It only took six years. But now the Homeland Security Department has new regulations covering how contractors must handle CUI, controlled unclassified information better get ready. They go into effect later this month. Here with what you need to prepare,  Federal Drive Host Tom Temin guest Holland & Knight attorney Eric Crusius.

Interview Transcript:

Tom Temin Thanks. And I guess these rules have been a long time in preparation. But the surprising thing about them is everyone expected them to be connected to the standards developed by NIST under 800 171   special publication, which is in the midst of revision right now. But that’s not really the case, is it?

Eric Crusius No. DHS went in a completely different direction. They explain why in the rules they’ve done that, but they’re really focusing on the standards that they’ve been developing and have developed. So the interesting thing is this regulation is a little new where it’s doing something that the first CMMC rule did and also the rule about vaccine mandates did. And it’s pointing to a website and I don’t know if that’s consistent with the Administrative Procedures Act. We’ll see if somebody wants to argue that in court. But it points to a website and the website will have all the standards that contractors have to comply with. And DHS says in the lead up to the rule in the document that they put out, that those standards are currently undergoing revision. So a contractor conceivably will have to comply with a different standard from one day to the next because the standards are being revised right now. But you’re right, they went on to a different direction, didn’t use 800 171, which was a little surprising.

Tom Temin Well, did they use standard rulemaking? That is to say that they get comments. Do they get back with comment? I mean, over six years. Some of the comments are probably obsolete. So in that sense, they did follow the Administrative Procedures Act.

Eric Crusius Yes. They went through the whole notice and comment period and they got comments. And you’re right, some of the comments were obsolete. The thing that I’m kind of concerned about is that the rule is going to change over time without going through notice and comment period, because that website is going to link to standards that change. So contractors who have requirements right now, those requirements could be different next month or next year because the link to the website, the standards on that website will change.

Tom Temin Sounds like that leaves contractors open to a little bit of capriciousness then, if that’s the case. Well, you sent this in, but guess what? It changed since you sent in your proposal. Sorry.

Eric Crusius Right. Right. And be interesting to see kind of how that juxtaposed works and how DHS handles that. And if it varies between contracting officer to contracting officer, and all that combined with the, like you mentioned, the new 800 171 standard coming out, there’s a lot going on for contractors to look at right now.

Tom Temin And so what standards does it reference Homeland Security’s specific handling of data standards then? Right?

Eric Crusius Right. There are specific standards that they mention that are on their website, security directives, 1104 2.1 and 1105 6.1. And really, there’s about a dozen other different standards that contractors need to be aware of.

Tom Temin And has anyone compared them to NIST? Do they have any consonance with what NIST’s doing or what’s out there now?

Eric Crusius Not that I’ve seen, and that’s a great weekend project, so I’ll put that on my list to do because I’ve wanted to do that with the VA regulations also, which also don’t use 800 171 as the baseline standard. So yeah.

Tom Temin Seen that in other domains of acquisition where agencies will add their own little embellishment to the FAR. You already have the D-FARS, but that’s well understood. But then there’s the Energy FAR or the EPA FAR and the DHS FAR. It gets to be kind of tough navigating for contractors.

Eric Crusius Right. And if you remember years ago, the FAR was created to create this one standard across the government. So you would need government contracts, lawyers to figure out what to do. And then each agency went and did its own thing anyway. And I think we’re seeing the same thing with cybersecurity here, where the FAR Council has been a little bit slow in putting out a standard that works across the government for controlled unclassified information. DoD has been slow in rolling out CMMC, so now filling the void are these other agencies like DHS and the VA with their own standards because they recognize that they need to protect their information, need to do it right now?

Tom Temin And what do these rules actually ask contractors to do in general?

Eric Crusius They all kind of follow a similar formula. They ask contractors to abide by certain standards, security standards. They also ask contractors to respond and to make them aware of cybersecurity incidents. The definition of a cybersecurity incident in the DHS rules is pretty broad and includes not following certain policies, spillage internally in the contractor where, you know, CUI goes from one part of the business to another where it’s not supposed to be in an employee kind of employee onboarding, you know, if they’re going to be handling certain kinds of information, they need to have training, and the agency needs to be aware of their kind of let go, things like that. So there’s those standard common themes that are in all these regulations, but they’re all different.

Tom Temin We’re speaking with attorney Eric Crusius. He’s a partner at Holland & Knight. So in their solicitations and contracts, DHS will be requiring compliance with these standards. So contractors in their bids simply need to say, yes, we are in compliance with these. We are following these directives of the 4700 series . . .

Eric Crusius Right. Right. And contractors bite kind of taking on a contract with these regulations in them, will implicitly at least acknowledge that they are complying with these regulations. And DHS knows that this is not an inexpensive proposition for contractors. And they say that in the rule that they recognize that this is going to be expensive and they expect that that expense will be reflected in the price of these contracts to DHS.

Tom Temin And you mentioned CMMC, the DoD program, which doesn’t seem to be getting quite off the ground, the Cybersecurity Model Maturity certification program. It’s like a helicopter spinning, but it never quite leaves the tarmac there and that has third-party verification as part of that program, which says we can prove that we do these things because someone objective looked at us, right? There’s nothing like that in these DHS rules.

Eric Crusius For the vast majority of companies, that is true. There’s a small subset. If you are a contractor that is operating or running a federal system, you will have some kind of third party verification that’s required. Just because you brought up CMMC. I have to say something about it, but the really interesting thing about CMMC is DoD may require contractors to do a third party certification even in advance of CMMC because the new NIST 800 171 has a control that requires third party verification of systems and the D-FARS clause that implements 800 171 says that the version of NIST 800 171 that’s applicable is the one at the time of the solicitation. So once that new 800 171 comes out, there’s an argument to be made unless DoD issues a class deviation that all contractors, DoD contractors that CUI, we will have to get a third party certification.

Tom Temin Yes. So it’s like CMMC by default almost.

Eric Crusius Right. Exactly.

Tom Temin And in delaying all of this til now, but yet coming out by DHS ahead of what DoD might or may not be doing, it sounds like each agency has been waiting on the other one to step out into this first. And DHS said, Well, screw it, we’ll go first.

Eric Crusius Right? And I kind of think like they’re all kind of holding each other up a little bit for a while, and that’s why it took six years. I mean, these rules are sophisticated and they’re not easy. But six years is a long time. And I know they were working diligently on them. So it must be that they were trying to coordinate and they’re trying to see where the new FAR upcoming whatever our upcoming FAR rules, what direction they’re going in, where DoD is going. And eventually, I think you said I think you’re exactly right. They said we just got to do something.

Tom Temin So in the meantime, right now, then contractors need to develop almost boilerplate language that says, yes, we are doing this according to this rule. That’s something they should be composing right now.

Eric Crusius Right. And they should be looking at the standards that DHS has right now, see if they’re compliant. And for contractors that play across different agencies, it’s really difficult because they have different standards for different CUI depending on which agency they’re connected with.

Tom Temin Right. Because you said earlier the definitions of what comes under CUI differ from agency to agency.

Eric Crusius Right? So DoD uses the CUI registry and DHS does to some extent, uses parts of it. And it’s not entirely clear whether it uses all of it. The general definitions are similar, but there are some nuance I think contractors should look at.

Tom Temin Yeah, this does sound like a lot of manpower required to make sure that with each agency and now DHS, you are following the clauses they want.

Eric Crusius Right. And I think each agency is really paying close attention because these rules are very important to them. Cybersecurity is really important and they spent a lot of time issuing these regulations not to just have them ignored.

Tom Temin Yeah, I mean, that’s right. At the heart of all this, there is a cybersecurity problem which everybody recognizes, but it seems like a Byzantine way of getting at it.

Eric Crusius Right? It would’ve been great if the FAR Council came out first and issued some regulations, and that enabled kind of the individual agencies to stand down. Now, DHS argues that these regulations are supplementary to the CUI regs that may come out from the FAR Council because they cover different things. We’ll have to wait and see if that’s really the case.