A new FAR rule over controlled, unclassified information is on the way

Controlled, unclassified information. That’s most of the information the government generates. It’s known as CUI. The Federal Acquisition Regulation council is considering new rules for CUI. Haynes Boone procurement attorney Dan Ramish joined the Federal Drive with Tom Temin to discuss CUI and the possible new rules.

Interview transcript:

Dan Ramish Tom, I think it’s fair to say that many government operations across the government are being affected by some of the events of the transition. But, I think it is also clear that the Trump administration values cybersecurity. Cybersecurity Maturity Model Certification 1.0 was actually rolled out under the first Trump administration. So cyber should be an expected priority under the new administration. So this may not go forward on the timeframe that we currently expect, but it should be expected to proceed under the new administration.

Tom Temin All right. And what is the goal of this new rule and what would it require of contractors?

Dan Ramish So, Tom, there are really three major things in this rule. One of them is establishing government-wide standardized cybersecurity requirements for information systems with CUI. And that piece is modeled on DOD’s provisions under DFARS 252.204-7012 for safeguarding covered information systems. The second piece is requirements for handling CUI independent of cybersecurity. So this is things like marking and training and requiring notice to the government of CUI that’s unmarked, mismarked or unidentified. And then the third major thing is creating a new uniform way for the government to communicate what information under a contract is CUI and how it’s required to be safeguarded. And that’ll be accomplished through a new form. SF XXX is how it’s referred to; it’ll get a number when the final rule is issued.

Tom Temin So a significant burden or activity for contractors that are handling CUI, which is a lot of contracts.

Dan Ramish It will impact a lot of contractors. Now, on the DOD side, as we say, there is an implementation of the NARA CUI rules already with the DFARS 7012 clause, as it’s referred to, 252.204-7012. For civilian agencies, DHS has a more developed approach to handling contracts with CUI, but other civilian agencies have a more ad hoc approach, and so this new proposed rule would create some common standards across the government, which would then be supplemented for certain specific agency needs and particular types of CUI.

Tom Temin And does it, though, require specific controls to be in place on contractor information systems similar to the CMMC side for DOD contractors?

Dan Ramish It does. So it relies on the same standard NIST requirements. So for nonfederal information systems, that’s NIST Special Publication 800-171, and currently they’re proceeding with revision 2. Now there has been a revision 3 that’s been issued, but at least the proposed rule for the time being would stick with revision 2, which is also what DOD is doing with CMMC.

Tom Temin And what is the status of the rule right now? Where is it in the rulemaking stages?

Dan Ramish So the proposed rule was issued January 15th and comments will be due on March 17th.

Tom Temin Right. So DOGE, et cetera, hasn’t come around for that so far as we know.

Dan Ramish No. And I think, as I say, I don’t think that the new administration has different policy priorities. They may have their own approach to tweaking the rule, but I think we can expect that this will remain a priority for them.

Tom Temin We’re speaking with Dan Ramish. He’s a procurement attorney with Haynes Boone. And what does industry say about this? Is it something they want to oppose? I mean, CMMC got a lot of resistance because of the cost of implementing it. And what about that? And what are your clients saying about it?

Dan Ramish I think it is fair to say that there are concerns about the costs of implementing the required cybersecurity controls and potentially those requirements acting as a deterrent for participation in the government market. This is particularly a concern when it comes to small businesses that have fewer resources to implement these requirements. But the reality is, there’s no good way of addressing it. Certainly small businesses are equally a target of foreign nation states and non-state actors that want to do harm and get access to sensitive government information. So, the federal government has time and again found that although they acknowledge that this is a burden for small businesses and they’re looking at different ways to help reduce that burden, it’s still important that small businesses implement controls so that the information at the end of the day is protected.

Tom Temin And I wonder if any of the comments run to the fact that a contractor, say a small business or middle-sized business could be a contractor to both DOD and civilian agencies. And if they come under CMMC, would that be good enough to meet the rules requirements of the new CUI rule for the civilian side? So you don’t have to have redundant activities to achieve the same thing?

Dan Ramish Yes. So the cybersecurity requirements are modeled after the DOD implementation of the NARA CUI rule. So the intent is not to increase the cybersecurity requirements or create redundancies, although there will be some little kinks in terms of aligning the requirements specific to agencies with the government-wide requirements.

Tom Temin And your reading of the rule, what needs to be done to make it worthy of being a final rule at this point? Because sometimes these things are a little bit rough-hewn when proposed.

Dan Ramish So one of the concerns that many commentators raised is the aggressive notice requirement for notice of CUI incidents. There’s a proposed eight-hour notice requirement. And that contrasts with the DOD requirement of 72 hours under the DFARS 7012 clause. So a much faster notice requirement, which is frankly unrealistic. And underscoring this, the proposed rule actually says that it may take contractors four hours to prepare the incident report. So there’s really no acknowledgment that this is unrealistic. And actually, GAO did a study in 2022 that found that even with the 72 hours, many contractors were not meeting it consistently. And it’s just difficult to collect the information that’s necessary, that would be useful to the federal government in understanding an incident, within that time frame. So I would look for that piece to be updated.

Tom Temin And that’s what people are saying. In other words, in the comments coming in so far, they’re saying, what, are you crazy, eight hours? Give us at least three days. Maybe they don’t put it in that language, but that’s what they’re asking for.

Dan Ramish Yes, that is one of the major comments. Two other items that struck me in reviewing the rule. One of them relates to protection of contractor computer software and trade secrets. So the proposed rule would in some cases allow contracting officers to release contractor proprietary information if he or she isn’t persuaded that the designation is justified. And this relates to some of the requirements in the proposed rule for contractors to make sure that they’re marking contractor attribution information and proprietary information and bid and proposal information, source selection information. But the potential for release is concerning. And the proposed rule doesn’t, in my view, sufficiently cover contractor proprietary computer software. It only mentions technical data and says that the contracting officer has to follow the procedures for validation of technical data markings. But it doesn’t acknowledge other potential contractor rights to object to having proprietary information released, including the rights they would have under FOIA exemption 4. So I hope that the Federal Acquisition Regulation council will fix that when they finalize the rule.

Tom Temin Right, so that everything inside a contractor’s systems is not laid bare for every competitor to take a look at.

Dan Ramish Absolutely. It’s really important. And in fact, there are statutes in place that prevent federal employees from releasing contractor trade secrets. So having a little bit better treatment on that subject would be a priority for me. And then one other item is addressing the potential for overmarking. So I think many federal contractors have experience that agencies are sometimes prone to marking information as CUI that really isn’t CUI. And as we talk about the burden on contractors associated with complying with cybersecurity and now complying with handling requirements and training and so forth, it’ll be really important to have a defined mechanism for each agency to handle challenges if a contractor receives information that is marked as CUI but doesn’t believe that it’s properly designated as CUI. And the NARA regulations at 32 CFR § 2002.50 do provide for federal agencies to have a process for challenging CUI. But that’s an area that the proposed rule on CUI here hasn’t further developed.

Tom Temin All right. So March 17th again is the deadline for comments.

Dan Ramish Yes, this will be a big one.

The post A new FAR rule over controlled, unclassified information is on the way first appeared on Federal News Network.