CFR Part 2002 
(Controlled Unclassified Information)
    Comment: Several respondents stated that the proposed rule is not 
consistent with FISMA, E.O. 13556, and 32 CFR part 2002.
    Response: (a) Alignment with FISMA: The rule is fully consistent 
with FISMA. FISMA and its predecessor, the Federal Information Security 
Management Act of 2002, require that agency heads provide ``information 
security protections commensurate with the risk and magnitude of the 
harm resulting from unauthorized access, use, disclosure, disruption, 
modification, or destruction of--(i) information collected or 
maintained by or on behalf of the agency; and (ii) information systems 
used or operated by an agency or by a contractor of an agency or other 
organization on behalf of an agency . . . .'' See, e.g., 44 U.S.C. 
3554(a)(1)(A). The rule is consistent with these requirements by 
requiring that information collected or maintained on behalf of the 
Department and information systems used or operated by an agency or by 
a contractor of an agency or other organization on behalf of an agency 
are adequately protected. The rule does this in two ways by 
identifying: (1) requirements and DHS policies and procedures for 
handling and protecting CUI collected and maintained on behalf of the 
Department; and (2) security requirements and procedures for 
information systems used or operated by a contractor on behalf of an 
agency.
    (b) Alignment with E.O. 13556 and 32 CFR part 2002: The rule is 
fully consistent with E.O. 13556 and 32 CFR part 2002 (81 FR 63324, 
Sept. 14, 2016). The NARA CUI rule requires Departments and agencies to 
develop internal policies and procedures to implement the requirements 
of the CUI Program.\2\ These policies and procedures are subject to 
review and approval by the CUI Executive Agent (EA) before they are 
finalized. In addition, the NARA CUI rule establishes baseline 
information security requirements necessary to protect CUI Basic \3\ on 
nonfederal information systems by mandating the use of NIST Special 
Publication (SP) 800-171, Protecting Controlled Unclassified 
Information in Nonfederal Information Systems and Organizations, when 
establishing security requirements to protect CUI's confidentiality on 
nonfederal information systems. However, consistent with 32 CFR 
2002.14(a)(3) and (g), ``[a]gencies may increase CUI Basic's 
confidentiality impact level above moderate only internally, or by 
means of agreements with agencies or non-executive branch entities 
(including agreements for the operation of an information system on 
behalf of the agencies).'' Relatedly, 32 CFR 2002.4(c) states that 
agreements ``include, but are not limited to, contracts, grants, 
licenses, certificates, memoranda of agreement/arrangement or 
understanding, and information-sharing agreements or arrangements.'' 
Therefore, DHS can require a confidentiality impact level above 
moderate through agreements with non-executive branch entities. 
Nonetheless, the information system security requirements of this rule 
are focused on those applicable to Federal information systems.
---------------------------------------------------------------------------

    \2\ The NARA CUI rule is implemented at 32 CFR part 2002 (81 FR 
63324). That regulation describes the executive branch's CUI Program 
and establishes policy for designating, handling, and decontrolling 
information that qualifies as CUI. The CUI Program standardizes the 
way the executive branch handles information that requires 
protection under laws, regulations, or Governmentwide policies but 
that does not qualify as classified under E.O. 13526, Classified 
National Security Information (Dec. 29, 2009), or any predecessor or 
successor order, or the Atomic Energy Act of 1954 (42 U.S.C. 2011, 
et seq.), as amended.
    \3\ CUI Basic is the subset of CUI for which the authorizing 
law, regulation, or Governmentwide policy does not set out specific 
handling or dissemination controls. Agencies handle CUI Basic 
according to the uniform set of controls set forth in 32 CFR part 
2002 and the CUI Registry. CUI Basic controls apply whenever CUI 
Specified ones do not cover the involved CUI. CUI Specified is the 
subset of CUI in which the authorizing law, regulation, or 
Governmentwide policy contains specific handling controls that it 
requires or permits agencies to use that differ from those for CUI 
Basic. The CUI Registry indicates which laws, regulations, and 
Governmentwide policies include such specific requirements. CUI 
Specified controls may be more stringent than, or may simply differ 
from, those required by CUI Basic; the distinction is that the 
underlying authority spells out specific controls for CUI Specified 
information and does not for CUI Basic information. CUI Basic 
controls apply to those aspects of CUI Specified where the 
authorizing laws, regulations, and Governmentwide policies do not 
provide specific guidance.
---------------------------------------------------------------------------

    Comment: One respondent stated that the revisions to the HSAR must 
be coordinated as part of the DHS implementation of the CUI Program, 
per the milestones established by CUI Notice 2016-01, Implementation 
Guidance for the Controlled Unclassified Information Program.
    Response: CUI Notice 2016-01, Implementation Guidance for the 
Controlled Unclassified Information Program, was superseded by CUI 
Notice 2020-01, CUI Program Implementation Guidelines, issued May 14, 
2020. Neither of the CUI Notices provides guidance on coordination of 
rulemakings. Nonetheless, DHS conducted extensive interagency 
coordination while developing this rule, including coordination with 
NARA.
    Comment: One respondent stated that the proposed rule federalizes 
contractor systems that are not used in an

[[Page 40564]]

operational capacity on behalf of the Government.
    Response: The rule does not federalize contractor systems that are 
not used in an operational capacity on behalf of the Government. 
Rather, it recognizes that there are circumstances in which contractor 
information systems are operated on behalf of an agency. When this is 
the case, the contractor information system is considered a Federal 
information system and is subject to the same information system 
security requirements required for Federal information systems. The 
rule identifies the security requirements and processes such systems 
must meet before they are able to operate on behalf of the agency. 
These requirements are now provided as Alternate I to the basic clause. 
The rulemaking does not identify any information system security 
requirements or processes for information systems that are not 
categorized as Federal information systems. The applicability of the 
basic clause is not predicated on the type of information system, i.e., 
Federal or nonfederal. The basic clause is limited to definitions, DHS 
CUI handling requirements, incident reporting and response 
requirements, and sanitization requirements. These requirements exist 
whenever CUI will be accessed or developed under a contract regardless 
of the type of information system involved in contract performance. 
This is the reason why the basic clause is more broadly applicable. DHS 
was intentionally silent in this rule on the requirements applicable to 
nonfederal information systems as that was never the purpose of this 
rulemaking, and the FAR CUI rule is intended to address the 
requirements for these information systems.
    Comment: One respondent requested that DHS revise the scope of its 
rule to clarify or remove the language related to accessing CUI.
    Response: Contractors and subcontractors that have access to CUI 
are responsible for ensuring the information is handled and safeguarded 
appropriately and reporting any known or suspected incidents regarding 
the information to which they have access. As such, DHS declines to 
revise the scope of the rule to clarify or remove language related to 
accessing CUI.
    Comment: One respondent expressed concern that clause 3004.470-3 
requires that ``CUI be safeguarded wherever such information resides,'' 
including on both ``contractor-owned and/or operated information 
systems operating on behalf of the agency'' as well as ``any situation 
where contractor and/or subcontractor employees may have access to 
CUI.'' The respondent also expressed concern that contracting officers 
are required to insert clause 3052.204-7X, Safeguarding of Controlled 
Unclassified Information, in all solicitations and contracts where 
contractor and/or subcontractor employees will have access to CUI and 
that the clause requires that contractors provide ``adequate security to 
protect CUI,'' which ``includes compliance with DHS policies and 
procedures in effect at the time of contract award. These policies and 
procedures are accessible at <a href="https://www.dhs.gov/dhs-security-and-training-requirements-contractors">https://www.dhs.gov/dhs-security-and-training-requirements-contractors</a>.'' Another respondent similarly 
stated that inclusion of these statements improperly subjects all 
contractors and all contractor information systems to DHS agency-
specific standards.
    Response: Some of the policies and procedures currently posted to 
the DHS publicly facing website predate the CUI E.O. and the NARA CUI 
rule. DHS, like many other Departments and agencies, is still in the 
process of implementing the CUI Program. This process includes an 
update to internal policies and procedures related to CUI. Once these 
policies and procedures have been drafted and finalized, they will 
replace the policies and procedures currently listed on the publicly 
facing website. These policies and procedures are required to address 
all elements of the CUI Program and extend beyond the protection of CUI 
in information systems. For example, the new policies and procedures 
also will address training, handling, transmission, marking 
requirements, incident reporting, etc. The current DHS-specific 
policies and procedures on the publicly facing website address these 
requirements and the new policies and procedures will as well. As such, 
compliance with these policies and procedures is mandatory.
    It appears that the respondents have focused on the information 
system security policies that are incorporated into the rule without 
also considering the other policies and procedures identified, all of 
which have varying applicability depending on the specifics of the 
contract. For example, one of the policies referenced governs the 
Department's background investigation process and security requirements 
applicable to individuals who have access to the Department's sensitive 
but unclassified information, now known as CUI. It is both necessary 
and appropriate that DHS mandate that its contractors comply with these 
requirements. Anything less is inconsistent with the mission of the 
Department, has the potential to place important government information 
at risk, and is contrary to the public interest. Like many of the other 
DHS policies referenced, the need to comply with this requirement is 
based on access to the information, not whether a Federal information 
system or nonfederal information system will process, store, or 
transmit the data. Also, the applicability of the information system 
security policies is specifically defined in the text of clause 
3052.204-7X, Safeguarding of Controlled Unclassified Information. 
Specifically, Alternate I, Authority to Operate, documents the 
applicability of DHS Sensitive Systems Policy Directive 4300A and DHS 
4300A Sensitive Systems Handbook. The prescription for Alternate I is 
clear that these requirements are applicable when Federal information 
systems, which include contractor information systems operated on 
behalf of the agency, are used to collect, process, store, or transmit 
CUI. In addition, the first sentence of proposed paragraph (c), 
Authority to Operate, of clause 3052.204-7X, Safeguarding of Controlled 
Unclassified Information, specifically stated that its requirements are 
``applicable only to Federal information systems, which include[ ] 
contractor information systems operating on behalf of the agency.'' As 
such, it is clear that it is not the intent of the Department to levy 
the requirements in these policies and procedures on contractor 
information systems that are not operated on its behalf. Lastly, the 
basic clause is limited to definitions, DHS CUI handling requirements, 
incident reporting and response requirements, and sanitization 
requirements. These requirements exist whenever CUI will be accessed or 
developed under a contract regardless of the type of information system 
involved in contract performance. This is the reason why the basic 
clause is more broadly applicable.
    Also, the statements in paragraph (a) of clause 3004.470-3, Policy, 
are levied on DHS contractors through the inclusion of clause 3052.204-
7X, Safeguarding of Controlled Unclassified Information, in the 
solicitation and resultant contract. Absent inclusion of the clause in 
the contract, the requirements are not applicable.
    Comment: One respondent stated that the proposed rule fails to 
reflect the information systems safeguarding requirements of the CUI 
Federal regulation (32 CFR part 2002) and allows DHS full discretion on 
what electronic safeguarding controls to apply to contractors for any 
category of CUI. The respondent asserted that the

[[Page 40565]]

rule makes no distinction operationally in the way nonfederal 
contractor information systems and DHS agency information systems are 
treated, a distinction made in the CUI regulation (32 CFR part 2002) 
and in FISMA.
    Response: The respondent is incorrect that the rule: (1) allows DHS 
full discretion on what electronic safeguarding controls to apply to 
contractors for any category of CUI; and (2) makes no distinction 
between nonfederal contractor information systems and the Federal 
information systems. DHS understands that the information security 
requirements applicable to Federal information systems differ from the 
requirements applicable to nonfederal information systems, as 
referenced in footnote 5 of the proposed rule, which advised that DHS 
is aware NIST Special Publication 800-171, Protecting Controlled 
Unclassified Information in Nonfederal Information Systems and 
Organizations, was released in June 2015 to provide federal agencies 
with recommended requirements for protecting the confidentiality of 
Controlled Unclassified Information on non-Federal information systems. 
However, the information system security requirements in this proposed 
rulemaking are focused on Federal information systems, which include 
contractor information systems operating on behalf of an agency, and 
consistent with 32 CFR part 2002, these information systems are not 
subject to the requirements of NIST Special Publication 800-171.
    DHS also makes this distinction in the prescription for Alternate 
I, Authority to Operate, to clause 3052.204-7X, Safeguarding of 
Controlled Unclassified Information. It specifies that these 
requirements are applicable when Federal information systems, which 
include contractor information systems operated on behalf of the 
agency, are used to collect, process, store, or transmit CUI. 
Additionally, the first sentence of paragraph (c), Authority to 
Operate, of clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, in the proposed rule stated ``[t]his subsection is 
applicable only to Federal information systems, which include[ ] 
contractor information systems operating on behalf of the agency.'' As 
such, the Department has made clear it understands there are differing 
requirements for nonfederal information systems and has not, through 
the rule, retained full discretion on what electronic safeguarding 
controls to apply to contractors for any category of CUI.
    Comment: One respondent expressed concerns regarding clause 
3004.470-4(a), which states ``subcontractor employee access to CUI or 
government facilities must be limited to U.S. citizens and lawful 
permanent residents.'' The respondent stated that this limitation is 
not a legal requirement and recommended that access to government 
facilities be treated as a separate and distinct issue from the issue 
of access to CUI and that access limitations for CUI be based on the 
associated legal requirement as outlined in the NARA CUI rule.
    Response: This recommendation is outside the scope of this 
regulation. DHS notes that although CUI Basic does not inherently 
convey citizenship or residency requirements, some of the limited 
dissemination caveats that can be appended to CUI Basic do. While 32 
CFR part 2002 does standardize the safeguarding and dissemination 
requirements that can be imposed on those with whom CUI is shared, the 
determination and decision to share CUI information remains subject to 
agency policy and discretion.
3. Applicability of NIST SP 800-171
    Comment: Several respondents raised concerns regarding the 
applicability of NIST SP 800-171. Some of the respondents correctly 
recognized that the information system security requirements in the 
proposed rule are specific to Federal information systems, which 
include contractor information systems operated on behalf of the 
Government. These respondents expressed concern that the rule did not 
address the information system security requirements applicable to 
nonfederal information systems and requested that DHS identify the 
information system security requirements applicable to nonfederal 
information systems either through this rulemaking or another one.
    Response: DHS does not accept the suggestion to identify the 
information system security requirements applicable to nonfederal 
information systems. The rule is intentionally silent on the security 
requirements applicable to nonfederal information systems because NARA 
is working with the FAR Councils, in which DHS is a participant, to 
develop a FAR CUI rule that addresses the requirements nonfederal 
information systems must meet before processing, storing, or 
transmitting CUI. As such, there is no need for the Department to 
identify requirements applicable to nonfederal information systems in 
this rulemaking, as inclusion would be duplicative and redundant to the 
work of the FAR Councils.
    Comment: Several respondents did not recognize that the scope of 
the information system security requirements in the proposed rule were 
specific to Federal information systems and believed that the 
Department either conflated the two different categories of information 
systems (i.e., Federal and nonfederal) or was incorrectly applying 
requirements for Federal information systems to nonfederal information 
systems (i.e., contractor information systems that are not operated on 
behalf of the Department). These respondents either requested that DHS 
refine the scope of the rule to exclude contractor information systems 
or explicitly identify NIST SP 800-171 as the applicable security 
standard for contractor information systems. One respondent stated that 
the proposed rule requires contracting officers to insert proposed 
clause 3052.204-7X, Safeguarding of Controlled Unclassified Information, 
too often (i.e., any time the contractor or subcontractor will have 
access to CUI regardless of the type of information system being used).
    Response: DHS does not accept the recommendation to modify the 
scope of the rule to exclude contractor information systems or 
explicitly identify NIST SP 800-171 as the applicable security standard 
for such systems. There is a misconception among industry actors that 
NIST SP 800-171 is the only policy that must be followed when CUI is 
provided or accessed under a contract. This is not correct. As 
discussed in the preamble of the proposed rule, OMB Circular A-130, 
Managing Information as a Strategic Resource, makes clear that a 
contractor information system can be considered a Federal information 
system if it operates on behalf of an agency. Specifically, Circular A-
130 defines a Federal information system as an information system used 
or operated by an agency or by a contractor of an agency or by another 
organization on behalf of an agency. In accordance with FISMA, 
Departments and agencies are responsible for determining when a 
contractor information system is operated on its behalf. As such, a 
blanket exclusion of contractor information systems absent a 
determination of the type of system (i.e., Federal or nonfederal) is 
not appropriate.
    When the Government determines that a contractor information system 
is being operated on its behalf, that information system is considered 
a Federal information system and subject to the requirements of NIST SP 
800-53, Security and Privacy Controls for Information Systems and 
Organizations.

[[Page 40566]]

Alternatively, NIST SP 800-171 is applicable ``(1) when the CUI is 
resident in a nonfederal system and organization; (2) when the 
nonfederal organization is not collecting or maintaining information on 
behalf of a federal agency or using or operating a system on behalf of 
an agency; and (3) where there are no specific safeguarding 
requirements for protecting the confidentiality of CUI prescribed by 
the authorizing law, regulation, or governmentwide policy for the CUI 
category listed in the CUI Registry'' (emphasis original; footnote 
omitted).
    Generally speaking, should the Government determine that a 
contractor information system is not operated on its behalf, NIST SP 
800-171 is applicable. However, consistent with 32 CFR 2002.14(a)(3) 
and (g), ``[a]gencies may increase CUI Basic's confidentiality impact 
level above moderate only internally, or by means of agreements with 
agencies or non-executive branch entities (including agreements for the 
operation of an information system on behalf of the agencies).'' 
Relatedly, 32 CFR 2002.4(c) states that agreements ``include, but are 
not limited to, contracts, grants, licenses, certificates, memoranda of 
agreement/arrangement or understanding, and information-sharing 
agreements or arrangements.'' Therefore, Departments and agencies can 
require a confidentiality impact level above moderate for nonfederal 
information systems through agreements with non-executive branch 
entities. Nonetheless, the information system security requirements of 
this rule, including those in DHS Sensitive Systems Policy Directive 
4300A and DHS 4300A Sensitive Systems Handbook, are specific to Federal 
information systems.
    As stated in the preamble of the proposed rule, the Government 
believed that requirements of proposed clause 3052.204-7X, Safeguarding 
of Controlled Unclassified Information, were written in such a way that 
they would be self-deleting when they are not applicable to a 
solicitation or contract. For example, the first sentence of paragraph 
(c), Authority to Operate, of the proposed clause stated ``[t]his 
subsection is applicable only to Federal information systems, which 
include[ ] contractor information systems operating on behalf of the 
agency.'' This section of the clause also defined the applicability of 
DHS Sensitive Systems Policy Directive 4300A and DHS 4300A Sensitive 
Systems Handbook, making clear these policies are applicable only to 
Federal information systems. Additional examples include language for 
the notification and credit monitoring requirements stating that the 
applicability is limited to incidents involving PII or SPII. The 
remaining requirements of the proposed clause did not include any 
caveats on their applicability because compliance with them is 
mandatory regardless of the type of information system (i.e., Federal 
information system or nonfederal information system).
    However, DHS believes the concerns raised regarding proper 
understanding of the applicability of the requirements of proposed 
clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, are legitimate. In response, DHS has: (1) made the 
requirements of paragraph (c), Authority to Operate, Alternate I to the 
basic clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information; and (2) made the requirements of paragraphs (f), PII and 
SPII Notification Requirements, and (g), Credit Monitoring 
Requirements, a separate clause at 3052.204-7Y titled Notification and 
Credit Monitoring Requirements for Personally Identifiable Information 
Incidents. As a result of these changes, basic clause 3052.204-7X, 
Safeguarding of Controlled Unclassified Information, is limited to the 
following provisions: paragraphs (a), Definitions; (b), Handling of 
Controlled Unclassified Information; (c), Incident Reporting 
Requirements; (d), Incident Response Requirements; (e), Certification 
of Sanitization of Government and Government-Activity-Related Files and 
Information; (f), Other Reporting Requirements; and (g), Subcontracts. 
Compliance with these requirements is mandatory regardless of the 
information system type (i.e., Federal information system or nonfederal 
information system). Alternate I to the basic clause is applicable when 
Federal information systems, which include contractor information 
systems operated on behalf of the agency, are used to collect, process, 
store, or transmit CUI. New clause 3052.204-7Y, Notification and Credit 
Monitoring Requirements for Personally Identifiable Information 
Incidents, is applicable to solicitations and contracts where a 
contractor will have access to PII. These changes were made to: (1) 
ensure that DHS contractors clearly understand the scope and 
applicability of the various requirements contained in proposed clause 
3052.204-7X, Safeguarding of Controlled Unclassified Information; (2) 
make clear that the Authority to Operate (ATO) requirements of the 
clause are only applicable to Federal information systems, which 
include contractor information systems operated on behalf of the 
agency; and (3) ensure that DHS contractors understand credit 
monitoring and notification requirements are only applicable when the 
solicitation and contract require contractor access to PII.
    Comment: Several respondents raised concerns about footnote 5 in 
the proposed rule. The footnote advised that DHS is aware NIST Special 
Publication 800-171, Protecting Controlled Unclassified Information in 
Nonfederal Information Systems and Organizations, was released in June 
2015 to provide federal agencies with recommended requirements for 
protecting the confidentiality of Controlled Unclassified Information 
on non-Federal information systems. However, the information system 
security requirements in this proposed rulemaking are focused on 
Federal information systems, which include contractor information 
systems operating on behalf of an agency, and consistent with 32 CFR 
part 2002, these information systems are not subject to the 
requirements of NIST Special Publication 800-171.
    One respondent interpreted the footnote to mean that DHS believes 
NIST SP 800-171 is applicable to nonfederal entities that handle, 
process, use, share, or receive CUI. One respondent raised concerns 
that the proposed rule was not consistent with the footnote because the 
rule requires in clause 3004.470-3(a) that CUI be safeguarded in ``any 
situation where contractor and/or subcontractor employees may have 
access to CUI.'' Another respondent stated that the footnote downplays 
the applicability of NIST SP 800-171 and implies that the guidance is 
for the more limited set of systems covered by NIST SP 800-53. The same 
respondent advised that in other parts of the rule, contractors' 
internal business systems that do fall under the provisions of NIST SP 
800-171 are specifically called out. Specific actions requested 
include:
    <bullet> Moving the content of footnote 5 to the Background section 
to improve the clarity of the scope of the rule and avoid unnecessary 
misinterpretations and misunderstandings;
    <bullet> Making clear that the proposed rule does not apply to 
contractor information systems;
    <bullet> Clarifying that the ``adequate security'' requirements of 
the rule do not apply to internal contractor information systems that 
are not operated on behalf of an agency, and stressing that the use of 
sanitization procedures for CUI spills onto internal contractor 
information systems, instead of requiring ``adequate security''

[[Page 40567]]

implementation on systems ``regardless of where'' the CUI may reside; 
and
    <bullet> Clarifying that contractors are not responsible for 
implementing the ``adequate security'' requirements on government-
furnished equipment (GFE) that contractors operate in their own 
internal contractor environment, unless specifically agreed between the 
DHS procuring activity (i.e., contracting office) and the contractor.
    Response: There appears to be a misunderstanding within industry 
regarding the applicability of NIST SP 800-171. Categorization as a 
nonfederal entity does not mean the security requirements for 
information systems used by a nonfederal entity default to those 
provided for in NIST SP 800-171. The Government must first determine if 
the contractor information system is operated on its behalf, thus making 
the information system a Federal information system. If the Government 
determines the contractor information system is operated on its behalf, 
then the system is required to comply with NIST SP 800-53. Generally 
speaking, if the Government determines that the contractor information 
system is not operated on its behalf, NIST SP 800-171 is applicable. 
The Government's determination of the type of system, Federal versus 
nonfederal, must be made before any decision can be made on the 
security requirements applicable to the information system.
    Commenters are incorrect in stating that the proposed rule is not 
consistent with the footnote by requiring that CUI be safeguarded in 
``any situation where contractor and/or subcontractor employees may 
have access to CUI.'' CUI is required to be handled properly and 
adequately safeguarded at all times. As previously stated, it appears 
that the respondents have focused on the information system security 
policies that are incorporated into the rule with no regard for the 
other policies and procedures identified, all of which have varying 
applicability depending on the specifics of the contract. The only 
requirement in proposed clause 3052.204-7X, Safeguarding of Controlled 
Unclassified Information, applicable to information systems was 
paragraph (c), Authority to Operate. The remaining requirements of the 
proposed clause, namely paragraphs (b), Handling of Controlled 
Unclassified Information, (d), Incident Reporting Requirements, (e), 
Incident Response Requirements, (f), PII and SPII Notification 
Requirements, (g), Credit Monitoring Requirements, (h), Certificate of 
Sanitization of Government and Government-Activity-Related Files and 
Information, (i), Other Reporting Requirements, and (j), Subcontracts, 
are applicable regardless of the type of information system (i.e., 
Federal or nonfederal), as well as when information systems are not 
used and only paper documents are available under the contract. DHS 
Sensitive Systems Policy Directive 4300A and DHS 4300A Sensitive 
Systems Handbook are only applicable to Federal information systems. 
The prescription for Alternate I is clear that the ATO requirements are 
applicable only when Federal information systems, which include 
contractor information systems operated on behalf of the agency, are 
used to collect, process, store, or transmit CUI. Additionally, the 
proposed rule made clear this point by specifically stating in the 
first sentence of paragraph (c), Authority to Operate, of clause 
3052.204-7X, Safeguarding of Controlled Unclassified Information, that 
the ``subsection is applicable only to Federal information systems, 
which include[ ] contractor information systems operating on behalf of 
the agency.''
    The footnote is no longer included in the rule and DHS has provided 
significant information regarding the applicability of NIST SP 800-171 
throughout the Discussion and Analysis section of the rule. These 
statements not only address the applicability of the publication to 
nonfederal information systems, but they also address the ability of 
Departments and agencies to increase CUI Basic's confidentiality impact 
level above moderate on nonfederal systems (i.e., beyond the 
requirements of NIST SP 800-171), pursuant to the terms of an agreement 
as provided for in 32 CFR part 2002.
    DHS declines the recommendation to clarify that the rule is not 
applicable to contractor information systems. As previously stated, the 
only requirement in the proposed rule specific to information systems 
was paragraph (c), Authority to Operate, in clause 3052.204-7X, 
Safeguarding of Controlled Unclassified Information; in this final 
rule, the requirements of that paragraph have been made into Alternate 
I to the basic clause. All the other requirements are applicable 
regardless of the type of information system (i.e., Federal or 
nonfederal), as well as when information systems are not used, making 
the requirements applicable to contractors that access or develop CUI 
under DHS contracts. Also, absent a determination of the status of the 
contractor information system as Federal or nonfederal, it would be 
inappropriate for DHS to state that the rule is not applicable to 
contractor information systems.
    DHS declines the recommendation to clarify that the ``adequate 
security'' requirements of the rule do not apply to internal contractor 
information systems that are not operated on behalf of an agency, and 
stress that the use of sanitization procedures for CUI spills onto 
internal contractor information systems, instead of requiring 
``adequate security'' implementation on systems ``regardless of where'' 
the CUI may reside. The requirement for adequate security is not solely 
specific to information systems. Adequate security includes ensuring 
security protections are applied commensurate with the risk resulting 
from unauthorized access, use, disclosure, disruption, modification or 
destruction of the information. It also includes ensuring information 
contractors and subcontractors host on information systems on behalf of 
the agency, as well as information systems and applications used by the 
agency, operate effectively and provide appropriate protections related 
to confidentiality, integrity, and availability.
    Additionally, paragraph (b)(1) of clause 3052.204-7X, Safeguarding 
of Controlled Unclassified Information, requires contractors and 
subcontractors to provide adequate security to protect CUI from 
unauthorized access and disclosure. This includes complying with DHS 
policies and procedures, accessible at <a href="https://www.dhs.gov/dhs-security-and-training-requirements-contractors">https://www.dhs.gov/dhs-security-and-training-requirements-contractors</a>, in effect when the 
contract is awarded.
    A review of the policies and procedures on the referenced website 
would demonstrate that the applicability of the various policies and 
procedures depends on the requirements of each contract, including the 
type(s) of CUI accessed or developed under the contract. In addition, 
the clause makes clear that the information system security policies 
and procedures on the website are only applicable to Federal 
information systems. Also, the respondent is incorrect that internal 
contractor information systems that are not operated on behalf of the 
agency should not be required to have adequate security. If such a 
system includes the Department's CUI, it is imperative that adequate 
security of the system be maintained. Nonetheless, the information 
system security requirements of this rule are limited to Federal 
information systems. The purpose of this rule is the safeguarding of 
CUI, so it would be inappropriate to assert that DHS was attempting to 
apply security standards to contractor information systems that do not 
contain CUI. Also, ``CUI spills onto internal

[[Page 40568]]

contractor information systems'' are considered incidents and are 
subject to the incident reporting and response requirements of clause 
3052.204-7X, Safeguarding of Controlled Unclassified Information.
    DHS declines the recommendation to clarify that contractors are not 
responsible for implementing the ``adequate security'' requirements on 
GFE that contractors operate in their own internal contractor 
environment, unless specifically agreed between the DHS procuring 
activity and the contractor. Clause 3052.204-7X, Safeguarding of 
Controlled Unclassified Information, is clear on the applicability of 
the information system security requirements and, as such, there is no 
need to state within the text of the clause that the requirements are 
not applicable to GFE.
4. ATO Requirements
    Comment: One respondent stated that it appears as if the 
requirements of paragraph (c)(1)(i) of proposed clause 3052.204-7X, 
Safeguarding of Controlled Unclassified Information, would apply only 
to an information system that is in development and the security 
authorization (SA) package must be submitted before the system goes 
operational.
    Response: The respondent is partially correct. The SA package must 
be submitted and ATO granted before a Federal information system, which 
includes a contractor information system operated on behalf of the 
agency, can be used to collect, process, store, or transmit CUI. 
However, the requirement for submission of an SA package is not limited 
to information systems that are under development. Whether the Federal 
information system is under development or already in existence, before 
it can be used to collect, process, store, or transmit CUI it must 
receive an ATO from DHS and the requirements for submission of the SA 
package must be met.
    Comment: The same respondent questioned if the ATO requirements are 
applicable to nonfederal information systems. If so, the respondent 
stated that the clause should state when the SA package for these 
systems must be submitted as well as clarify the applicability of the 
independent assessment and which standard (i.e., NIST SP 800-53 or NIST 
SP 800-171) will be used to determine compliance.
    Response: The prescription for Alternate I identifies that these 
requirements are applicable when Federal information systems, which 
include contractor information systems operated on behalf of the 
agency, are used to collect, process, store, or transmit CUI. 
Additionally, the first sentence of paragraph (c), Authority to 
Operate, in proposed clause 3052.204-7X, Safeguarding Controlled 
Unclassified Information, stated ``[t]his subsection is applicable only 
to Federal information systems, which include[ ] contractor information 
systems operating on behalf of the agency.'' As such, the information 
system security requirements of the clause are applicable only to 
Federal information systems. As previously stated, DHS is intentionally 
silent on the requirements applicable to nonfederal information systems 
as the FAR CUI rule is intended to address the requirements for these 
information systems. Inclusion of such requirements in this rule would 
be duplicative of the work of the FAR Councils.
    Comment: One respondent stated that the proposed clause could be 
interpreted to require that contractors meet the security requirements 
of NIST SP 800-53 when safeguarding CUI at DHS prior to collecting, 
processing, storing, or transmitting CUI. The respondent also stated 
that a contractor will need to have gone through the DHS ATO process 
and demonstrated its capabilities to meet the requirements of the 
proposed clause. The respondent raised concerns that such a process 
thwarts the ``do once, use many'' efficiencies established under the 
Federal Risk and Authorization Management Program (FedRAMP). 
Additionally, the respondent stated that absent definitive guidance on 
the timing of the ATO, unnecessary expenses may be incurred by 
potential offerors, or competition may be needlessly stifled, 
precluding access to best commercial solutions and innovative new 
technology.
    Response: Consistent with FISMA and its implementing Governmentwide 
policies, Federal information systems, which include contractor 
information systems operated on behalf of the Government, are required 
to receive an ATO before they can collect, process, store, or transmit 
Federal information. This requirement does not mean that a contractor's 
information system must have received an ATO from the Department before 
a contractor responds to a DHS solicitation. To require a contractor to 
obtain an ATO before contract award is costly and unnecessarily 
burdensome, and it could potentially place contractors in the position 
to incur costs that they would have no possibility to recoup. Clause 
3052.204-7X, Safeguarding of Controlled Unclassified Information, 
documents the timeline and process contractors must comply with to 
receive an ATO from the Department and it is clear that this process 
takes place after a contract award is made.
    Comment: One respondent asserted that DHS should tie new regulatory 
requirements on cybersecurity controls to FedRAMP. Another respondent 
stated that the rule does not recognize or accommodate the use of cloud 
services.
    Response: FedRAMP addresses requirements for cloud computing. To 
the extent a contractor is proposing a cloud solution to the 
Department, DHS would comply with FedRAMP policies and procedures. This 
includes the expectation that contractors would rely on the documents 
the cloud service provider used to obtain its provisional ATO under 
FedRAMP and modify them to reflect any additional requirements 
necessary to provide the specific services required by the Department.
    Comment: One respondent stated that the proposed process will 
impose significant responsibilities on DHS, will require a great 
expense to the contractor, and will end up limiting competition.
    Response: DHS recognizes there are significant costs associated 
with these requirements; however, the persistent and prevalent nature 
of cyber-attacks on both government and private sector networks has 
shown that this is a necessary expense. DHS fully expects its 
contractors to reflect these costs in the price and cost proposals they 
submit to the Department.
    Comment: Two respondents raised concerns regarding the 
applicability of the rule to contracts awarded using the procedures of 
FAR part 12, Acquisition of Commercial Items. The respondents stated 
that applying the requirements of the rule to contracts awarded under 
the procedures of this FAR part impacts the Department's access to 
innovative technology and increases the number of obstacles to market 
entry to the DHS supply chain for these companies as well as new 
start-ups with innovative technical ideas. The respondents recommended 
that DHS exclude commercial items from the requirements of the rule.
    Response: DHS relies extensively on commercial contractors to 
provide services that include access to and the processing, storing, 
and transmitting of CUI. Eliminating this large pool of contractors 
from compliance with these requirements is untenable. It is not only 
inconsistent with the mission of the Department, but it is also 
contrary to the public interest. DHS has determined that the costs 
associated with compliance with the security requirements of this rule 
are a necessary expense to ensure DHS CUI is adequately protected.
    Comment: One respondent recommended that DHS specify if the 
Department will be the arbiter of compliance or if contractor self-
assessments will suffice, the latter of which is the preference of the 
respondent.
    Response: Clause 3052.204-7X, Safeguarding of Controlled 
Unclassified Information, is clear that a contractor operating a 
Federal information system, which includes a contractor information 
system operated on behalf of the agency, must receive an independent 
assessment. Specifically, the clause requires contractors have an 
independent third party validate the security and privacy controls in 
place for the information system(s). Validation includes reviewing and 
analyzing the SA package and reporting on technical, operational and 
other deficiencies as outlined in NIST Special Publication 800-53, 
Security and Privacy Controls for Information Systems and 
Organizations. Deficiencies must be addressed before the SA package is 
submitted to the COR for review. DHS will review the independent 
assessment and, in conjunction with its own analysis, determine if an 
ATO should be granted.
    Comment: One respondent recommended that, if DHS will be responsible 
for determining whether a contractor has implemented adequate security, 
the rule clarify how any determination of adequacy will be made. The 
respondent requested that the authority be placed at a level higher 
than the contracting officer, such as the Chief Information Officer 
(CIO), to ensure a more uniform application across DHS. The respondent 
also recommended that DHS include further guidance on this subject on 
the cited website to explain to contractors how this standard will be 
applied.
    Response: Clause 3052.204-7X, Safeguarding of Controlled 
Unclassified Information, consistently has identified that the 
Component or Headquarters CIO, or designee, is responsible. Alternate 
I, which incorporates paragraph (c) of the proposed clause, states that 
``[t]he Contractor shall not collect, process, store, or transmit CUI 
within a Federal information system until an ATO has been granted by 
the Component or Headquarters CIO, or designee.'' Alternate I makes 
clear that these requirements are only applicable to Federal 
information systems and the Component or Headquarters CIO, or designee, 
is responsible for determining if a contractor has implemented adequate 
security.
    DHS declines the recommendation to add further guidance on this 
topic on the publicly facing website. Adequate security means ensuring 
security protections are applied commensurate with the risk resulting 
from unauthorized access, use, disclosure, disruption, modification or 
destruction of the information. It also includes ensuring information 
contractors and subcontractors host on information systems on behalf of 
the agency, as well as information systems and applications used by the 
agency, operate effectively and provide appropriate protections related 
to confidentiality, integrity, and availability.
    Additionally, paragraph (b)(1) of clause 3052.204-7X, Safeguarding 
of Controlled Unclassified Information, requires contractors and 
subcontractors to provide adequate security to protect CUI from 
unauthorized access and disclosure. This includes complying with DHS 
policies and procedures, accessible at <a href="https://www.dhs.gov/dhs-security-and-training-requirements-contractors">https://www.dhs.gov/dhs-security-and-training-requirements-contractors</a>, in effect when the 
contract is awarded.
    As it relates to the information system security portion of the 
adequate security requirements, the process to obtain an ATO is clearly 
described in the text of clause 3052.204-7X, Safeguarding of Controlled 
Unclassified Information. The remaining adequate security requirements 
are documented in the policies and procedures on the publicly facing 
website. As such, no additional guidance on adequate security is 
required.
    Comment: One respondent recommended that DHS establish mechanisms 
through which contractors can obtain sufficient clarity during the 
proposal stage both to determine whether CUI will be processed under 
the contract and, if yes, to assess whether they can comply with such 
safeguarding obligations.
    Response: DHS shared this concern when developing the proposed rule 
and indicated as such in the preamble of the proposed rule by stating 
that feedback from industry consistently has indicated the need for 
transparency and clear and concise requirements as it relates to 
information security. This concern led DHS to establish in the proposed 
rule a process by which DHS contractors will be aware of the security 
requirements they must meet when responding to DHS solicitations that 
require a contractor to collect, process, store, or transmit CUI. 
Previously, information security requirements were either embedded in a 
requirements document (i.e., Statement of Work, Statement of 
Objectives, or Performance Work Statement) or identified through 
existing clause 3052.204-70, Security Requirements for Unclassified 
Information Technology Requirements. This approach: (1) created 
inconsistencies in the identification of information security 
requirements for applicable contracts; (2) required the identification 
and communication of security controls for which compliance was 
necessary after contract award had been made; and (3) resulted in 
delays in contract performance. Clause 3052.204-7X, Safeguarding of 
Controlled Unclassified Information, substantially mitigates the 
concerns with DHS's previous approach. Through the government-provided 
Security Requirements Traceability Matrix (SRTM), contractors will know 
at the solicitation level the security requirements with which they 
must comply. The SRTM identifies the security controls that must be 
implemented on an information system that collects, processes, stores, 
or transmits CUI and that are necessary for the contractor to prepare 
its SA package. Clear identification of these requirements at the 
solicitation level affords contractors the ability to: (1) assess their 
qualifications and ability to fully meet the Government's requirements; 
(2) make informed business decisions when deciding to compete on the 
Government's requirements; and (3) engage subcontractors, if needed, 
early in the process to enable them to be fully responsive to the 
Government's requirements. The rule states that ``[t]he SA package 
shall be developed using the government-provided Security Requirements 
Traceability Matrix and SA templates.'' Any concerns regarding the SRTM 
can be raised and resolved using traditional solicitation processes.
    Comment: One respondent recommended that DHS consider implementing 
a review process for ensuring that contractors can propose alternative, 
but equally effective, controls, an approach used by DoD in its 
information safeguarding rulemaking. The respondent recommended that 
the process also include a procedure through which contractors can 
obtain confirmation that a particular control is unnecessary. The 
respondent also recommended that DHS clarify the process for making 
such determinations and that contractors be permitted to make such 
determinations on an individual basis.
    Response: DHS declines these recommendations given that the ability 
for a contractor to engage on security measures included in the SRTM, 
which includes the applicability of the control and implementation 
method, is inherent in the Department's SA process. 
In addition, because the SRTM will be included in all applicable 
solicitations, any concerns regarding the SRTM can be raised and 
resolved using traditional solicitation processes. As such, there is no 
need to add language to the clause to identify this capability.
    Comment: One respondent stated that the government-supplied SRTM 
has the potential to be a useful tool to help ensure its members' 
ability to be responsive to the Government's security requirements. The 
respondent was unclear whether an SRTM will be provided with each 
solicitation or only in cases where a contractor will be operating an 
information technology (IT) system on behalf of the Government. The 
respondent requested that all DHS solicitations include: (1) a 
description of whether CUI Basic and/or CUI Specified information will 
be collected, processed, stored, or transmitted by the contractor on 
behalf of DHS during the course of the project; and (2) a list of 
applicable security requirements, including any requirements for CUI 
Specified information that must be protected on nonfederal information 
systems at higher than the CUI Basic ``moderate'' confidentiality level 
of the NIST SP 800-171 standards.
    Response: The information system security requirements in this rule 
are focused on those applicable to Federal information systems, which 
include contractor information systems operated on behalf of the 
agency. As previously stated, the requirements applicable to nonfederal 
information systems will be addressed in the FAR CUI rule, and as such, 
they are not addressed in this rulemaking. For the purposes of the 
information systems subject to this rulemaking, an SRTM will be 
included in all applicable solicitations using the controls from NIST 
SP 800-53. The type(s) of CUI provided and/or developed under the 
contract also will be identified in the solicitation. Apart from using 
NIST SP 800-171 as a baseline for the security controls, DHS does not 
anticipate a change to the process of providing an SRTM and identifying 
the type(s) of CUI provided or developed under a contract where 
nonfederal information systems are used. However, this process cannot 
be fully defined until the FAR CUI rule is finalized.
    Comment: One respondent raised concerns regarding the security 
review requirements of paragraph (c)(3) of clause 3052.204-7X, 
Safeguarding of Controlled Unclassified Information. The respondent 
stated that proper control of information is already outlined in the 
applicable law, regulation, and Governmentwide policy that applies to 
that information and that compliance with contract terms is already 
included in agreement terms. The commenter requested that DHS take an 
approach similar to DoD and either use existing FAR processes and 
procedures to facilitate these requirements or identify them at the 
contract level in lieu of specifying the requirements in the clause.
    Response: The ability to perform periodic security reviews is an 
important mechanism for the Department to consistently ensure 
contractors are and remain compliant with the security requirements 
contained in their contracts. This is borne out by the prevalent and 
persistent nature of cyber-attacks against both public and private 
networks and information systems. Although the Department is reserving 
the right to perform random security reviews, the Department will be 
judicious in its use and will coordinate appropriately with contractors 
to ensure operations are not unduly impacted. It is also important to 
note that reciprocity among agency regulations is outside the scope of 
this rule.
5. CUI Registry
    Comment: Several respondents raised concerns that the proposed rule 
included categories of CUI that are not included in the CUI Registry 
maintained by NARA. In support of these concerns, respondents cited 
various sections of 32 CFR part 2002, such as ``[a]gencies may use only 
those categories or subcategories approved by the CUI EA [established 
by E.O. 13556 as NARA] and published in the CUI Registry to designate 
information as CUI.'' 32 CFR 2002.12(b).
    Response: Based on the number of comments related to DHS's 
inclusion of new categories and subcategories of CUI in the proposed 
rule, it appears there is: (1) a misperception among our industry 
partners that the CUI Registry cannot change; and (2) a 
misunderstanding of the process by which agencies can add new 
categories to the CUI Registry. The categories and subcategories of 
information in the CUI Registry are not static. E.O. 13556, Controlled 
Unclassified Information, establishes a process to add new categories 
and subcategories of CUI. DHS's addition of new CUI categories and 
subcategories is in line with the procedures established by the E.O., 
which require that the category or subcategory of information be in a 
law, regulation, or Governmentwide policy. DHS proposed the new categories 
and subcategories of CUI through the regulatory process (i.e., its 
NPRM) and received provisional approval from NARA for the proposed 
categories. As a result of this approval, these categories now appear 
in the CUI Registry.
    Comment: One respondent advised that restating CUI categories 
increases administrative burdens. The same respondent also raised 
concerns that paragraph (b), Handling of Controlled Unclassified 
Information, of clause 3052.204-7X, Safeguarding of Controlled 
Unclassified Information, refers contractors back to DHS policies and 
procedures and advised that DHS should instead refer contractors to the 
CUI Registry and avoid duplicative descriptions of CUI. The respondent 
also stated that DHS defined Operations Security Information too 
broadly and that it could be interpreted to include almost any 
information. Multiple respondents raised the same concern about the 
Department's definition of Homeland Security Agreement Information. One 
respondent stated that the definition is vague and overly broad and 
does not comport with either the definition of CUI set forth in 32 CFR 
part 2002 or the categories or subcategories of CUI included in the CUI 
Registry, while other respondents stated that the definition allows DHS 
to determine what Homeland Security Agreement Information is on a case-
by-case basis in individual contracts. Another stated that the 
parameters for Homeland Security Agreement Information are very 
uncertain and seemingly could apply to any information included in such 
agreements.
    Response: The CUI Registry does not describe safeguarding and 
dissemination requirements in sufficient detail to allow for general 
users to properly protect information without supplemental guidance. In 
most instances, it is only a citation of a law, regulation, or 
Governmentwide policy. With regard to Operations Security Information, 
the definition used in this regulation has been updated and is derived 
from the definition ``Operations Security (OPSEC)'' from National 
Security Presidential Memorandum 28, which was issued in January 2021. 
While agreeing that the category is broad, DHS also believes it 
necessary, much like other similarly broad categories, such as privacy 
and law enforcement information. DHS is unable to address it solely in 
specific contracts or project guidance as such a practice would by 
definition be an ad-hoc agency practice existing outside of a law, 
regulation, or Governmentwide policy and, thus, contrary to E.O. 13556. 
Instead, DHS opted to define this protection within the scope of this 
regulation.
    With regard to Homeland Security Agreement Information, in 
furtherance of the Department's core missions of (1) preventing 
terrorism and enhancing security, (2) securing and managing the 
borders, (3) enforcing and administering immigration laws, 
(4) safeguarding and securing cyberspace, and (5) ensuring resilience 
to disasters, DHS enters into 
thousands of information sharing agreements with State, local, and 
private sector entities. The information being shared is often 
sensitive, thus requiring protections from public disclosure, but does 
not easily fall into one of the other CUI categories. DHS has 
historically protected this information as For Official Use Only, the 
DHS precursor to the CUI regime. While the definition of Homeland 
Security Agreement Information is admittedly broad, fulfilling core DHS 
missions while protecting sensitive information shared with DHS by our 
nonfederal partners requires such flexibility. DHS finalizes the CUI 
categories as proposed and declines to make changes in response to 
public comments.
    Comment: One respondent stated the rule does not discuss who has 
the responsibility to identify or designate DHS CUI; whether any 
safeguarding obligations also apply to other categories or 
subcategories of CUI as listed in the CUI Registry; what relationship 
must exist between the presence of information that could be CUI and a 
contractual obligation to DHS; or how the agency will respond, advise, 
or adjudicate any questions as to application, administration, 
implementation, or enforcement of the safeguarding obligation.
    Response: The purpose of this rulemaking is to clearly identify 
contractor responsibilities with respect to safeguarding CUI and 
identify security requirements and processes applicable to Federal 
information systems, which include contractor information systems 
operated on behalf of the Government. Identification of individuals/
organizations within the Department responsible for designating CUI and 
safeguards applicable to CUI does not achieve this end. Likewise, a 
specific process on how the agency will respond, advise, or adjudicate 
any questions as to application, administration, implementation, or 
enforcement of the safeguarding obligation is unnecessary. Should 
an issue or concern arise, it can be handled through traditional 
contract administration practices.
6. DHS Internal Policies and Procedures
    Comment: One respondent expressed concern that the ``adequate 
security'' requirements in paragraph (b), Handling of Controlled 
Unclassified Information, in clause 3052.204-7X, Safeguarding of 
Controlled Unclassified Information, refer to security standards in 
DHS-specific documents (as opposed to security standards designed for 
use across the executive branch) that are hosted on a DHS website. The 
respondent expressed concern that DHS may unilaterally change these 
security standards from time to time, causing significant adverse 
effects to contractors without giving them a meaningful opportunity to 
comment on these changes. Based on this concern, the respondent 
proposed the following revision (revision in bold type):

    Adequate security includes compliance with DHS policies and 
procedures in effect at the time of contract award. These policies 
and procedures are accessible at <a href="https://www.dhs.gov/dhs-security-and-training-requirements-contractors">https://www.dhs.gov/dhs-security-and-training-requirements-contractors</a>. Changes to policies and 
procedures will be identified by version controls and 
implementations of these new versions will only occur after the 
contractors affected by the change are allowed time to comment on 
changes that will affect a contract's cost and/or schedule.

    Response: DHS does not accept the recommendation to add language to 
clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, documenting how and when updates to the Department's 
policies and procedures will be handled after a contract has been 
awarded. DHS employs version control on all internal policies and 
procedures. Contractors are not afforded the opportunity to comment on 
internal policies and procedures of Federal agencies when they are 
developed or when they are updated. Any impacts to DHS contractors as a 
result of updates to policies and procedures will be handled through 
the normal contract administration process, which already allows a 
contractor to assess the impact of the change and request consideration 
from the Government prior to implementation of the change. As such, 
there is no need to add specific language in the clause allowing a 
contractor to review and assess impacts to contract schedules and 
costs.
7. Definitions
    Comment: Multiple respondents requested that DHS include the 
definition of ``on behalf of an agency'' consistent with 32 CFR part 
2002. Another respondent stated that the rule does not clearly define 
the term ``nonfederal information system'' as storing or handling CUI 
only incidental to providing a service or product to the Government, 
nor does it apply ``on behalf of an agency'' in a manner consistent 
with 32 CFR part 2002.
    Response: DHS intentionally excluded the ``on behalf of an agency'' 
definition provided in the NARA CUI rule from this rulemaking. The 
phrase ``on behalf of an agency'' is already rooted in statute and is 
used extensively in FISMA. FISMA designates the Director of the OMB as 
being responsible for ``developing and overseeing the implementation of 
policies, principles, standards, and guidelines on information 
security. . . .'' 44 U.S.C. 3553(a)(1). As such, any definition of the 
phrase ``on behalf of an agency'' must be provided in FISMA policy and 
guidance issued by OMB after going through the appropriate interagency 
coordination process to assess the wide-ranging implications of 
defining this term. In the case of the NARA CUI rule, that has not 
happened. In addition, the NARA CUI rule addresses a small subset of 
the issues covered by FISMA. For example, FISMA applies to all 
information, not just CUI. In addition, FISMA requires agencies to 
provide information security protections related to the integrity, 
confidentiality, and availability of all information (including CUI). 
The NARA CUI rule relates only to a subset of these concerns, 
specifically confidentiality of CUI.
    The rule defines a Federal information system as ``an information 
system used or operated by an agency or by a Contractor of an agency or 
by another organization on behalf of an agency.'' This definition was 
taken directly from OMB Circular A-130. Defining a Federal information 
system is sufficient for the purposes of this rulemaking as an 
information system, in the context of this rule, is either Federal or 
nonfederal. Including a definition of a nonfederal information system 
is not necessary as it logically follows that a nonfederal information 
system is the opposite of a Federal information system. Also, 
``nonfederal information system'' is not defined in Governmentwide 
policy. Lastly, the information system security requirements of this 
rule are limited to Federal information systems.
8. Reciprocity in Interagency Regulations and Information Security 
Requirements
    Comment: Multiple respondents raised concerns that the requirements 
of the rule are not the same as other rules related to CUI issued by 
other Departments and agencies, such as DoD, and requested that DHS 
revise this rule to be consistent with those 
rules. Respondents also stated that there is a lack of consistency 
between DHS and DoD incident reporting requirements on what constitutes 
timely reporting of breaches. Because companies often do work for 
multiple Federal agencies, the respondent stated that it is important 
to have a consistent approach Governmentwide so that companies can set 
up a single compliant system and process.
    Response: Reciprocity in information security policies and 
regulations and incident reporting requirements among Departments and 
agencies is outside the scope of this regulation. The purpose of this 
rulemaking is to ensure that DHS contractors adequately protect CUI 
received under DHS contracts. As such, the focus of this rule is 
properly limited to the interests and mission needs of the Department. 
Additionally, this rule is fully consistent with all applicable 
statutes, regulations, and Governmentwide policies applicable to CUI 
and information systems. With regard to reciprocity in information 
security policies, DHS finalizes the rule as proposed and declines to 
make changes in response to public comments.
    Comment: One respondent expressed concern that the rule fails to 
emphasize the need for reciprocity across Federal agencies and the 
requirement to rely upon provisional authorizations and ATOs already 
obtained through other Federal agencies.
    Response: The focus of this rule is properly limited to the 
interests and requirements of DHS. As such, reciprocity across the 
Federal government and the requirement to rely upon provisional 
authorizations and ATOs obtained from other Departments and agencies is 
beyond the scope of this rule. However, nothing in the rule prevents a 
contractor from submitting an SA package that was previously approved by 
another Department, agency, or DHS Component. DHS will consider 
existing SA packages and test results, as appropriate. It is quite 
possible that such a submission would expedite the approval process to 
obtain an ATO from DHS.
9. Incident Reporting and Response
    Comment: Several respondents stated that the DHS requirement to 
report incidents involving PII or SPII within 1 hour of discovery, and 
all other incidents within 8 hours of discovery, is unreasonably short 
and inconsistent with other government requirements. One respondent 
stated that it is important to have a consistent approach 
Governmentwide so that companies can set up a single compliant system 
and process. One respondent recommended DHS extend the reporting 
timeframes to 8 hours for known incidents and 72 hours for suspected 
incidents involving contractors' internal information systems. One 
respondent suggested DHS extend the timeframe for reporting known or 
suspected incidents on contractor information systems not operated on 
behalf of the Department to 72 hours. Another respondent requested that 
DHS revise its incident reporting requirement to exclude reporting when 
the contractor information system is not operated on behalf of the 
Department.
    Response: The requirement to report incidents impacting PII within 
1 hour of discovery is documented in OMB memorandum M-18-02, Fiscal 
Year 2017-2018 Guidance on Federal Information Security and Privacy 
Management Requirements, and in United States Computer Emergency 
Readiness Team (US-CERT) Federal Incident Notification Guidelines. The 
8-hour reporting timeline for incidents impacting all other categories 
of CUI came from the Department's review of its internal policies and 
procedures for other categories of CUI. Specifically, the Department 
reviewed its policies for chemical-terrorism vulnerability information 
(CVI), protected critical infrastructure information (PCII), and 
sensitive security information (SSI) (categories of information for 
which the Department is statutorily responsible) and determined that 
the existing reporting timeline for incidents impacting these 
information categories is 8 hours. The Department considered creating a 
separate reporting timeline for PII, CVI, PCII, and SSI and 
establishing a different reporting timeline for the remaining 
categories of CUI and determined that having multiple reporting 
timelines would create confusion and could potentially result in 
incidents not being timely reported to the Department. It is also 
important to note that Departments and agencies must report information 
security incidents where the confidentiality, integrity, or 
availability of a Federal information system is potentially compromised 
to US-CERT within 1 hour of being identified by the agency's top-level 
Computer Security Incident Response Team, Security Operations Center 
(SOC), or IT department. As it relates to the incident reporting 
timelines required by DoD, reciprocity among agency regulations is 
outside the scope of this rule.
    DHS does not accept the recommendation to extend the reporting 
requirement for known or suspected incidents on contractor information 
systems that are not operated on behalf of the Department (i.e., a 
nonfederal information system). The importance of CUI is not changed by 
being on a nonfederal information system. As such, DHS will not hold 
nonfederal information systems that contain the Department's CUI to a 
lower standard than Federal information systems that contain the same 
information.
    DHS also does not accept the recommendation that incidents 
impacting CUI on a contractor's internal information systems should not 
be reported to the Department. A suspected or known incident impacting 
the Department's CUI should always be reported. To require anything 
less would be contrary to the public interest and the mission of the 
Department.
    Comment: One respondent asked DHS to clarify that if a 
subcontractor experiences an incident, the subcontractor is required to 
submit the incident report to DHS, but the subcontractor also must 
notify the prime contractor (or next higher tier contractor) that it 
submitted the report.
    Response: DHS accepts this recommendation. DHS included paragraph 
(j), Subcontracts, in proposed clause 3052.204-7X, Safeguarding of 
Controlled Unclassified Information, to make clear that the 
requirements of the clause must be included in the terms and conditions 
of subcontract agreements, making subcontractors responsible for 
complying with the requirements of the clause. However, to make clear 
the Department's intent to require that subcontractors report incidents 
that occur in their facilities and information systems, DHS has revised 
proposed paragraph (d) (now paragraph (c)), Incident Reporting 
Requirements, to add subcontractor reporting responsibilities.
    Comment: One respondent raised concerns that the incident response 
requirements in paragraphs (e)(3) and (5) of proposed clause 3052.204-
7X, Safeguarding of Controlled Unclassified Information, state the 
following: ``(3) Incident response activities determined to be required 
by the Government may include, but are not limited to, the following: 
(i) Inspections, (ii) Investigations . . .'' and ``(5) The Government, 
at its sole discretion, may obtain assistance from other Federal 
agencies and/or third-party firms to aid in incident response 
activities.'' The respondent recommended that the clause clarify how a 
contractor's confidential and privileged information will be protected 
in a case where the Government elects to conduct such inspections and 
investigations,
particularly with the assistance of third-party firms.
    Response: DHS does not accept the recommendation to identify in the 
text of the clause how a contractor's confidential and privileged 
information will be protected when third-party firms assist with the 
Department's incident response activities. However, DHS's current 
processes account for the protection of this information when third-
party firms are used. DHS will continue to protect against the 
unauthorized use or disclosure of information received or obtained from 
contractors under clause 3052.204-7X, Safeguarding of Controlled 
Unclassified Information. Contractors from third-party firms that 
assist in the Government's incident response activities are required to 
sign nondisclosure agreements. Additionally, both DHS and its 
contractors that report suspected or known incidents are required to 
complete a formal Rules of Engagement before incident response 
activities begin. The Rules of Engagement document describes the security 
mechanisms that will be used to ensure the protection of information 
received during the Department's incident response activities.
    Comment: One respondent stated that the incident reporting 
obligation does not limit the scope of reportable incidents to Federal 
information systems or even contractor information systems that contain 
Federal information. Because this distinction is not made, the 
respondent asserted that the rule could be read to require a contractor 
to report to DHS any incident impacting its own internal information 
systems, regardless of whether the incident has any likelihood of 
impacting the DHS CUI resident on that information system. The 
respondent recommended that DHS harmonize its reporting obligations 
with any reporting obligations currently under consideration by the FAR 
Councils in conjunction with its work on the FAR CUI rule.
    Response: DHS disagrees that incidents should be reported to the 
Department only after the contractor determines it is likely the 
incident will impact/has impacted the DHS CUI resident on the 
information system. If DHS CUI is resident on an information system 
where a suspected or known incident occurs, contractors are required to 
report that incident to the Department. Additionally, it is clear from 
the title and substance of this rule that the focus is ensuring the 
adequate security of CUI, in general and when resident on an 
information system. To imply that this rule is requiring that suspected 
or known incidents must be reported on any and all information systems, 
including those that do not include the Department's CUI, is 
unreasonable and false. DHS is a participant on the FAR team 
responsible for drafting the FAR CUI rule and has not identified any 
conflicts between this rule and the work taking place with the FAR 
team.
    Comment: One respondent stated that the requirement to report all 
known and suspected incidents may result in a substantial number of 
false positives that would be unduly burdensome for both DHS and its 
contractors.
    Response: The respondent is correct that the incident reporting 
requirements of the clause may result in a number of ``false 
positives'' being reported to the Department. DHS expects that this may 
be the case and is structured to receive and resolve the anticipated 
number of incidents to be reported under this clause. Given the 
persistent and prevalent nature of cyber-attacks against both public 
and private networks and information systems, it is increasingly 
imperative that the Department is timely notified of any suspected or 
known incidents impacting information systems where the Department's 
CUI resides.
    Comment: One respondent stated that paragraphs (e), Incident 
Response Requirements, and (f), PII and SPII Notification Requirements, 
of proposed clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, should be revised to be consistent with the current OMB 
directive. The Discussion and Analysis section of the proposed rule 
stated that ``[t]he timing for reporting incidents involving PII or 
SPII is consistent with OMB Memorandum M-07-16, Safeguarding Against 
and Responding to the Breach of Personally Identifiable Information.'' 
The respondent advised that the OMB memorandum cited was superseded on 
January 3, 2017, by OMB Memorandum M-17-12, Preparing for and 
Responding to a Breach of Personally Identifiable Information. The 
respondent recommended that DHS update the rule and proposed clause to 
reflect the current OMB memorandum.
    Response: DHS accepts the recommendation and has updated the 
relevant portions of the rule to ensure consistency with OMB M-17-12, 
Preparing for and Responding to a Breach of Personally Identifiable 
Information.
10. Privacy Requirements
    Comment: One respondent raised a concern regarding paragraph (b)(3) 
of proposed clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, which prohibits a contractor from maintaining SPII in its 
invoicing, billing, and other recordkeeping systems. The respondent 
stated that some recordkeeping systems may have appropriate protections 
in place for safeguarding SPII while other systems may not. Because of 
this gap, the respondent recommended that contractors be required to 
protect SPII as required by law and be permitted to choose how best to 
meet that obligation given the nature of their information systems. The 
contractor also stated that the requirement would be prohibitive for an 
institution of higher education accepting a contract.
    Response: DHS does not accept the respondent's recommendation. DHS 
has made a business decision based on previous incident response 
activities that DHS contractors are not authorized to maintain the 
Department's SPII in their invoicing, billing, and other recordkeeping 
systems.
    Comment: One respondent raised concerns with paragraph (f)(1) of 
proposed clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, which states that ``[t]he Contractor shall not proceed 
with notification unless directed in writing by the Contracting 
Officer.'' The respondent expressed concern that the SPII or PII also 
might fall under the Health Insurance Portability and Accountability 
Act (HIPAA) or other Federal breach reporting requirements. If so, the 
respondent said, the language may present a conflict as to when and how 
to notify someone of the breach of their personal information. The 
respondent also stated that while it is unlikely that an institution 
would be notifying individuals of breaches within 5 days of the 
incident, an institution may choose to notify another government 
official, such as the Secretary of Health and Human Services, if the 
incident also constitutes a breach under HIPAA. Because there is no 
other section of the clause clearly delineating the process to notify 
other governmental bodies, as may be required by State or Federal law, 
the respondent recommends revising the language as follows (revision in 
bold type):

    The Contractor may notify other state or federal government 
agencies as required by law, but must copy the Contracting Officer 
on any reports made to other federal or state agencies. The 
Contractor shall not proceed with notification to individuals or 
entities outside of the government unless directed in writing by the 
Contracting Officer.

    Response: DHS partially accepts the recommendation. Proposed clause
3052.204-7X, Safeguarding of Controlled Unclassified Information, 
identifies requirements for reporting suspected or confirmed PII 
incidents as required by internal DHS policy and OMB memorandum M-17-
12, Preparing for and Responding to a Breach of Personally Identifiable 
Information. Such requirements are identified in the DHS Incident 
Handling Guidance and are implemented in proposed clause 3052.204-7X, 
Safeguarding of Controlled Unclassified Information. Nonetheless, this 
clause was not intended to preempt contractors from reporting PII 
incidents under any applicable law. To ensure this point is clear, the 
statement was amended to add language allowing for compliance with 
applicable laws. Also, it is important to note the Department's 
timeline for notifying individuals pertains to when a contractor 
receives a notification request from the contracting officer; it is not 
related to the date the incident is reported.
    Comment: One respondent recommended DHS consider extending the 5-
day notification requirement to affected individuals to enable 
contractors to dedicate resources to remediation and investigation 
activities in the initial days after a breach. The respondent stated 
that the 5-day notification period is substantially shorter than most 
State reporting obligations (30-45 days in many States). The respondent 
asserted that many companies reflect these State time periods for 
providing notifications to affected individuals and raised concerns 
that the notification timeline will detract from a contractor's ability 
to meaningfully respond to the incident.
    Response: DHS does not accept the recommendation. The Department is 
requiring that contractors notify the individual whose PII and/or SPII 
was under the control of the contractor or resided in its systems at 
the time of the incident not later than 5 business days after being 
directed to notify individuals, unless otherwise approved by the 
Contracting Officer (emphasis added). The 5-business day notification 
period is only to address the time period in which the contractor must 
prepare and mail the notification to the individual, after being 
directed to do so by the Contracting Officer. It is completely 
unrelated to the timing of incident notification.
    Comment: One respondent raised concerns with paragraph (g), Credit 
Monitoring Requirements, of proposed clause 3052.204-7X, Safeguarding 
of Controlled Unclassified Information. The section requires the 
contractor to provide credit monitoring services, including call center 
services, if directed by the Contracting Officer, to any individual 
whose PII or SPII was under the control of the contractor, or resided 
in the information system, at the time of the incident for a period 
beginning the date of the incident and extending not less than 18 
months from the date the individual is notified. The respondent 
recommends that contractors' internal information systems be excepted 
from this requirement.
    Response: DHS does not accept the recommendation to exclude 
contractor information systems from the credit monitoring requirements 
in clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information. The respondent is attempting to draw a distinction where 
there is none. Unauthorized access to or disclosure of the Department's 
PII on a contractor's internal information system has the same level of 
importance and potential impact as it would on a Federal information 
system. To the extent a contractor's internal information system 
contains PII provided by the Government or generates PII on behalf of 
the Government and is subject to a known or suspected incident that 
impacts the PII, the contractor is responsible for providing 
notification and credit monitoring if the Government determines it is 
appropriate to do so. Any stance to the contrary is inconsistent with 
the public interest and the mission of the Department.
    Comment: One respondent stated that the HSAR should include a 
requirement that the DHS procuring activity and the contractor 
explicitly agree on whether and to what extent the contractor has 
credit monitoring and call center obligations as part of a specific 
contract. The respondent stated that the agreement should specifically 
clarify whether these obligations extend to the contractor in relation 
to GFE that the contractor operates in its own internal contractor 
environment.
    Response: Paragraphs (f), PII and SPII Notification Requirements, 
and (g), Credit Monitoring Requirements, of proposed clause 3052.204-
7X, Safeguarding of Controlled Unclassified Information, state that 
those requirements are only applicable when an incident involves PII or 
SPII. To ensure that contractors understand when these requirements are 
applicable, DHS is making these requirements a separate clause at 
3052.204-7Y titled Notification and Credit Monitoring Requirements for 
Personally Identifiable Information Incidents. The applicability of new 
clause 3052.204-7Y, Notification and Credit Monitoring Requirements for 
Personally Identifiable Information Incidents, is limited to 
solicitations and contracts where a contractor will have access to PII. 
This change ensures DHS contractors understand credit monitoring and 
notification requirements are only applicable when the solicitation and 
contract require contractor access to PII.
    The decision to provide notification and credit monitoring services 
is specific to each incident. As such, a blanket determination cannot 
be made that these services will be required each time a known or 
suspected incident is reported that impacts PII. The intent of the 
clause is to ensure that the Government can timely notify individuals 
impacted by an incident and provide them with credit monitoring 
services if and when the Government determines it is appropriate to do 
so. Paragraph (b)(2) of clause 3052.204-7Y, Notification and Credit 
Monitoring Requirements for Personally Identifiable Information 
Incidents, states that ``[a]ll determinations by the Department related 
to notifications to affected individuals and/or Federal agencies and 
related services (e.g., credit monitoring) will be made in writing by 
the Contracting Officer.'' Therefore, the Contracting Officer will 
advise contractors of their requirements depending on the incident on a 
case-by-case basis. Depending on the severity of the incident, credit 
monitoring may not be necessary in one instance, but may be in another.
11. Sanitization of Government and Government-Activity-Related Files 
and Information
    Comment: One respondent questioned the implementation of paragraph 
(h), Certificate of Sanitization of Government and Government-Activity-
Related Files and Information, of proposed clause 3052.204-7X, 
Safeguarding of Controlled Unclassified Information. The clause states 
``the Contractor shall return all CUI to DHS and/or destroy it 
physically and/or logically as identified in the contract.'' The 
respondent asked where such information would be identified in the 
contract, specifically whether the information would be identified in 
the clause, the Statement of Work, or some other attachment. The 
respondent also stated that it would be helpful to see the DHS language 
that identifies how a contractor is to destroy CUI physically and/or 
logically.
    Response: DHS will identify in the Statement of Work, Statement of 
Objectives, Performance Work Statement, or specification if and when 
CUI is required to be returned,
physically and/or logically destroyed, or both. Clause 3052.204-7X, 
Safeguarding of Controlled Unclassified Information, states that 
destruction of the CUI ``shall conform to the guidelines for media 
sanitization contained in NIST SP 800-88, Guidelines for Media 
Sanitization.'' As such, no additional instruction on how to physically 
or logically destroy CUI is necessary.
    Comment: One respondent noted that the sanitization requirement is 
contrary to data use rights typical for an institution of higher 
education environment. The respondent stated that it is very common for 
higher education institutions to maintain files and data associated 
with research under U.S. Government contracts and grants that will be 
used for follow-on research and that CUI may be resident on contractor 
information systems. The respondent recommended that the language be 
revised to indicate that the contractor must return or destroy the CUI 
when it is specified by the individual contract. The respondent also 
recommended DHS use the requirements under NIST SP 800-171, which 
includes a media sanitization protocol.
    Response: Proposed paragraph (h), Certificate of Sanitization of 
Government and Government-Activity-Related Files and Information, 
requires contractors to return all CUI to DHS and/or destroy it 
physically and/or logically using the guidelines in NIST SP 800-88, 
Guidelines for Media Sanitization. Contractors must also certify and 
confirm sanitization and submit the certification to the COR and 
contracting officer.
    However, to ensure that media is returned and destroyed only when 
the Government has determined it to be appropriate to do so, the 
language is revised to state that CUI must be returned and/or destroyed 
unless the contract states that return or destruction of CUI is not 
required. Also, the media sanitization requirements in the clause do 
not conflict with the media sanitization protocols in NIST SP 800-171 
as the sanitization requirements in this publication are taken from 
NIST SP 800-88.
12. Subcontractor Flow-Down Requirements
    Comment: Multiple respondents expressed concern that paragraph (j), 
Subcontracts, of proposed clause 3052.204-7X, Safeguarding of 
Controlled Unclassified Information, requires contractors to ``insert 
this clause in all subcontracts and require subcontractors to include 
this clause in all lower-tier subcontracts.'' The respondent stated 
that this language appears to require contractors to flow down the 
clause to subcontractors that have no role in receiving or creating CUI 
in performance of the contract. The respondent stated that this is 
inconsistent with the applicability described in the preamble to the 
proposed rule and recommended that the language be updated accordingly.
    Response: DHS agrees with the recommendation. Proposed paragraph 
(j) (now paragraph (g)), Subcontracts, has been revised to require 
contractors flow down the clause only to subcontracts involving CUI.
13. Requirements Applicable to Educational Institutions
    Comment: One respondent noted that paragraph (a) of proposed clause 
3004.470-4 states that ``[n]either the basic clause nor its alternates 
should ordinarily be used in contracts with educational institutions.'' 
The respondent stated that it would be helpful for DHS to indicate what 
specific contract clauses they expect to use with educational 
institutions, and what controls (such as, for example, those described 
in NIST SP 800-171) would be required to be in place to protect CUI 
information received pursuant to those clauses. The respondent 
recommended that, in the case of contracts requiring an institution of 
higher education to have access to CUI, or to collect or maintain CUI 
on behalf of the agency, DHS use the baseline requirement of 
``moderate'' security controls for CUI Basic information, as described 
in NIST SP 800-171. The respondent stated that protections required in 
addition to those present under CUI Basic should be implemented through 
the CUI Registry's CUI Specified mechanisms to reflect the requirements 
of applicable law, regulations, or Governmentwide policy requiring 
supplemental controls, and should be specifically identified in the 
governing contract. The respondent also requested that information that 
does not meet the definition of CUI, such as vendor proprietary 
information, be specifically identified in the contract, along with the 
level of protection that must be afforded to such information. The 
respondent stated that this approach would reduce the substantial 
administrative and financial burdens to the institutions, funding 
agencies, and their external partners and will allow institutions of 
higher education to adopt the compliance solutions that work best with 
their existing information systems and practices.
    Response: The statement that ``[n]either the basic clause nor its 
alternates should ordinarily be used in contracts with educational 
institutions'' is only applicable to clause 3052.204-71, Contractor 
Employee Access. It is also important to note that this statement does 
not prohibit the Department from including the clause or its alternates 
in contracts with educational institutions when it is determined to be 
necessary. The recommendation that DHS should indicate what specific 
contract clauses it expects to use and security controls required to be 
in place to protect CUI when contracting with educational institutions 
implies the Department should use a lesser information security 
standard when contracting with these organizations. This is not the 
case. The required security controls are those discussed in this 
rule. Additionally, information that is neither CUI nor classified is 
not required to be protected.
    As previously stated, Federal information systems, which include 
contractor information systems operated on behalf of the agency, are 
subject to the requirements of NIST SP 800-53. Generally speaking, 
should the Government determine that a contractor information system is 
not operated on its behalf, NIST SP 800-171 is applicable instead of 
NIST SP 800-53. However, consistent with 32 CFR 2002.14(a)(3) and (g), 
``[a]gencies may increase CUI Basic's confidentiality impact level 
above moderate only internally, or by means of agreements with agencies 
or non-executive branch entities (including agreements for the 
operation of an information system on behalf of the agencies).'' 
Relatedly, 32 CFR 2002.4(c) states that agreements ``include, but are 
not limited to, contracts, grants, licenses, certificates, memoranda of 
agreement/arrangement or understanding, and information-sharing 
agreements or arrangements.'' Therefore, DHS can require a 
confidentiality impact level above moderate through agreements with 
non-executive branch entities and does not need an update to the CUI 
Registry to do so. DHS will determine if an information system is 
Federal or nonfederal, perform the necessary risk assessment consistent 
with Departmental policy, and identify the security controls 
contractors must meet through an SRTM. The SRTM will be included in the 
solicitation to ensure contractors clearly understand the security 
requirements they must meet before responding to the solicitation. 
Apart from using NIST SP 800-171 as a baseline for the security 
controls, DHS does not anticipate a change to the
process of providing an SRTM and identifying the type(s) of CUI 
provided or developed under a contract where nonfederal information 
systems are used. However, this process cannot be fully defined until 
the FAR CUI rule is finalized.
14. Self-Deleting Requirements
    Comment: DHS invited comments on the self-deleting requirements in 
proposed clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information. One respondent raised concerns with the use of self-
deleting requirements and requested that DHS consider the use of 
alternates to help parties achieve certainty about their 
responsibilities to implement the requirements of the clause.
    Response: DHS agrees with the commenter that the use of alternates 
will increase certainty among DHS contractors on their responsibilities 
to comply with the requirements of clause 3052.204-7X, Safeguarding of 
Controlled Unclassified Information. As such, DHS has: (1) moved the 
requirements of paragraph (c), Authority to Operate, into Alternate I to 
the basic clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information; and (2) moved the requirements of paragraphs (f), PII and 
SPII Notification Requirements, and (g), Credit Monitoring 
Requirements, into a separate clause at 3052.204-7Y titled Notification 
and Credit Monitoring Requirements for Personally Identifiable 
Information Incidents.
    As a result of these changes, basic clause 3052.204-7X, 
Safeguarding of Controlled Unclassified Information, is limited to the 
following provisions: paragraphs (a), Definitions; (b), Handling of 
Controlled Unclassified Information; (c), Incident Reporting 
Requirements; (d), Incident Response Requirements; (e), Certification 
of Sanitization of Government and Government-Activity-Related Files and 
Information; (f), Other Reporting Requirements; and (g), Subcontracts. 
Compliance with these requirements is mandatory regardless of the 
information system type (i.e., Federal information system or nonfederal 
information system). Alternate I to the basic clause is applicable when 
Federal information systems, which include contractor information 
systems operated on behalf of the agency, are used to collect, process, 
store, or transmit CUI. New clause 3052.204-7Y, Notification and Credit 
Monitoring Requirements for Personally Identifiable Information 
Incidents, is applicable to solicitations and contracts where a 
contractor will have access to PII. These changes were made to: (1) 
ensure DHS contractors clearly understand the scope and applicability 
of the various requirements contained in clause 3052.204-7X, 
Safeguarding of Controlled Unclassified Information; (2) make clear 
that the ATO requirements of the clause are only applicable to Federal 
information systems, which include contractor information systems 
operated on behalf of the agency; and (3) ensure DHS contractors 
understand credit monitoring and notification requirements are only 
applicable when the solicitation and contract require contractor access 
to PII.
15. Applicability to Service Contracts
    Comment: The proposed rule requested comments on making proposed 
clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, applicable to all service contracts with the understanding 
that the clause would be self-deleting if it does not apply. One 
respondent stated that it would be preferable for DHS to include the 
clause only in those contracts where the clause is required, saying 
there is no realistic self-deleting function.
    Response: DHS agrees with the commenter and will not make the 
requirements of the proposed rule applicable to all service contracts. 
Clause 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, will be included only in contracts where its requirements 
are applicable.
16. Costs
    Comment: One respondent noted that the cost data provided in the 
proposed rule are based on the assumption of a contractor having a 
centralized system base (for example, one information system, one 
accounting system, a limited number of individuals with access, a 
controlled physical environment). The respondent stated that 
institutions of higher education are highly decentralized entities and 
that costs increase significantly when implementing these requirements 
over multiple systems, on a case-by-case basis, as would generally be 
required in the decentralized higher education environment. The 
respondent said the problem only is magnified when each agency adopts 
separate and distinct requirements for the safeguarding of CUI, making 
it imperative to have one standard to operate by, such as that proposed 
under the NARA CUI rule.
    Response: The information system security requirements of this rule 
are focused on the requirements applicable to Federal information 
systems. Requirements for Federal information systems are governed by 
Federal Information Processing Standards (FIPS) Publication 199, 
Standards for Security Categorization of Federal Information and 
Information Systems; FIPS Publication 200, Minimum Security 
Requirements for Federal Information and Information Systems; and NIST 
SP 800-53, Security and Privacy Controls for Information Systems and 
Organizations. These publications define the process by which the 
Government categorizes a Federal information system as requiring low, 
moderate, or high security controls to protect the confidentiality, 
integrity, and availability of information that is processed, stored, 
and transmitted by those systems/organizations and to satisfy a set of 
defined security requirements. The commenter's approach displaces 
compliance with these publications and requests that the Government 
identify a single security standard for Federal information systems 
without the benefit of the methodical and deliberate processes required 
by each of these publications. This approach is unacceptable because it 
is inconsistent with FISMA and NIST policy for Federal information 
systems. By contrast, the NARA CUI rule establishes baseline 
information security requirements necessary to protect CUI Basic on 
nonfederal information systems by mandating the use of NIST SP 800-171, 
Protecting Controlled Unclassified Information in Nonfederal 
Information Systems and Organizations, when establishing security 
requirements to protect CUI's confidentiality on nonfederal information 
systems. However, consistent with 32 CFR 2002.14(a)(3) and (g), 
``[a]gencies may increase CUI Basic's confidentiality impact level 
above moderate only internally, or by means of agreements with agencies 
or non-executive branch entities (including agreements for the 
operation of an information system on behalf of the agencies).''
    The Department has not updated cost estimates to account for 
institutions with multiple systems because, based on Federal 
Procurement Data System (FPDS) data on unique vendors awarded contracts 
under the most likely applicable Product and Service Codes (PSCs) in 
Fiscal Year (FY) 2019 and FY

[[Page 40577]]

2020, fewer than 1 percent of affected entities are educational 
institutions that could have multiple systems. Based on the estimated 
population of affected entities (171), only one entity would be an 
educational institution that might have multiple systems on average.\4\ 
In addition, DHS has no data on how many systems these entities use. 
Other types of entities could have multiple systems. However, multiple 
variables dictate the cost of an independent assessment (e.g., 
governance, decentralization of information systems, number of 
information systems (i.e., size), complexity, categorization, and 
documentation). As such, the number of information systems impacted by 
the ATO is not the sole factor to consider when determining if there 
will be increases to the cost of an independent assessment. While there 
may be increases to the cost of an independent assessment when multiple 
information systems are involved, such increases are largely dependent 
upon the level of decentralization of the systems and variances in the 
governance structure of each system. If the information systems have 
the same or similar governance structures, the cost of the independent 
assessment may not be significantly affected. Conversely, if there 
is significant decentralization and variances in governance structures, 
the cost of an independent assessment could increase. Such 
determinations must be made on a case-by-case basis and take into 
consideration all relevant factors that dictate the cost of an 
independent assessment.
    Therefore, DHS maintains the cost estimates from the proposed rule 
but recognizes that these costs may be underestimates because FPDS data 
do not identify subcontractors that may have multiple systems, and 
there is uncertainty about the prevalence of multiple systems among 
affected entities other than educational institutions and about the 
cost implications of independently assessing multiple systems.

IV. Statutory and Regulatory Requirements

A. Executive Orders 12866 and 13563

    E.O. 12866 (Regulatory Planning and Review) and E.O. 13563 
(Improving Regulation and Regulatory Review) direct agencies to assess 
the costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health, and safety effects; distributive impacts; and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This rule has been designated a ``significant regulatory action,'' 
although not economically significant, under section 3(f) of E.O. 
12866. Accordingly, the rule has been reviewed by OMB.
1. Outline of the Analysis
    Section IV.A.2.a describes the need for the final rule, and section 
IV.A.2.b describes the process used to estimate the costs of the rule 
and the general inputs used, such as the number of affected entities. 
Section IV.A.3 explains how the provisions of the final rule will 
result in quantifiable costs and presents the calculations DHS used to 
estimate them. In addition, section IV.A.3 describes the qualitative 
costs, cost savings, and benefits of the final rule. Section IV.A.4 
summarizes the estimated first year and 10-year total and annualized 
costs of the final rule. Finally, section IV.A.5 presents the 
regulatory alternatives considered.
2. Summary of the Analysis
    DHS expects that the final rule will result in costs, cost savings, 
and benefits. As shown in Exhibit 1, DHS estimates a range of costs to 
capture uncertainty in cost data and, therefore, presents the estimated 
impacts using a lower bound, upper bound, and primary estimate. The 
primary estimate is calculated by taking the average of the upper bound 
and lower bound estimates. DHS estimates the final rule will have an 
annualized cost ranging from $15.32 million to $17.28 million at a 
discount rate of 7 percent and a total 10-year cost that ranges from 
$107.62 million to $121.37 million at a discount rate of 7 percent. DHS 
was unable to quantify the cost savings or benefits associated with the 
rule. However, the final rule is expected to produce cost savings by 
reducing the time required to grant an ATO, reducing DHS time reviewing 
and reissuing proposals because contractors are better qualified, and 
reducing the time to identify a data breach. The final rule also 
produces benefits by better notifying the public when their data are 
compromised, requiring the provision of credit monitoring services so 
that the public can better monitor and avoid costly consequences of 
data breaches, and reducing the severity of incidents through timely 
incident reporting.

                             Exhibit 1--Estimated Monetized Costs of the Final Rule
                                                [$2020 millions]
----------------------------------------------------------------------------------------------------------------
                                                                                       Costs
                                                                 -----------------------------------------------
                                                                        Low           Primary          High
----------------------------------------------------------------------------------------------------------------
Undiscounted 10-Year Total......................................         $152.60         $162.32         $172.04
10-Year Total with Discount Rate of 3%..........................          130.28          138.58         146.889
10-Year Total with Discount Rate of 7%..........................          107.62          114.49          121.37
Annualized with Discount Rate of 3%.............................           15.27           16.25           17.22
Annualized with Discount Rate of 7%.............................           15.32           16.30           17.28
----------------------------------------------------------------------------------------------------------------

    Exhibit 2 below provides a detailed summary of the final rule 
provisions and their impacts. See the costs and cost savings 
subsections of section IV.A.3 (Subject-by-Subject Analysis) below for 
more detailed explanations.
---------------------------------------------------------------------------

    \4\ Calculation: 171 ATO vendors * 0.72 percent of educational 
institutions in the population = 1.2 ATO vendors with multiple 
systems.

[[Page 40578]]



                                         Exhibit 2--Summary of Provisions and Economic Impacts of the Final Rule
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                             Expressly  required by
   3052.204-7X,  Safeguarding of                              statute,  regulation,   Statute, regulation,
      controlled  unclassified           Requirement(s)         or governmentwide      or  governmentwide           Costs                 Benefits
            information                                              policy?                 policy
--------------------------------------------------------------------------------------------------------------------------------------------------------
(a) Definitions....................  Defines terms           N/A...................  Definitions for        No costs associated
                                      applicable to the                               adequate security,     with definitions.
                                      clause.                                         Homeland Security
                                                                                      Agreement
                                                                                      Information,
                                                                                      Homeland Security
                                                                                      Enforcement
                                                                                      Information,
                                                                                      Operations Security
                                                                                      Information,
                                                                                      Personnel Security
                                                                                      Information, and
                                                                                      Sensitive Personally
                                                                                      Identifiable
                                                                                      Information are the
                                                                                      only terms that are
                                                                                      not defined in a
                                                                                      statute, regulation,
                                                                                      or Governmentwide
                                                                                      policy.
(b) Handling of Controlled           (a) Requires            (a) Yes...............  (a) 32 CFR part 2002,  (a) No new costs, is   Unquantified cost
 Unclassified Information.            contractors to comply  (b) No................   Controlled             currently a            savings to DHS from
                                      with DHS policies and                           Unclassified           regulatory             clarified system
                                      procedures for the                              Information (CUI).     requirement.           requirements, which
                                      handling of CUI.                               (b) N/A--Internal DHS  (b) Imposes no new      reduce time to grant
                                     (b) Limits                                       requirement.           cost.                  ATOs, identify
                                      contractors' use or                                                                           better qualified
                                      redistribution of CUI                                                                         bidders for DHS
                                      to only those                                                                                 contracts, and
                                      activities specified                                                                          prevent DHS from
                                      in the contract.                                                                              putting contracts on
                                                                                                                                    hold to reissue
                                                                                                                                    requests for
                                                                                                                                    proposals and
                                                                                                                                    alternate
                                                                                                                                    contractors.
                                     (c) Ensures CUI         (c) No................  (c) N/A--Internal DHS  (c) Imposes no new
                                      transmitted via email                           requirement.           cost.
                                      is protected by
                                      encryption or
                                      transmitted within
                                      secure communications
                                      systems.
(c) Incident Reporting Requirements  Contractors and         (a) Yes...............  (a) OMB Memorandum M-  (a, b) The primary     (a, b, c) Timely
                                      subcontractors must:                            17-12 PRIV,            estimate of            reporting of
                                      (a) Report all known                            Preparing for and      reporting an           incidents is
                                      or suspected                                    Responding to a        incident to DHS is     critical to prevent
                                      incidents involving                             Breach of Personally   $1,075 per incident.   the impact of an
                                      PII or SPII within 1                            Identifiable           DHS cannot quantify    incident from
                                      hour of discovery.                              Information,           the aggregate total    expanding, ensure
                                                                                      requires each agency   of these costs         incident response
                                                                                      to have a breach       because DHS does not   and mitigation
                                                                                      response plan that     track the origin of    activities are
                                                                                      includes timely        security event         undertaken quickly,
                                                                                      reporting. The DHS     notices and is         and ensure
                                                                                      Senior Agency          therefore unable to    individuals are
                                                                                      Official for Privacy   determine how many     timely notified of
                                                                                      determined that to     security event         the possible or
                                                                                      meet the timeliness    notices external       actual compromise of
                                                                                      requirements of M-17-  contractors reported   their PII. Reducing
                                                                                      12, the initial        to their respective    the time to identify
                                                                                      report must occur      Component SOC or the   a breach improves
                                                                                      within 1 hour of       DHS Network            the effectiveness of
                                                                                      discovery.             Operations Security    incident management,
                                                                                                             Center.                reduces false
                                                                                                                                    positives, improves
                                                                                                                                    triage by lowering
                                                                                                                                    the cost of trivial
                                                                                                                                    true positives,
                                                                                                                                    minimizes mission
                                                                                                                                    disruption and the
                                                                                                                                    resulting impact on
                                                                                                                                    revenue and
                                                                                                                                    performance, and
                                                                                                                                    reduces the cost of
                                                                                                                                    investigation.
                                     (b) Report all other    (b) No, internal        (b) N/A..............
                                      incidents within 8      policy requirement.
                                      hours of discovery.
                                     (c) Ensure CUI          (c) No................  (c) 32 CFR 2002.14,    (c) No new costs, is
                                      transmitted via email                           Safeguarding,          currently a
                                      is protected by                                 paragraphs (c),        regulatory
                                      encryption or                                   Protecting CUI under   requirement.
                                      transmitted within                              the control of an
                                      secure communications                           authorized holder,
                                      systems.                                        and (g), Information
                                                                                      systems that
                                                                                      process, store, or
                                                                                      transmit CUI.
(d) Incident Response Requirements.  (a) Requires            (a) Yes...............  (a) Federal            (a) DHS components     Standardizing
                                      contractors and                                 Information Security   have included          incident reporting
                                      subcontractors to                               Modernization Act of   differing language     leads to more
                                      provide full access                             2014 (44 U.S.C.        in contracts for       proactive incident
                                      and cooperation for                             3551), OMB A-130,      incident response,     response,
                                      all activities                                  Managing Information   while this provision   potentially faster
                                      determined by the                               as a Strategic         creates consistency    incident resolution,
                                      Government to be                                Resource.              across DHS             and potential
                                      required to ensure an                                                  components in          reduction in the
                                      effective incident                                                     language without       scope and impact of
                                      response.                                                              change to              the incident
                                                                                                             requirements. Since    depending on the
                                                                                                             DHS already conducts   nature of the attack
                                                                                                             this practice, these   (i.e., fewer records
                                                                                                             costs are part of      breached).
                                                                                                             the existing
                                                                                                             baseline costs of
                                                                                                             business.

[[Page 40579]]

 
                                     (b) Allows the          (b) No................  (b) N/A--Internal DHS  (b) N/A--The
                                      Government to obtain                            requirement.           Government bears the
                                      outside assistance to                                                  costs related to
                                      assist in incident                                                     obtaining assistance
                                      response activities.                                                   from external
                                                                                                             parties for incident
                                                                                                             response activities
                                                                                                             (e.g., existing DHS
                                                                                                             contracts,
                                                                                                             interagency
                                                                                                             agreements). This
                                                                                                             cost is not new
                                                                                                             because incident
                                                                                                             response is a
                                                                                                             longstanding
                                                                                                             practice and DHS has
                                                                                                             existing pre-
                                                                                                             position contracts
                                                                                                             that allow it to tap
                                                                                                             services for
                                                                                                             incident response.
(e) Certificate of Sanitization of   Requires the            Yes...................  Paragraph (d) of HSAR  No new costs are
 Government and Government-Activity-  contractor to return                            3052.204-70,           anticipated as this
 Related Files and Information.       all CUI to DHS and/or                           Security               requirement simply
                                      destroy it physically                           Requirements for       replaces the pre-
                                      and/or logically.                               Unclassified           existing requirement
                                      Destruction must                                Information            in paragraph (d) of
                                      conform to the                                  Technology Resources.  HSAR 3052.204-70,
                                      guidelines for media                                                   Security
                                      sanitization                                                           Requirements for
                                      contained in NIST SP                                                   Unclassified
                                      800-88, Guidelines                                                     Information
                                      for Media                                                              Technology
                                      Sanitization.                                                          Resources.
                                                                                                             Additionally, any
                                                                                                             costs associated
                                                                                                             with this
                                                                                                             requirement are
                                                                                                             covered under the
                                                                                                             initial regulation
                                                                                                             for HSAR 3052.204-
                                                                                                             70, Security
                                                                                                             Requirements for
                                                                                                             Unclassified
                                                                                                             Information
                                                                                                             Technology Resources.
(f) Other Reporting Requirements...  Informs contractors     No....................  N/A..................  No costs related to
                                      that the incident                                                      DHS are anticipated
                                      reporting required by                                                  with this
                                      this clause does not                                                   requirement as those
                                      rescind the                                                            costs would be
                                      contractor's                                                           covered under the
                                      responsibility for                                                     ``other applicable
                                      other incident                                                         statutory or
                                      reporting pertaining                                                   regulatory
                                      to its unclassified                                                    requirements, or
                                      information systems                                                    other U.S.
                                      under other clauses                                                    Government
                                      that may apply to its                                                  requirements''.
                                      contract(s), or as a
                                      result of other
                                      applicable statutory
                                      or regulatory
                                      requirements, or
                                      other U.S. Government
                                      requirements.
(g) Subcontracts.
    Requirement(s): Requires the contractor to insert this clause in all
        subcontracts and require subcontractors to include this clause in all
        lower tier subcontracts when subcontractor employees will have access
        to CUI; CUI will be collected or maintained on behalf of the agency by
        a subcontractor; or a subcontractor information system(s) will be
        used to process, store, or transmit CUI.
    Expressly required by statute, regulation, or governmentwide policy? In
        part. Prime contractors are required to flow down the text of this
        clause to applicable subcontracts. Many of the clause requirements
        stem from a statute, regulation, or Governmentwide policy as
        indicated above and below.
    Statute, regulation, or governmentwide policy: See above and below.

[[Page 40580]]

 
(h) Authority to Operate.
    (a) Security Authorization.
        Expressly required by statute, regulation, or governmentwide policy?
            Yes.
        Statute, regulation, or governmentwide policy: Federal Information
            Security Modernization Act of 2014 (44 U.S.C. 3551), OMB A-130,
            Managing Information as a Strategic Resource, OMB Memorandum
            M-22-01, Improving Detection of Cybersecurity Vulnerabilities and
            Incidents on Federal Government Systems through Endpoint Detection
            and Response, NIST SP 800-53, Revisions 4 and 5, Security and
            Privacy Controls for Information Systems and Organizations, and
            paragraphs (a) and (e) of HSAR 3052.204-70, Security Requirements
            for Unclassified Information Technology Resources.
        Costs: No new costs are anticipated as this requirement simply
            replaces the pre-existing requirement in paragraphs (a), (b), and
            (e) of HSAR 3052.204-70, Security Requirements for Unclassified
            Information Technology Resources. As part of the existing
            paragraphs (a) and (e) of HSAR 3052.204-70, Security Requirements
            for Unclassified Information Technology Resources, vendors are
            required to maintain full-time equivalent (FTE) oversight that is
            estimated to cost $209,008 per vendor.
    (b) Independent Assessment.
        Expressly required by statute, regulation, or governmentwide policy?
            No.
        Statute, regulation, or governmentwide policy: N/A.
        Costs: $71.28 million at a 7% discount rate associated with the cost
            of an independent third party validating the security and privacy
            controls in place for the information system(s); reviewing and
            analyzing the SA package; and reporting on technical,
            operational, and management level deficiencies.
        Benefits: Independent assessment provides an objective measure of
            compliance with security and privacy controls. Benefits of using
            a third party to perform an independent assessment extend to the
            contractor, who can use the results to demonstrate cybersecurity
            excellence for customers.
    (c) ATO Renewal.
        Expressly required by statute, regulation, or governmentwide policy?
            Yes.
        Statute, regulation, or governmentwide policy: See response at
            paragraph (a).
        Costs: No new costs are anticipated as this requirement simply
            replaces the pre-existing requirement in paragraphs (a), (b), and
            (e) of HSAR 3052.204-70, Security Requirements for Unclassified
            Information Technology Resources. Additionally, any costs
            associated with this requirement are covered under the initial
            regulation for HSAR 3052.204-70, Security Requirements for
            Unclassified Information Technology Resources.
    (d) Security Review.
        Expressly required by statute, regulation, or governmentwide policy?
            No.
        Statute, regulation, or governmentwide policy: N/A.
        Costs: $159,924 at a 7% discount rate from a new cost to the
            government to conduct the security reviews and to the contractor
            for any interruptions to normal operations caused by the security
            review.
        Benefits: Security review is an important mechanism for the
            Department to consistently ensure contractors are and remain
            compliant with the security requirements contained in their
            contracts.
    (e) Federal Reporting and Continuous Monitoring Requirements.
        Expressly required by statute, regulation, or governmentwide policy?
            Yes.
        Statute, regulation, or governmentwide policy: Federal Information
            Security Modernization Act of 2014 (44 U.S.C. 3551), OMB A-130,
            Managing Information as a Strategic Resource, OMB Memorandum
            M-14-03, Enhancing the Security of Federal Information and
            Information Systems, and NIST SP 800-53, Revisions 4 and 5,
            Security and Privacy Controls for Information Systems and
            Organizations.
        Costs: No new costs are anticipated as this requirement simply
            replaces the pre-existing requirement in paragraphs (a) and (e)
            of HSAR 3052.204-70, Security Requirements for Unclassified
            Information Technology Resources. Additionally, any costs
            associated with this requirement are covered under the initial
            regulation for HSAR 3052.204-70, Security Requirements for
            Unclassified Information Technology Resources.
--------------------------------------------------------------------------------------------------------------------------------------------------------


[[Page 40581]]


--------------------------------------------------------------------------------------------------------------------------------------------------------
3052.204-7Y, Safeguarding of Controlled Unclassified Information
--------------------------------------------------------------------------------------------------------------------------------------------------------
(a) Definitions.
    Requirement(s): Defines terms applicable to the clause.
    Expressly required by statute, regulation, or governmentwide policy? No.
    Statute, regulation, or governmentwide policy: Sensitive Personally
        Identifiable Information is not defined in a statute, regulation, or
        Governmentwide policy.
    Costs: No costs associated with definition.
(b) PII and SPII Notification Requirements.
    Requirement(s): Requires the contractor, when directed, to notify any
        individual whose PII or SPII was either under the control of the
        contractor or resided in an information system under control of the
        contractor at the time the incident occurred.
    Expressly required by statute, regulation, or governmentwide policy? Yes.
    Statute, regulation, or governmentwide policy: OMB Memorandum M-17-12,
        Preparing for and Responding to a Breach of Personally Identifiable
        Information.
    Costs: Estimated costs of notification are $2.72 per year per
        individual. DHS cannot quantify an aggregate total of this cost due to
        the rule because DHS does not track at the Department level the
        number of notifications required on either an annual or per-incident
        basis. Note: These costs are discretionary as the Government may or
        may not choose to have the contractor perform these services.
    Benefits: Benefit of improved notification to the public regarding
        breaches of their data, allowing better self-monitoring for identity
        theft. Such notification affords individuals the opportunity to take
        steps to minimize any harm associated with unauthorized or fraudulent
        activity.
(c) Credit Monitoring Requirements.
    Requirement(s): Requires the contractor, when directed, to provide
        credit monitoring services to individuals whose PII or SPII was under
        the control of the contractor, or resided in the information system
        at the time of the incident, for a period beginning the date of the
        incident and extending not less than 18 months from the date the
        individual is notified.
    Expressly required by statute, regulation, or governmentwide policy? Yes.
    Statute, regulation, or governmentwide policy: OMB Memorandum M-17-12,
        Preparing for and Responding to a Breach of Personally Identifiable
        Information.
    Costs: Credit monitoring is estimated to cost $6.53 per year per
        individual. DHS cannot quantify these costs because it does not have
        estimates for the population of individuals affected. Note: These
        costs are discretionary as the Government may or may not choose to
        have the contractor perform these services.
    Benefits: Credit monitoring services can be particularly beneficial to
        the affected public as they can assist individuals in the early
        detection of identity theft as well as notify individuals of changes
        that appear in their credit report, such as creation of new accounts,
        changes to their existing accounts or personal information, or new
        inquiries for credit. Such notification affords individuals the
        opportunity to take steps to minimize any harm associated with
        unauthorized or fraudulent activity.
--------------------------------------------------------------------------------------------------------------------------------------------------------


--------------------------------------------------------------------------------------------------------------------------------------------------------
3052.204-71, Contractor Employee Access
--------------------------------------------------------------------------------------------------------------------------------------------------------
(a) Controlled Unclassified Information.
    Requirement(s): Provides definition of CUI.
    Expressly required by statute, regulation, or governmentwide policy? N/A.
    Statute, regulation, or governmentwide policy: Definitions for Homeland
        Security Agreement Information, Homeland Security Enforcement
        Information, Operations Security Information, Personnel Security
        Information, and Sensitive Personally Identifiable Information are
        the only terms that are not defined in a statute, regulation, or
        Governmentwide policy.
    Costs: N/A--No new costs are anticipated with the changes to this clause
        as the changes are merely updates to terminology and clarifying edits
        to ensure complete understanding of pre-existing requirements.
        Additionally, the costs associated with this clause are covered under
        the initial regulation for HSAR 3052.204-71, Contractor Employee
        Access.
(b) Information Resources.
    Requirement(s): Provides definition of information resources.
    Expressly required by statute, regulation, or governmentwide policy? N/A.
    Statute, regulation, or governmentwide policy: Definition is taken from
        statute.
    Costs: No costs associated with definitions.
(c) Background Investigation Requirements.
    Requirement(s): Identifies background investigation requirements.
    Expressly required by statute, regulation, or governmentwide policy? Yes.
    Statute, regulation, or governmentwide policy: Paragraph (c) of HSAR
        3052.204-71, Contractor Employee Access. Note: Paragraph was updated
        in the final rule to replace the term ``IT resources'' with
        ``information resources''.
    Costs: No new costs; this is currently a regulatory requirement.
(d) Prohibition.
    Requirement(s): Identifies circumstances where the contracting officer
        can prohibit individuals from working under a contract.
    Expressly required by statute, regulation, or governmentwide policy? Yes.
    Statute, regulation, or governmentwide policy: Paragraph (d) of HSAR
        3052.204-71, Contractor Employee Access. Note: No change from
        original text.
    Costs: No new costs; this is currently a regulatory requirement.

[[Page 40582]]

 
(e) CUI Disclosure and Training Requirements.
    Requirement(s): Identifies limitation on disclosure of CUI and training
        requirements.
    Expressly required by statute, regulation, or governmentwide policy? Yes.
    Statute, regulation, or governmentwide policy: Paragraph (e) of HSAR
        3052.204-71, Contractor Employee Access. Note: Replaced references to
        ``sensitive information'' with ``CUI'' and clarified the timing for
        completion of training discussed in the original clause.
    Costs: No new costs; this is currently a regulatory requirement.
(f) Subcontract Requirements.......  Identifies when clause  Yes...................  Paragraph (f) of HSAR  No new costs, is
                                      must be included in                             3052.204-71,           currently a
                                      subcontracts.                                   Contractor Employee    regulatory
                                                                                      Access. Note:          requirement. Note:
                                                                                      Replaced reference     The change in
                                                                                      to ``sensitive         terminology from
                                                                                      information'' with     ``sensitive
                                                                                      ``CUI'' and            information'' to
                                                                                      ``resources'' with     ``CUI'' does not
                                                                                      ``information          change the
                                                                                      resources''.           requirement for
                                                                                                             safeguarding. This
                                                                                                             change was made
                                                                                                             solely to comply
                                                                                                             with E.O. 13556,
                                                                                                             Controlled
                                                                                                             Unclassified
                                                                                                             Information, and its
                                                                                                             implementing
                                                                                                             regulation at 32 CFR
                                                                                                             part 2002. The
                                                                                                             type(s) of
                                                                                                             information DHS
                                                                                                             protected under
                                                                                                             ``sensitive
                                                                                                             information'' and
                                                                                                             now under ``CUI'' is
                                                                                                             not changed.
                                                                                                             Additionally, cost
                                                                                                             impacts associated
                                                                                                             with Governmentwide
                                                                                                             implementation of
                                                                                                             the CUI Program will
                                                                                                             be captured under
                                                                                                             the Federal
                                                                                                             Acquisition
                                                                                                             Regulation
                                                                                                             rulemaking that is
                                                                                                             currently in
                                                                                                             progress.
(g) Training and Non-Disclosure      Identifies that         Yes...................  Paragraph (g) of HSAR  No new costs, is
 Agreement Requirements.              contractors must                                3052.204-71,           currently a
                                      complete a security                             Contractor Employee    regulatory
                                      briefing, additional                            Access. Note: Added    requirement.
                                      training for specific                           language to clarify
                                      categories of CUI (if                           that additional
                                      identified in the                               training for
                                      contract), and sign a                           specific categories
                                      nondisclosure                                   of CUI from
                                      agreement before                                paragraph (e) will
                                      receiving access to                             be identified in the
                                      information resources                           contract.
                                      under the contract.
(h) Contractor Access to             Identifies              Yes...................  Paragraph (h) of HSAR  No new costs, already
 Information Resources.               restrictions on                                 3052.204-71,           a regulatory
                                      access to DHS                                   Contractor Employee    requirement.
                                      information resources                           Access. Note:
                                      and consequences for                            Replaced reference
                                      attempting to access                            to ``information
                                      information resources                           technology
                                      that are not                                    resources'' with
                                      authorized under the                            ``information
                                      contract.                                       resources''.
(i), (j), (k), and (l).............  No change from          Yes...................  Paragraphs (i), (j),   No new costs, is
                                      original clause text.                           (k), and (l) of HSAR   currently a
                                                                                      3052.204-71,           regulatory
                                                                                      Contractor Employee    requirement.
                                                                                      Access. Note: No
                                                                                      change from original
                                                                                      clause text.
--------------------------------------------------------------------------------------------------------------------------------------------------------

a. Need for Regulation
    DHS has determined that rulemaking is needed to implement security 
and privacy measures to safeguard CUI and facilitate improved incident 
reporting to DHS. The final rule is designed to enable DHS to identify, 
remediate, mitigate, and resolve incidents when they occur, not to 
prevent them entirely. DHS recognizes that no measure can completely 
prevent an incident from occurring; these measures are intended to 
decrease the likelihood of occurrence, with full knowledge that there 
is no such thing as an ``unhackable'' system.
    The final rule adds a new clause at 3052.204-7X, Safeguarding of 
Controlled Unclassified Information, that ensures adequate protection 
of CUI. That new clause (1) identifies CUI handling requirements and 
security processes and procedures applicable to Federal information 
systems, which include contractor information systems operated on 
behalf of the agency; (2) identifies incident reporting requirements, 
including timelines and required data elements, inspection provisions, 
and post-incident activities; and (3) requires certification of 
sanitization of governm

[…truncated; see source link]
Indexed from Federal Register on June 21, 2023.

This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.