Government contractors performing classified contracts have long been subject to cybersecurity requirements.1 However, developments over the past several months indicate that a much broader group of Federal Government contractors may soon face significant new cybersecurity requirements intended to establish a more uniform approach to safeguarding controlled unclassified information.
Controlled Unclassified Information
Not all information protected from public disclosure by the federal government is classified. Unclassified information may be protected from public disclosure if it is proprietary, subject to export controls, or otherwise exempt from disclosure by law, regulation, or policy. This type of protected information is referred to as controlled unclassified information (CUI). Historically, each federal agency developed and promulgated policies, standards and procedures for marking and safeguarding CUI.
Executive Order 13556
On November 4, 2010, President Obama signed Executive Order 13556, “Controlled Unclassified Information” (E.O. 13556).2 E.O. 13556 notes that the patchwork of agency-specific policies for safeguarding CUI has proved inefficient and created impediments to authorized sharing of CUI. To remedy this situation, E.O. 13556 contemplates the creation of a CUI program that emphasizes government-wide openness and uniformity. E.O. 13556 identified the National Archives and Records Administration (NARA) as the CUI Executive Agent with responsibility for implementing the order after consultation with the heads of executive agencies, as well as state, local, tribal, and private sector partners.
Executive Order 13636
On February 12, 2013, President Obama signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (E.O. 13636).3 E.O. 13636 is designed to better manage cyber risks to critical systems via: (1) information sharing, (2) privacy and civil liberties protections, and (3) the adoption of cybersecurity practices. E.O. 13636 directed the U.S. Department of Commerce, National Institute of Standards and Technology (NIST) to lead the development, with private sector input, of a Cybersecurity Framework of standards and best practices.
Over the past several months, actions taken to implement the requirements of E.O. 13556 and E.O. 13636 have provided significant insight into the cybersecurity requirements that will soon apply to contractors handling CUI.
NARA Proposed Rule
As required by E.O. 13556, on May 8, 2015, NARA issued a proposed rule regarding the designation and safeguarding of CUI.4 Key features of the proposed rule include:
- The proposed rule specifically notes that it applies to contractors handling CUI for an agency, and requires executive branch agencies to include a requirement to comply with E.O. 13556 in all contracts that require a contractor to handle CUI for the agency.5
- The proposed rule notes that NARA will establish and maintain a publicly accessible CUI Registry6 that will serve as the repository for all information, guidance and policy regarding the handling and marking of CUI.7
- The proposed rule notes that all CUI will be identified by CUI “category” or “subcategory,” the exclusive means of designating CUI throughout the executive branch.8 The CUI Registry currently includes 22 approved categories and 85 subcategories of CUI.9
- The proposed rule identifies two CUI Safeguarding Standards:
- CUI Basic: the default, uniform set of standards for handling all categories and subcategories of CUI.
- CUI Specified: standards that apply to CUI categories and subcategories that have specific handling standards required or permitted by authorizing laws, regulations, or government-wide policies.
The proposed rule does not identify the CUI Basic safeguarding standards, but does specifically note that safeguarding measures authorized or accredited for classified information are also sufficient for safeguarding CUI.10 In addition, the proposed rule specifically notes that agencies must apply information system requirements to CUI that are consistent with NIST standards and OMB policies.11
- The proposed rule outlines a new CUI markings regime. Under this regime, legacy markings on existing documents will not be changed, but all new documents or information derived from legacy documents must contain the CUI Specified markings detailed in the CUI Registry, or the CUI Basic marking of “CUI” or “CONTROLLED.”12
In 2016, NARA plans to sponsor a single Federal Acquisition Regulation (FAR) clause that will consolidate and apply the CUI designation and safeguarding requirements developed as a result of E.O. 13556 and E.O. 13636 to contractors.
NIST SP 800-171
In response to the directions provided in E.O. 13636, on June 18, 2015 NIST released the final version of Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST SP 800-171).13 NIST SP 800-171 distinguishes between CUI resident on information systems used or operated by contractors on behalf of federal agencies, and CUI resident on a contractor’s internal information system used to provide a product or service for the government. NIST SP 800-171 applies to CUI resident on a contractor’s internal information system used to provide a product or service for the government when there are no specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy.
NIST SP 800-171 describes the following 14 “families” of security requirements for protecting CUI resident in nonfederal information systems and organizations:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
For each of these 14 “families,” NIST SP 800-171 provides a detailed listing of basic and derived requirements intended to ensure the protection and confidentiality of CUI. Notably, NIST SP 800-171 allows a contractor to limit the scope of these requirements by isolating CUI into its own security domain, for example by implementing subnetworks with firewalls or other boundary protection devices, so that only the system components that process, store, or transmit CUI, together with anything that shares a flat network segment with them, must meet the requirements.
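The scoping point above is the one place in the article where a practitioner can act before any FAR clause arrives: whatever shares an unfiltered network segment with a CUI system is, in practice, inside the CUI security domain, and only boundary protection shrinks that domain. The script below is an added illustration and is not part of the article or of NIST SP 800-171. It assumes a constructed inventory (the host names, CUI flags and links are invented for the example) and a deliberately simple model: a host is in scope if it handles CUI or is reachable from a CUI host over links that no firewall or other boundary device mediates. It then shows how inserting one boundary device changes the answer.

```python
from collections import deque

# Constructed inventory for illustration only (not from the article or from NIST).
# True = the host stores, processes or transmits CUI.
HOSTS = {
    "cui-fileserver": True,
    "eng-workstation": False,
    "corp-fileshare": False,
    "hr-db": False,
    "guest-wifi-ap": False,
}

# (host_a, host_b, boundary_protected): True means a firewall or other boundary
# device mediates traffic on this path; False means the two hosts sit on the
# same flat segment with unrestricted connectivity.
LINKS = [
    ("cui-fileserver", "eng-workstation", False),
    ("eng-workstation", "corp-fileshare", False),
    ("cui-fileserver", "hr-db", True),
    ("hr-db", "guest-wifi-ap", False),
]


def cui_domain(hosts, links):
    """Return the set of hosts inside the CUI security domain.

    A host is in the domain if it handles CUI, or if it is reachable from a
    CUI host over one or more links that carry no boundary protection.
    Links flagged as protected are simply not traversed.
    """
    adjacency = {}
    for a, b, protected in links:
        if protected:
            continue  # a boundary device separates a and b
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)

    domain = {name for name, handles_cui in hosts.items() if handles_cui}
    queue = deque(domain)
    while queue:  # breadth-first walk over unfiltered connectivity
        host = queue.popleft()
        for neighbour in adjacency.get(host, ()):
            if neighbour not in domain:
                domain.add(neighbour)
                queue.append(neighbour)
    return domain


def add_boundary(links, host_a, host_b):
    """Return a copy of links with boundary protection inserted between host_a and host_b."""
    updated = []
    for a, b, protected in links:
        if {a, b} == {host_a, host_b}:
            updated.append((a, b, True))
        else:
            updated.append((a, b, protected))
    return updated


def scope_report(hosts, links):
    """Split the inventory into hosts that must meet SP 800-171 and hosts that may be excluded."""
    domain = cui_domain(hosts, links)
    in_scope = sorted(domain)
    out_of_scope = sorted(set(hosts) - domain)
    return in_scope, out_of_scope


if __name__ == "__main__":
    flat_in, flat_out = scope_report(HOSTS, LINKS)
    print("flat network  in scope:", flat_in)
    print("flat network  excluded:", flat_out)

    # Put a firewall between the engineering workstation and the corporate
    # fileshare; the fileshare drops out of the CUI domain.
    segmented = add_boundary(LINKS, "eng-workstation", "corp-fileshare")
    seg_in, seg_out = scope_report(HOSTS, segmented)
    print("segmented     in scope:", seg_in)
    print("segmented     excluded:", seg_out)
```

Two caveats when using this kind of model in a real scoping exercise: the boundary device itself and its rule set are part of the CUI domain, not outside it, and a "protected" link only deserves that flag if the rules actually restrict traffic to what the CUI system needs, not merely because a firewall sits in the path.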
OMB Draft Guidance
On August 11, 2015, the Office of Management and Budget (OMB) issued draft guidance to bolster cybersecurity protections in federal acquisitions (Guidance).14 Like NIST SP 800-171, the OMB Guidance distinguishes between information systems operated by a contractor on behalf of the government and a contractor’s internal system used to provide a product or service for the government.15 However, unlike NIST SP 800-171, the OMB Guidance addresses both circumstances.
The OMB Guidance encourages the Federal Acquisition Regulatory Council to amend the Federal Acquisition Regulation (FAR) to include contract clauses that address the following five cybersecurity areas:
- Security Controls
For systems operated on behalf of the government, the Guidance generally requires that the systems meet NIST SP 800-53 and conform to the same processes as government systems. The Guidance further provides that a contractor’s internal information systems are generally subject to the requirements described in NIST SP 800-171.
- Cyber Incident Reporting
The OMB Guidance requires, at a minimum, that contractual language regarding cyber incident reporting:
- Provide a definition of “cyber incident” and identify the timeline for reporting;
- Describe the information required in a “cyber incident” report;
- Note that the report of a cyber incident does not, by itself, establish a deficiency in the contractor’s safeguards for CUI; and
- Identify government remedies should a contractor fail to report “cyber incidents” in accordance with the contract requirements.
For systems operated on behalf of the government, the Guidance also indicates that agencies must include contractual language requiring the reporting of all known or suspected cyber incidents involving the loss of confidentiality, integrity or availability of data to the agency’s Security Operations Center (SOC), the Contracting Officer (CO), the Contracting Officer’s Representative (COR), the Chief Information Security Officer (CISO), and the senior agency official for privacy (SAOP).
For contractors’ internal information systems, the Guidance indicates that agencies must include contractual language requiring the reporting of all cyber incidents—but only if they involve CUI in the system.
- Information System Security Assessments
For systems operated on behalf of the government, the OMB Guidance requires that agencies ensure certain safeguards and an Authority to Operate (ATO) are in place prior to operation of the system, following the process described in NIST SP 800-37. The Guidance also notes that agencies can consider independent assessments of the contractor’s system during an ATO process and when assessing whether the contractor meets applicable NIST standards.
The Guidance also requires that agencies obtain access to the contractor’s facilities, installations, operations, documentation, databases, IT systems, devices, and personnel used in performance of the contract to the extent required to conduct an inspection/audit, evaluation, investigation or preserve evidence of information security incidents. Agencies are also required to identify in a solicitation how contractors will be required to demonstrate that they meet NIST SP 800-171. The Guidance notes that, depending on the impact level of the information at risk, this demonstration may range from simple attestation of compliance to a detailed description of the system’s security and supporting test data.
The Guidance further requires that agencies include contract language requiring the contractor to certify the sanitization of government files and information from the system prior to contract closeout.
- Information Security Continuous Monitoring
For systems operated on behalf of the government, the OMB Guidance requires that agencies include contract language to ensure that the contractor-operated systems meet or exceed the information security continuous monitoring requirements identified in OMB M-14-03, and that the agency has the ability to perform information security continuous monitoring and IT security scanning of the contractor systems with tools and infrastructure chosen by the agency.
For contractors’ internal information systems, the Guidance requires compliance with the monitoring requirements of NIST SP 800-171.
- Business Due Diligence
The OMB Guidance notes that cybersecurity protections in federal acquisitions can be enhanced through the use of increased business due diligence to gain a greater understanding of contractor system security and risks. The Guidance directs GSA to create a business due diligence shared service to provide agencies with access to risk information drawn from voluntary contractor reporting, public records, and other publicly available data.
The comment period on the OMB Guidance closed on September 10, 2015, and publication of final guidance is expected before the end of 2015.
The recently released OMB Draft Guidance and the final version of NIST SP 800-171 provide significant detail and insight into the new cybersecurity requirements that will be applied to CUI residing in nonfederal information systems and organizations. In preparation for NARA’s 2016 FAR clause regarding the safeguarding of CUI, government contractors should examine the requirements of the OMB Draft Guidance and NIST SP 800-171 now and compare these requirements to their current information security architecture, practices and policies. In addition, contractors should watch carefully for efforts by federal government customers to impose these new requirements on existing and future contracts.