
May 25, 2017

Proposed classified info rule will create confusion

Department of Homeland Security proposed Controlled Unclassified Information rule is a step in the wrong direction.

Brian Cruz

Counsel, Pillsbury Winthrop Shaw Pittman LLP

Government Contracts

725 S Figueroa St Ste 2800
Los Angeles, CA 90017

Phone: (213) 488-7101

Fax: (213) 629-1033

Southwestern Univ School of Law

Brian is in the firm's Los Angeles office where he focuses on government contract law, including the False Claims Act.

Glenn Sweatt

Counsel, Pillsbury Winthrop Shaw Pittman LLP

Government Contracts

2550 Hanover St
Palo Alto, CA 94304-1115

Phone: (650) 233-4031

Fax: (650) 233-4545

Email: glenn.sweatt@pillsburylaw.com

U San Francisco School of Law

Glenn is in the firm's Silicon Valley office. He advises clients involved in U.S. Government contracts across a wide array of industry sectors.

C. Joel Van Over

Partner, Pillsbury Winthrop Shaw Pittman LLP

Government Contracts

1650 Tysons Blvd
McLean, VA 22102

Phone: (703) 770-7604

Email: joel.vanover@pillsburylaw.com

JD, Boston College; LLM Intellectual Property, George Washington U Law School

Joel Van Over is in the firm's Northern Virginia office. She assists clients in navigating the standards that apply to U.S. government contracts and other federal funding agreements.

In January, the Department of Homeland Security (DHS) took the federal government's plan to standardize and synthesize its various regulations for Controlled Unclassified Information (CUI) off course. The department issued a new proposed rule that is customized only to DHS and presents federal contractors and subcontractors with the prospect of complying with conflicting CUI policies and procedures for each federal agency for which they perform work.

Final CUI regulations, found at 32 C.F.R. Part 2002, were issued last year by the National Archives and Records Administration (NARA) pursuant to a 2010 executive order (75 FR 68675, Nov. 4, 2010); the final rule appears at 81 FR 63323. Perhaps ironically, given the DHS proposed rule, the purpose of the NARA regulation was to remedy the inconsistent and conflicting patchwork of agency-specific policies, procedures and safeguarding measures that existed across the executive agencies. NARA set out to establish a single policy for all federal agencies, but DHS's new rule bucks that trend by once again establishing a set of policies geared only to itself.

The NARA regulation brought a degree of standardization to previously inconsistent areas by more precisely defining the required safeguarding measures for protecting CUI, common definitions for the various types of CUI, who must comply with the rules, and incident response protocols. However, DHS's proposed rule goes far beyond implementing the NARA regulation at DHS and creates confusion in a number of these key areas, including the safeguarding standards that apply to DHS-defined CUI.

DHS's proposed rule also mandates new reporting and credit monitoring requirements for incidents affecting personally identifiable information (a category of CUI), and will increase the costs and risks for companies performing work for DHS. CUI is information that is unclassified but requires safeguarding controls pursuant to an applicable law or regulation. The designation was created through an executive order issued by President G. W. Bush, and it effectively replaced other labels for sensitive but unclassified data, including the "Sensitive but Unclassified" and "For Official Use Only" designations used by many federal agencies.

How Does DHS's Proposed Rule Go Awry?

First, it specifies 12 categories or subcategories of CUI that do not appear in the NARA CUI Registry, which is the single comprehensive, authorized list of qualifying CUI categories and subcategories. The NARA registry already contains more than 100 categories and subcategories.

Second, the proposed rule requires a comprehensive security infrastructure, including testing, evaluation, independent third-party assessments, audits, security reviews and continuous monitoring, which goes beyond the requirements recognized by NARA.

Third, the rule requires a report to DHS within one hour of an incident involving personally identifiable information (PII) or sensitive PII (SPII), and within eight hours for incidents involving other CUI categories.

Finally, contractors that experience PII- or SPII-related incidents (or even a suspected data breach) are required to notify all affected persons and, if applicable, provide credit monitoring services to those individuals for at least 18 months. The notification and credit monitoring requirements are independent of any assessment of fault or contractual noncompliance. In other words, these requirements are imposed on a strict liability basis.

These last two items will increase risk and cost for DHS contractors. The proposed rule applies to contractor information systems operated on behalf of the agency that are used to collect, process, store or transmit CUI. More importantly, it also applies to contractors performing work for DHS where the contractor's or subcontractor's employees will have access to CUI. The reach of this section of the proposed rule is broad because many contractors have access to CUI and maintain CUI on their own systems in order to perform a federal government contract.

Under the proposed rule, the timing of the reporting requirement arguably removes the contractor's management from the equation, because the proposed rule states: "All known or suspected incidents involving PII or SPII shall be reported within one hour of discovery. All other incidents shall be reported within eight hours of discovery." This one-hour reporting requirement was derived from a DHS internal notification requirement for reporting to the U.S. Computer Emergency Readiness Team. An incident is defined as an occurrence that "actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system." Because the clock starts at discovery of a suspected incident, not at confirmation, many contractors will find the one-hour notification requirement logistically unworkable or, at a minimum, will express serious concern about a mandatory reporting requirement that does not provide reasonable time for internal assessment of a suspected incident.

The other major impact of the proposed rule on contractors is that DHS deliberately made the provision of notification and credit monitoring services a strict liability requirement in the case of access to or transmittal of PII or SPII, i.e., independent of any assessment of fault or of noncompliance with the contract terms and conditions. DHS proposed this requirement because it asserts that sophisticated cyberattacks can succeed despite full compliance with contractual requirements, and that in those instances there may still be a need to notify individuals and provide credit monitoring services. DHS is also considering broadening the credit monitoring requirement to include identity protection, identity restoration and related services. Most states already have reporting requirements for PII incidents, and although credit monitoring is often not mandatory under those laws, it is frequently adopted voluntarily to reduce risk. The DHS requirement may also impair a contractor's efforts to respond reasonably to state law requirements.

Under the proposed DHS rule, if directed by the contracting officer, contractors must provide credit monitoring services, including call center services, to any individual whose PII or SPII was under the contractor's control or resided in the information system at the time of the incident, for a period beginning on the date of the incident and extending not less than 18 months from the date the individual is notified. Contractors performing work for DHS should note that the proposed rule indicates the credit monitoring requirement could be satisfied in different ways: some contractors could rely on cyberinsurance, while others may satisfy it through subcontracted monitoring services. DHS estimated the cost of compliance using subcontractors at between $62 and $260 per person monitored.

Ultimately, the proposed DHS rule may change before implementation, but its core requirements are unlikely to change significantly, so federal contractors should understand the risks and additional costs that may arise from performing work for DHS. More broadly, contractors should be aware that other federal agencies may propose their own regulations implementing the NARA rule, and those will likely vary from the proposed DHS rule. Government contractors want to protect CUI and comply with regulations. However, contractors, especially those serving multiple agencies, can ill afford the cost and resources required to comply with multiple different CUI paradigms across agencies. Until agencies implement the NARA rule for their contractors, the NARA rule itself provides the best insight into likely agency implementation and the fundamental safeguarding standards that are likely to apply. Agency-specific requirements for protecting CUI will continue to develop.
