On June 21, the Department of Homeland Security (DHS) published a final rule to implement security measures that safeguard controlled unclassified information (CUI) from unauthorized access and disclosure and improve incident reporting. 

This final rule comes approximately six and half years after DHS published its proposed rule on January 19, 2017, and provides a comprehensive set of requirements and procedures aimed at ensuring the proper handling, storage, transmission, and disposal of CUI during DHS acquisition processes.

Beginning on July 21, 2023, this new framework will apply to all DHS contractors that require access to CUI; collect or maintain CUI on behalf of DHS; or operate federal information systems (including contractor information systems) on behalf of DHS that collect, process, store, or transmit CUI.

The DHS final rule sets out to expand and strengthen the existing Homeland Security Acquisition Regulations (HSAR) related to information security by updating an existing clause (HSAR 3052.204-71, Contractor Employee Access) and adding two new contract clauses (HSAR 3052.204-72, Safeguarding of Controlled Unclassified Information and 3052.204-73, Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents) to specifically address safeguarding CUI.  At a high level, the final rule does the following:

1. Defines CUI as “any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls” and lists 11 categories and subcategories of DHS-related information that would fall under the definition.
2. Establishes CUI handling requirements and security processes and procedures.
3. Outlines incident reporting requirements, including timelines and required data elements, inspection provisions, and post-incident activities.
4. Describes certification requirements for sanitization of government and government-activity-related files and information.
5. In the case of an incident, requires contractors to have in place procedures and the capability to notify and provide credit monitoring services to any individual whose personally identifiable information (PII) or sensitive PII (SPII) was under the control of the contractor or resided in its information system at the time of the incident.

Notably, the final rule does not adopt CUI security controls provided in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  Instead, it relies on DHS’s own specified security controls, which can be modified at any time.  NIST SP 800-171 serves as a foundation for the much-anticipated Federal Acquisition Regulation (FAR) CUI rule and already serves as the basis for the Department of Defense’s regulations concerning CUI security.  In the commentary accompanying the rule, DHS explained that since it is working with the National Archives and Records Administration (NARA) and the FAR Council on the aforementioned FAR CUI rule, it had no need “to identify requirements applicable to nonfederal information systems in this rulemaking” since its “inclusion would be duplicative and redundant to the work of the FAR Councils.”

Prior to the July 21, 2023, implementation date, DHS contractors who handle CUI should do the following:

1. Review and assess information currently managed in DHS contracts to identify any data that falls under the new HSAR CUI definition.
2. Work with DHS to determine if any contractor information systems qualify as federal information systems operated on behalf of DHS.
3. Evaluate whether existing CUI includes PII or SPII, thereby triggering notification and credit monitoring in the event of an incident.