Big changes are on the way when it comes to controlled unclassified information (CUI). An amendment to the Federal Acquisition Regulation (FAR) will apply certain security requirements to contractors outside the Department of Defense. Additionally, some of the underlying requirements may be changing, because government agencies may require more stringent cybersecurity measures.
The new government contracting rule addresses how contractors deal with CUI.
This involves information that is sensitive but not classified. Federal government contracts will need to include a provision that dictates how contractors will dispose of CUI that they obtain in the course of performing their government contracts. The new rule will also include provisions for safeguarding and marking CUI. The FAR case is based on a rule that was issued in 2016 and applies to the executive branch. Now, it will apply to contractors as well.
Since this new rule will be in the FAR, it will be a factor in whether contractors are eligible for award and whether they have complied with their contracts. Government agencies will likely have to make this clause mandatory in all of the contracts they sign. Cybersecurity may well also become an evaluation factor in many contracts that involve the use of information systems.
Optional Cybersecurity Measures
NIST 800-171 serves as the basis for this rule. It requires “adequate security” for the information. However, NIST 800-171 will soon be changing. Agencies will be able to prescribe that contractors follow even more stringent measures to protect CUI. “Adequate security” will simply be the baseline; agencies may be able to ask for more, and contractors will need to comply. Contractors could choose to implement this level of security on their own, even if they are not required to do so by the agency.
NIST 800-171 provides the bedrock principles and protection measures when dealing with CUI. However, this area is rapidly changing as the regulatory agenda moves towards greater cybersecurity protection. Those who do business with the federal government can expect further continued evolution in this area.
As the new rules take hold and more entities within government assert their right to audit contractors for compliance, there are many issues in figuring out which entity is the proper one to conduct the audit. Without a single unified regulator, contractors could be aiming at different compliance targets. Multiple regulatory authorities often create unnecessary confusion. There will likely be a single entity in the future to assess compliance with these rules. Currently, contractors certify their own compliance and are then subject to audits. In the future, there will be more clarity about the process, especially when audits are conducted by a single federal entity.
Given the rapid changes in cybersecurity requirements when dealing with the federal government, your business is best off getting as much help as possible. There are NIST 800-171 compliance solutions available that can help your business keep track of and meet these ever-changing requirements.