DHS CUI Provisions Would Deviate from the Federal Standard

(March 24, 2017 – Jarret Cummings) EDUCAUSE joined the Council on Government Relations (COGR), the Association of American Universities (AAU), and the Association of Public and Land-grant Universities (APLU) in comments about the U.S. Department of Homeland Security’s (DHS’s) proposed new contract provisions on controlled unclassified information (CUI).

The proposed provisions are intended, at least in part, as the DHS implementation of the final CUI regulations established by the National Archives and Records Administration (NARA) pursuant to a 2010 executive order. That order mandated the standardization of CUI requirements across federal agencies and charged NARA with developing and managing the necessary regulatory structure. NARA subsequently established government-wide CUI regulations based on NIST SP 800-171, the guidelines developed by the National Institute of Standards and Technology (NIST) for protecting CUI in non-federal systems, and worked with agency representatives to establish a definitive registry [https://www.archives.gov/cui/registry] of federal CUI categories, markings, and controls.

Unfortunately, as AAU, APLU, COGR, and EDUCAUSE found, DHS appears to have proposed a custom version of CUI requirements for its contractors. If incorporated as part of the “Homeland Security Acquisition Regulation (HSAR),” the proposed provisions would undermine NARA’s uniform approach to the CUI requirements that federal grant and contract recipients generally must follow:

Our associations remain concerned about the implications of the compliance requirements for protecting Controlled Unclassified Information (CUI) in non-Federal information systems such as those operated by our member institutions…. Unfortunately, the proposed HSAR 2015-001 rule appears to confuse rather than clarify the applicability of government security requirements applicable to CUI. Many of the proposed new categories of CUI set forth by DHS in the proposed rule do not correspond to categories in the NARA CUI Registry. This conflicts with the standardized approach established by Executive Order 13556 as implemented by the NARA Final Rule on CUI (81 FR 63323).

The letter goes on to cite other concerns, such as DHS’s failure to clearly distinguish between when the security requirements for information systems run by or for federal agencies (see the Federal Information Security Management Act, or FISMA) apply, and when the guidelines for CUI held by grantees or contractors in non-federal systems (see NIST SP 800-171) apply. The main new problem that DHS could create, however, would be to open the door for other federal agencies to customize their approach to supposedly “uniform” requirements:

As the initial agency acquisition regulation issued subsequent to the NARA rule, we believe that the inconsistency in the HSAR rule with the NARA CUI rule will set an unfortunate precedent…. Failure on the part of DHS, or for that matter, any agency to adhere to policies consistent with the NARA rule will result in undue burdens and unnecessary costs for our member institutions. This also is inconsistent with current efforts launched by this administration to reduce undue and excessive government regulations.

Thus, the associations asked DHS to revise its proposed CUI provisions to ensure alignment with NARA regulations. In particular, we noted that we may not agree with all of 800-171 or NARA’s requirements, but returning to highly variable agency approaches would be even more counterproductive. EDUCAUSE will continue to share information about this and other CUI developments with members as they evolve, including our work with the higher education community to limit potentially negative outcomes.

Jarret Cummings is the Director of Policy and Government Relations for EDUCAUSE.