Beating Others to the Punch, DHS Proposes CUI Changes to Acquisition Regulations

On the last full day of the Obama Administration, the Department of Homeland Security (DHS) published a proposed rule that would make several amendments to the Homeland Security Acquisition Regulation (HSAR) regarding Controlled Unclassified Information (CUI). Despite recent developments, the proposed rule is open for comment until March 20, 2017, and seeks to impose several obligations, including: (1) contractors handling CUI under a contract must be in compliance with a bevy of DHS policies and procedures at the time of contract award; (2) contractors operating federal information systems must meet numerous information security obligations prior to handling CUI on those systems; (3) contractors must report known or suspected incidents affecting CUI within one to eight hours, depending on the type of CUI at issue; and (4) contractors must adhere to specific breach notification and credit monitoring requirements in response to incidents affecting personally identifiable information (PII), a subset of CUI.