
Homeland Cybersecurity: DHS Overhauls Its CUI Program, Releases New Contract Clauses

Client Alert | 4 min read | 06.21.23

On June 21, 2023, the Department of Homeland Security (DHS) issued a final rule amending the Homeland Security Acquisition Regulation (HSAR) by updating an existing clause (HSAR 3052.204-71) and adding two new contract clauses (HSAR 3052.204-72 and 3052.204-73) to address safeguarding of Controlled Unclassified Information (CUI).  The final rule is effective July 21, 2023.

The new clauses aim to improve privacy and security measures around CUI by introducing: (1) general CUI handling requirements; (2) authority to operate (ATO) requirements for federal information systems; (3) incident reporting requirements and activities; and (4) sanitization of government related files and information. These new clauses move DHS away from the use of DHS-defined sensitive information and toward the government-wide CUI model. 

3052.204-72: Safeguarding of Controlled Unclassified Information

  • Definition of CUI. The clause defines CUI as “information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls,” and specifies 11 categories and subcategories as examples of DHS-related CUI, including: Homeland Security Agreement Information, Homeland Security Enforcement Information, International Agreement Information for Homeland Security, Information Systems Vulnerability Information for Homeland Security, Operations Security Information, Personnel Security Information, Physical Security Information for Homeland Security, Privacy Information, and Sensitive Personally Identifiable Information.
  • Handling of Controlled Unclassified Information. The basic clause applies to all entities handling CUI, and it requires contractors and subcontractors to provide adequate security sufficient to protect CUI from unauthorized access and disclosure. Adequate security includes compliance with DHS policies and procedures in effect at the time of award.  The requirements of the basic clause “exist whenever CUI will be accessed or developed under a contract regardless of the type of information system involved in contract performance.”  However, DHS noted that an upcoming Federal Acquisition Regulation (FAR) CUI rule will address the specific information system security requirements for nonfederal information systems and therefore purposefully avoided rulemaking for such systems. 
  • Incident Reporting. Contractors are also subject to incident reporting and response requirements under the basic clause. Known or suspected incidents involving Personally Identifiable Information (PII) or Sensitive Personally Identifiable Information (SPII) must be reported within one hour of discovery, and all other incidents must be reported within eight hours of discovery.  The contractor must cooperate with any investigation or review and provide certain information to DHS regarding the incident. 
  • Sanitization Requirements. At the conclusion of the contract, the Contractor must return all CUI to DHS or destroy it physically or logically as identified in the contract.  The contractor must then certify the sanitization of all government files and information in compliance with NIST SP 800-88, Guidelines for Media Sanitization.
  • Flow Down. The basic clause must be flowed down to all subcontractors that have access to CUI.

3052.204-72 Alternate I: Safeguarding for Federal Information Systems

The alternate clause to HSAR 3052.204-72 applies to federal information systems, which include contractor information systems operated on behalf of DHS.  Alternate I and DHS responses to comments clarify that ATO requirements will only apply to contractors operating federal information systems that collect, process, store, or transmit CUI.  DHS also noted that agencies are responsible for determining when information systems are operated on their behalf.  In other words, DHS will determine whether a contractor information system is a federal information system requiring an ATO, though it is unclear whether DHS will do so in contract documents or by other means.

While federal contractors operating federal information systems were already required to meet NIST SP 800-53 security controls, the DHS ATO process includes documentation and assessment requirements that are not coextensive with SP 800-53.

Contractors that require an ATO must complete the DHS Security Authorization (SA) process by:

Impacted contractors must renew their ATO and update their SA package every 3 years, and they may be subjected to a government-conducted security review, carried out at the government’s discretion.

3052.204-73: Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents

HSAR 3052.204-73 applies to contracts and solicitations under which the contractor will have access to PII.  The clause requires contractors to notify any individual whose PII or SPII was under the control of the contractor or its information system at the time an incident occurred.  The method of notification must be approved by the Contracting Officer.  Additionally, the Contracting Officer may require contractors to provide monitoring services to the affected individuals.  The Contracting Officer may also require the contractor to set up a call center, establish Frequently Asked Questions, and provide information for affected individuals to contact customer service regarding the incident. 

Points of Consideration for DHS Contractors

Contractors who handle CUI pursuant to a DHS contract may consider:

  • examining current information handled under DHS contracts to determine if any information is newly considered CUI under the expanded definitions;
  • proactively engaging with DHS to determine whether any contractor information systems are considered federal information systems (i.e. operated on behalf of DHS) and thus subject to the ATO process; and
  • determining whether current CUI includes PII or SPII and therefore is subject to notification and credit monitoring requirements in the event of a cyber incident.
