On Oct. 21, the new Federal Acquisition Regulation (“FAR”) rule (the “CUI Rule”) aligning requirements for federal contractors to properly safeguard Controlled Unclassified Information (“CUI”) as outlined in Executive Order 13556 (the “Executive Order”) completed regulatory review. The CUI Rule’s language has not yet been released, but once it is published on the Federal Register, we expect it to introduce some manner of mandate directing compliance with NIST SP 800-171.
The CUI Rule demonstrates the Federal Government’s commitment to aligning the government contracting space with the evolving national security climate. Current and prospective federal contractors will need to update their cybersecurity practices, policies, and procedures to meet the standards of NIST SP 800-171 and the Executive Order. This will require new training programs for their workforce and management, implementation of new audit processes and audit logging requirements, and implementation of continuous network and data monitoring programs.
The Executive Order, which is the driving force behind the CUI Rule, was signed by President Obama in 2010. It established a standardized program for managing sensitive information that isn’t classified but still requires safeguarding or dissemination controls. Prior to the Executive Order, each Federal Agency used a patchwork of policies and procedures to handle sensitive but unclassified information, which led to inconsistencies and confusion and hindered information sharing.
Generally, CUI falls into several categories: (1) privacy information (e.g., personally identifiable information, medical and/or financial records); (2) national security information (e.g., information that could harm national security interests but does not meet the criteria to be classified); (3) proprietary business information (e.g., trade secrets, confidential financial data); or (4) law enforcement information (e.g., investigative reports, criminal records). Under the CUI Rule, we anticipate federal contractors will be required to implement programs and controls relative to CUI to ensure relevant materials are: (1) properly identified and marked as CUI; (2) safeguarded according to the designated category and controls; (3) disseminated only to authorized individuals; and (4) properly decontrolled or disposed of.