The Department of Homeland Security (DHS) recently released a final rule (Final Rule), effective July 21, 2023, updating the Homeland Security Acquisition Regulation (HSAR) to include cybersecurity provisions aimed at safeguarding Controlled Unclassified Information (CUI) and facilitating improved incident reporting. This rule’s promulgation follows a recent trend and overall government-wide effort focused on strengthening our national security against bad actors and foreign adversaries. PilieroMazza recently blogged about some of those efforts, including the TikTok ban (here), new standardized cybersecurity obligations mirroring those in National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP 800-171) (here), and increased cyber requirements under certain Veterans Affairs’ procurements (here). Government contractors working on certain DHS contracts would be wise to familiarize themselves with notable requirements and reporting obligations arising from this Final Rule that could impact their bottom line. PilieroMazza addresses these items below in this client alert.

Contractor Employee Access

The Final Rule amends a pre-existing clause governing employee access to CUI. HSAR 3052.204-71 is used when contractor or subcontractor employees require recurring access to a government facility or CUI. Previously, this clause was used when contractors required recurring access to government facilities or sensitive information. This clause generally maintains the status quo. Indeed, many of the obligations imposed under the clause are the same as its previous version (September 2012), including employees needing to complete security forms, be fingerprinted, and have favorable background investigations prior to commencing work. However, the clause does make some notable changes.

First, the new clause imposes increased training requirements. While contractor employees subject to this clause previously had to complete trainings regarding protecting sensitive information “both during and after contract performance;” now, initial trainings shall be conducted within 60 days after contract award and every two years thereafter.

Second, the new clause expands the scope of CUI to include some DHS-specific categories. The clause defines CUI using its regulatory definition (32 C.F.R. § 2002.4(h)), plus some categories (and subcategories) not previously included in the CUI registry, such as: (i) Homeland Security Agreement Information, (ii) Homeland Security Enforcement Information, (iii) Operations Security Information, (iv) Personnel Security Information, and (v) Sensitive, Personally Identifiable Information (PII) (collectively, SPII).

Safeguarding CUI and Reporting Cyber Incidents

The Final Rule also creates a new clause imposing safeguarding and reporting obligations. HSAR 3052.204-72 is used where the contractor or subcontractor employees will have access to CUI, or CUI will be collected or maintained on behalf of the agency. This clause imposes a host of requirements (both old and new) on contractors with access to CUI.

First, prime contractors and subcontractors must provide adequate security to protect CUI, implementing protections commensurate with the risk associated with unauthorized access. In addition, contractors cannot maintain SPII in their invoicing, billing, or other recordkeeping systems maintained to support financial or other administrative functions. SPII is an individual’s name (or other unique identifier) combined with one other piece of information such as date of birth, citizenship status, or sexual orientation.

Second, the reporting requirements focus on known or suspected incidents, defined broadly as occurrences that actually or imminently jeopardize the integrity, confidentiality, or availability of information, or a violation of (or threat to) the law or a security policy. The Final Rule clarified that its scope focuses on federal information systems and thus, NIST SP 800-171 is not implicated.

As noted above, the clause sets aggressive reporting requirements with timelines significantly shorter than the 72-hours allowed by the Department of Defense. These reporting obligations include a duty to report:

  • all known or suspected incidents involving PII or SPII within 1 hour of discovery;
  • any and all additional relevant information if an incident involves PII and SPII within 24 hours of the initial incident report; and
  • all other incidents within 8 hours of discovery.

These reporting obligations also apply to companies further down the supply chain. Subcontractors are required to notify the agency and their prime contractor. Lower-tier subcontractors are also required to notify their higher-tier subcontractor until the prime contractor is reached.

Third, the clause clarifies a contractor’s obligation in obtaining an Authority-to-Operate (ATO). After many comments to the Proposed Rule focused on the ATO requirements, DHS made revisions and placed them within the Alternate I version. Alternate I is only to be inserted when a contractor is operating a federal information system (including a contractor information system operated on behalf of the agency). The obligations in the basic version of the clause will continue to apply to contractors, irrespective of what type of information system they are operating, as well as when information systems are not being used and only paper documents are available.

Notification and Credit Monitoring

The Final Rule’s other new clause, HSAR 3052.204-73, imposes third-party reporting obligations on contractors, particularly when an incident occurs on a system that includes PII or SPII. Broadly speaking, contractors must notify individuals whose PII or SPII was either “under the control of the Contractor or resided in an information system under control of the Contractor at the time the incident occurred” within 5 days after being directed to by the Contracting Officer. The Contracting Officer also may require that the contractor provide credit monitoring services to those individuals for no less than 18 months. The Final Rule does note that these reporting requirements are some of the largest contributors to the estimated costs for contractors in implementing the obligations, policies, and procedures stemming from these three clauses.

Key Takeaways

  • Federal Information System vs. Non-Federal Information System. Knowing the difference between the two, and whether a system is being operated “on behalf of the agency” will make-or-break a significant amount of costs the agency estimates are associated with this Final Rule. Obtaining an ATO, and retrieving an independent assessment, will apply if the Alternate I version of HSAR 3052.204-72 is incorporated into the contract. Significantly, a majority of the generic safeguarding policies contractors will need to follow are present in the basic clause, which is applicable regardless of what information system you are working on or handling. 

  • Flowing Down Requirements. Contractors and subcontractors alike performing on DHS contracts who handle CUI, PII, or SPII should be prepared to comply with safeguarding requirements, as well as incident reporting deadlines as outlined above. All lower-tier subcontractors, regardless of how many tiers below, will be expected to comply with the relevant clauses if and when flowed down.

  • NIST SP 800-171 Left Out. A number of comments asked DHS to clarify the applicability of NIST SP 800-171 to the Final Rule. As the agency noted, NIST SP 800-171 is only applicable in certain circumstances, not as it relates to contractors handling or operating federal information systems. Thus, because the Final Rule applies specifically to federal information systems and is “intentionally silent on the security requirements applicable to nonfederal information systems,” NIST SP 800-171 does not play a role in DHS’ rulemaking here.

  • Short Turn-Around for Cyber Incident Reporting. Consistent with the trend seen in the VA’s agency-specific cybersecurity regulations, the new DHS rules impose harsh disclosure obligations requiring contractors to report incidents within hours.

If you have questions about the above HSAR requirements and how to prepare for compliance with them, or any other cybersecurity questions, please contact Kevin Barnett and Daniel Figuenick, the authors of this client alert, or another member of PilieroMazza’s Government Contracts or Cybersecurity & Data Privacy practice groups.