On June 21, 2023, DHS published a final rule that amends the Homeland Security Acquisition Regulation (HSAR) both by removing and updating existing clauses and by adding new contract clauses that impose requirements for the safeguarding of Controlled Unclassified Information (CUI).  The final rule, first released in proposed form by DHS in January 2017, implements security and privacy measures to safeguard CUI and facilitates improved incident reporting to DHS.  DHS has said the new measures are “necessary because of the urgent need to protect CUI and respond appropriately when DHS contractors experience incidents with DHS information,” in light of “[p]ersistent and pervasive high-profile breaches of Federal information” in government contracts.

Below we summarize certain key requirements from the rule, consider how the new DHS rule may impact government contractors, and discuss best practices for contractors impacted by the rule.

Department of Homeland Security Final Rule on Safeguarding CUI

At a high level, the rule “strengthens and expands existing HSAR language to ensure adequate security when: (1) contractor and/or subcontractor employees will have access to CUI; (2) CUI will be collected or maintained on behalf of the agency; or (3) Federal information systems, which include contractor information systems operated on behalf of the agency, are used to collect, process, store, or transmit CUI.”  Government contractors should take particular note of the three DHS contract clauses covered by the rule and discussed in more detail below.

3052.204–71 Contractor Employee Access Clause

The first contract clause in the DHS rule concerns contractor employee access to CUI.  The clause is required in DHS contracts when contractor and/or subcontractor personnel require “recurring access to government facilities or access to CUI.”  In particular, “Contractor employees” working on contracts that incorporate the clause will be required to “complete such forms as may be necessary for security or other reasons, including the conduct of background investigations to determine suitability” and to submit such forms as directed by the contracting officer.  The contracting officer will have the authority to require the contractor to prohibit individuals from working on the contract if their participation is determined to be contrary to the public interest for any reason, including carelessness and incompetence.  Additionally, “[a]ll Contractor employees requiring recurring access to government facilities or access to CUI or information resources are required to have a favorably adjudicated background investigation prior to commencing work [on their respective contracts] unless this requirement is waived under departmental procedures.”  Additional security requirements apply where contractor employees need access to Federal information systems during contract performance.

The clause also contains a very broad non-disclosure prohibition stating that contractors “shall not disclose, orally or in writing, CUI for any other purpose to any person unless authorized in writing by the Contracting Officer.”  Given the continuing challenge that contractors (and the government) face in identifying which data relating to a contract qualifies as CUI, many contractors may default to taking an expansive view of what qualifies as CUI.  Moreover, this provision imposes training requirements addressing the protection and disclosure of CUI on contractor employees who will access CUI under the contract.  This training must take place no later than 60 days after contract award, with refresher training every two years.  Finally, this clause must be flowed down to all subcontractors “at any tier where the subcontractor may have access to government facilities, CUI, or information resources.”

3052.204–72 and ALT.1 Safeguarding of Controlled Unclassified Information Clause

The second contract clause imposes precautions that contractors must take to safeguard and properly handle CUI, incident reporting and response requirements, and a requirement to sanitize government and government-activity related files and information upon conclusion of the contract.  The base clause applies when contractor and/or subcontractor employees will have access to CUI, or when CUI will be collected or maintained on behalf of DHS.  The ALT 1 version of the clause applies to an information system that a contractor operates on behalf of DHS and that is used to collect, process, store, or transmit CUI.  Under the ALT 1 version of the clause, contractors cannot operate a system on behalf of DHS until they receive an authority to operate (ATO).

Regarding the handling of CUI, “Contractors and subcontractors must provide adequate security to protect CUI from unauthorized access and disclosure.”  In turn, the regulations define “Adequate security” to mean compliance with “DHS policies and procedures in effect at the time of contract award.”  Additionally, the clause prohibits contractors from maintaining Sensitive Personally Identifiable Information (SPII) in their invoicing, billing, or other recordkeeping systems.  The clause requires contractors to report known or suspected incidents involving Personally Identifiable Information (PII) or SPII within 1 hour of discovery, and other incidents within 8 hours of discovery.  It further specifies that CUI must only be transmitted via email through encrypted means or within secure communications systems.  The safeguarding requirements include a link to DHS policies and procedures in place at the time of award, which include numerous directives, handbooks, guidelines, and templates.  

Although HSAR 3052.204–72 addresses obligations of contractor employees who access CUI, it specifically reserves any statement as to security safeguards on nonfederal information systems that store, process, or transmit CUI, indicating that “[t]he rule is intentionally silent on the security requirements applicable to nonfederal information systems because NARA is working with the FAR Councils, in which DHS is a participant, to develop a FAR CUI rule that addresses the requirements nonfederal information systems must meet before processing, storing, or transmitting CUI.”  Instead, the clause formalizes certain processes where a contractor operates an information system on behalf of a federal agency that is used to store, process, or transmit CUI (i.e., a federal information system), including ATO procedures and continuous monitoring obligations.

3052.204–73 Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents Clause

The third, and final, contract clause relates to notification and credit monitoring requirements for PII.  After an incident involving PII or SPII occurs, the clause requires contractors to “notify any individual whose PII or SPII was either under the control of the Contractor or resided in an information system under control of the Contractor at the time the incident occurred” within 5 business days of being directed to do so by their Contracting Officer.  The rule presumably is targeting DHS employee PII or SPII that is “under the control of the Contractor” or “resid[es] in an information system under control of the Contractor”, rather than contractor employee information. 

The final rule will take effect thirty days after its publication in the Federal Register, on July 21, 2023.

Takeaways for Government Contractors

DHS’s new final rule is the most recent cybersecurity regulation at the federal level, and it explicitly recognizes that additional FAR rules are expected.  Its publication, however, highlights several important takeaways for those in the contractor community.

Employee Vetting Requirements.

The rule imposes stringent vetting requirements where contractor employees require access to CUI in performance of a DHS contract.  This is a broad requirement that could potentially impact a large portion of a contractor’s workforce where those employees perform work for DHS.  Additionally, the rule leaves open the possibility that vetting requirements may vary by contract.  Contractors should ensure that the costs of these efforts are appropriately built into their cost or pricing proposal.  Contractors should also develop a clear understanding of who within their workforce could potentially access CUI relating to a DHS contract (including third parties), and take steps to ensure that access is appropriately restricted to those employees unless they are read on to the contract.

Reporting Requirements.

The rule significantly shortens applicable incident reporting timelines as compared to other agencies.  For example, the Department of Defense requires contractors to report cybersecurity incidents within 72 hours of discovery.  As noted above, the DHS rule requires incidents to be reported within 8 hours of discovery, and incidents involving PII or SPII within 1 hour of discovery.  Contractors should accordingly take steps to revise their incident reporting policies appropriately to ensure that these timeframes are met.

Identification of CUI.

The significant safeguarding, incident reporting, training, and background investigation requirements imposed by this rule are all premised on contractors being able to determine which employees are accessing CUI, including which data the contractor generates during performance of a contract qualifies as CUI.  Effective communication both with the government and contractor employees will be necessary to ensure that contractors and the government are aligned on which data are CUI, thereby triggering some of these requirements.

Forthcoming FAR Rules.

This rule foreshadows the publication of three long-awaited FAR rules.  The first is a rule (FAR Case 2017-016) that would provide implementing regulations to address agency policies for “designating, safeguarding, disseminating, marking, decontrolling and disposing of CUI.”  As noted above, a common understanding of what data qualifies as CUI is the cornerstone to safeguarding the data and to recognizing when an incident occurs.  In addition, two other related FAR rules are expected to “standardiz[e] common cybersecurity contractual requirements across Federal agencies (FAR Case 2021-019),” and impose Executive Branch-wide requirements for reporting cyber incidents and sharing information about cyber threats (FAR Case 2021-017).  As of June 23, 2023, drafts of all three proposed rules had been sent to OIRA for final review before publication.  Contractors should continue to track the progress of these three key proposed rules, as they will supplement DHS’s new final rule and also impose common baseline cybersecurity requirements for all federal agencies.

Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Robert Huffman

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance, contract claims and disputes, and intellectual property (IP) matters related to U.S. government contracts.

Bob has leading expertise advising companies that are defending against investigations, prosecutions, and civil suits alleging procurement fraud and false claims. He has represented clients in more than a dozen False Claims Act qui tam suits. He also represents clients in connection with parallel criminal proceedings and suspension and debarment.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including cybersecurity, the Buy American Act/Trade Agreements Act (BAA/TAA), and counterfeit parts requirements. He also has extensive experience litigating contract and related issues before the Court of Federal Claims, the Armed Services Board of Contract Appeals, federal district courts, the Federal Circuit, and other federal appellate courts.

In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial items and services. He handles IP matters involving government contracts, grants, Cooperative Research and Development Agreements (CRADAs), and Other Transaction Agreements (OTAs).

Michael Wagner

Mike Wagner helps government contractors navigate high-stakes enforcement matters and complex regulatory regimes.

Combining deep regulatory knowledge with extensive investigations experience, Mr. Wagner works closely with contractors across a range of industries to achieve the efficient resolution of regulatory enforcement actions and government investigations, including False Claims Act cases. He has particular expertise representing individuals and companies in suspension and debarment proceedings, and he has successfully resolved numerous such matters at both the agency and district court level. He also routinely conducts internal investigations of potential compliance issues and advises clients on voluntary and mandatory disclosures to federal agencies.

In his contract disputes and advisory work, Mr. Wagner helps government contractors resolve complex issues arising at all stages of the public procurement process. As lead counsel, he has successfully litigated disputes at the Armed Services Board of Contract Appeals, and he regularly assists contractors in preparing and pursuing contract claims. In his counseling practice, Mr. Wagner advises clients on best practices for managing a host of compliance obligations, including domestic sourcing requirements under the Buy American Act and Trade Agreements Act, safeguarding and reporting requirements under cybersecurity regulations, and pricing obligations under the GSA Schedules program. And he routinely assists contractors in navigating issues and disputes that arise during negotiations over teaming agreements and subcontracts.

Ryan Burnette

Ryan Burnette advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national security related matters, including those matters that relate to federal cybersecurity and federal supply chain security. Ryan also advises on government cost accounting, FAR and DFARS compliance, public policy matters, and agency disputes. He speaks and writes regularly on government contracts and cybersecurity topics, drawing significantly on his prior experience in government to provide insight on the practical implications of regulations.

Emma Merrill

Emma Merrill is an associate in the firm’s Washington, DC office. She advises clients on a broad range of issues related to government contracting, including both regulatory and transactional matters. She maintains an active pro bono practice.