Government contractors should take note of a proposed new rule that could impose significant new data storage obligations when finalized. The Federal Government is taking another baby-step towards cybersecurity regulation with a proposed rule intended to standardize protocols relating to designating and safeguarding unclassified information that is to be withheld from public disclosure (also known as “controlled unclassified information” (“CUI”)). See 80 Fed. Reg. 26501 (proposing amendments to 32 CFR Part 2002). On May 8, 2015, the National Archives and Records Administration (“NARA”) published a proposed new rule that goes a long way in creating a standardized system intended to replace the litany of improvised CUI control markings that have been used by various Federal agencies and, unintentionally, hindered inter-governmental information sharing for decades. The effort, however, is more than a simple housekeeping exercise, the re-designation of CUI will also bring changes to the manner in which contractor-generated information residing on contractor-owned systems is stored and secured.
The long gestating process originates from Executive Order (“EO”) 13556, issuing a directive to make Government more transparent. This, in turn, resulted in NARA being charged as the CUI Executive Agent responsible for standardizing CUI handling throughout the Executive branch. NARA’s new effort under the proposed rule would standardize the more than 100 different markings currently used by agencies – which include markings such as “Sensitive But Unclassified” (SBU); “UNCLASSIFIED/FOUO” (For Official Use Only); “PARD” (Protect As Restricted Data), and many, many others – by consolidating the “patchwork system that failed to adequately safeguard information requiring protection, and unnecessarily restricted information-sharing.” 80 Fed. Reg. 26502. In line with that responsibility, NARA’s proposed rule would:Develop a publicly available CUI Registry to identify 23 discrete categories and 82 subcategories of CUI (g. “Controlled Technical Information,” “Critical Infrastructure,” “Emergency Management,” “Intelligence,” “Law Enforcement,” etc.); Standardize markings for CUI and mandate their use when disseminated outside the Government; Identify and establish the CUI de-control authority and process; and Require agencies to protect CUI using National Institute of Standards and Technology (“NIST”) Standards, including FIPS 199 and NIST Special Publication (“SP”) 800-53.
Now, the reason contractors should read and heed NARA’s proposed rule is because waiting in the wings is NIST SP 800-171. Published in April 2015, the final public draft of the NIST standard contains more than 100 security controls that, when finalized, will provide contractors with information security practices that should be employed when protecting CUI in “the contractor environment.”
Grouped into fourteen “families” of security requirements, NIST SP 800-171 describes the baseline contractors should meet when charged with protecting the confidentiality of CUI. These fourteen families include:Access control Awareness and training Audit and accountability Configuration management Identification and authentication Incident response Maintenance Media protection Personnel security Physical protection Risk assessment Security assessment System and communications protection System and information security
Within these families, NIST SP 800-171 would provide additional security requirements intended to assist contractors in the processing, storing, or transmitting of CUI. Of course, while NIST SP 800-171 will not be deemed (strictly speaking) as a “requirement” when it is finalized (expected in June 2015), NIST is encouraging Executive agencies to use it as a standard for protecting CUI until a rule is formally (and properly) propagated in the Federal Acquisition Regulations. And, regardless if it is employed as a standard by an agency, contractors can rest assured that NIST SP 800-171 will serve as the standard by regulators if a breach should occur, and the standard will likely be incorporated by reference in new contracts. As with so many things, even though the standards and proposed rules appear to apply to Government agencies, the requirements will flow down. And industry needs to be prepared to catch them.
While there are several practical takeaways contractors need to know about NARA’s proposed CUI rule, perhaps the biggest point is just how much the world of government contracting is being changed by cybersecurity concerns. There was a time when the Administrative Procedure Act (“APA”) developed and propagated regulations through formal rulemaking procedures. But the breakneck pace of cyber threats appear to be upending that system. And, particularly where you have situations like the recent cyber-attack on the IRS, Government agencies are feeling very, very exposed and very, very rushed. Granted, NARA is posting a rule for public comment in line with the APA. But, it took nearly five years to get out the door and contractors should note the trail of breadcrumbs in the rule leading to the non-APA processed NIST standards that have/will become the de facto standards by which contractors’ cybersecurity efforts will be judged and assessed. In more ways than one, NARA’s proposed rule to protect CUI is but a prologue to a new era of cybersecurity regulation and controls. What does the rest of the story look like? It is still being written – quickly. Please try to keep up.