Final CUI Rule Requires Contractors to Adopt Uniform Treatment of Confidential Information
The government has finalized a rule taking significant steps toward standardizing the treatment of non-classified sensitive United States government information by both executive agencies and government contractors.[1] The rule was published on September 14, 2016, by the Information Security Oversight Office (ISOO) of the National Archives and Records Administration (NARA).
Controlled unclassified information (CUI) is information held by the Federal Government which is sensitive but unclassified. It includes such broad categories of information as proprietary information, export-controlled information, and certain information relating to legal proceedings. Despite the recent public spotlight on government protection of sensitive data, until this rule there was no unified law governing the designation and safeguarding of CUI; instead, agencies used their own conventions.
The final rule, effective November 14, 2016, will govern the treatment of CUI by executive agencies and, through their agreements, by government contractors. Although the rule directly binds only federal agencies, it requires that all agency-written agreements (including contracts, grants, and licenses) with contractors that involve CUI include a provision requiring the handling of CUI in accordance with the final rule. A new FAR case will further implement this directive for federal contractors.
As described in Arnold & Porter's previous Advisory,[2] a draft version of this rule was released in May 2015 pursuant to Executive Order 13556, which instructed NARA to establish "an open and uniform program for managing [unclassified] information that requires safeguarding or dissemination controls."[3] The final rule does not make major changes from the draft; instead it aims to clarify and solidify the requirements set forth in the draft rule. Notably, the final rule contains revised definitions, clarifications regarding legacy markings, and details regarding the uniform handling requirements for CUI. NARA explained that although it received comments recommending both strengthening and loosening the controls on CUI, it declined to do either. The level of protection mandated in the final rule is designed to balance the competing purposes of protecting CUI and simplifying the authorized sharing of CUI.
Similar to the draft rule, the final rule defines CUI as an intermediate level of protected information between classified information and uncontrolled information. The CUI Registry[4] is to be the source and repository of all information, guidance, policy, and requirements on handling CUI once the new regime is fully implemented. The rule does not prohibit agencies from promulgating their own specific policies for marking or protecting CUI; in fact, agencies are responsible for establishing their own CUI Programs to implement the rule's requirements. However, any agency-specific policies cannot conflict with the rule or the handling and other requirements in the CUI Registry, so as to not undermine the stated goal of harmonizing treatment of CUI.
CUI is subject to both marking and handling restrictions. The markings listed in the CUI Registry are to be the only authorized markings for CUI. In order to implement the rule, agencies must not only begin to mark all new CUI in accordance with the markings specified on the CUI Registry, they must also remove all legacy markings (including FOUO, SBU, OUO, etc.).[5] There is a limited exception available for agencies with significantly large amounts of legacy material, when relabeling would be excessively burdensome on the agency. In such cases, the rule provides that legacy markings may remain so long as the information remains within the agency and is protected by alternative means. Should, however, that information ever be disseminated or re-used, it must be re-marked in accordance with the CUI Registry.
The requirements for handling of CUI depend on its marking. The rule divides CUI into two categories: CUI Basic and CUI Specified.
- CUI Basic includes all information with a general safeguarding or dissemination requirement. This information may be marked "CUI" or "Controlled." The rule subjects all CUI Basic to a uniform set of handling requirements published in the CUI Registry.
- CUI Specified includes protected information that is subject to specific restrictions found in law, regulation, or government-wide policy. These underlying authorities govern how the information must be handled, so CUI Specified controls may be more stringent than those for CUI Basic or may simply be different. The CUI Registry indicates which underlying authorities govern CUI Specified. Where these underlying authorities are silent as to certain aspects of the handling of CUI Specified, the CUI Basic standard applies.
Government contractors should familiarize themselves with the distinction between CUI Basic and CUI Specified information, and the markings and handling procedures for each, because contractors and other authorized holders of CUI will be responsible, through a forthcoming FAR clause, for handling CUI in compliance with the requirements of this rule and the CUI Registry. The rule's application to contractors imposes new potential liability. For example, the comments accompanying the rule explain:
If a contractor receives improperly marked CUI from an agency, the contractor is not responsible for having marked the CUI improperly, but the contractor could be responsible for knowing the types of CUI it receives from the agency pursuant to the contract, and for knowing which CUI Registry category the information falls into, the handling requirements for that type of CUI, and so forth. As a result, the contractor could, in some cases, also be held responsible for properly handling the CUI even if it is not marked properly when they receive it.
Finally, the rule makes a distinction between two types of systems that process, store, or transmit CUI: information systems "used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency"; and other systems that are not operated on behalf of an agency but that otherwise store, transmit, or process CUI. The rule explains that a system is operated "on behalf of" an agency if it "provides information processing services to the agency that the government might otherwise perform itself but has decided to outsource."
It is likely that the majority of contractor systems will fall into the latter category (i.e., systems that are not operated "on behalf of" an agency), as most contractor systems that process, store, or transmit CUI are used by the contractor for its own performance of the contract, not as an outsourced IT service for the government. One major exception to this generality, of course, would be systems operated by IT services contractors to the government, such as an outsourced email, website, or data storage system. For these systems, operated on behalf of the government, contractors will have to abide by whatever controls are required by the agency under that contract for the relevant systems. The rule provides that NIST SP 800-171[6] governs what controls are required for all other systems that process, store, or transmit CUI.
This distinction mirrors the structure of the "adequate security" requirement found in the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rules, which provides that defense contractors providing an IT service or system on behalf of the government are subject to whatever security terms are specified in that contract, while all other defense contractors handling Covered Defense Information are subject to NIST SP 800-171.[7] Thus, NIST SP 800-171 (which defense contractors have been assessing and implementing for some time) now governs all federal contractor systems that store, transmit, or process CUI (unless the contractor systems are operated on behalf of the government).
The rule becomes effective on November 14, 2016, and the release date of the corresponding FAR provision is yet to be determined. Until that time, contractors should carefully review the CUI handling requirements in their contracts and agreements, as well as the various types of CUI they are handling under existing contracts, and consider developing and revising internal controls to ensure compliance with the new rule. Contractors should also pay special attention to agency implementations of the CUI rule, as the mandate for agencies to design their own implementation programs could create some agency-specific requirements once the rule becomes effective. Finally, prime contractors should consider how the flowdown of CUI clauses to their subcontractors may affect subcontractor performance and how they will monitor subcontractor compliance.
[2] See Arnold & Porter Advisory, Proposed Rule Sets Agenda for Unified Treatment of Controlled Unclassified Information (June 25, 2016).
[3] See Press Release, White House, Executive Order 13556 -- Controlled Unclassified Information (Nov. 4, 2010).
[5] These acronyms refer to some of the more commonly used restrictions under the previous non-standardized systems for CUI: For Official Use Only (FOUO), Sensitive But Unclassified (SBU), Official Use Only (OUO).
[6] NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). Several other standards are incorporated by reference in the final rule: FIPS PUB 199 (Standards for Security Categorization of Federal Information and Information Systems), FIPS PUB 200 (Minimum Security Requirements for Federal Information and Information Systems), NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4), and NIST Special Publication 800-88 (Guidelines for Media Sanitization, Revision 1).
[7] See prior Arnold & Porter Advisories on this topic: Virtually All Federal Contractors Now Subject to "Basic Safeguarding" Cybersecurity Requirements (May 16, 2016); Department of Defense Publishes FAQs on DFARS Cybersecurity Interim Rule (Nov. 25, 2015); and Defense Contractors Subject to New Cybersecurity and Cloud Computing Regulations (Sept. 3, 2015).