DHS Homeland Security Acquisition Regulation (HSAR) - CUI Rule

The United States Department of Homeland Security (DHS) plans to publish a final rule on safeguarding Controlled Unclassified Information (CUI) in in September 2022. Under development since 2017, this proposed rule is meant to modify Homeland Security Acquisition Regulation (HSAR) to compel DHS contractors to implement security and privacy measures to ensure CUI, such as Personally Identifiable Information (PII), is adequately safeguarded. Specifically, the proposed rule is intended to:

  • Define key terms;

  • Outline security requirements and inspection provisions for contractor information technology (IT) systems that store, process or transmit CUI, institute incident notification and response procedures; and

  • Identify post-incident credit monitoring requirements.

Background: Historical DHS Cyber Hygiene Clauses

In 2015, DHS incorporated "cyber hygiene" clauses into its contracts and agreements to require DHS contractor compliance with certain cyber standards and protections. DHS began a pathfinder effort in the summer of 2021 to advance a process for assessing industry compliance with cyber hygiene clause requirements. DHS is supposed to identify lessons learned and best practices coming out of early pathfinder work that illustrated the potential adverse impacts to the diverse small industry base supporting many DHS missions.  DHS's end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award.

As part of DHS' guidance on cyber hygiene practices on SAM.gov, DHS states the direction points to C-SCRM where its processes are designed to "establish a statistically viable assessment of overall cyber hygiene risk across DHS that will guide continued work towards an improved cyber posture and will aid in establishing the focus of future program development, including government-led assessments.  This process is again a critical step in our progress towards maturing our Cyber-Supply Chain Risk Management (C-SCRM) program and protecting the Homeland.

US National Archives & Records Administration - Authoritative CUI Program Governance

The Information Security Oversight Office (ISOO) of the US National Archives & Records Administration (NARA) is the authoritative body that is tasked with running the US Government's CUI Program. Per 32 CFR Part 2002, the Director of ISOO is responsible for the CUI Program and establishing CUI Program requirements for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI.

In 2020, ISOO published CUI Notice 2020-04, Assessing Security Requirements for CUI in Non-Federal Information Systems, and it is an important document that identifies minimum cybersecurity requirements to protect CUI across the Federal government. CUI Notice 2020-04 specifies:

  • NIST SP 800-171 as the baseline set of controls to protect CUI in non-federal systems and organizations; 

  • NIST SP 800-171A as the means to evaluate the effectiveness of tested controls; and

  • Federal agencies must take appropriate steps to minimize redundant and duplicative security inspections and audit activities.

Per the CUI notice, "NIST SP 800-171A is the primary and authoritative guidance on assessing compliance with NIST SP 800-171."

When you look at NIST SP 800-171, it does not easily map to all the common compliance frameworks, specifically NIST CSF or ISO 27001/2, since it is primary a subset of NIST SP 800-53 R4. This means that it is possible to address FAR 52.204-21 to protect Federal Contract Information (FCI) with NIST CSF or ISO 27001/2 but not NIST SP 800-171/171A or DFARS 252.204-7012, since those frameworks are insufficient "out of the box" to address those baseline cybersecurity requirements to protect CUI.

CUI vs FCI vs FAR vs DFARS requirements.jpg

When you look at NIST SP 800-171, it is a subset of NIST SP 800-53. This flowchart depicts the logic on ITAR, EAR, DFARS and FAR for protecting CUI across the US Government, both DoD and non-DoD agencies:

2022.1 - ITAR vs EAR vs CUI vs FCI cybersecurity control requirements.jpeg