Final NARA rule signals likely expansion of contractors’ obligations to safeguard controlled unclassified information

The US National Archives and Records Administration (NARA), on Wednesday, September 14, issued a final rule regarding Controlled Unclassified Information (CUI). See Controlled Unclassified Information, 81 Fed. Reg. 63,324 (Sept. 14, 2016) (to be codified at 32 C.F.R. Part 2002) (the final rule). Although not directly applicable to contractors, the final rule, effective November 14, 2016, sends a strong signal regarding what contractors and subcontractors who handle CUI can expect in terms of additional and significant safeguarding requirements associated with receipt and maintenance of CUI. Critically, publication of the final rule will enable the Federal Acquisition Regulatory Council (FAR Council) to move forward with a separate FAR rule addressing the implications of the new CUI regime on contractors that possess or maintain such information.

The final rule is the culmination of a nearly six-year process to replace the decentralized, and often ad hoc, agency-specific approaches to protecting unclassified, but sensitive, information. In an attempt to eliminate the confusion those approaches created, President Obama issued Executive Order 13556, Controlled Unclassified Information, 75 Fed. Reg. 68,675 (Nov. 4, 2010), establishing “an open and uniform program for managing information that requires safeguarding or dissemination controls.” The Order established the CUI program and designated NARA as the CUI Executive Agent (EA).

NARA first published a proposed version of the rule on May 5, 2015, in which it touted its objective of creating a uniform policy for agencies on designating, safeguarding, disseminating, marking and decontrolling CUI. We previously discussed the proposed rule. The final rule maintains the overall structure of the proposed rule, while providing key clarifications as to the operation of the new program.

The final rule defines CUI as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Based on this new definition, which differs from the definition previously contained in the proposed rule, an agency’s treatment of information as CUI may be mandatory or permissive, giving an agency the ability to designate information as CUI provided it is not expressly prevented from doing so. The final rule’s safeguarding standards require agencies to protect CUI “at all times in a manner that minimizes the risk of unauthorized disclosure while allowing timely access by authorized holders.” This includes the requirement for agencies to ensure that CUI is protected by “non-executive branch entities,” including private contractors.

The final rule formally provides for the creation and utilization of NARA’s CUI Registry, a central repository of all categories and subcategories of CUI. Pursuant to the final rule, the CUI Registry will address, among other things, the uniform level of protection required for each subcategory of information. The CUI Registry will establish two categories of CUI and associated levels of protection:

  • CUI Basic. The default set of standards authorized holders must apply to all CUI unless the CUI Registry annotates the CUI as “CUI Specified.”
  • CUI Specified. Agencies may impose additional, more robust, or different controls than those utilized for CUI Basic. CUI Specified may be more stringent or simply differ from CUI Basic. The CUI Registry states which laws and regulations include specific safeguarding or disseminating controls.

The final rule prohibits agencies from creating any separate control programs outside of NARA’s CUI regime and mandates that the CUI Registry become the definitive resource for mapping the legacy control categories to the newly recommended safeguarding controls. Although the CUI Registry is currently incomplete in a few areas, NARA intends to complete the CUI Registry by November 14, 2016, when the final rule becomes effective.

As a general matter, the final rule requires that authorized holders of CUI take “reasonable precautions” to guard against disclosure of CUI. At a minimum, reasonable precautions include:

  • Controlled environments to protect CUI from unauthorized access or disclosure;
  • Prevention of access or observation of CUI by unauthorized individuals;
  • Direct control of CUI by an authorized holder and protection with at least one physical barrier; and
  • Protection of CUI processed, stored or transmitted on federal information systems.

The CUI Basic and CUI Specified standards addressed in the final rule will rely upon the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171 as the source of these controls. According to the final rule, NIST SP 800–171 “defines the requirements necessary to protect CUI Basic on non-Federal information systems” and agencies “must use NIST SP 800–171 when establishing security requirements to protect CUI’s confidentiality on non-Federal information systems[.]” As we previously wrote, NIST SP 800-171 contains approximately 100 security controls drawn from minimum security requirements for contractors operating federal information systems.

The final rule confirms that contractors dealing with CUI will be required to comply with some subset of the standards outlined in NIST SP 800-171, depending upon the classification of the information maintained. A forthcoming FAR clause will apply CUI security controls to contractors.

Although the methodology for, and timeline associated with, the forthcoming FAR rule remain uncertain, the FAR Council, in drafting that rule, will look to NIST SP 800-171 as the source of any mandatory controls for CUI Basic and CUI Specified information as outlined in the CUI Registry. As a result, covered contractors should review these controls once the CUI Registry becomes active and begin thinking about how they might implement a program that addresses both CUI Basic and CUI Specified controls.