On Jan. 3, 2017, we wrote about the new training requirement for employees who handle personally identifiable information (“PII”) or who build systems containing PII. On the same day that rule went into effect, Jan. 19, 2017, three related Department of Homeland Security (“DHS”) proposed rules were published in the Federal Register covering mandatory privacy training, information technology (“IT”) security awareness training, and the safeguarding of controlled unclassified information (“CUI”). Comments on all three proposed rules are due March 20, 2017.
Each of the DHS proposed rules are detailed below, along with the information we first provided on Jan. 3 on the PII privacy training final rule.
Privacy / IT Security Awareness Training
The DHS proposed rules on privacy training and IT security awareness training would create mandatory flowdown clauses for subcontractors at all tiers. The privacy training proposed rule would mandate that all contractor and subcontractor employees who access a government system of records, handle PII or sensitive PII (“SPII”), or design, develop, maintain or operate a system of records on behalf of the government take a publicly accessible training course. The IT security awareness training proposed rule would require that all contractor and subcontractor employees to be given access to DHS information systems and resources complete a publicly accessible training course and sign the DHS rules of behavior (“RoB”). These proposed rules would require subject employees to complete the training and sign the RoB within 30 days of contract award and on an annual basis thereafter.
Safeguarding of CUI
The DHS proposed rule on safeguarding of CUI, which would also be a mandatory flowdown to subcontractors at all tiers, would create some significant new requirements for DHS contractors. The most important contractor responsibilities outlined in the proposed rule are:
- “Adequate Security.” Contractors will be responsible for providing “adequate security” of CUI. Unfortunately for hopeful bidders, the measure of “adequate security” required at the time of proposal submission and time of award may be different because the proposed rule states that the policies and procedures on the DHS website “in effect at the time of contract award” will govern.
- New CUI Definitions. In addition to formally recognizing pre-existing CUI definitions listed on the CUI registry, the proposed rule defines five entirely new categories: Homeland Security Agreement Information, Homeland Security Enforcement Information, Operations Security Information, Personnel Security Information and Sensitive Personally Identifiable Information. Contractors who intend to perform contracts for the DHS in the future will need to be familiar with the extra types of information the DHS is adding under the proposed rule.
- How to Obtain an Authority to Operate (“ATO”). Contractors seeking to operate a DHS information system containing CUI will be required to undergo testing, a third-party assessment, a security review and continuous monitoring to include regular reporting requirements. An ATO must be obtained from the DHS, at a minimum, every three years. In some cases, these information systems may be operated entirely by the contractor on behalf of the DHS.
- Short Incident Reporting Deadlines. All contractors and subcontractors must report data breach or compromise incidents involving PII or SPII within one hour of discovery to the DHS and subsequently inform and, at the discretion of the contracting officer, provide 18 months of credit-monitoring services to affected individuals. (SPII, a subset of PII, is defined in the proposed rule.) Incidents not involving PII or SPII must be reported within eight hours of discovery.
- No CUI in the Subject or Body of Any Email. CUI may only be communicated in an attachment compliant with FIPS 140-2 Security Requirements for Cryptographic Modules under the proposed rule.
New Mandatory Privacy Training Requirement (Effective Jan. 19, 2017)
In addition to the DHS proposed rules governing PII, there are also new privacy training requirements for certain federal contractors performing under contracts for other agencies.
After more than five years since the proposed rule in 2011, the Federal Acquisition Regulatory Council gave federal contractors a surprise holiday gift this year — a new FAR clause mandating privacy training for certain contractor employees. Under FAR 52.224-3, Privacy Training, contractors are responsible for ensuring that initial privacy training, and annual privacy training thereafter, is completed by their employees who:
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise handle personally identifiable information on behalf of an agency; or
(3) Design, develop, maintain or operate a system of records.
The clause defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” The required privacy training must cover the following:
(i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the act.
(ii) The appropriate handling and safeguarding of personally identifiable information.
(iii) The authorized and official use of a system of records or any other personally identifiable information.
(iv) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise access personally identifiable information.
(v) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling or use of personally identifiable information.
(vi) The procedures to be followed in the event of a suspected or confirmed breach of a system of records or the unauthorized disclosure, access, handling. or use of personally identifiable information (see OMB guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).
While contractors will generally be able to develop their own training or obtain the training from any source, in some instances an agency may choose to utilize FAR 52.224-3 Alternate I, which allows the agency to make its own training the only acceptable source. Contractors must also maintain records indicating trainings for each subject employee are up-to-date and make those records available to the contracting officer upon request.
This is a wide-reaching rule. FAR 52.224-3 is a mandatory flow down clause and applies to all contracts and subcontracts involving access to a system of records. This includes commercial item contracts, contracts below the simplified acquisition threshold ("SAT") and contracts for commercially available off-the-shelf ("COTS") items.