The Department of Homeland Security (“DHS”) recently issued three new proposed cybersecurity regulations for DHS contractors which warrant careful attention. Although a freeze on new regulations by the Trump administration will likely delay any final agency action, and extensive comments and meaningful changes to any final rules are expected, these new regulations could radically impact the compliance landscape for DHS contractors. As with recent cybersecurity amendments to the Federal Acquisition Regulation (“FAR”) and Defense Federal Acquisition Regulation Supplement (“DFARS”) (which we’ve covered here and here), these proposed rules seek to impose more safeguarding, handling, reporting, and training requirements on covered contractors. We continue to see cybersecurity as a major business risk in the industry today, and recommend contractors pay close attention to their operational, technology, and risk management practices relating to cybersecurity. We highlight the key elements of the proposed rules below.
Three New Proposed Rules:
- CUI Safeguarding: This proposed rule is by far the most important of the three. We expect a considerable number of comments from the industry and other stakeholders, given the ambiguities in the rule and its projected financial impact. It would create a new clause in the Homeland Security Acquisition Regulation (“HSAR”), 204-7X, Safeguarding of Controlled Unclassified Information (“CUI”), that would replace the existing HSAR Clause 3052.204-70 (Security Requirements for Unclassified Information Technology Resources). The new clause would add:
  - Definitions and CUI handling requirements;
  - Authority to Operate requirements;
  - Incident reporting and response requirements;
  - Personally Identifiable Information (“PII”) and Sensitive PII (“SPII”) notification requirements;
  - Credit monitoring requirements;
  - Sanitization of Government and Government-Activity-related files and information requirements; and
  - Other reporting requirements.
The clause would also need to be flowed down to subcontractors involved in the collection, maintenance, or processing of CUI. Not unexpectedly, DHS projects this to bring major added compliance costs (potentially $1 million-plus per contractor). For example, the rule contemplates third-party validation of IT systems, which alone could cost contractors six-figure sums.
The proposed rule is available here.
- IT Awareness Training: DHS currently requires contractors to complete IT awareness training, and sign a “Rules of Behavior” agreement, before accessing DHS information systems and resources. The proposed rule would incorporate these requirements in the HSAR, and make required training publicly accessible through a DHS website. The proposed rule is available here.
- Privacy Training: As with IT awareness training, DHS contracts currently require contractor employees to complete privacy training before accessing a government system of records; handling PII or SPII; or designing, developing, maintaining, or operating a government system of records. This proposed rule would incorporate these obligations in the HSAR, and make required training publicly accessible through a DHS website. The proposed rule is available here.
At this time, comments on the proposed rules are due by March 20, 2017.
Even though some companies are well-prepared for the prospect of these and related rules, many are not prepared. These rules present obvious compliance obligations that will burden contractors for the foreseeable future. But hidden risks—compliance issues with subcontractors, reputational issues relating to cyber incidents, and the potential for litigation and investigations—are perhaps even greater threats. Government contractors ignore these risks at their own peril. So what can companies do? Work with their counsel and compliance professionals to regularly assess their cybersecurity posture.