In January, we wrote about the new training requirement for employees who handle personally identifiable information (“PII”) or who build systems containing PII. On the same day that rule went into effect, Jan. 19, 2017, three related Department of Homeland Security (“DHS”) proposed rules were published in the Federal Register covering mandatory privacy training, information technology (“IT”) security awareness training, and the safeguarding of controlled unclassified information (“CUI”). Comments on all three proposed rules are due on Monday, March 20, 2017.

Here’s a brief synopsis of the proposed rules:

Training on Privacy and IT Security Awareness

The DHS proposed rules on privacy training and IT security awareness training would create mandatory flowdown clauses for subcontractors at all tiers. The privacy training proposed rule would mandate that all contractor and subcontractor employees who access a government system of records, handle PII or sensitive PII (“SPII”), or design, develop, maintain or operate a system of records on behalf of the government take a publicly accessible training course. The IT security awareness training proposed rule would require that all contractor and subcontractor employees to be given access to DHS information systems and resources complete a publicly accessible training course and sign the DHS rules of behavior (“RoB”). These proposed rules would require subject employees to complete the training and sign the RoB within 30 days of contract award and on an annual basis thereafter.

Safeguarding of Controlled Unclassified Information (“CUI”)

The DHS proposed rule on safeguarding of CUI, which would also be a mandatory flowdown to subcontractors at all tiers, would create some significant new requirements for DHS contractors. The most important contractor responsibilities outlined in the proposed rule are:

  • “Adequate Security.” Contractors will be responsible for providing “adequate security” of CUI. Unfortunately for hopeful bidders, the measure of “adequate security” required at the time of proposal submission and time of award may be different because the proposed rule states that the policies and procedures on the DHS website “in effect at the time of contract award” will govern.
  • New CUI Definitions. In addition to formally recognizing pre-existing CUI definitions listed on the CUI registry, the proposed rule defines five entirely new categories: Homeland Security Agreement Information, Homeland Security Enforcement Information, Operations Security Information, Personnel Security Information and Sensitive Personally Identifiable Information. Contractors who intend to perform contracts for the DHS in the future will need to be familiar with the extra types of information the DHS is adding under the proposed rule.
  • How to Obtain an Authority to Operate (“ATO”). Contractors seeking to operate a DHS information system containing CUI will be required to undergo testing, a third-party assessment, a security review and continuous monitoring to include regular reporting requirements. An ATO must be obtained from the DHS, at a minimum, every three years. In some cases, these information systems may be operated entirely by the contractor on behalf of the DHS.
  • Short Incident Reporting Deadlines. All contractors and subcontractors must report data breach or compromise incidents involving PII or SPII within one hour of discovery to the DHS and subsequently inform and, at the discretion of the contracting officer, provide 18 months of credit-monitoring services to affected individuals. (SPII, a subset of PII, is defined in the proposed rule.) Incidents not involving PII or SPII must be reported within eight hours of discovery.
  • No CUI in the Subject or Body of Any Email. CUI may only be communicated in an attachment compliant with FIPS 140-2 Security Requirements for Cryptographic Modules under the proposed rule.