
On June 21, 2023, the Department of Homeland Security (DHS) issued a final rule amending the Homeland Security Acquisition Regulation (HSAR) by updating an existing clause (HSAR 3052.204-71) and adding two new contract clauses (HSAR 3052.204-72 and 3052.204-73) to address safeguarding of Controlled Unclassified Information (CUI).  The final rule is effective July 21, 2023.

The new clauses aim to improve privacy and security measures around CUI by introducing: (1) general CUI handling requirements; (2) authority to operate (ATO) requirements for federal information systems; (3) incident reporting requirements and activities; and (4) sanitization of government-related files and information. These new clauses move DHS away from the use of DHS-defined sensitive information and toward the government-wide CUI model.

3052.204-72: Safeguarding of Controlled Unclassified Information

  • Definition of CUI. The clause defines CUI as “information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls,” and specifies 11 categories and subcategories as examples of DHS-related CUI, including: Homeland Security Agreement Information, Homeland Security Enforcement Information, International Agreement Information for Homeland Security, Information Systems Vulnerability Information for Homeland Security, Operations Security Information, Personnel Security Information, Physical Security Information for Homeland Security, Privacy Information, and Sensitive Personally Identifiable Information.
  • Handling of Controlled Unclassified Information. The basic clause applies to all entities handling CUI, and it requires contractors and subcontractors to provide adequate security sufficient to protect CUI from unauthorized access and disclosure. Adequate security includes compliance with DHS policies and procedures in effect at the time of award.  The requirements of the basic clause “exist whenever CUI will be accessed or developed under a contract regardless of the type of information system involved in contract performance.”  However, DHS noted that an upcoming Federal Acquisition Regulation (FAR) CUI rule will address the specific information system security requirements for nonfederal information systems and therefore purposefully avoided rulemaking for such systems. 
  • Incident Reporting. Contractors are also subject to incident reporting and response requirements under the basic clause. Known or suspected incidents involving Personally Identifiable Information (PII) or Sensitive Personally Identifiable Information (SPII) must be reported within one hour of discovery, and all other incidents must be reported within eight hours of discovery.  The contractor must cooperate with any investigation or review and provide certain information to DHS regarding the incident. 
  • Sanitization Requirements. At the conclusion of the contract, the contractor must return all CUI to DHS or destroy it physically or logically as identified in the contract.  The contractor must then certify the sanitization of all government files and information in compliance with NIST SP 800-88, Guidelines for Media Sanitization.
  • Flow Down. The basic clause must be flowed down to all subcontractors that have access to CUI.

3052.204-72 Alternate I: Safeguarding for Federal Information Systems

The alternate clause to HSAR 3052.204-72 applies to federal information systems, which includes contractor information systems operated on behalf of DHS.  Alternate I and DHS responses to comments clarify that ATO requirements will only apply to contractors operating federal information systems that collect, process, store, or transmit CUI.  DHS also noted that agencies are responsible for determining when information systems are operated on their behalf.  In other words, DHS will determine whether a contractor information system is a federal information system requiring an ATO, though it is unclear whether DHS will do so in contract documents or by other means.

While federal contractors operating federal information systems were already required to meet NIST SP 800-53 security controls, the DHS ATO process includes documentation and assessment requirements that are not coextensive with SP 800-53.

Contractors that require an ATO must complete the DHS Security Authorization (SA) process by:

Impacted contractors must renew their ATO and update their SA package every 3 years, and they may be subjected to a government-conducted security review, carried out at the government’s discretion.

3052.204-73: Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents

HSAR 3052.204-73 applies to contracts and solicitations under which the contractor will have access to PII.  The clause requires contractors to notify any individual whose PII or SPII was under the control of the contractor or its information system at the time an incident occurred.  The method of notification must be approved by the Contracting Officer.  Additionally, the Contracting Officer may require contractors to provide monitoring services to the affected individuals.  The Contracting Officer may also require the contractor to set up a call center, establish Frequently Asked Questions, and provide information for affected individuals to contact customer service regarding the incident. 

Points of Consideration for DHS Contractors

Contractors who handle CUI pursuant to a DHS contract may consider:

  • examining current information handled under DHS contracts to determine if any information is newly considered CUI under the expanded definitions;
  • proactively engaging with DHS to determine whether any contractor information systems are considered federal information systems (i.e., operated on behalf of DHS) and thus subject to the ATO process; and
  • determining whether current CUI includes PII or SPII and therefore is subject to notification and credit monitoring requirements in the event of a cyber incident.
Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Nkechi Kanu

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

Maida Oringher Lerner

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.

Alexis Ward

Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity and Government Contracts groups, Alexis has assisted clients in matters including False Claims Act investigations; developing corporate policies, procedures and governance; and in diverse matters involving cybersecurity and data privacy compliance, risk assessment and mitigation, and incident response.

During law school, Alexis founded USC Gould’s Privacy and Cybersecurity Law Society and was on the board of OUTLaw. Alexis also worked as a teaching assistant for the graduate programs’ Information Privacy Law course. Her paper The Oldest Trick in the Facebook: Would the General Data Protection Regulation Have Stopped the Cambridge Analytica Scandal? was published by the Trinity College Law Review.