New Cybersecurity Requirements Are Coming For Federal Contractors Handling Sensitive Government Information

November 7, 2024

On Oct. 21, the new Federal Acquisition Regulation (“FAR”) rule (the “CUI Rule”) aligning requirements for federal contractors to properly safeguard Controlled Unclassified Information (“CUI”), as outlined in Executive Order 13556 (the “Executive Order”), completed regulatory review. The CUI Rule’s text has not yet been released, but once it is published in the Federal Register, we expect it to introduce some form of mandate directing compliance with NIST SP 800-171.

The CUI Rule demonstrates the Federal Government’s commitment to aligning the government contracting space with the evolving national security climate. Current and prospective federal contractors will need to update their cybersecurity practices, policies, and procedures to meet the standards of NIST SP 800-171 and the Executive Order. This will require new training programs for their workforce and management, implementation of new audit processes and audit logging requirements, and implementation of continuous network and data monitoring programs.

The Executive Order, which is the driving force behind the CUI Rule, was signed by President Obama in 2010. It established a standardized program for managing sensitive information that is not classified but still requires safeguarding or dissemination controls. Prior to the Executive Order, each Federal Agency used a patchwork of policies and procedures to handle sensitive but unclassified information, which led to inconsistencies, confusion, and hindered information sharing.

Generally, CUI falls into several categories: (1) privacy information (e.g., personally identifiable information, medical and/or financial records); (2) national security information (e.g., information that could harm national security interests but does not meet the criteria to be classified); (3) proprietary business information (e.g., trade secrets, confidential financial data); and (4) law enforcement information (e.g., investigative reports, criminal records). Under the CUI Rule, we anticipate federal contractors will be required to implement programs and controls relative to CUI to ensure relevant materials are: (1) properly identified and marked as CUI; (2) safeguarded according to the designated category and controls; (3) disseminated only to authorized individuals; and (4) properly decontrolled or disposed of.

Clark Hill’s Government Contracts and Regulatory and Cybersecurity teams will monitor the Federal Register for the published rule in order to provide additional updates on any new requirements imposed by the CUI Rule and to assist interested parties in preparing comments to help guide the final rule toward meeting the Government’s and contractors’ needs and expectations.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.