May 11, 2015
The National Archives and Records Administration (“NARA”) published a proposed rule on Friday that would establish a government-wide policy related to controlled unclassified information (“CUI”). See 80 Fed. Reg. 26501. The proposed rule would establish policies for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI. Most important for contractors, these extensive additional requirements could soon start infiltrating government contracts for which CUI is provided or created.
Executive Order (“EO”) 13556, dated November 4, 2010, established the CUI Program, with NARA as the CUI Executive Agent. NARA’s charter is to standardize the way CUI is handled throughout the federal government. Consistent with the EO, the proposed rule would formalize the program and, along with NARA’s CUI Registry, establish a comprehensive government-wide program to standardize CUI handling by federal agencies. The proposed rule, among other things, would create a uniform marking requirement for CUI and require agencies to protect CUI using standards promulgated by the National Institute of Standards and Technology (“NIST”), including FIPS 199 and NIST Special Publication (“SP”) 800-53.
While the proposed rule is largely focused on agency requirements, the CUI requirements will impact contractors in a number of different ways:
- Agencies would be required to include NARA’s CUI requirements from the proposed rule in “all contracts that require a contractor to handle CUI for the agency.”
- Agencies would be encouraged to enter into formal information-sharing agreements with contractors that would require contractors to comply with NARA’s CUI requirements. Alternatively, agencies would be required to communicate to contractors that the government “strongly encourages” contractors to protect CUI consistent with NARA’s CUI requirements.
- NARA and NIST are planning to finalize and adopt NIST SP 800-171, published in April 2015, which contains more than 100 security controls for protecting CUI in nonfederal information systems and organizations.
- NARA is planning to promulgate a FAR clause to apply the requirements of NARA’s proposed rule and the final version of NIST SP 800-171 to contractors.
The proposed rule is yet another shot across the bow of contractors and subcontractors, many of which are still working to comply with the requirements of the DFARS Unclassified Controlled Technical Information (“UCTI”) clause, 252.204-7012. NARA’s proposed rule does not discuss how these new CUI requirements are to be harmonized with existing requirements, nor does it explain why its proposed CUI requirements are more stringent than those adopted by the DOD in its version of the UCTI clause.
The new CUI regime, if adopted, will have important consequences for contractors, including imposing significant safeguarding requirements related to CUI that were not previously required. Comments on the proposed rule are due on July 7, 2015.