DHS publishes final rule updating controlled unclassified information requirements for federal systems

The U.S. DHS (Department of Homeland Security) issued a final rule to amend the Homeland Security Acquisition Regulation (HSAR) to modify a subpart, remove an existing clause and reserve the clause number, and update an existing clause. The agency will also add two new contract clauses to address requirements for the safeguarding of Controlled Unclassified Information (CUI). 

The final rule puts security and privacy safeguards in place to protect CUI and enable better incident reporting to DHS. These measures are required because of the urgent need to protect CUI and to respond appropriately when DHS contractors experience incidents involving DHS information.

“The purpose of this final rule is to implement security and privacy measures to safeguard CUI and facilitate improved incident reporting to DHS. This final rule does not apply to classified information,” according to a notice published Wednesday in the Federal Register. “These measures are necessary because of the urgent need to protect CUI and respond appropriately when DHS contractors experience incidents with DHS information. Persistent and pervasive high-profile breaches of Federal information continue to demonstrate the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts.” 

The final rule comes into effect 30 days after the date of publication in the Federal Register. 

DHS published a notice of proposed rulemaking (NPRM) in the Federal Register on Jan. 19, 2017, to implement adequate security and privacy measures to safeguard CUI from unauthorized access and disclosure and facilitate improved incident reporting to DHS. 

Fourteen respondents submitted public comments in response to the proposed rule, the notice said. “This final rule incorporates the reasoning of the proposed rule except as reflected elsewhere in this preamble. DHS reviewed the public comments in the development of the final rule. A certain number of the comments received were outside the scope of the rule,” it added. 

The final rule strengthens and expands existing HSAR language to ensure adequate security when contractor and/or subcontractor employees will have access to CUI; CUI will be collected or maintained on behalf of the agency; or federal information systems, which include contractor information systems operated on behalf of the agency, are used to collect, process, store, or transmit CUI. 

Specifically, the final rule identifies CUI handling requirements and security processes and procedures applicable to federal information systems, which include contractor information systems operated on behalf of the agency. It also identifies incident reporting requirements, including timelines and required data elements, inspection provisions, and post-incident activities, and requires certification of sanitization of government and government-activity-related files and information. 

Lastly, the rule requires contractors to have in place procedures and the capability to notify and provide credit monitoring services to any individual whose Personally Identifiable Information (PII) or Sensitive PII (SPII) was under the control of the contractor or resided in the information system at the time of the incident. 

The notice outlined that the final rule will apply to DHS contractors that require access to CUI, collect or maintain CUI on behalf of the Government, or operate federal information systems, which include contractor information systems operating on behalf of the agency, that collect, process, store, or transmit CUI. 

“DHS estimates the final rule will have an annualized cost that ranges from $15.32 million to $17.28 million at a discount rate of 7 percent and a total 10-year cost that ranges from $107.62 million to $121.37 million at a discount rate of 7 percent,” the notice said. “The primary contributors to these costs are the independent assessment requirement and reporting and recordkeeping requirements. There are additional small, quantified costs from rule familiarization and security review processes.”

DHS was unable to quantify the costs associated with incident reporting requirements, PII and SPII notification requirements, and credit monitoring requirements, so these are discussed qualitatively, the notice said. “DHS was unable to quantify the cost savings or benefits associated with the rule. However, the final rule is expected to produce cost savings by reducing the time required to grant an ATO, reducing DHS time reviewing and reissuing proposals because contractors are better qualified, and reducing the time to identify a data breach.”

The final rule also produces benefits by better notifying the public when their data are compromised, requiring the provision of credit monitoring services so that the public can better monitor and avoid costly consequences of data breaches, and reducing the severity of incidents through timely incident reporting.

The DHS move comes amid reports last week that multiple local, state, and federal agencies were targeted by hackers exploiting the MOVEit Transfer vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) re-released on Friday an earlier cybersecurity advisory reporting that the CL0P ransomware gang is exploiting a previously unknown SQL (structured query language) injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution, MOVEit Transfer. The agency updated the document to remove old Fortra GoAnywhere campaign IP addresses and to add new IP addresses.
