
82 FR 6429 - Homeland Security Acquisition Regulation (HSAR); Safeguarding of Controlled Unclassified Information (HSAR Case 2015-001)

DEPARTMENT OF HOMELAND SECURITY

Federal Register Volume 82, Issue 12 (January 19, 2017)

Page Range: 6429-6446
FR Document: 2017-00758


[Federal Register Volume 82, Number 12 (Thursday, January 19, 2017)]
[Proposed Rules]
[Pages 6429-6446]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2017-00758]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

48 CFR Parts 3001, 3002, 3004, and 3052

[Docket No. DHS-2017-0006]
RIN 1601-AA76


Homeland Security Acquisition Regulation (HSAR); Safeguarding of 
Controlled Unclassified Information (HSAR Case 2015-001)

AGENCY: Office of the Chief Procurement Officer, Department of Homeland 
Security (DHS).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: DHS is proposing to amend the Homeland Security Acquisition 
Regulation (HSAR) to modify a subpart, remove an existing clause and 
reserve the clause number, update an existing clause, and add a new 
contract clause to address requirements for the safeguarding of 
Controlled Unclassified Information (CUI).

DATES: Comments on the proposed rule should be submitted in writing to 
one of the addresses shown below on or before March 20, 2017, to be 
considered in the formation of the final rule.

ADDRESSES: Submit comments identified by HSAR Case 2015-001, 
Safeguarding of Controlled Unclassified Information, using any of the 
following methods:
     Regulations.gov: http://www.regulations.gov.
    Submit comments via the Federal eRulemaking portal by entering 
``HSAR Case 2015-001'' under the heading ``Enter Keyword or ID'' and 
selecting ``Search.'' Select the link ``Submit a Comment'' that 
corresponds with ``HSAR Case 2015-001.'' Follow the instructions 
provided at the ``Submit a Comment'' screen. Please include your name, 
company name (if any), and ``HSAR Case 2015-001'' on your attached 
document.
     Fax: (202) 447-0520
     Mail: Department of Homeland Security, Office of the Chief 
Procurement Officer, Acquisition Policy and Legislation, ATTN: Ms. 
Shaundra Duggans, 245 Murray Drive, Bldg. 410 (RDS), Washington, DC 
20528.
    Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided. To 
confirm receipt of your comment(s), please check www.regulations.gov, 
approximately two to three days after submission to verify posting 
(except allow 30 days for posting of comments submitted by mail).

FOR FURTHER INFORMATION CONTACT: Ms. Shaundra Duggans, Procurement 
Analyst, DHS, Office of the Chief Procurement Officer, Acquisition 
Policy and Legislation at (202) 447-0056 or email [email protected]. When 
using email, include HSAR Case 2015-001 in the ``Subject'' line.

SUPPLEMENTARY INFORMATION: 

I. Background

    The purpose of this proposed rule is to implement adequate security 
and privacy measures to safeguard Controlled Unclassified Information 
(CUI) and facilitate improved incident reporting to DHS. This proposed 
rule does not apply to classified information. These measures are 
necessary because of the urgent need to protect CUI and respond 
appropriately when DHS contractors experience incidents with DHS 
information. Recent high-profile breaches of Federal information 
further demonstrate the need to ensure that information security 
protections are clearly, effectively, and consistently addressed in 
contracts. This proposed rule strengthens and expands existing HSAR 
language to ensure adequate security for CUI that is accessed by 
contractors; collected or maintained by contractors on behalf of an 
agency; and/or for Federal information systems that collect, process, 
store or transmit such information. The proposed rule identifies CUI 
handling requirements as well as incident reporting requirements, 
including timelines and required data elements. The proposed rule also 
includes inspection provisions and post-incident activities and 
requires certification of sanitization of Government and Government-
Activity related files and information. Additionally, the proposed rule 
requires that contractors have in place procedures and the capability 
to notify and provide credit monitoring services to any individual 
whose Personally Identifiable Information (PII) or Sensitive PII (SPII) 
was under the control of the contractor or resided in the information 
system at the time of the incident.
    This rule addresses the safeguarding requirements specified in the 
Federal Information Security Modernization Act (FISMA) of 2014 (44 
U.S.C. 3551, et seq.), Office of Management and Budget (OMB) Circular 
A-130, Managing Information as a Strategic Resource,\1\ relevant 
National Institutes of Standards and Technology (NIST) guidance, 
Executive Order 13556, Controlled Unclassified Information \2\ and its 
implementing regulation at 32 CFR part 2002,\3\ and the following OMB 
Memoranda: M-07-16, Safeguarding Against and Responding to the Breach 
of Personally Identifiable Information; M-14-03, Enhancing the Security 
of Federal Information and Information Systems; and Reporting 
Instructions for the Federal Information Security Management Act and 
Agency Privacy Management as identified in various OMB Memoranda.\4\ 
Ongoing efforts by OMB and DHS with regard to implementation of FISMA, 
such as the issuance of Binding Operational Directives, and DHS 
implementation of the CUI program, may require future HSAR revisions in 
this area. DHS intends to harmonize the HSAR to be consistent with the 
requirements of these ongoing efforts.
---------------------------------------------------------------------------

    \1\ OMB Circular A-130 Managing Information as a Strategic 
Resource is accessible at https://www.whitehouse.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf.
    \2\ Executive Order 13556 Controlled Unclassified Information is 
accessible at https://www.thefederalregister.org/fdsys/pkg/FR-2010-11-09/pdf/2010-28360.pdf.
    \3\ 32 CFR part 2002 is accessible at https://www.thefederalregister.org/fdsys/pkg/FR-2016-09-14/pdf/2016-21665.pdf.
    \4\ These memoranda include M-03-19, M-04-25, M-05-15, M-06-20, 
M-07-19, M-08-212, M-09-29, M-10-15, M-11-33, M-12-20, M-14-04, 
M-15-01, M-16-03, and M-16-04. These memoranda can be accessed at: 
https://www.whitehouse.gov/omb/memoranda_default.
---------------------------------------------------------------------------

II. Discussion and Analysis

    This proposed rule is part of a broader initiative within DHS to 
(1) ensure contractors understand their responsibilities with regard to 
safeguarding controlled unclassified information (CUI); (2) contractor 
and subcontractor employees complete

[[Page 6430]]

information technology (IT) security awareness training before access 
is provided to DHS information systems and information resources or 
contractor-owned and/or operated information systems and information 
resources where CUI is collected, processed, stored or transmitted on 
behalf of the agency; (3) contractor and subcontractor employees sign 
the DHS Rules of Behavior (RoB) before access is provided to DHS information systems, 
information resources, or contractor-owned and/or operated information 
systems and information resources where CUI is collected, processed, 
stored or transmitted on behalf of the agency; and (4) contractor and 
subcontractor employees complete privacy training before accessing a 
Government system of records; handling personally identifiable 
information (PII) and/or sensitive PII information; or designing, 
developing, maintaining, or operating a system of records on behalf of 
the Government.
    DHS is proposing to amend and expand an existing HSAR subpart. This 
proposed rule would (1) add new definitions; (2) clarify the 
applicability of the subpart; (3) remove an existing clause and reserve 
the clause number; (4) revise an existing clause; and (5) add a new 
clause to implement expanded safeguarding requirements and identify new 
policies for incident reporting, incident response, notification and 
credit monitoring. Each of these proposed changes is described in 
detail below.
    (1) DHS is proposing to revise subpart 3002.101, Definitions, to 
define ``adequate security,'' ``controlled unclassified information,'' 
``Federal information,'' ``Federal information system,'' ``handling,'' 
``information resources,'' ``information security,'' and ``information 
system,'' and remove the definition of sensitive information. The 
definition of the terms ``adequate security,'' ``Federal information,'' 
and ``Federal information system'' is taken from OMB Circular A-130, 
Managing Information as a Strategic Resource. The definition of 
controlled unclassified information is taken from its implementing 
regulation at 32 CFR part 2002. The definition of ``handling'' was 
developed based upon a review of definitions for the term developed by 
other Federal agencies. The definition for the term ``information 
security'' is taken from FISMA 2014 (44 U.S.C. 3552(b)(3)) and the 
definitions for the terms ``information resources'' and ``information 
system'' are taken from 44 U.S.C. 3502(6) and 44 U.S.C. 3502(8) 
respectively. The definition of ``sensitive information'' is removed 
because it is being replaced with ``controlled unclassified 
information'' consistent with Executive Order 13556 and its 
implementing regulation at 32 CFR part 2002. This rule also adds five 
(5) new categories/subcategories of CUI titled Homeland Security 
Agreement Information, Homeland Security Enforcement Information, 
Operations Security Information, Personnel Security Information, and 
Sensitive Personally Identifiable Information for consistency with 
NARA's CUI regulation (32 CFR part 2002). The definitions of these 
terms are needed because these terms appear in the new proposed clause 
at 3052.204-7X, Safeguarding of Controlled Unclassified Information.
    (2) DHS is proposing to revise subpart 3004.470, Security 
requirements for access to unclassified facilities, Information 
Technology resources, and sensitive information, to change the title of 
the subpart and to clarify the applicability of the subpart to the 
acquisition lifecycle. The title of the subpart would be changed to 
``Security requirements for access to unclassified facilities, 
information resources, and controlled unclassified information'' and a 
new subsection for definitions would be added under the subpart. 
Accordingly, the subsections would be renumbered as follows: 3004.470-1 
Scope, 3004.470-2 Definitions, 3004.470-3 Policy, and 3004.470-4 
Contract Clauses. Originally, the title of this subpart contained the 
term ``information technology resources;'' however, this term is 
inconsistent with 44 U.S.C. 3502(6) which defines the term 
``information resources.'' Subsection 3004.470-1, Scope, would be 
amended for consistency in terminology and to make clear the 
applicability of the subpart to the acquisition lifecycle. Subsection 
3004.470-2, Definitions, would be added to define the term 
``incident.'' The definition for ``incident'' is taken from FISMA 2014 
(44 U.S.C. 3552(b)(2)). This term could not be defined at 3002.1, 
Definitions, because the meaning of the term ``incident'' in this 
subpart differs from the meaning it is given in other parts of the 
HSAR. Additionally, this definition is needed because this term appears 
in the clause at 3052.204-7X, Safeguarding of Controlled Unclassified 
Information. Subsection 3004.470-3, Policy, would be revised to (a) 
remove explicit references to Departmental policies and procedures to 
safeguard CUI that are subject to change and provide a public facing 
link for which these policies and procedures can be accessed and (b) 
make clear the requirements for completion of security forms and 
background investigations for contractor employees that require 
recurring access to Government facilities or CUI. Subsection 
3004.470-4, Contract Clauses, would be revised to remove reference to 
3052.204-70, Security Requirements for Unclassified Information 
Technology Resources and identify the applicability of the clause at 
3052.204-7X, Safeguarding of Controlled Unclassified Information, to 
solicitations, contracts, and subcontracts.
    (3) Clause 3052.204-70, Security Requirements for Unclassified 
Information Technology Resources, would be removed and the clause 
number reserved. This change is necessary because the addition of the 
clause at 3052.204-7X Safeguarding of Controlled Unclassified 
Information eliminates the need for this clause.
    (4) A new clause at 3052.204-7X, Safeguarding of Controlled 
Unclassified Information, would be added to ensure adequate protection 
of CUI. The new clause adds definitions and identifies CUI handling 
requirements, Authority to Operate requirements, incident reporting and 
response requirements, PII and SPII notification requirements, credit 
monitoring requirements, sanitization of Government and Government-
Activity related files and information requirements, other reporting 
requirements, and subcontract requirements. Each of these requirements 
is described below.

(a) Definitions

    This section would add definitions, which also appear in part at 
3002.1 Definitions and 3004.470-2 Definitions, as follows: ``adequate 
security,'' ``Controlled Unclassified Information,'' ``Federal 
information,'' ``Federal information system,'' ``handling,'' ``Homeland 
Security Agreement Information,'' ``Homeland Security Enforcement 
Information,'' ``incident,'' ``information resources,'' ``information 
security,'' ``information system,'' ``Operations Security 
Information,'' ``Personnel Security Information,'' and ``Sensitive 
Personally Identifiable Information.'' The definitions of these terms 
are needed because these terms appear in 3052.204-7X, Safeguarding of 
Controlled Unclassified Information.

(b) Handling of Controlled Unclassified Information

    This section sets forth specific requirements for contractors and 
subcontractors when handling CUI in order to better protect against the 
threat of persistent cyber-attacks and prevent the compromise of CUI, 
including PII.

[[Page 6431]]

These requirements include being in compliance with the DHS policies 
and procedures in effect at the time of contract award. These policies 
and procedures are located on a public Web site titled DHS Security and 
Training Requirements for Contractors which can be accessed via http://www.dhs.gov/dhs-security-and-training-requirements-contractors. This 
Web site identifies Departmental policies and procedures that 
contractors must comply with related to personnel security, information 
security, IT security, and privacy. The Web site also identifies and 
provides contractors with access to IT security awareness and privacy 
training. The policies and training requirements contained on this Web 
site are existing requirements that DHS routinely includes in the terms 
and conditions of its contracts, some of which are pre-existing through 
HSAR 3052.204-70 Security Requirements for Unclassified Information 
Technology Resources and 3052.204-71 Contractor Employee Access. Part 
of the intent of this proposed rulemaking is to increase transparency 
by consolidating these existing requirements in a single location that 
is easily accessible by the public. Changes to these policies and 
procedures will be reflected on the Web site and changes that impact 
contract performance will be communicated to the contractor by the 
Government.
    Handling requirements also include not using or redistributing any 
CUI collected, processed, stored, or transmitted by the contractor, 
except as specified in the contract and not maintaining SPII in the 
contractor's invoicing, billing, and other recordkeeping systems 
maintained to support financial or other administrative functions. DHS 
believes that maintaining SPII in the contractor's invoicing, billing, 
and other recordkeeping systems creates unnecessary risk of compromise 
and is not otherwise needed to achieve contract administration 
functions. DHS welcomes comments regarding whether other categories of 
CUI should be similarly excluded from a contractor's invoicing, 
billing, and other recordkeeping systems. Through these and other 
requirements set forth in the proposed clause and discussed in detail 
in the following sections, the Department believes that contractors and 
subcontractors will provide adequate security from the unauthorized 
access and disclosure of CUI.

(c) Authority To Operate

    FISMA defines a comprehensive framework for ensuring the protection 
of Government information, operations and assets against natural or 
man-made threats. This section sets forth information security 
requirements contractors operating a Federal information system must 
meet prior to collecting, processing, storing, or transmitting CUI in 
that information system as required by FISMA and set forth in NIST 
Special Publication 800-53, Recommended Security and Privacy Controls 
for Federal Information Systems and Organizations. The requirements 
include completing the security authorization process, including the 
preparation of security authorization package and obtaining an 
independent assessment; renewal of the security authorization; security 
review; and Federal reporting and continuous monitoring.\5\
---------------------------------------------------------------------------

    \5\ DHS is aware that NIST Special Publication 800-171, 
Protecting Controlled Unclassified Information in Nonfederal 
Information Systems and Organizations, was released in June 2015 to 
provide federal agencies with recommended requirements for 
protecting the confidentiality of Controlled Unclassified 
Information on non-Federal information systems; however, the 
information system security requirements in this proposed rulemaking 
are focused on Federal information systems, which include contractor 
information systems operating on behalf of an agency. Consistent 
with 32 CFR part 2002, these information systems are not subject to 
the requirements of NIST Special Publication 800-171.
---------------------------------------------------------------------------

    Security authorization involves comprehensive testing and 
evaluation of security features (also known as controls) of an 
information system. It addresses software and hardware security 
safeguards; considers procedural, physical, and personnel security 
measures; and establishes the extent to which a particular design (or 
architecture), configuration, and implementation meets a specified set 
of security requirements throughout the life cycle of the information 
system. It also considers procedural, physical, and personnel security 
measures employed to enforce information security policy. The security 
authorization package includes a Security Plan, Contingency Plan, 
Contingency Plan Test Results, Configuration Management Plan, Security 
Assessment Plan, and Security Assessment Report. These documents are 
used to record the results of the security authorization process and 
provide evidence that the process was followed correctly. A Federal 
information system, which includes a contractor information system 
operating on behalf of an agency, must be granted an Authority to 
Operate (ATO) before it is granted permission to collect, process, 
store, or transmit CUI. The ATO is the official management decision 
given by a senior organizational official to authorize operation of an 
information system based on the implementation of an agreed-upon set of 
security controls.
    The independent assessment is used to validate the security and 
privacy controls in place for the information system prior to 
submission of the security authorization package to the Government for 
review and acceptance. Once an ATO is accepted and signed by the 
Government, it is valid for three (3) years and must be renewed at that 
time unless otherwise specified in the ATO letter. The Government uses 
random security reviews as an additional level of verification to 
ensure security controls are in place, enforced and operating 
effectively. The contractor shall afford access to DHS, the Office of 
the Inspector General, other Government organizations, and contractors 
working in support of the Government access to the Contractor's 
facilities, installations, operations, documentation, databases, 
networks, systems, and personnel used in the performance of this 
contract to conduct security reviews. In addition, contractors 
operating information systems on behalf of the Government shall comply 
with Federal reporting and information system continuous monitoring 
requirements. Reporting requirements are determined by OMB on an annual 
basis and are defined in the Fiscal Year 2015 DHS Information Security 
Performance Plan.\6\ The plan is updated annually to reflect any new or 
revised reporting requirements from OMB.
---------------------------------------------------------------------------

    \6\ The Fiscal Year 2015 DHS Information Security Performance 
Plan can be found at: http://www.dhs.gov/dhs-security-and-training-requirements-contractors.
---------------------------------------------------------------------------

(d) Incident Reporting

    This section sets forth incident reporting requirements for 
contractors and subcontractors when reporting known or suspected 
incidents, including known or suspected incidents that involve PII and/
or SPII. The incident reporting requirements described in this section 
allow the Department to gather the information necessary to formulate 
an effective incident response plan for incident mitigation and 
resolution. These requirements include: Reporting all known or 
suspected incidents to the Component Security Operations Center and 
notifying the contracting officer and contracting officer's 
representative of the incident; reporting known or suspected incidents 
that involve PII or SPII within one hour of discovery and all other 
incidents within eight hours of discovery; encrypting CUI using FIPS 
140-2 Security Requirements for

[[Page 6432]]

Cryptographic Modules and refraining from including CUI in the subject 
or body of any email; providing additional data elements when reporting 
incidents involving PII or SPII; and making clear that an incident 
shall not, by itself, be interpreted as evidence that the contractor 
failed to provide adequate information security safeguards for CUI.
    The timing for reporting incidents involving PII or SPII is 
consistent with OMB Memorandum M-07-16, Safeguarding Against and 
Responding to the Breach of Personally Identifiable Information. The 
timing for reporting incidents unrelated to PII or SPII was derived 
from existing Departmental policy for reporting incidents related to 
other categories of CUI such as CVI, Protected Critical Infrastructure 
Information (PCII), and Sensitive Security Information (SSI). 
Controlled unclassified information is required to be excluded from the 
subject or body of an email and encrypted to prevent further compromise 
of the information when reporting incidents. The additional data 
elements required when reporting incidents involving PII or SPII are 
needed to assist in the Department's understanding of the incident and 
aid in an effective response. DHS also wants to encourage industry to 
timely report incidents to the Department by making it clear that such 
reporting does not automatically mean the contractor has failed to 
provide adequate security or otherwise meet the requirements of the 
contract.

(e) Incident Response

    This section identifies incident response requirements and 
activities. Incident response activities such as inspections, 
investigations, forensic reviews, etc. are used to quickly assess, 
remediate and protect CUI and are conducted whenever an incident is 
reported to DHS. The goal of these activities is to determine what data 
was or could have been accessed by an intruder, build a timeline of 
intruder activity, determine methods and techniques used by the 
intruder, find the initial attack vector, identify any features/aspects 
in the information security protections, and provide remediation 
recommendations to restore the protection of the data. Incident 
response activities may also include contract compliance analyses.

(f) PII and SPII Notification Requirements

    This section sets forth the notification procedures and capability 
requirements for Contractors when notifying any individual whose PII 
and/or SPII was under the control of the Contractor or resided in the 
information system at the time of the incident. The method and content 
of any notification by the Contractor shall be coordinated with, and 
subject to prior written approval by the Contracting Officer utilizing 
the DHS Privacy Incident Handling Guidance. When appropriate, 
notification of those affected and/or the public allows those 
individuals affected by the incident the opportunity to take steps to 
help protect themselves. Such notification is also consistent with the 
``openness principle'' of the Privacy Act which calls for agencies to 
inform individuals about how their information is being accessed and 
used, and may help individuals mitigate the potential harms resulting 
from an incident.
    The Department realizes that there are existing state notification 
laws that industry must also follow. Therefore, DHS welcomes comments 
regarding the impact, if any, that existing state notification laws 
will have on industry's ability to comply with this notification 
requirement.

(g) Credit Monitoring

    This section sets forth the requirement that the contractor, when 
appropriate, is required to provide credit monitoring services, 
including call center services, if directed by the Contracting Officer, 
to any individual whose PII or SPII was under the control of the 
contractor, or resided in the information system, at the time of the 
incident for a period beginning the date of the incident and extending 
not less than 18 months from the date the individual is notified. 
Credit monitoring is a commercial service that can assist individuals 
in early detection of instances of identity theft. Credit monitoring 
services notify individuals of changes that appear in their credit 
report, such as creation of new accounts, changes to their existing 
accounts or personal information, or new inquiries for credit. Such 
notification affords individuals the opportunity to take steps to 
minimize any harm associated with unauthorized or fraudulent activity. 
The section is only applicable when an incident involves PII or SPII.
    The Department deliberately made the provision of notification and 
credit monitoring services independent from an assessment of fault or 
lack of compliance with the contract terms and conditions. In 
accordance with OMB Memorandum M-07-16, Safeguarding Against and 
Responding to the Breach of Personally Identifiable Information, 
agencies have the responsibility to notify individuals whose PII or 
SPII may have been compromised without unreasonable delay. This 
notification has often been delayed while detailed forensic analysis 
and contract compliance inspections are occurring. Under this new 
provision, notification and credit monitoring, when appropriate, will 
occur more rapidly as it is not dependent upon any determination of 
contractor fault or noncompliance. DHS is also aware that sophisticated 
cyber-attacks can occur despite compliance with contract requirements. 
In these instances, even though there is no contractor noncompliance, 
there may still be a need to notify individuals and provide credit 
monitoring services. Additionally, DHS wants to emphasize that the 
provisions for notification and credit monitoring services are only 
applicable when (1) contractor and/or subcontractor employees may have 
access to PII/SPII or (2) information systems are used to collect, 
process, store, or transmit PII/SPII on behalf of the agency. DHS is 
considering broadening the credit monitoring requirement to include 
identity protection, identity restoration, and related services. DHS 
welcomes comments regarding the impact, if any, of this change.

(h) Certificate of Sanitization of Government and Government-Activity 
Related Files and Information

    Upon the conclusion of the contract by expiration, termination, 
cancellation, or as otherwise identified in the contract, the 
Contractor must return all CUI to DHS or destroy it physically or 
logically as identified in the contract. This destruction must conform 
to the guidelines for media sanitization contained in NIST SP-800-88, 
Guidelines for Media Sanitization. Further, the contractor must certify 
and confirm sanitization of media using the template provided in 
Appendix G of the publication.

(i) Other Reporting Requirements

    The purpose of this section is to make clear that the requirements 
of this clause do not rescind the Contractor's responsibility for 
compliance with other applicable U.S. Government statutory or 
regulatory requirements that may apply to its contract(s).

(j) Subcontracts

    This section requires that contractors insert the clause at 
3052.204-7X Safeguarding of Controlled Unclassified Information in all 
subcontracts and require subcontractors to include this clause in all 
lower-tier subcontracts. The requirements of this clause are applicable 
to all contractors and

[[Page 6433]]

subcontractors that (1) will have access to CUI; (2) collect or 
maintain CUI on behalf of the agency; or (3) operate Federal 
information systems, including contractor information systems operated 
on behalf of the agency, to collect, process, store, or transmit CUI.
    (5) Clause 3052.212-70, Contract Terms and Conditions Applicable to 
DHS Acquisition of Commercial Items, would be revised to remove 
3052.204-70, Security Requirements for Unclassified Information 
Technology Resources; identify Alternate II as an option under 
subparagraph (b) of 3052.204-71 Contractor Employee Access; and add 
3052.204-7X Safeguarding of Controlled Unclassified Information under 
subparagraph (b) of the clause. The addition of 3052.204-7X 
Safeguarding of Controlled Unclassified Information eliminates the need 
for 3052.204-70 Security Requirements for Unclassified Information 
Technology Resources. Because of this 3052.204-70 would be removed and 
the clause number reserved. Alternate II to 3052.204-71 was 
inadvertently omitted as an option under the listing of clauses and 
alternates available for selection under 3052.212-70. This addition 
corrects that omission. Subparagraph (b) of 3052.212-70 would also be 
amended to add 3052.204-7X Safeguarding of Controlled Unclassified 
Information because the requirements of these clauses are applicable to 
the acquisition of commercial items.
    (6) Other considerations. DHS is considering making changes to 
subpart 3004.470-3, Contract Clauses, and the clause at 3052.204-71, 
Contractor Employee Access. These changes would harmonize the text of 
the clause with the requirements of the final version of 3052.204-7X 
Safeguarding of Controlled Unclassified Information by removing 
outdated and/or unnecessary definitions (i.e., sensitive information 
and information technology resources); renumbering the paragraphs of 
the clause as a result of the removal of the definitions for the terms 
``sensitive information'' and ``information technology resources''; and 
making clear in the prescription for the clause the need for 
information security regardless of the setting, including educational 
institutions and contractor facilities. DHS believes that the 
protection of CUI is paramount regardless of where the information 
resides. DHS is also seeking comment on making the clause at 
3052.204-7X, Safeguarding of Controlled Unclassified Information, applicable to 
all services contracts. DHS believes this broader applicability would 
ensure that contractors are aware of the Government's requirements 
related to CUI. In addition, the Government believes that the 
requirements of the clause are written in such a way that they would be 
self-deleting when they are not applicable to a solicitation or 
contract. DHS welcomes comments regarding the impact, if any, on 
including 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, in all services contracts. DHS also welcomes comments and 
feedback on industry's understanding of the concept of self-deleting 
and if the use of alternates to 3052.204-7X, Safeguarding of Controlled 
Unclassified Information, is needed to ensure proper understanding and 
application of the clause.

III. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This is a significant regulatory action and, therefore, 
was subject to review under Section 6(b) of E.O. 12866, Regulatory 
Planning and Review, dated September 30, 1993. This rule is not a major 
rule under 5 U.S.C. 804.
    This proposed rule addresses the safeguarding requirements 
specified in the FISMA, OMB Circular A-130, Managing Information as a 
Strategic Resource, relevant NIST guidance, Executive Order 13556, 
Controlled Unclassified Information and its implementing regulation at 
32 CFR part 2002, and multiple OMB Memoranda. DHS considered both the 
costs and benefits associated with the requirements of proposed clause 
Safeguarding of Controlled Unclassified Information, specifically those 
requirements believed to be of most import to industry such as the 
requirement to: Obtain an independent assessment, perform continuous 
monitoring, report all known and suspected incidents, provide 
notification and credit monitoring services in the event an incident 
impacts PII, document sanitization of Government and 
Government-activity-related files and information, as well as ensure overall 
compliance with the requirements of the proposed clause.
    To determine the estimated costs of these requirements DHS 
requested cost information from multiple vendors whose contracts with 
DHS include requirements similar to this proposed rule; obtained cost 
input from the Federal Risk and Authorization Management Program 
(FedRAMP), for which DHS is a participant; reviewed the Congressional 
Budget Office (CBO) Cost Estimate for the Personal Data Protection and 
Breach Accountability Act of 2011; reviewed pricing from the General 
Service Administration's (GSA) recently awarded Identity Protection 
Services (IPS) blanket purchase agreements (BPAs); and reviewed 
internal price data from DHS's Managed Compliance Services and 
notification and credit monitoring services contracts. These activities 
identified that: (1) The cost of an independent assessment can range 
from $30,000 to $150,000 with an average cost of $112,872; (2) the 
equipment costs to perform continuous monitoring can range from $76,340 
to $350,000 with an average cost of $213,170 while the labor costs to 
perform continuous monitoring can range from $47,000 to $65,000 for an 
average cost of $55,674; (3) the cost of reporting an incident to DHS 
ranges between $500 and $1,500 per incident; (4) the cost of notifying 
individuals that there has been an incident with their PII ranges from 
$1.03 to $4.60 per person; (5) the cost of credit monitoring services 
range between $60 and $260 per person; (6) a specific cost for the 
certificate of sanitization of Government and 
Government-Activity-Related files and information cannot be determined as the methods of 
sanitization vary widely depending on the categorization of the system 
and the media on which the data is stored; and (7) costs associated 
with Full-time Equivalent (FTE) oversight of the requirements of 
proposed clause Safeguarding of Controlled Unclassified Information 
ranges from $65,000 to $324,000. Detailed information on how DHS 
arrived at these costs and ranges is provided below.
    There are a multitude of benefits associated with the requirements 
of proposed clause Safeguarding of Controlled Unclassified Information. 
These benefits impact both DHS and contractors with which it conducts 
business. Benefits related to specific provisions of the proposed 
clause are addressed below; however, it is important to note the 
overarching benefit of transparency. While several of the requirements 
of the proposed clause have been routinely included in DHS contracts 
(e.g., Authority to Operate, notification, and credit monitoring), this 
proposed rulemaking standardizes the applicability of these 
requirements and makes clear to contractors considering doing business with DHS the 
standards and requirements to which they will be held as it relates to 
the (1) handling of the Department's CUI, (2) security requirements 
when such information will be collected or maintained on behalf of the 
agency or collected, processed, stored, or transmitted in a Federal 
information system, including contractor information systems operating 
on behalf of the agency, and (3) potential notification and credit 
monitoring requirements in the event of an incident that impacts 
personally identifiable information (PII) and/or sensitive PII (SPII). 
The current lack of standardization and transparency has been a point of 
contention for industry and a common concern raised when DHS has 
requested feedback from industry.

Overview of Costs

Independent Assessment
    DHS is proposing that vendors obtain an independent assessment to 
validate the security and privacy controls in place for an information 
system prior to submission of the security authorization package to the 
Government for review and acceptance. In general, when assessing 
compliance with a standard or set of requirements, there are three 
alternatives: (1) First party attestation or self-certification, (2) 
second party attestation (i.e., internal independent), or (3) third 
party attestation. While the first two options may be considered the 
least economically burdensome, third party attestation is an accepted 
best practice in commercial industry as objectivity increases with 
independence. DHS is proposing to require that vendors obtain an 
independent assessment from a third party to ensure a truly objective 
measure of an entity's compliance with the requisite security and 
privacy controls. Recent high-profile breaches of Federal information 
further demonstrate the need for Departments, agencies, and industry to 
ensure that information security protections are clearly, effectively, 
and consistently addressed and appropriately implemented in contracts. 
Additionally, the benefits of using a third party to perform an 
independent assessment also extend to the contractor as the contractor 
can use the results of the independent assessment to demonstrate its 
cybersecurity excellence for customers other than DHS.
    The cost of an independent assessment varies widely depending upon 
the complexity of the information system, the categorization of the 
information system (low, moderate, or high impact), and the 
sophistication of the contractor. Additionally, DHS does not have a 
mechanism to track the costs of independent assessments performed under 
its contracts. Because of the multiple factors that influence the cost 
of an independent assessment and lack of a tracking mechanism for 
associated costs, DHS is unable to identify with specificity the costs 
of implementing this requirement. As such, we sought to identify a 
range of costs based on the actual data we were able to access. DHS 
performed the following activities to obtain this data:
    * Requested cost information from multiple vendors whose 
contracts with DHS require an independent assessment as part of the 
security authorization process;
    * Obtained cost input from FedRAMP, for which DHS is a 
participant, as the program requires cloud service providers to obtain 
an independent assessment from a Third Party Assessment Organization; 
and
    * Reviewed internal data from DHS's Managed Compliance 
Services contract. DHS uses this contract to perform internal 
independent assessments.
    The cost information received from DHS vendors ranged from $30,000 
to $123,615. The vendors whose costs were on the higher end of this 
range included costs for the independent party as well as internal 
labor costs associated with performing the independent assessment 
whereas the vendor on the low end of the spectrum did not. FedRAMP data 
indicates the estimated cost of an independent assessment to be 
approximately $150,000 while costs under DHS's internal contract for 
this service range between $35,000 and $45,000. When considering the 
data from DHS's internal contract for independent assessment services, 
it is important to note that these figures do not capture the labor 
costs of the Government employees involved in the process as the 
Government does not typically track the costs incurred for services 
performed by its own workforce. Because of this, it is both anticipated 
and expected that contractor costs for independent assessments will 
exceed the costs the Government incurs as contractor costs typically 
include not only the cost of the independent third party but also 
internal labor costs to facilitate the independent assessment and 
resolve any resultant findings.
    Based on the above data points, the cost of an independent 
assessment can range from $30,000 to $150,000 or an average cost of 
$112,872. Because it seems likely that most vendors will have to 
account for necessary staff time, the average cost was developed by 
averaging only those cost estimates that included both internal and 
external labor costs. Neither the range nor the average cost identified 
is absolute as there are multiple factors that influence the cost of 
this service. Internal historical data indicates it takes approximately 
162 labor hours to complete an independent assessment. This adds to 
the variance as the costs are dependent upon the labor categories and 
rates used to perform the assessment. Also, it is important to note 
that the assessment is required to be performed by an independent 
party. As such, the actual cost of the assessment is largely dependent 
upon agreements that the contractor is responsible for negotiating. 
Contractors with preexisting relationships with entities that perform 
independent assessments may be able to obtain more competitive pricing. 
Contractors new to this requirement may not. DHS welcomes comments from 
industry regarding the estimated costs associated with compliance with 
the requirement to obtain an independent assessment.
Continuous Monitoring
    Proposed clause Safeguarding of Controlled Unclassified Information 
requires that contractors operating Federal information systems, which 
includes contractor information systems operating on behalf of the 
Government, or maintaining or collecting information on behalf of the 
Government, comply with information system continuous monitoring 
requirements. Continuous monitoring is not a new requirement for DHS 
contractors. Existing HSAR clause 3052.204-70, Security Requirements 
for Unclassified Information Technology Resources, requires contractors 
to comply with DHS Sensitive System Policy Publication 4300A. This 
publication and its implementing guidance addresses continuous 
monitoring requirements. DHS is seeking to be more clear and 
transparent with contractor requirements by expressly identifying this 
requirement in proposed clause Safeguarding of Controlled Unclassified 
Information.
    The costs associated with continuous monitoring are not fixed and 
can vary widely. For example, a contractor that has previously gone 
through DHS's security authorization process is more likely to have in 
place the hardware, software, and personnel to perform continuous 
monitoring. In this instance, the costs associated with performing this 
requirement would be lower than a contractor who does not have 
preexisting hardware, software, and personnel in place to satisfy these requirements.
    Because of the multiple factors that influence the cost of 
continuous monitoring, DHS is unable to identify with specificity the 
costs of implementing this requirement. As such, we sought to identify 
a range of costs based on the actual data we were able to access. DHS 
performed the following activities to obtain this data:
    * Requested cost information from multiple vendors whose 
contracts with DHS include similar continuous monitoring requirements; 
and
    * Reviewed internal historical data.
    The cost information received from DHS vendors ranged from $65,000 
to $397,000. Vendors on the lower end of this range already had the 
hardware and software in place to perform continuous monitoring as the 
costs proposed only include labor. Alternatively, the vendors on the 
higher end of this range documented costs associated with hardware, 
software, and labor. For example, the cost breakdown from the vendor 
that reported costs of $397,000 included a one-time equipment fee of 
$350,000 and annual labor costs of $47,000. Alternatively, the vendor 
that submitted costs of $65,000 only proposed labor costs and is using 
preexisting hardware and software to perform continuous monitoring.
    A review of internal historical data indicates the cost of 
continuous monitoring ranges from $6,000 to $18,000. It is important to 
note that the internal historical data assumes the vendor has the 
appropriate tools to perform continuous monitoring (e.g., the ability 
to scan their assets) and does not include costs for the labor required 
to support continuous monitoring activities. It is both anticipated and 
expected that in many instances contractor costs for continuous 
monitoring will exceed the costs the Government incurs for the same 
service as contractor costs include the costs of hardware/software to 
perform continuous monitoring as well as labor costs to support 
continuous monitoring activities.
    Using the above data points, the equipment costs to perform 
continuous monitoring can range from $76,340 to $350,000 with an 
average cost of $213,170. The average cost was developed by averaging 
the equipment costs received. Alternatively, labor costs to perform 
continuous monitoring can range from $47,000 to $65,000 for an average 
cost of $55,674. The average cost was developed by averaging the labor 
costs received. Please note these ranges and average costs are not 
absolute as the costs associated with continuous monitoring vary based 
on the tools (i.e., hardware or software) and methods (e.g., internal 
staff, contractor support, new hires) the contractor uses to implement 
the continuous monitoring requirements. The Government anticipates 
costs will decline over time as contractors become more sophisticated 
and build the necessary infrastructure to support this activity. DHS 
welcomes comments from industry regarding the estimated costs 
associated with compliance with the requirement to perform continuous 
monitoring.
Incident Reporting
    This proposed rule requires contractors to report known or 
suspected incidents that involve PII or sensitive PII (SPII) within one 
hour of discovery and all other incidents (i.e., those incidents 
impacting any other category of CUI) within eight hours of discovery. 
DHS specifically included language in the regulatory text stating that 
an incident shall not, by itself, be interpreted as evidence that the 
contractor has failed to provide adequate information security 
safeguards for CUI, or has otherwise failed to meet the requirements of 
the contract. This language was added because DHS understands that 
sophisticated cyber-attacks can occur despite compliance with contract 
requirements.
    The cost to prepare and report an incident to DHS varies based on 
the type(s) of information impacted by the incident and the complexity 
of the incident. Proposed clause Safeguarding of Controlled 
Unclassified Information requires incidents to be reported to the 
Component Security Operations Center (SOC), or the DHS Enterprise SOC 
if the Component SOC is unavailable, in accordance with 4300A Sensitive 
Systems Handbook Attachment F Incident Response. However, if PII is 
impacted by the incident, the contractor must provide additional 
information in its incident report. Also, for incidents that impact 
multiple systems or multiple components of a system, it may take the 
contractor more resources (e.g., time) to obtain some of the data 
points that are required to be provided when reporting an incident.
    To determine the cost of preparing and reporting an incident, DHS 
performed the following activities:
    * Requested cost information from multiple vendors whose 
contracts with DHS include similar incident reporting requirements; and
    * Reviewed internal historical data.
    It was difficult to use the information submitted by the vendors 
queried to establish an estimated cost. The information provided either 
included both incident reporting and incident response (i.e., 
investigation and remediation activities) or annual training and 
testing requirements. Because of this we had to rely on internal 
historical data to establish an estimate solely responsive to the 
incident reporting requirements identified in the proposed clause. This 
data indicates the estimated cost of reporting an incident to DHS 
ranges between $500 and $1,500 per incident. DHS estimates that 822 
vendors are subject to the requirements of this proposed rule and that 
each vendor may report up to one known or suspected incident per year 
for a total estimated cost range of $411,000 to $1,233,000. DHS 
welcomes comments from industry regarding the estimated costs 
associated with incident reporting.
Notification and Credit Monitoring
    In the event of an incident that impacts PII/SPII, it may be 
necessary to perform certain incident response activities such as 
notification and credit monitoring. Contractors should not assume that 
all incident response activities will take place when a known or 
suspected incident is reported to DHS as the determination on the 
appropriate incident response activities is based upon investigation of 
the known or suspected incident. DHS uses a deliberative process to 
investigate and determine if an incident has occurred. This process 
begins with the contractor's submission of an incident report to the 
Component or DHS SOC. The SOC staff use the incident report information 
to investigate and determine if an actual incident occurred. More often 
than not, an incident has not occurred and further incident response 
activities are not needed. If the SOC determines that an incident has 
occurred, additional investigation and analyses happen to determine the 
nature and scope of the incident and US-CERT is engaged as necessary. 
If the incident involves PII/SPII, the Government will determine if 
notification and the provision of credit monitoring services is 
appropriate. DHS believes notification and credit monitoring, when 
appropriate, will occur more rapidly as the provision of these services 
is no longer dependent upon any determination of contractor fault or 
noncompliance.
    To determine the cost of notifying individuals, DHS performed the 
following activities:
    * Requested cost information from multiple vendors whose 
contracts with DHS include similar notification requirements;
    * Reviewed pricing from DHS's department-wide contract for 
credit monitoring services;
    * Reviewed the CBO Cost Estimate for the Personal Data 
Protection and Breach Accountability Act of 2011;
    * Reviewed pricing from the GSA's recently awarded IPS BPAs; 
and
    * Reviewed GSA's Professional Services Schedule, Financial 
and Business Solutions, Category 520 19 Data Breach Analysis.
    The cost information we received from DHS vendors indicates that 
vendors price these requirements using different methods. One vendor 
bundled the cost of notification in its continuous monitoring costs 
while another bundled these costs with those associated with 
incident reporting. In these instances we are unable to determine which 
portion of the costs are associated with the notification requirements. 
The cost submitted by the one vendor that separately priced this 
requirement was $4.06 per person. The pricing for notification in the 
Department's internal contract for credit monitoring services is 
significantly lower than the costs proposed by DHS's vendors, i.e., 
$1.57 per person.
    While the CBO report referenced above did not provide a cost 
estimate for notification, the following information was provided: 
``According to industry sources, the sensitive, personally identifiable 
information of millions of individuals is illegally accessed or 
otherwise breached every year. However, according to those sources, 46 
states already have laws requiring notification in the event of a 
security breach. In addition, it is the standard practice of most 
businesses to notify individuals if a security breach occurs. 
Therefore, CBO estimates that the notification requirements would not 
impose significant additional costs on businesses.''
    GSA's IPS BPAs contain bundled fixed unit pricing for services that 
not only exceed the requirements of proposed clause Safeguarding of 
Controlled Unclassified Information (i.e., dedicated, branded Web site; 
identity restoration services; and identity theft insurance services) 
but also includes notification. As such, DHS is unable to determine 
which portion of the fixed unit price is applicable to notification 
services. A review of GSA's Professional Services Schedule indicates 
only two vendors with specific pricing for notification services. This 
includes the vendor for which DHS has a Department-wide contract for 
credit monitoring and notification services. Pricing for the other 
vendor is $0.54 per letter plus postage, i.e., $1.03. Based on this 
data, the cost of notifying individuals that there has been an incident 
with their PII ranges from $1.03 to $4.60 per person. DHS welcomes 
comments from industry regarding the estimated costs associated with 
compliance with the requirement to provide notification services.
    Proposed clause Safeguarding of Controlled Unclassified Information 
requires contractors to provide credit monitoring services, including 
call center services, if directed by the Contracting Officer, to any 
individual whose PII/SPII was under the control of the contractor, or 
resided in the information system, at the time of the incident for a 
period beginning the date of the incident and extending not less than 
18 months from the date the individual is notified.
    The costs associated with this requirement vary depending on the 
method the contractor uses to provide services. For example, some 
contractors choose to satisfy this requirement through cyber insurance 
while others choose to subcontract these services with credit 
monitoring service providers. To estimate a cost for credit monitoring 
services, DHS performed the following activities:
    * Requested cost information from multiple vendors whose 
contracts with DHS include similar credit monitoring requirements;
    * Reviewed pricing from DHS's department-wide contract for 
credit monitoring services;
    * Reviewed the CBO Cost Estimate for the Personal Data 
Protection and Breach Accountability Act of 2011; and
    * Reviewed pricing from the General Service Administration's 
(GSA) recently awarded Identity Protection Services (IPS) blanket 
purchase agreements (BPAs).
    The cost information we received from DHS vendors indicates that 
vendors satisfy these requirements using different methods. One vendor 
used cyber insurance while others satisfied these requirements through 
subcontracts with credit monitoring service providers. In instances 
where subcontracts are used, the pricing ranged from $61.71 to $260 per 
person. We assume that this variance in cost stems from the vendor's 
ability to negotiate favorable pricing with its subcontractors. It is 
also important to note that credit monitoring service providers 
frequently offer volume discounts that can lower the costs of services. 
However, all vendors under contracts with DHS may not be able to 
capitalize on these discounts as the amount of PII provided to a 
contractor is based upon the services being provided and can vary 
greatly from contract to contract.
    The pricing in the Department's internal contract for credit 
monitoring services is significantly lower than the costs proposed by 
DHS's vendors, i.e., $1.89 per person. It is important to note that DHS 
was able to obtain such favorable pricing because the cost of credit 
monitoring services is paid for everyone that receives notification of 
the incident without regard to their actual acceptance/request for 
credit monitoring. According to the CBO report referenced above, 
``[t]he cost of bulk purchases of the credit-monitoring or reporting 
services is about $60 per person according to credit industry 
professionals.''
    As it relates to GSA's IPS BPAs, the published price lists do not 
mirror the credit monitoring provisions of DHS's proposed clause 
Safeguarding of Controlled Unclassified Information. For example, the 
IPS BPAs contain bundled fixed unit pricing for services that exceed 
the requirements of the proposed clause (i.e., dedicated, branded Web 
site; identity restoration services; and identity theft insurance 
services). Additionally, the pricing includes volume discounts based on 
the number of individuals receiving services. The prices ranged from 
$12.21 (per person per year if 10,000-24,999) to $38 (per person per 
year if more than 10,000).
    Based on the aforementioned information, DHS believes the most 
likely costs for these services range between $60 and $260 per person. 
DHS welcomes comments from industry regarding the estimated costs 
associated with compliance with the requirement to provide credit 
monitoring. DHS also requests feedback from industry on how many 
individuals typically sign up for credit monitoring after being 
notified that an incident has occurred that impacts their PII/SPII.
Certificate of Sanitization
    Proposed clause Safeguarding of Controlled Unclassified Information 
requires contractors to return all CUI to DHS and certify and confirm 
the sanitization of all Government and Government-Activity related 
files and information. Destruction must conform to the guidelines for 
media sanitization contained in NIST SP-800-88, Guidelines for Media 
Sanitization. The contractor is also required to use the template 
provided in NIST Special Publication 800-88, Guidelines for Media 
Sanitization, Appendix G when submitting the Certificate of Sanitization.
    NIST SP 800-88 identifies the proper and applicable techniques and 
controls for sanitization and disposal decisions, considering the 
security categorization of the associated system's confidentiality. 
Applicable sanitization methods depend on the media in which the data 
is stored. Following sanitization, NIST SP 800-88 requires a 
certificate of media disposition to be completed for each piece of 
electronic media that has been sanitized. The proposed clause 
Safeguarding of Controlled Unclassified Information requires 
contractors to certify that applicable media have been sanitized using 
the template provided in Appendix G of NIST SP 800-88. In short, this 
template states that a system or hardware has been sanitized of all 
information. The costs associated with media sanitization do not arise 
from completion of the template. The costs arise from the sanitization 
activities themselves. A specific cost cannot be provided as the 
methods of sanitization vary widely depending on the categorization of 
the system and the media on which the data is stored. DHS requests 
comments from industry regarding the estimated costs associated with 
compliance with the requirement to sanitize Government and 
Government-Activity-Related files and information.
Oversight and Compliance
    As discussed above, the costs associated with oversight and 
compliance with the requirements contained in proposed clause 
Safeguarding of Controlled Unclassified Information are not easily 
quantifiable. Implementation costs stem directly from a vendor's 
preexisting information security posture. Several vendors, particularly 
those operating in the IT space, have been complying with these 
requirements for years. In these instances, the vendors have the 
existing infrastructure (i.e., hardware, software, and personnel) to 
implement these requirements and implementation costs are lower. The 
same is also true for many vendors that provide professional services 
to the Government and use IT to provide those services. Alternatively, 
vendors with less experience and capability in this area will incur 
costs associated with procuring the hardware and software necessary to 
implement these requirements, as well as the labor costs associated 
with any new personnel needed to implement and oversee these 
requirements. Costs will vary depending on the hardware and software 
selected and the skill set each contractor requires in its employee(s) 
responsible for ensuring compliance with these requirements. It is 
anticipated that these costs will be passed on to the Department, and 
that over time these vendors will become more sophisticated in this 
area and costs will decline. It is also important to note that the 
information security measures proposed in this rulemaking are quite 
similar to those industry already employs internal to their business 
operations. However, based on the feedback we received from vendors, 
the costs associated with FTE oversight of these requirements ranges 
from $65,000 to $324,000. This range is not absolute as it is entirely 
dependent upon the vendor's approach to oversight, i.e., a single 
individual, multiple personnel, and the seniority of the position, all 
of which directly impact costs. Also, it is important to note that 
requirements of this type are generally not priced as a separate line 
item and are typically captured in overhead estimates. As such, DHS 
does not have clear insight into the costs associated with this 
requirement. DHS welcomes comments from industry regarding the 
estimated costs associated with ensuring proper oversight and 
compliance with the requirements of proposed clause Safeguarding of 
Controlled Unclassified Information.

Overview of Benefits

Clear Notification of System Requirements
    Feedback from industry has consistently indicated the need for 
transparency and clear and concise requirements as it relates to 
information security. The requirements of proposed clause Safeguarding 
of Controlled Unclassified Information are, in part, intended to satisfy 
this request. Previously, information security requirements were either 
embedded in a requirements document (i.e., Statement of Work, Statement 
of Objectives, or Performance Work Statement) or identified through 
existing HSAR clause 3052.204-70, Security Requirements for 
Unclassified Information Technology Resources. This approach (1) 
created inconsistencies in the identification of information security 
requirements for applicable contracts, (2) required the identification 
and communication of security controls for which compliance was 
necessary after contract award had been made, and (3) resulted in 
delays in contract performance.
    Proposed clause Safeguarding of Controlled Unclassified Information 
substantially mitigates the concerns with DHS's previous approach. 
Through the Government-provided Requirements Traceability Matrix 
(RTM), contractors will know at the solicitation level the security 
requirements for which they must comply. The RTM identifies the 
security controls that must be implemented on an information system 
that collects, processes, stores, or transmits CUI and is necessary for 
the contractor to prepare its security authorization package. Clear 
identification of these requirements at the solicitation level affords 
contractors the ability to (1) assess their qualifications and ability 
to fully meet the Government's requirements, (2) make informed business 
decisions when deciding to compete on Government requirements, and (3) 
engage subcontractors, if needed, early in the process so that they 
are able to be fully responsive to the Government's requirements. 
Similarly, the Government benefits from clear identification of its 
requirements. Presumably, proposals/quotations will be submitted by 
contractors fully qualified and able to meet the requirements of the 
effort. During the evaluation phase of a procurement, the Government 
will be able to assess a contractor's information security posture and 
ability to comply with the requirements of the RTM. Such an evaluation 
should reduce post-award delays in contractor performance and mitigate 
the need to reissue solicitations as a result of a contractor's 
inability to comply with mandatory security requirements.
Improved Notification to the Public Regarding Data Breaches
    Proposed clause Safeguarding of Controlled Unclassified Information 
requires contractors to have in place procedures and the capability to 
notify any individual whose PII and/or SPII was under the control of 
the contractor or resided in the information system at the time of an 
incident no later than 5 business days after being directed to notify 
individuals, unless otherwise approved by the contracting officer. Such 
a requirement is consistent with OMB Memorandum M-07-16, Safeguarding 
Against and Responding to the Breach of Personally Identifiable 
Information, which states that agencies have the responsibility to 
notify individuals whose PII or SPII may have been compromised without 
unreasonable delay. In the past, this notification has often been 
delayed while detailed forensic analysis and contract compliance 
inspections are occurring. Under this new provision, notification and 
credit monitoring, when appropriate, will occur more rapidly as it is 
not dependent upon any

[[Page 6438]]

determination of contractor fault or noncompliance.
    The content and method of any notification sent by a contractor 
must be coordinated with and approved by the contracting officer. At a 
minimum, this notification must include: A brief description of the 
incident; a description of the types of PII or SPII involved; a 
statement as to whether the PII or SPII was encrypted or protected by 
other means; steps individuals may take to protect themselves; what the 
contractor and/or the Government are doing to investigate the incident, 
to mitigate the incident, and to protect against any future incidents; 
and information identifying who individuals may contact for additional 
information. Such notification is consistent with the ``openness 
principle'' of the Privacy Act which calls for agencies to inform 
individuals about how their information is being accessed and used, and 
may help individuals mitigate the potential harms resulting from an 
incident.
Provision of Credit Protection to Impacted Individuals
    Proposed clause Safeguarding of Controlled Unclassified Information 
requires contractors to provide credit monitoring services, including 
call center services to any individual whose PII or SPII was under the 
control of the contractor, or resided in the information system, at the 
time of the incident for a period beginning on the date of the incident 
and extending not less than 18 months from the date the individual is 
notified when directed by the contracting officer. Credit monitoring 
services can be particularly beneficial to the affected public as they 
can assist individuals in the early detection of identity theft as well 
as notify individuals of changes that appear in their credit report, 
such as creation of new accounts, changes to their existing accounts or 
personal information, or new inquiries for credit. Such notification 
affords individuals the opportunity to take steps to minimize any harm 
associated with unauthorized or fraudulent activity.
Incident Reporting
    Proposed clause Safeguarding of Controlled Unclassified Information 
requires contractors and subcontractors to report all known or 
suspected incidents to the Component SOC. If the Component SOC is not 
available, the report shall be made to the DHS Enterprise SOC. While 
such a requirement is not new for DHS, compliance with this requirement 
is critical. The mission of DHS is unique in that we, through the 
National Protection and Programs Directorate's Office of Cybersecurity 
and Communications, are also responsible for the identification and 
sharing of cyber threat indicators. These cyber threat indicators and 
defensive measures are shared among federal and non-federal entities 
consistent with the need to protect information systems from 
cybersecurity threats, mitigate cybersecurity threats, and comply with 
any other applicable provisions of law authorized by the Cybersecurity 
Information Sharing Act of 2015. Because of this mission requirement, 
DHS is not only concerned with actors who are successful in breaching 
our defenses, we are also concerned with attempts to breach those 
defenses. Knowledge of these attempts enables us to perform any 
necessary investigations and determine/establish new procedures to 
strengthen our defenses and prevent them from becoming successful. This 
information is then in turn shared with the interagency and non-Federal 
entities to enable them to take the necessary measures to be able to 
defend against similar attacks.
Improved Incident Response Time
    Previously contractors were not consistently provided with specific 
incident reporting timelines. As such, the timeliness of incident 
reporting was determined by the contractor. Standardizing incident 
reporting timelines through proposed clause Safeguarding of Controlled 
Unclassified Information ensures timely incident reporting. Timely 
reporting of incidents is critical to prevent the impact of the 
incident from expanding, ensure incident response and mitigation 
activities are undertaken quickly, and ensure individuals are promptly 
notified of the possible or actual compromise of their personally 
identifiable information and offered credit monitoring services when 
applicable.

IV. Regulatory Flexibility Act

    DHS expects this proposed rule may have a significant economic 
impact on a substantial number of small entities within the meaning of 
the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. Therefore, an 
Initial Regulatory Flexibility Analysis (IRFA) has been prepared 
consistent with 5 U.S.C. 603, and is summarized as follows:

1. Description of the Reasons Why Action by the Agency Is Being 
Considered

    Cybersecurity has been identified as one of the most serious 
economic and national security challenges our nation faces. The 
frequency of cyber-attacks, including attempts to gain unauthorized 
access to CUI collected or maintained by or on behalf of an agency and 
information systems that collect, process, store, or transmit such 
information, has prompted the Government to expand its cybersecurity 
efforts across the Federal landscape. Part of the DHS mission is to 
protect the nation's cybersecurity and to coordinate responses to 
cyber-attacks and security vulnerabilities. As part of that mission, 
DHS is proposing to amend the HSAR to expand its current security 
measures for safeguarding CUI to include additional requirements for 
the safeguarding of CUI that is accessed by contractors, collected or 
maintained by contractors on behalf of the agency, and Federal 
information systems, which includes contractor information systems 
operating on behalf of the Government, that collect, process, store or 
transmit CUI. These proposed revisions to the HSAR are necessary to 
ensure the integrity, confidentiality, and availability of CUI.

2. Succinct Statement of the Objectives of, and Legal Basis for, the 
Rule

    The objective of this rule is to expand on existing Departmental IT 
security requirements. These existing IT security requirements are 
provided in the clause at HSAR 3052.204-70, Security Requirements for 
Unclassified Information Technology Resources, and applicable DHS 
policy and guidance. The existing clause is more narrowly focused on 
information systems connected to a DHS network or operated by a 
contractor for DHS. This rule proposes to remove the existing clause 
and provide a new expanded clause. Unlike the existing clause, this 
proposed rule extends the scope to require that CUI be safeguarded 
wherever such information resides, including government-owned and 
operated information systems, government-owned and contractor operated 
information systems, contractor-owned and/or operated information 
systems operating on behalf of the Government, and any situation where 
contractor and/or subcontractor employees may have access to CUI 
consistent with the requirements of FISMA. This proposed rule also 
establishes uniform incident reporting and response activities that 
contractors and subcontractors must comply with in the event of an 
incident. The proposed rule also requires contractors and 
subcontractors have in place procedures and the capability to notify 
and provide credit monitoring services to any individual whose 
Personally Identifiable Information (PII) or

[[Page 6439]]

Sensitive PII (SPII) was under the control of the contractor, or 
resided in the information system, at the time of the incident. 
Additionally, this proposed rule requires contractors and 
subcontractors to certify and confirm the sanitization of Government 
and Government-Activity related files and information. These collective 
measures will help DHS mitigate information security risks related to 
information as well as gather information for future improvements in 
information security policy.
    The requirement to safeguard CUI is specified in the Federal 
Information Security Modernization Act of 2014 (44 U.S.C. 3551, et 
seq.), OMB Circular A-130, Managing Information as a Strategic 
Resource, relevant National Institute of Standards and Technology 
(NIST) guidance, Executive Order 13556, Controlled Unclassified 
Information and its implementing regulation at 32 CFR part 2002, and 
various OMB Memoranda, to include: M-07-16, Safeguarding Against and 
Responding to the Breach of Personally Identifiable Information; M-14-
03, Enhancing the Security of Federal Information and Information 
Systems; and Reporting Instructions for the Federal Information 
Security Management Act and Agency Privacy Management and Guidance on 
Federal Information Security and Privacy Management Requirements as 
identified in various OMB Memoranda.

3. Description of and, Where Feasible, Estimate of the Number of Small 
Entities To Which the Rule Will Apply

    This rule will apply to DHS contractors that require access to CUI, 
collect or maintain CUI on behalf of the Government, or operate Federal 
information systems, which includes contractor information systems 
operating on behalf of the agency, that collect, process, store or 
transmit CUI.
    For Fiscal Year (FY) 2014, DHS awarded nearly 13,000 new contract 
awards to large and small businesses, with over 35 percent of all 
contracts awarded to small businesses. The estimate of the number of 
small entities to which the proposed rule will apply was established by 
reviewing FPDS data for FY 2014, internal DHS contract data, experience 
with similar safeguarding requirements used in certain DHS contracts, 
and the most likely applicable Product and Service Codes (PSCs). The 
data review identified 2,525 unique vendors were awarded contracts 
under the most likely applicable PSCs in FY 2014, including small and 
large businesses. However, not all contractors awarded contracts under 
the most likely applicable PSCs will be subject to proposed clause 
Safeguarding of Controlled Unclassified Information. A number of 
factors determine the applicability of the proposed clause and would 
require analysis on a case-by-case basis. Further, the proposed clause 
distinguishes between entities that are granted access to CUI but will 
not operate information systems on behalf of the agency to collect, 
process, store or transmit CUI, and those that are required to meet 
Authority to Operate (ATO) requirements because information systems 
will be used to collect, process, store or transmit CUI on behalf of 
the agency. Based on the data reviewed, the estimated number 
of annual respondents subject to the Safeguarding of Controlled 
Unclassified Information clause is estimated at 822 respondents. The 
proposed revision to the HSAR includes a flow-down provision that 
applies to subcontractors. However, DHS does not believe this 
requirement will add to the estimated number of respondents when an ATO 
is required because it is anticipated that a single information system 
will be used to collect, process, store, or transmit CUI in most 
instances. A review of DHS historical data shows that at least 35 
percent of new contracts are awarded to small businesses. Therefore, it 
is assumed that 35 percent of the projected annual number of 
respondents will also be small businesses, or approximately 288 
respondents.
    Although the proposed HSAR clause is new, DHS contractors are 
currently required to comply with Departmental IT security policy and 
guidance. It is assumed that the average DHS IT services contractor 
covered by this clause will have a high operational security readiness 
posture. However, the requirements of the proposed clause have been 
expanded to include professional services contractors that have access 
to CUI, collect or maintain CUI on behalf of the Government, and/or 
operate Federal information systems, including contractor information 
systems operating on behalf of the agency, that collect, process, store 
or transmit CUI to perform the requirements of their contract(s). While 
these contractors may not have the same operational security readiness 
posture of the average DHS IT services contractor, the expansion and 
implementation of these safeguarding requirements is necessary to 
further reduce risks and potential vulnerabilities.

4. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements of the Rule, Including an Estimate of the 
Classes of Small Entities Which Will be Subject to the Requirement and 
the Type of Professional Skills Necessary

    Reporting and recordkeeping requirements include those requirements 
necessary to ensure adequate security controls are in place when 
contractor and/or subcontractor employees will have access to sensitive 
CUI, collect or maintain CUI on behalf of the Government, and/or 
operate Federal information systems, which includes contractor 
information systems operating on behalf of the agency, that are used to 
collect, process, store, or transmit CUI. The reporting and 
recordkeeping requirements vary depending on if an Authority to Operate 
(ATO) is required. If an ATO is not required, the reporting and 
recordkeeping requirements include: Incident Reporting, Notification 
(if the incident involves PII/SPII), Credit Monitoring (if the incident 
involves PII/SPII), and Certification of Sanitization. If an ATO is 
required, the reporting and recordkeeping requirements include: 
Incident Reporting, Notification (if the incident involves PII/SPII), 
Credit Monitoring (if the incident involves PII/SPII), Certification of 
Sanitization, Security Authorization Package, Independent Assessment, 
Renewal of ATO, and Federal Reporting and Continuous Monitoring.
    Typical contract awards that may include the requirement for access 
to CUI include contracts awards with a PSC of ``D'' Automatic Data 
Processing and Telecommunication and ``R'' Professional, Administrative 
and Management Support. However, this is not an all-inclusive list. 
Additional PSCs will be added and projections will be adjusted as 
additional data becomes available through HSAR clause implementation. 
This continued process will assist in validating future projections. It 
is estimated that the average contractor will utilize a mid-level 
manager with IT expertise to ensure compliance with the requirements of 
this rule.

5. Identification, to the Extent Practicable, of All Relevant Federal 
Rules Which May Duplicate, Overlap, or Conflict With the Rule

    There are no rules that duplicate, overlap or conflict with this 
rule.

[[Page 6440]]

6. Description of Any Significant Alternatives to the Rule Which 
Accomplish the Stated Objectives of Applicable Statutes and Which 
Minimize any Significant Economic Impact of the Rule on Small Entities

    No significant alternatives were identified that would accomplish 
the stated objectives of the rule. The information security 
requirements associated with this rule are not geared towards a type of 
contractor; the requirements are based on the sensitivity of the 
information, the impact on the program, the Government and security in 
the event CUI is breached. That standard would not vary based on the 
size of the entity.
    DHS will be submitting a copy of the IRFA to the Chief Counsel for 
Advocacy of the Small Business Administration. A copy of the IRFA may 
be obtained from the point of contact specified herein. DHS invites 
comments from small business concerns and other interested parties on 
the expected impact of this rule on small entities.
    DHS will also consider comments from small entities concerning the 
existing regulations in subparts affected by this rule in accordance 
with 5 U.S.C. 610. Interested parties must submit such comments 
separately and should cite 5 U.S.C. 610, et seq. (HSAR Case 2015-001), 
in correspondence.

V. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The 
proposed rule contains information collection requirements. 
Accordingly, DHS will be submitting a request for approval of a new 
information collection requirement concerning this rule to the Office 
of Management and Budget under 44 U.S.C. 3501, et seq.
    The collection requirements for this rule are based on a new HSAR 
clause, 3052.204-7X Safeguarding of Controlled Unclassified 
Information.
    A. The average public reporting burden for this collection of 
information is estimated to be approximately 50 hours per response to 
comply with the requirements, including time for reviewing 
instructions, searching existing data sources, gathering and 
maintaining the data needed, and completing and reviewing the 
collection of information. This average is based on an estimated 36 
hours per response to comply with the requirements when an ATO is not 
required and an estimated 120 hours to comply with the requirements when an 
ATO is required (i.e., when a contractor is required to submit Security 
Authorization (SA) package). Security Authorization package consists of 
the following: Security Plan, Security Assessment Report, Plan of 
Action and Milestones, Security Control Assessor Transmittal Letter 
(documents the Security Control Assessor's recommendation (i.e., 
Authorization to Operate or Denial to Operate)), and any supplemental 
information requested by the Government (e.g., Contingency Plan, final 
Risk Assessment, Configuration Management Plan, Standard Operating 
Procedures, Concept of Operations). Additional requirements include an 
Independent Assessment, Security Review, Renewal of the ATO which is 
required every three years, and Federal Reporting and Continuous 
Monitoring Requirements.
    The total annual projected number of responses per respondent is 
estimated at 1. Based on the aforementioned information, the annual total 
burden hours are estimated as follows:
    Title: Homeland Security Acquisition Regulation: Safeguarding of 
Controlled Unclassified Information.
    Type of Request: New Collection.
    Total Number of Respondents: 822.
    Responses per Respondent: 1.
    Annual Responses: 822.
    Average Burden per Response: Approximately 50.
    Annual Burden Hours: Approximately 41,100.
    Needs and Uses: DHS needs the information required by 3052.204-7X 
to implement the requirements for safeguarding against unauthorized 
contractor disclosure and inappropriate use of CUI that contractors and 
subcontractors may have access to during the course of contract 
performance.
    Affected Public: Businesses or other for-profit institutions.
    Respondent's Obligation: Required to obtain or retain benefits.
    Frequency: On occasion.
    B. Request for Comments Regarding Paperwork Burden.
    You may submit comments identified by DHS docket number [DHS-2017-
0006], including suggestions for reducing this burden, not later than 
[insert date 60 days after publication in the Federal Register] using 
any one of the following methods:
    (1) Via the internet at Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
    (2) Via email to the Department of Homeland Security, Office of the 
Chief Procurement Officer, at [email protected].
    Public comments are particularly invited on: Whether this 
collection of information is necessary for the proper performance of 
functions of the HSAR, and will have practical utility; whether our 
estimate of the public burden of this collection of information is 
accurate, and based on valid assumptions and methodology; ways to 
enhance the quality, utility, and clarity of the information to be 
collected; and ways in which we can minimize the burden of the 
collection of information on those who are to respond, through the use 
of appropriate technological collection techniques or other forms of 
information technology.
    Requesters may obtain a copy of the supporting statement from the 
Department of Homeland Security, Office of the Chief Procurement 
Officer, Acquisition Policy and Legislation, via email to 
[email protected]. Please cite OMB Control No. 1600-0023, Safeguarding of 
Controlled Unclassified Information, in all correspondence.

List of Subjects in 48 CFR Parts 3001, 3002, 3004 and 3052

    Government procurement.

    Therefore, DHS proposes to amend 48 CFR parts 3001, 3002, 3004 and 
3052 as follows:

1. The authority citation for 48 CFR parts 3001, 3002, 3004 and 3052 is 
revised to read as follows:

    Authority: 5 U.S.C. 301-302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 
U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation 
Number 0702.

PART 3001--FEDERAL ACQUISITION REGULATIONS SYSTEM

2. In section 3001.106 amend paragraph (a) by adding a new OMB Control 
Number as follows:


3001.106   OMB Approval under the Paperwork Reduction Act.

    (a) * * *
    OMB Control No. 1600-0023 (Safeguarding of Controlled Unclassified 
Information)
* * * * *

PART 3002--DEFINITIONS OF WORDS AND TERMS


3002.101  [Amended]

3. Amend section 3002.101 by adding, in alphabetical order, the 
definitions of ``Adequate Security,'' ``Controlled Unclassified 
Information (CUI),'' ``Federal Information,'' ``Federal Information 
System,'' ``Handling,'' ``Information Resources,'' ``Information 
Security,'' and ``Information System'' to read as follows:
    ``Adequate Security'' means security protections commensurate with 
the risk resulting from the unauthorized access, use, disclosure, 
disruption,

[[Page 6441]]

modification, or destruction of information. This includes ensuring 
that information hosted on behalf of an agency and information systems 
and applications used by the agency operate effectively and provide 
appropriate confidentiality, integrity, and availability protections 
through the application of cost-effective security controls.
* * * * *
    ``Controlled Unclassified Information (CUI)'' is any information 
the Government creates or possesses, or an entity creates or possesses 
for or on behalf of the Government (other than classified information) 
that a law, regulation, or Government-wide policy requires or permits 
an agency to handle using safeguarding or dissemination controls. 
Within the context of DHS, this includes such information which, if 
lost, misused, disclosed, or accessed or modified without authorization, 
could adversely affect the national or homeland security 
interest, the conduct of Federal programs, or the privacy of 
individuals. This definition includes the following CUI categories and 
subcategories of information:
    (1) Chemical-terrorism Vulnerability Information (CVI) as defined 
in Title 6, Code of Federal Regulations, part 27 ``Chemical Facility 
Anti-Terrorism Standards,'' and as further described in supplementary 
guidance issued by an authorized official of the Department of Homeland 
Security (including the Revised Procedural Manual ``Safeguarding 
Information Designated as Chemical-Terrorism Vulnerability 
Information'' dated September 2008);
    (2) Protected Critical Infrastructure Information (PCII) as set out 
in the Critical Infrastructure Information Act of 2002 (Title II, 
Subtitle B, of the Homeland Security Act, Public Law 107-296, 116 Stat. 
2135), as amended, the implementing regulations thereto (Title 6, Code 
of Federal Regulations, part 29) as amended, the applicable PCII 
Procedures Manual, as amended, and any supplementary guidance 
officially communicated by an authorized official of the Department of 
Homeland Security (including the PCII Program Manager or his/her 
designee);
    (3) Sensitive Security Information (SSI) as defined in Title 49, 
Code of Federal Regulations, part 1520, ``Protection of Sensitive 
Security Information,'' as amended, and any supplementary guidance 
officially communicated by an authorized official of the Department of 
Homeland Security (including the Assistant Secretary for the 
Transportation Security Administration or his/her designee) to include 
DHS MD 11056.1, ``Sensitive Security Information (SSI)'' and, within 
the Transportation Security Administration, TSA MD 2010.1, ``SSI 
Program'';
    (4) Homeland Security Agreement Information means information DHS 
receives pursuant to an agreement with state, local, tribal, 
territorial, and private sector partners that is required to be 
protected by that agreement. DHS receives this information in 
furtherance of the missions of the Department, including, but not 
limited to, support of the Fusion Center Initiative and activities for 
cyber information sharing consistent with the Cybersecurity Information 
Sharing Act;
    (5) Homeland Security Enforcement Information means unclassified 
information of a sensitive nature lawfully created, possessed, or 
transmitted by the Department of Homeland Security in furtherance of 
its immigration, customs, and other civil and criminal enforcement 
missions, the unauthorized disclosure of which could adversely impact 
the mission of the Department;
    (6) International Agreement Information means information DHS 
receives pursuant to an information sharing agreement or arrangement, 
with a foreign government, an international organization of governments 
or any element thereof, an international or foreign public or judicial 
body, or an international or foreign private or non-governmental 
organization, that is required by that agreement or arrangement to be 
protected;
    (7) Information Systems Vulnerability Information (ISVI) means:
    (i) DHS information technology (IT) internal systems data revealing 
infrastructure used for servers, desktops, and networks; applications 
name, version and release; switching, router, and gateway information; 
interconnections and access methods; mission or business use/need. 
Examples of information are systems inventories and enterprise 
architecture models. Information pertaining to national security 
systems and eligible for classification under Executive Order 13526, 
will be classified as appropriate;
    (ii) Information regarding developing or current technology, the 
release of which could hinder the objectives of DHS, compromise a 
technological advantage or countermeasure, cause a denial of service, 
or provide an adversary with sufficient information to clone, 
counterfeit, or circumvent a process or system;
    (8) Operations Security Information means information that could 
constitute an indicator of U.S. Government intentions, capabilities, 
operations, or activities or otherwise threaten operations security;
    (9) Personnel Security Information means information that could 
result in physical risk to DHS personnel or other individuals that DHS 
is responsible for protecting;
    (10) Physical Security Information means reviews or reports 
illustrating or disclosing facility infrastructure or security 
vulnerabilities related to the protection of Federal buildings, 
grounds, or property. For example, threat assessments, system security 
plans, contingency plans, risk management plans, business impact 
analysis studies, and certification and accreditation documentation;
    (11) Privacy Information, which includes information referred to as 
Personally Identifiable Information. Personally Identifiable 
Information (PII) means information that can be used to distinguish or 
trace an individual's identity, either alone or when combined with 
other information that is linked or linkable to a specific individual; 
and
    (12) Sensitive Personally Identifiable Information (SPII) is a 
subset of PII, which if lost, compromised or disclosed without 
authorization, could result in substantial harm, embarrassment, 
inconvenience, or unfairness to an individual. Some forms of PII are 
sensitive as stand-alone elements.
    (i) Examples of stand-alone PII include: Social Security numbers 
(SSN), driver's license or state identification number, Alien 
Registration Numbers (A-number), financial account number, and 
biometric identifiers such as fingerprint, voiceprint, or iris scan.
    (ii) Additional examples of SPII include any groupings of 
information that contain an individual's name or other unique 
identifier plus one or more of the following elements:
    (A) Truncated SSN (such as last 4 digits)
    (B) Date of birth (month, day, and year)
    (C) Citizenship or immigration status
    (D) Ethnic or religious affiliation
    (E) Sexual orientation
    (F) Criminal history
    (G) Medical information
    (H) System authentication information such as mother's maiden name, 
account passwords or personal identification numbers (PIN)
    (iii) Other PII may be ``sensitive'' depending on its context, such 
as a list of employees and their performance ratings or an unlisted 
home address or phone number. In contrast, a business card or public 
telephone directory of agency employees contains PII but is not 
sensitive.

[[Page 6442]]

    ``Federal Information'' means information created, collected, 
processed, maintained, disseminated, disclosed, or disposed of by or 
for the Federal Government, in any medium or form.
    ``Federal Information System'' means an information system used or 
operated by an agency or by a contractor of an agency or by another 
organization on behalf of an agency.
    ``Handling'' means any use of controlled unclassified information, 
including but not limited to marking, safeguarding, transporting, 
disseminating, re-using, and disposing of the information.
* * * * *
    ``Information Resources'' means information and related resources, 
such as personnel, equipment, funds, and information technology.
    ``Information Security'' means protecting information and 
information systems from unauthorized access, use, disclosure, 
disruption, modification, or destruction in order to provide--
    (1) integrity, which means guarding against improper information 
modification or destruction, and includes ensuring information 
nonrepudiation and authenticity;
    (2) confidentiality, which means preserving authorized restrictions 
on access and disclosure, including means for protecting personal 
privacy and proprietary information; and
    (3) availability, which means ensuring timely and reliable access 
to and use of information.
    ``Information System'' means a discrete set of information 
resources organized for the collection, processing, maintenance, use, 
sharing, dissemination, or disposition of information.
* * * * *

PART 3004--ADMINISTRATIVE MATTERS

■ 4. Revise subpart 3004.4 to read as follows:

Subpart 3004.4--Safeguarding Classified and Controlled Unclassified 
Information within Industry


3004.470   Security requirements for access to unclassified facilities, 
information resources, and controlled unclassified information.

3004.470-1 Scope.
3004.470-2 Definitions.
3004.470-3 Policy.
3004.470-4 Contract Clauses.


3004.470-1   Scope.

    This section implements DHS policies for assuring adequate security 
of unclassified facilities, information resources, and controlled 
unclassified information (CUI) during the acquisition lifecycle.


3004.470-2   Definitions.

    As used in this subpart--
    ``Incident'' means an occurrence that--
    (1) actually or imminently jeopardizes, without lawful authority, 
the integrity, confidentiality, or availability of information or an 
information system; or
    (2) constitutes a violation or imminent threat of violation of law, 
security policies, security procedures, or acceptable use policies.


3004.470-3   Policy.

    (a) DHS requires that CUI be safeguarded wherever such information 
resides. This includes government-owned and operated information 
systems, government-owned and contractor operated information systems, 
contractor-owned and/or operated information systems operating on 
behalf of the agency, and any situation where contractor and/or 
subcontractor employees may have access to CUI. There are several 
Department policies and procedures (accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors) which also address 
the safeguarding of CUI. Compliance with these policies and procedures, 
as amended, is required.
    (b) DHS requires contractor employees that require recurring access 
to Government facilities or access to CUI to complete such forms as may 
be necessary for security or other reasons, including the conduct of 
background investigations to determine fitness. Department policies and 
procedures that address contractor employee fitness are contained in 
Instruction Handbook Number 121-01-007, The Department of Homeland 
Security Personnel Suitability and Security Program. Compliance with 
these policies and procedures, as amended, is required.


3004.470-4   Contract Clauses.

    (a) Contracting officers shall insert the basic clause at (HSAR) 48 
CFR 3052.204-71, Contractor Employee Access, in solicitations and 
contracts when contractor and/or subcontractor employees require 
recurring access to Government facilities or access to CUI. Contracting 
officers shall insert the basic clause with its Alternate I for 
acquisitions requiring contractor access to Government information 
resources. For acquisitions in which contractor and/or subcontractor 
employees will not have access to Government information resources, but 
the Department has determined contractor and/or subcontractor employee 
access to CUI or Government facilities must be limited to U.S. citizens 
and lawful permanent residents, the contracting officer shall insert 
the clause with its Alternate II. Neither the basic clause nor its 
alternates shall be used unless contractor and/or subcontractor 
employees will require recurring access to Government facilities or 
access to CUI. Neither the basic clause nor its alternates should 
ordinarily be used in contracts with educational institutions.
    (b) Contracting officers shall insert the clause at (HSAR) 48 CFR 
3052.204-7X, Safeguarding of Controlled Unclassified Information, in 
solicitations and contracts where:
    (1) Contractor and/or subcontractor employees will have access to 
CUI;
    (2) CUI will be collected or maintained on behalf of the agency; or
    (3) Federal information systems, which include contractor 
information systems operated on behalf of the agency, are used to 
collect, process, store, or transmit CUI.
    (c) If the clauses prescribed in subsections (a) and/or (b) are 
included in a prime contract, the prime contractor shall include the 
clauses in subsections (a) and/or (b), in its contract(s) with 
subcontractors. If a subcontract includes the clauses prescribed in 
subsections (a) and/or (b) and the subcontractor has contracts with 
lower-tier subcontractors, the lower-tier subcontracts shall include 
the clauses in subsections (a) and/or (b).

PART 3052--SOLICITATION PROVISIONS AND CONTRACT CLAUSES


3052.204-70   [Removed and Reserved].

■ 5. Remove and reserve section 3052.204-70.
■ 6. Add section 3052.204-7X to read as follows:


3052.204-7X   Safeguarding of Controlled Unclassified Information.

    As prescribed in (HSAR) 48 CFR 3004.470-4(b), insert the following 
clause:

Safeguarding of Controlled Unclassified Information (DATE)

    (a) Definitions. As used in this clause--
    ``Adequate Security'' means security protections commensurate 
with the risk resulting from the unauthorized access, use, 
disclosure, disruption, modification, or destruction of information. 
This includes ensuring that information hosted on behalf of an 
agency and information systems and applications used by the agency 
operate effectively and provide appropriate

[[Page 6443]]

confidentiality, integrity, and availability protections through the 
application of cost-effective security controls.
    ``Controlled Unclassified Information (CUI)'' is any information 
the Government creates or possesses, or an entity creates or 
possesses for or on behalf of the Government (other than classified 
information) that a law, regulation, or Government-wide policy 
requires or permits an agency to handle using safeguarding or 
dissemination controls. Within the context of DHS, this includes 
such information which, if lost, misused, disclosed, or accessed or 
modified without authorization, could adversely affect the 
national or homeland security interest, the conduct of Federal 
programs, or the privacy of individuals. This definition includes 
the following CUI categories and subcategories of information:
    (i) Chemical-terrorism Vulnerability Information (CVI) as 
defined in Title 6, Code of Federal Regulations, part 27 ``Chemical 
Facility Anti-Terrorism Standards,'' and as further described in 
supplementary guidance issued by an authorized official of the 
Department of Homeland Security (including the Revised Procedural 
Manual ``Safeguarding Information Designated as Chemical-Terrorism 
Vulnerability Information'' dated September 2008);
    (ii) Protected Critical Infrastructure Information (PCII) as set 
out in the Critical Infrastructure Information Act of 2002 (Title 
II, Subtitle B, of the Homeland Security Act, Public Law 107-296, 
196 Stat. 2135), as amended, the implementing regulations thereto 
(Title 6, Code of Federal Regulations, part 29) as amended, the 
applicable PCII Procedures Manual, as amended, and any supplementary 
guidance officially communicated by an authorized official of the 
Department of Homeland Security (including the PCII Program Manager 
or his/her designee);
    (iii) Sensitive Security Information (SSI) as defined in Title 
49, Code of Federal Regulations, part 1520, ``Protection of 
Sensitive Security Information,'' as amended, and any supplementary 
guidance officially communicated by an authorized official of the 
Department of Homeland Security (including the Assistant Secretary 
for the Transportation Security Administration or his/her designee) 
to include DHS MD 11056.1, ``Sensitive Security Information (SSI)'' 
and, within the Transportation Security Administration, TSA MD 
2010.1, ``SSI Program'';
    (iv) Homeland Security Agreement Information means information 
DHS receives pursuant to an agreement with state, local, tribal, 
territorial, and private sector partners that is required to be 
protected by that agreement. DHS receives this information in 
furtherance of the missions of the Department, including, but not 
limited to, support of the Fusion Center Initiative and activities 
for cyber information sharing consistent with the Cybersecurity 
Information Sharing Act;
    (v) Homeland Security Enforcement Information means unclassified 
information of a sensitive nature lawfully created, possessed, or 
transmitted by the Department of Homeland Security in furtherance of 
its immigration, customs, and other civil and criminal enforcement 
missions, the unauthorized disclosure of which could adversely 
impact the mission of the Department;
    (vi) International Agreement Information means information DHS 
receives pursuant to an information sharing agreement or arrangement 
with a foreign government, an international organization of 
governments or any element thereof, an international or foreign 
public or judicial body, or an international or foreign private or 
non-governmental organization, that is required by that agreement or 
arrangement to be protected;
    (vii) Information Systems Vulnerability Information (ISVI) 
means:
    (A) DHS information technology (IT) internal systems data 
revealing infrastructure used for servers, desktops, and networks; 
applications name, version and release; switching, router, and 
gateway information; interconnections and access methods; mission or 
business use/need. Examples of information are systems inventories 
and enterprise architecture models. Information pertaining to 
national security systems and eligible for classification under 
Executive Order 13526, will be classified as appropriate;
    (B) Information regarding developing or current technology, the 
release of which could hinder the objectives of DHS, compromise a 
technological advantage or countermeasure, cause a denial of 
service, or provide an adversary with sufficient information to 
clone, counterfeit, or circumvent a process or system;
    (viii) Operations Security Information means information that 
could constitute an indicator of U.S. Government intentions, 
capabilities, operations, or activities or otherwise threaten 
operations security;
    (ix) Personnel Security Information means information that could 
result in physical risk to DHS personnel or other individuals that 
DHS is responsible for protecting;
    (x) Physical Security Information means reviews or reports 
illustrating or disclosing facility infrastructure or security 
vulnerabilities related to the protection of Federal buildings, 
grounds, or property. For example, threat assessments, system 
security plans, contingency plans, risk management plans, business 
impact analysis studies, and certification and accreditation 
documentation;
    (xi) Privacy Information, which includes information referred to 
as Personally Identifiable Information (PII). PII means information 
that can be used to distinguish or trace an individual's identity, 
either alone, or when combined with other information that is linked 
or linkable to a specific individual; and
    (xii) Sensitive Personally Identifiable Information (SPII) is a 
subset of PII, which if lost, compromised, or disclosed without 
authorization, could result in substantial harm, embarrassment, 
inconvenience, or unfairness to an individual. Some forms of PII are 
sensitive as stand-alone elements.
    (A) Examples of stand-alone SPII include: Social Security 
numbers (SSN), driver's license or state identification number, 
Alien Registration Numbers (A-number), financial account number, and 
biometric identifiers such as fingerprint, voiceprint, or iris scan.
    (B) Additional examples of SPII include any groupings of 
information that contain an individual's name or other unique 
identifier plus one or more of the following elements:
    (1) Truncated SSN (such as last 4 digits)
    (2) Date of birth (month, day, and year)
    (3) Citizenship or immigration status
    (4) Ethnic or religious affiliation
    (5) Sexual orientation
    (6) Criminal history
    (7) Medical information
    (8) System authentication information such as mother's maiden 
name, account passwords or personal identification numbers (PIN)
    (C) Other PII may be SPII depending on its context, such as a 
list of employees and their performance ratings or an unlisted home 
address or phone number. In contrast, a business card or public 
telephone directory of agency employees contains PII but is not 
SPII.
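The stand-alone, grouping, and context rules in (xii)(A) through (C) above (and the parallel definition at 3002.101(12)) can be expressed as a data-classification check of the kind a DLP or data-inventory tool applies to a record schema. The following Python is an added example, not part of the rule and not a DHS tool; the field names (`ssn`, `dob`, `home_address`, and so on) are constructed labels for a hypothetical record layout, and the `public_context` flag is an assumption standing in for the business-card / public-directory case in (C).

```python
"""Rule-based PII/SPII classifier derived from the clause's (xi)-(xii) definitions.

Added example, not part of the HSAR text. Field names are constructed labels
for a hypothetical record schema; the decision rules follow (xii)(A)-(C).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# (xii)(A): PII elements that are SPII on their own.
STANDALONE_SPII: Set[str] = {
    "ssn",                 # full Social Security number
    "drivers_license",     # driver's license or state identification number
    "a_number",            # Alien Registration Number
    "financial_account",   # financial account number
    "fingerprint", "voiceprint", "iris_scan",  # biometric identifiers
}

# (xii)(B): elements that make a grouping SPII when paired with a name or
# other unique identifier.
GROUPING_SPII: Set[str] = {
    "ssn_last4", "dob", "citizenship_status", "ethnic_affiliation",
    "religious_affiliation", "sexual_orientation", "criminal_history",
    "medical_information", "mothers_maiden_name", "password", "pin",
}

# Fields that identify the individual within a grouping (assumed schema).
IDENTIFIERS: Set[str] = {"name", "employee_id", "unique_identifier"}

# (xii)(C): elements that are SPII only in a non-public context, such as an
# unlisted home address or a performance rating; the caller supplies context.
CONTEXT_SPII: Set[str] = {"home_address", "home_phone", "performance_rating"}


@dataclass
class Classification:
    level: str                                   # "SPII", "PII", or "NONE"
    reasons: List[str] = field(default_factory=list)


def classify_record(fields: Dict[str, object], public_context: bool = False) -> Classification:
    """Classify a record by the fields it actually populates.

    `fields` maps field name -> value. Empty values are ignored so a schema that
    merely *allows* an SSN column does not trigger by itself. `public_context`
    models (xii)(C): a public directory entry is PII but not SPII.
    """
    present = {k for k, v in fields.items() if v not in (None, "", [], {})}
    reasons: List[str] = []

    standalone = present & STANDALONE_SPII
    if standalone:
        reasons.append(f"stand-alone SPII element(s): {sorted(standalone)}")

    identifiers = present & IDENTIFIERS
    grouped = present & GROUPING_SPII
    if identifiers and grouped:
        reasons.append(f"identifier {sorted(identifiers)} grouped with {sorted(grouped)}")

    contextual = present & CONTEXT_SPII
    if identifiers and contextual and not public_context:
        reasons.append(f"context-sensitive element(s): {sorted(contextual)}")

    if reasons:
        return Classification("SPII", reasons)
    if identifiers or grouped or contextual:
        # Linkable to an individual but carrying no sensitive element: PII under (xi).
        return Classification("PII", ["linkable to an individual, no sensitive element"])
    return Classification("NONE", [])


if __name__ == "__main__":
    # Constructed sample records (not real data).
    business_card = {"name": "J. Doe", "title": "Analyst", "work_phone": "202-555-0100"}
    hr_record = {"name": "J. Doe", "dob": "1980-01-01", "ssn_last4": "1234"}
    for label, rec, public in (("business card", business_card, True), ("HR record", hr_record, False)):
        result = classify_record(rec, public_context=public)
        print(f"{label}: {result.level} {result.reasons}")
```

The check classifies by populated field names, not by inspecting values, so in practice it sits alongside content detection (for example, a pattern match that confirms an `ssn` column really holds SSNs). Empty values are deliberately ignored so that a table whose SSN column is null for every row is not flagged as holding stand-alone SPII.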
    ``Federal information'' means information created, collected, 
processed, maintained, disseminated, disclosed, or disposed of by or 
for the Federal Government, in any medium or form.
    ``Federal information system'' means an information system used 
or operated by an agency or by a contractor of an agency or by 
another organization on behalf of an agency.
    ``Handling'' means any use of controlled unclassified 
information, including but not limited to marking, safeguarding, 
transporting, disseminating, re-using, storing, capturing, and 
disposing of the information.
    ``Incident'' means an occurrence that--
    (i) actually or imminently jeopardizes, without lawful 
authority, the integrity, confidentiality, or availability of 
information or an information system; or
    (ii) constitutes a violation or imminent threat of violation of 
law, security policies, security procedures, or acceptable use 
policies.
    ``Information Resources'' means information and related 
resources, such as personnel, equipment, funds, and information 
technology.
    ``Information Security'' means protecting information and 
information systems from unauthorized access, use, disclosure, 
disruption, modification, or destruction in order to provide--
    (i) integrity, which means guarding against improper information 
modification or destruction, and includes ensuring information 
nonrepudiation and authenticity;
    (ii) confidentiality, which means preserving authorized 
restrictions on access and disclosure, including means for 
protecting personal privacy and proprietary information; and
    (iii) availability, which means ensuring timely and reliable 
access to and use of information.
    ``Information System'' means a discrete set of information 
resources organized for the collection, processing, maintenance, 
use, sharing, dissemination, or disposition of information.
    (b) Handling of Controlled Unclassified Information.
    (1) Contractors and subcontractors must provide adequate 
security to protect CUI

[[Page 6444]]

from unauthorized access and disclosure. Adequate security includes 
compliance with DHS policies and procedures in effect at the time of 
contract award. These policies and procedures are accessible at 
http://www.dhs.gov/dhs-security-and-training-requirements-contractors.
    (2) The Contractor shall not use or redistribute any CUI 
handled, collected, processed, stored, or transmitted by the 
Contractor except as specified in the contract.
    (3) The Contractor shall not maintain SPII in its invoicing, 
billing, and other recordkeeping systems maintained to support 
financial or other administrative functions. It is acceptable to 
maintain in these systems the names, titles and contact information 
for the Contracting Officer's Representative (COR) or other 
Government personnel associated with the administration of the 
contract, as needed.
    (4) Any Government data provided, developed, obtained under the 
contract, or otherwise under the control of the contractor, shall 
not become part of the bankruptcy estate in the event a contractor 
and/or subcontractor enters into bankruptcy proceedings.
    (c) Authority to Operate. This subsection is applicable only to 
Federal information systems, which includes contractor information 
systems operating on behalf of the agency. The Contractor shall not 
collect, process, store or transmit CUI within a Federal information 
system until an Authority to Operate (ATO) has been accepted and 
signed by the Component or Headquarters CIO, or designee. Once the 
ATO has been accepted and signed by the Government, the Contracting 
Officer shall incorporate the ATO into the contract as a compliance 
document. Unless otherwise specified in the ATO letter, the ATO is 
valid for three (3) years. An ATO is granted at the sole discretion 
of the Government and can be revoked at any time. Contractor receipt 
of an ATO does not create any contractual right of access or 
entitlement. The Government's acceptance of the ATO does not 
alleviate the Contractor's responsibility to ensure the information 
system controls are implemented and operating effectively.
    (1) Complete the Security Authorization process. The Security 
Authorization (SA) process shall proceed according to DHS Sensitive 
Systems Policy Directive 4300A (Version 12.0, September 25, 2015), 
or any successor publication; DHS 4300A Sensitive Systems Handbook 
(Version 12.0, November 15, 2015), or any successor publication; and 
the Security Authorization Process Guide including templates. These 
policies and templates are accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors.
    (i) Security Authorization Package. SA package shall be 
developed using the Government provided Requirements Traceability 
Matrix and SA templates. SA package consists of the following: 
Security Plan, Contingency Plan, Contingency Plan Test Results, 
Configuration Management Plan, Security Assessment Plan, Security 
Assessment Report, and Authorization to Operate Letter. Additional 
documents that may be required include a Plan(s) of Action and 
Milestones and Interconnection Security Agreement(s). The Contractor 
shall submit a signed copy of the SA package, validated by an 
independent third party, to the COR for acceptance by the 
Headquarters or Component CIO, or designee, at least thirty (30) 
days prior to the date of operation of the information system. The 
Government is the final authority on the compliance of the SA 
package and may limit the number of resubmissions of modified 
documents.
    (ii) Independent Assessment. Contractors shall have an 
independent third party validate the security and privacy controls 
in place for the information system(s). The independent third party 
shall review and analyze the SA package, and report on technical, 
operational, and management level deficiencies as outlined in NIST 
Special Publication 800-53 Security and Privacy Controls for Federal 
Information Systems and Organizations accessible at http://csrc.nist.gov/publications/PubsSPs.html. The Contractor shall 
address all deficiencies before submitting the SA package to the COR 
for acceptance.
    (2) Renewal of ATO. Unless otherwise specified in the ATO 
letter, the ATO shall be renewed every three (3) years. The 
Contractor is required to update its SA package as part of the ATO 
renewal process for review and verification of security controls. 
Review and verification of security controls is independent of the 
system production date and may include onsite visits that involve 
physical or logical inspection of the Contractor environment to 
ensure controls are in place. The updated SA package shall be 
submitted for acceptance by the Headquarters or Component CIO, or 
designee, at least 90 days before the ATO expiration date. The 
Contractor shall update its SA package by one of the following 
methods:
    (i) Updating the SA package in the DHS Information Assurance 
Compliance System; or
    (ii) Submitting the updated SA package directly to the COR.
    (3) Security Review. The Government may elect to conduct random 
periodic reviews to ensure that the security requirements contained 
in this contract are being implemented and enforced. The Government, 
at its sole discretion, may obtain the assistance from other Federal 
agencies and/or third-party firms to aid in security review 
activities. The Contractor shall afford DHS, the Office of the 
Inspector General, other Government organizations, and contractors 
working in support of the Government access to the Contractor's 
facilities, installations, operations, documentation, databases, 
networks, systems, and personnel used in the performance of this 
contract. The Contractor shall, through the Contracting 
Officer and COR, contact the Headquarters or Component CIO, or 
designee, to coordinate and participate in review and inspection 
activity by Government organizations external to the DHS. Access 
shall be provided, to the extent necessary as determined by the 
Government (including providing all requested images), for the 
Government to carry out a program of inspection, investigation, and 
audit to safeguard against threats and hazards to the integrity, 
availability and confidentiality of Government data or the function 
of computer systems used in performance of this contract and to 
preserve evidence of computer crime.
    (4) Federal Reporting and Continuous Monitoring Requirements. 
Contractors operating information systems on behalf of the 
Government shall comply with Federal reporting and information 
system continuous monitoring requirements. Reporting requirements 
are determined by the Government and are defined in the Fiscal Year 
2015 DHS Information Security Performance Plan, or successor 
publication, accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The plan is updated on an annual 
basis. Annual, quarterly, and monthly data collection will be 
coordinated by the Government. The Contractor shall provide the 
Government with all information to fully satisfy Federal reporting 
requirements for information systems. The Contractor shall provide 
the COR with requested information within three (3) business days of 
receipt of the request. Unless otherwise specified in the contract, 
monthly continuous monitoring data shall be stored at the 
Contractor's location for a period not less than one year from the 
date the data is created. The Government may elect to perform 
information system continuous monitoring and IT security scanning of 
information systems from Government tools and infrastructure.
    (d) Incident Reporting Requirements.
    (1) All known or suspected incidents shall be reported to the 
Component Security Operations Center (SOC) in accordance with 4300A 
Sensitive Systems Handbook Attachment F Incident Response. If the 
Component SOC is not available, the Contractor shall report to the 
DHS Enterprise SOC. Contact information for the DHS Enterprise SOC 
is accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor shall also notify the 
Contracting Officer and COR using the contact information identified 
in the contract. If the report is made by phone, or the email 
address for the Contracting Officer or COR is not immediately 
available, the Contractor shall contact the Contracting Officer 
immediately after reporting to the Component or DHS Enterprise SOC. 
All known or suspected incidents involving PII or SPII shall be 
reported within one hour of discovery. All other incidents shall be 
reported within eight hours of discovery.
    (2) The Contractor shall not include any CUI in the subject or 
body of any email. The Contractor shall transmit CUI using FIPS 140-
2 Security Requirements for Cryptographic Modules compliant 
encryption methods, accessible at http://csrc.nist.gov/groups/STM/cmvp/standards.html, to protect CUI in attachments to email. 
Passwords shall not be communicated in the same email as the 
attachment.
    (3) An incident shall not, by itself, be interpreted as evidence 
that the Contractor has failed to provide adequate information 
security safeguards for CUI, or has otherwise failed to meet the 
requirements of the contract.

[[Page 6445]]

    (4) If an incident involves PII or SPII, in addition to the 
incident reporting guidelines in 4300A Sensitive Systems Handbook 
Attachment F Incident Response, Contractors shall also provide as 
many of the following data elements as are available at the time 
the incident is reported, with any remaining data elements provided 
within 24 hours of submission of the initial incident report:
    (i) Data Universal Numbering System (DUNS);
    (ii) Contract numbers affected unless all contracts by the 
company are affected;
    (iii) Facility CAGE code if the location of the event is 
different than the prime contractor location;
    (iv) Point of contact (POC) if different than the POC recorded 
in the System for Award Management (address, position, telephone, 
email);
    (v) Contracting Officer POC (address, telephone, email);
    (vi) Contract clearance level;
    (vii) Name of subcontractor and CAGE code if this was an 
incident on a subcontractor network;
    (viii) Government programs, platforms or systems involved;
    (ix) Location(s) of incident;
    (x) Date and time the incident was discovered;
    (xi) Server names where CUI resided at the time of the incident, 
both at the Contractor and subcontractor level;
    (xii) Description of the Government PII or SPII contained within 
the system; and
    (xiii) Any additional information relevant to the incident.
    (e) Incident Response Requirements.
    (1) All determinations by the Department related to incidents, 
including response activities, notifications to affected individuals 
and/or Federal agencies, and related services (e.g., credit 
monitoring) will be made in writing by the Contracting Officer.
    (2) The Contractor shall provide full access and cooperation for 
all activities determined by the Government to be required to ensure 
an effective incident response, including providing all requested 
images, log files, and event information to facilitate rapid 
resolution of incidents.
    (3) Incident response activities determined to be required by 
the Government may include, but are not limited to, the following:
    (i) Inspections,
    (ii) Investigations,
    (iii) Forensic reviews,
    (iv) Data analyses and processing, and
    (v) Revocation of the Authority to Operate.
    (4) The contractor shall preserve and protect images of known 
affected information systems identified in paragraph (b) of this 
section and all relevant monitoring/packet capture data for at least 
90 days from submission of the incident report to allow DHS to 
request the media or decline interest.
    (5) The Government, at its sole discretion, may obtain 
assistance from other Federal agencies and/or third-party firms to 
aid in incident response activities.
    (f) PII and SPII Notification Requirements. This subsection is 
only applicable when an incident involves PII/SPII.
    (1) The Contractor shall have in place procedures and the 
capability to notify any individual whose PII and/or SPII was under 
the control of the Contractor or resided in the information system 
at the time of the incident not later than 5 business days after 
being directed to notify individuals, unless otherwise approved by 
the Contracting Officer. The method and content of any notification 
by the Contractor shall be coordinated with, and subject to prior 
written approval by the Contracting Officer utilizing the DHS 
Privacy Incident Handling Guidance accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor 
shall not proceed with notification unless directed in writing by 
the Contracting Officer.
    (2) Subject to Government analysis of the incident and the terms 
of its instructions to the Contractor regarding any resulting 
notification, the notification method may consist of letters to 
affected individuals sent by first class mail, electronic means, or 
general public notice, as approved by the Government. Notification 
may require the Contractor's use of address verification and/or 
address location services. At a minimum, the notification shall 
include:
    (i) A brief description of the incident;
    (ii) A description of the types of PII or SPII involved;
    (iii) A statement as to whether the PII or SPII was encrypted or 
protected by other means;
    (iv) Steps individuals may take to protect themselves;
    (v) What the Contractor and/or the Government are doing to 
investigate the incident, to mitigate the incident, and to protect 
against any future incidents; and
    (vi) Information identifying who individuals may contact for 
additional information.
    (g) Credit Monitoring Requirements. This subsection is only 
applicable when an incident involves PII/SPII. In the event that an 
incident involves PII or SPII, the Contractor may be directed by the 
Contracting Officer to:
    (1) Provide notification to affected individuals as described in 
paragraph (f).
    (2) Provide credit monitoring services to individuals whose PII 
or SPII was under the control of the Contractor or resided in the 
information system at the time of the incident for a period 
beginning the date of the incident and extending not less than 18 
months from the date the individual is notified. Credit monitoring 
services shall be provided from a company with which the Contractor 
has no affiliation. At a minimum, credit monitoring services shall 
include:
    (i) Triple credit bureau monitoring;
    (ii) Daily customer service;
    (iii) Alerts provided to the individual for changes and fraud; 
and
    (iv) Assistance to the individual with enrollment in the 
services and the use of fraud alerts.
    (3) Establish a dedicated call center. Call center services 
shall include:
    (i) A dedicated telephone number to contact customer service 
within a fixed period;
    (ii) Information necessary for registrants/enrollees to access 
credit reports and credit scores;
    (iii) Weekly reports on call center volume, issue escalation 
(i.e., those calls that cannot be handled by call center staff and 
must be resolved by call center management or DHS, as appropriate), 
and other key metrics;
    (iv) Escalation of calls that cannot be handled by call center 
staff to call center management or DHS, as appropriate;
    (v) Customized Frequently Asked Questions, approved in writing 
by the Contracting Officer in coordination with the Headquarters or 
Component Privacy Officer; and
    (vi) Information for registrants to contact customer service 
representatives and fraud resolution representatives for credit 
monitoring assistance.
    (h) Certificate of Sanitization of Government and Government-
Activity-Related Files and Information. Upon the conclusion of the 
contract by expiration, termination, cancellation, or as otherwise 
indicated in the contract, the Contractor shall return all CUI to 
DHS and/or destroy it physically and/or logically as identified in 
the contract. Destruction shall conform to the guidelines for media 
sanitization contained in NIST SP 800-88, Guidelines for Media 
Sanitization. The Contractor shall certify and confirm the 
sanitization of all Government and Government-Activity related files 
and information. The Contractor shall submit the certification to 
the COR and Contracting Officer following the template provided in 
NIST Special Publication 800-88, Guidelines for Media Sanitization, 
Appendix G.
    (i) Other Reporting Requirements. Incident reporting required by 
this clause in no way rescinds the Contractor's responsibility for 
other incident reporting pertaining to its unclassified information 
systems under other clauses that may apply to its contract(s), or as 
a result of other applicable U.S. Government statutory or regulatory 
requirements.
    (j) Subcontracts. The Contractor shall insert this clause in all 
subcontracts and require subcontractors to include this clause in 
all lower-tier subcontracts.


(End of clause)

7. Amend paragraph (b) of section 3052.212-70 to remove 3052.204-70 
Security Requirements for Unclassified Information Technology 
Resources; add Alternate II of 3052.204-71, Contractor Employee Access; 
and add 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, as follows:


3052.212-70   Contract terms and conditions applicable to DHS 
acquisition of commercial items.

Contract Terms and Conditions Applicable to DHS Acquisition of 
Commercial Items (Date)

* * * * *
    (b) * * *
    ____3052.204-71 Contractor Employee Access.

    ____Alternate I

    ____Alternate II

* * * * *

[[Page 6446]]

    ____3052.204-7X Safeguarding of Controlled Unclassified 
Information.

Soraya Correa,
Chief Procurement Officer, Department of Homeland Security.
[FR Doc. 2017-00758 Filed 1-18-17; 8:45 am]
 BILLING CODE 9110-9B-P



                                                      ‘‘sensitive information’’ is removed                    procedures can be accessed and (b)                     of persistent cyber-attacks and prevent
                                                      because it is being replaced with                       make clear the requirements for                        the compromise of CUI, including PII.


                                                 VerDate Sep<11>2014   20:40 Jan 18, 2017   Jkt 241001   PO 00000   Frm 00092   Fmt 4702   Sfmt 4702   E:\FR\FM\19JAP1.SGM   19JAP1


                                                                             Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules                                                  6431

                                                      These requirements include being in                     and assets against natural or man-made                 system based on the implementation of
                                                      compliance with the DHS policies and                    threats. This section sets forth                       an agreed-upon set of security controls.
                                                      procedures in effect at the time of                     information security requirements                         The independent assessment is used
                                                      contract award. These policies and                      contractors operating a Federal                        to validate the security and privacy
                                                      procedures are located on a public Web                  information system must meet prior to                  controls in place for the information
                                                      site titled DHS Security and Training                   collecting, processing, storing, or                    system prior to submission of the
                                                      Requirements for Contractors which can                  transmitting CUI in that information                   security authorization package to the
                                                      be accessed via http://www.dhs.gov/dhs-                 system as required by FISMA and set                    Government for review and acceptance.
                                                      security-and-training-requirements-                     forth in NIST Special Publication 800–                 Once an ATO is accepted and signed by
                                                      contractors. This Web site identifies                   53, Recommended Security and Privacy                   the Government, it is valid for three (3)
                                                      Departmental policies and procedures                    Controls for Federal Information                       years and must be renewed at that time
                                                      that contractors must comply with                       Systems and Organizations. The                         unless otherwise specified in the ATO
                                                      related to personnel security,                          requirements include completing the                    letter. The Government uses random
                                                      information security, IT security, and                  security authorization process,                        security reviews as an additional level
                                                      privacy. The Web site also identifies                   including the preparation of security                  of verification to ensure security
                                                      and provides contractors with access to                 authorization package and obtaining an                 controls are in place, enforced and
                                                      IT security awareness and privacy                       independent assessment; renewal of the                 operating effectively. The contractor
                                                      training. The policies and training                     security authorization; security review;               shall afford access to DHS, the Office of
                                                      requirements contained on this Web site                 and Federal reporting and continuous                   the Inspector General, other
                                                      are existing requirements that DHS                      monitoring.5                                           Government organizations, and
                                                      routinely includes in the terms and                        Security authorization involves                     contractors working in support of the
                                                      conditions of its contracts, some of                    comprehensive testing and evaluation of                Government access to the Contractor’s
                                                      which are pre-existing through HSAR                     security features (also known as                       facilities, installations, operations,
                                                      3052.204–70 Security Requirements for                   controls) of an information system. It                 documentation, databases, networks,
                                                      Unclassified Information Technology                     addresses software and hardware                        systems, and personnel used in the
                                                      Resources and 3052.204–71 Contractor                    security safeguards; considers                         performance of this contract to conduct
                                                      Employee Access. Part of the intent of                  procedural, physical, and personnel                    security reviews. In addition,
                                                      this proposed rulemaking is to increase                 security measures; and establishes the                 contractors operating information
                                                      transparency by consolidating these                     extent to which a particular design (or                systems on behalf of the Government
                                                      existing requirements in a single                       architecture), configuration, and                      shall comply with Federal reporting and
                                                      location that is easily accessible by the               implementation meets a specified set of                information system continuous
                                                      public. Changes to these policies and                   security requirements throughout the                   monitoring requirements. Reporting
                                                      procedures will be reflected on the Web                 life cycle of the information system. It               requirements are determined by OMB
                                                      site and changes that impact contract                   also considers procedural, physical, and               on an annual basis and are defined in
                                                      performance will be communicated to                     personnel security measures employed                   the Fiscal Year 2015 DHS Information
                                                      the contractor by the Government.                       to enforce information security policy.                Security Performance Plan.6 The plan is
                                                         Handling requirements also include                   The security authorization package                     updated annually to reflect any new or
                                                      not using or redistributing any CUI                     includes a Security Plan, Contingency                  revised reporting requirements from
                                                      collected, processed, stored, or                        Plan, Contingency Plan Test Results,                   OMB.
                                                      transmitted by the contractor, except as
                                                                                                              Configuration Management Plan,
                                                      specified in the contract and not                                                                              (d) Incident Reporting
                                                                                                              Security Assessment Plan, and Security
                                                      maintaining SPII in the contractor’s                                                                              This section sets forth incident
                                                                                                              Assessment Report. These documents
                                                      invoicing, billing, and other                                                                                  reporting requirements for contractors
                                                                                                              are used to record the results of the
                                                      recordkeeping systems maintained to                                                                            and subcontractors when reporting
                                                                                                              security authorization process and
                                                      support financial or other                                                                                     known or suspected incidents,
                                                                                                              provide evidence that the process was
                                                      administrative functions. DHS believes                                                                         including known or suspected incidents
                                                                                                              followed correctly. A Federal
                                                      that maintaining SPII in the contractor’s                                                                      that involve PII and/or SPII. The
                                                                                                              information system, which includes a
                                                      invoicing, billing, and other                                                                                  incident reporting requirements
                                                                                                              contractor information system operating
                                                      recordkeeping systems creates                                                                                  described in this section allow the
                                                      unnecessary risk of compromise and is                   on behalf of an agency, must be granted
                                                                                                              an Authority to Operate (ATO) before it                Department to gather the information
                                                      not otherwise needed to achieve
                                                                                                              is granted permission to collect, process,             necessary to formulate an effective
                                                      contract administration functions. DHS
                                                                                                              store, or transmit CUI. The ATO is the                 incident response plan for incident
                                                      welcomes comments regarding whether
                                                                                                              official management decision given by a                mitigation and resolution. These
                                                      other categories of CUI should be
                                                                                                              senior organizational official to                      requirements include: Reporting all
                                                      similarly excluded from a contractor’s
                                                                                                              authorize operation of an information                  known or suspected incidents to the
                                                      invoicing, billing, and other
                                                                                                                                                                     Component Security Operations Center
                                                      recordkeeping systems. Through these                      5 DHS is aware that NIST Special Publication         and notifying the contracting officer and
                                                      and other requirements set forth in the                 800–171, Protecting Controlled Unclassified            contracting officer’s representative of
                                                      proposed clause and discussed in detail                 Information in Nonfederal Information Systems and      the incident; reporting known or
                                                      in the following sections, the
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                                                                              Organizations, was released in June 2015 to provide
                                                                                                              federal agencies with recommended requirements         suspected incidents that involve PII or
                                                      Department believes that contractors
                                                                                                              for protecting the confidentiality of Controlled       SPII within one hour of discovery and
                                                      and subcontractors will provide                         Unclassified Information on non-Federal                all other incidents within eight hours of
                                                      adequate security from the unauthorized                 information systems; however, the information          discovery; encrypting CUI using FIPS
                                                      access and disclosure of CUI.                           system security requirements in this proposed
                                                                                                              rulemaking are focused on Federal information          140–2 Security Requirements for
                                                      (c) Authority To Operate                                systems, which include contractor information
                                                                                                              systems operating on behalf of an agency.                6 The Fiscal Year 2015 DHS Information Security
                                                         FISMA defines a comprehensive                        Consistent with 32 CFR part 2002, these                Performance Plan can be found at: http://
                                                      framework for ensuring the protection of                information systems are not subject to the             www.dhs.gov/dhs-security-and-training-
                                                      Government information, operations                      requirements of NIST Special Publication 800–171.      requirements-contractors.



                                                 VerDate Sep<11>2014   20:40 Jan 18, 2017   Jkt 241001   PO 00000   Frm 00093   Fmt 4702   Sfmt 4702   E:\FR\FM\19JAP1.SGM   19JAP1


                                                      6432                   Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules

                                                      Cryptographic Modules and refraining                    resided in the information system at the               unreasonable delay. This notification
                                                      from including CUI in the subject or                    time of the incident. The method and                   has often been delayed while detailed
                                                      body of any email; providing additional                 content of any notification by the                     forensic analysis and contract
                                                      data elements when reporting incidents                  Contractor shall be coordinated with,                  compliance inspections are occurring.
                                                      involving PII or SPII; and making clear                 and subject to prior written approval by               Under this new provision, notification
                                                      that an incident shall not, by itself, be               the Contracting Officer utilizing the                  and credit monitoring, when
                                                      interpreted as evidence that the                        DHS Privacy Incident Handling                          appropriate, will occur more rapidly as
                                                      contractor failed to provide adequate                   Guidance. When appropriate,                            it is not dependent upon any
                                                      information security safeguards for CUI.                notification of those affected and/or the              determination of contractor fault or
                                                         The timing for reporting incidents                   public allows those individuals affected               noncompliance. DHS is also aware that
                                                      involving PII or SPII is consistent with                by the incident the opportunity to take                sophisticated cyber-attacks can occur
                                                      OMB Memorandum M–07–16,                                 steps to help protect themselves. Such                 despite compliance with contract
                                                      Safeguarding Against and Responding to                  notification is also consistent with the               requirements. In these instances, even
                                                      the Breach of Personally Identifiable                   ‘‘openness principle’’ of the Privacy Act              though there is no contractor
                                                      Information. The timing for reporting                   which calls for agencies to inform                     noncompliance, there may still be a
                                                      incidents unrelated to PII or SPII was                  individuals about how their information                need to notify individuals and provide
                                                      derived from existing Departmental                      is being accessed and used, and may                    credit monitoring services.
                                                      policy for reporting incidents related to               help individuals mitigate the potential                Additionally, DHS wants to emphasize
                                                      other categories of CUI such as CVI,                    harms resulting from an incident.                      that the provisions for notification and
                                                      Protected Critical Infrastructure                          The Department realizes that there are              credit monitoring services are only
                                                      Information (PCII), and Sensitive                       existing state notification laws that                  applicable when (1) contractor and/or
                                                      Security Information (SSI). Controlled                  industry must also follow. Therefore,                  subcontractor employees may have
                                                      unclassified information is required to                 DHS welcomes comments regarding the                    access to PII/SPII or (2) information
                                                      be excluded from the subject or body of                 impact, if any, that existing state                    systems are used to collect, process,
                                                      an email and encrypted to prevent                       notification laws will have on industry’s              store, or transmit PII/SPII on behalf of
                                                      further compromise of the information                   ability to comply with this notification               the agency. DHS is considering
                                                      when reporting incidents. The                           requirement.                                           broadening the credit monitoring
                                                      additional data elements required when                                                                         requirement to include identity
                                                                                                              (g) Credit Monitoring
                                                      reporting incidents involving PII or SPII                                                                      protection, identity restoration, and
                                                      are needed to assist in the Department’s                   This section sets forth the                         related services. DHS welcomes
                                                      understanding of the incident and aid in                requirement that the contractor, when                  comments regarding the impact, if any,
                                                      an effective response. DHS also wants to                appropriate, is required to provide                    of this change.
                                                      encourage industry to timely report                     credit monitoring services, including
                                                      incidents to the Department by making                   call center services, if directed by the               (h) Certificate of Sanitization of
                                                      it clear that such reporting does not                   Contracting Officer, to any individual                 Government and Government-Activity
                                                      automatically mean the contractor has                   whose PII or SPII was under the control                Related Files and Information
                                                      failed to provide adequate security or                  of the contractor, or resided in the                     Upon the conclusion of the contract
                                                      otherwise meet the requirements of the                  information system, at the time of the                 by expiration, termination, cancellation,
                                                      contract.                                               incident for a period beginning the date               or as otherwise identified in the
                                                                                                              of the incident and extending not less                 contract, the Contractor must return all
                                                      (e) Incident Response                                   than 18 months from the date the                       CUI to DHS or destroy it physically or
                                                         This section identifies incident                     individual is notified. Credit monitoring              logically as identified in the contract.
                                                      response requirements and activities.                   is a commercial service that can assist                This destruction must conform to the
                                                      Incident response activities such as                    individuals in early detection of                      guidelines for media sanitization
                                                      inspections, investigations, forensic                   instances of identity theft. Credit                    contained in NIST SP–800–88,
                                                      reviews, etc. are used to quickly assess,               monitoring services notify individuals                 Guidelines for Media Sanitization.
                                                      remediate and protect CUI and are                       of changes that appear in their credit                 Further, the contractor must certify and
                                                      conducted whenever an incident is                       report, such as creation of new                        confirm sanitization of media using the
                                                      reported to DHS. The goal of these                      accounts, changes to their existing                    template provided in Appendix G of the
                                                      activities is to determine what data was                accounts or personal information, or                   publication.
                                                      or could have been accessed by an                       new inquiries for credit. Such
                                                      intruder, build a timeline of intruder                  notification affords individuals the                   (i) Other Reporting Requirements
activity, determine methods and techniques used by the intruder, find the initial attack vector, identify any features/aspects in the information security protections, and provide remediation recommendations to restore the protection of the data. Incident response activities may also include contract compliance analyses.

(f) PII and SPII Notification Requirements

This section sets forth the notification procedures and capability requirements for Contractors when notifying any individual whose PII and/or SPII was under the control of the Contractor or

opportunity to take steps to minimize any harm associated with unauthorized or fraudulent activity. The section is only applicable when an incident involves PII or SPII.

The Department deliberately made the provision of notification and credit monitoring services independent from an assessment of fault or lack of compliance with the contract terms and conditions. In accordance with OMB Memorandum M–07–16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, agencies have the responsibility to notify individuals whose PII or SPII may have been compromised without

The purpose of this section is to make clear that the requirements of this clause do not rescind the Contractor's responsibility for compliance with other applicable U.S. Government statutory or regulatory requirements that may apply to its contract(s).

(j) Subcontracts

This section requires that contractors insert the clause at 3052.204–7X Safeguarding of Controlled Unclassified Information in all subcontracts and require subcontractors to include this clause in all lower-tier subcontracts. The requirements of this clause are applicable to all contractors and


                                                                             Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules                                           6433

subcontractors that (1) will have access to CUI; (2) collect or maintain CUI on behalf of the agency; or (3) operate Federal information systems, including contractor information systems operated on behalf of the agency, to collect, process, store, or transmit CUI.

(5) Clause 3052.212–70, Contract Terms and Conditions Applicable to DHS Acquisition of Commercial Items, would be revised to remove 3052.204–70, Security Requirements for Unclassified Information Technology Resources; identify Alternate II as an option under subparagraph (b) of 3052.204–71 Contractor Employee Access; and add 3052.204–7X Safeguarding of Controlled Unclassified Information under subparagraph (b) of the clause. The addition of 3052.204–7X Safeguarding of Controlled Unclassified Information eliminates the need for 3052.204–70 Security Requirements for Unclassified Information Technology Resources. Because of this, 3052.204–70 would be removed and the clause number reserved. Alternate II to 3052.204–71 was inadvertently omitted as an option under the listing of clauses and alternates available for selection under 3052.212–70. This addition corrects that omission. Subparagraph (b) of 3052.212–70 would also be amended to add 3052.204–7X Safeguarding of Controlled Unclassified Information because the requirements of these clauses are applicable to the acquisition of commercial items.

(6) Other considerations. DHS is considering making changes to subpart 3004.470–3, Contract Clauses, and the clause at 3052.204–71, Contractor Employee Access. These changes would harmonize the text of the clause with the requirements of the final version of 3052.204–7X Safeguarding of Controlled Unclassified Information by removing outdated and/or unnecessary definitions (i.e., sensitive information and information technology resources); renumbering the paragraphs of the clause as a result of the removal of the definitions for the terms "sensitive information" and "information technology resources"; and making clear in the prescription for the clause the need for information security regardless of the setting, including educational institutions and contractor facilities. DHS believes that the protection of CUI is paramount regardless of where the information resides. DHS is also seeking comment on making the clause at 3052.204–7X, Safeguarding of Controlled Unclassified Information, applicable to all services contracts. DHS believes this broader applicability would ensure that contractors are aware of the Government's requirements related to CUI. In addition, the Government believes that the requirements of the clause are written in such a way that they would be self-deleting when they are not applicable to a solicitation or contract. DHS welcomes comments regarding the impact, if any, on including 3052.204–7X, Safeguarding of Controlled Unclassified Information, in all services contracts. DHS also welcomes comments and feedback on industry's understanding of the concept of self-deleting and whether the use of alternates to 3052.204–7X, Safeguarding of Controlled Unclassified Information, is needed to ensure proper understanding and application of the clause.

III. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

This proposed rule addresses the safeguarding requirements specified in the FISMA, OMB Circular A–130, Managing Information as a Strategic Resource, relevant NIST guidance, Executive Order 13556, Controlled Unclassified Information and its implementing regulation at 32 CFR part 2002, and multiple OMB Memoranda. DHS considered both the costs and benefits associated with the requirements of proposed clause Safeguarding of Controlled Unclassified Information, specifically those requirements believed to be of most import to industry, such as the requirement to: obtain an independent assessment, perform continuous monitoring, report all known and suspected incidents, provide notification and credit monitoring services in the event an incident impacts PII, document sanitization of Government and Government-activity-related files and information, as well as ensure overall compliance with the requirements of the proposed clause.

To determine the estimated costs of these requirements, DHS requested cost information from multiple vendors whose contracts with DHS include requirements similar to this proposed rule; obtained cost input from the Federal Risk and Authorization Management Program (FedRAMP), for which DHS is a participant; reviewed the Congressional Budget Office (CBO) Cost Estimate for the Personal Data Protection and Breach Accountability Act of 2011; reviewed pricing from the General Services Administration's (GSA) recently awarded Identity Protection Services (IPS) blanket purchase agreements (BPAs); and reviewed internal price data from DHS's Managed Compliance Services and notification and credit monitoring services contracts. These activities identified that: (1) the cost of an independent assessment can range from $30,000 to $150,000 with an average cost of $112,872; (2) the equipment costs to perform continuous monitoring can range from $76,340 to $350,000 with an average cost of $213,170, while the labor costs to perform continuous monitoring can range from $47,000 to $65,000 for an average cost of $55,674; (3) the cost of reporting an incident to DHS ranges between $500 and $1,500 per incident; (4) the cost of notifying individuals that there has been an incident with their PII ranges from $1.03 to $4.60 per person; (5) the cost of credit monitoring services ranges between $60 and $260 per person; (6) a specific cost for the certificate of sanitization of Government and Government-Activity-Related files and information cannot be determined, as the methods of sanitization vary widely depending on the categorization of the system and the media on which the data is stored; and (7) costs associated with Full-time Equivalent (FTE) oversight of the requirements of proposed clause Safeguarding of Controlled Unclassified Information range from $65,000 to $324,000. Detailed information on how DHS arrived at these costs and ranges is provided below.

There are a multitude of benefits associated with the requirements of proposed clause Safeguarding of Controlled Unclassified Information. These benefits impact both DHS and contractors with which it conducts business. Benefits related to specific provisions of the proposed clause are addressed below; however, it is important to note the overarching benefit of transparency. While several of the requirements of the proposed clause have been routinely included in DHS contracts (e.g., Authority to Operate, notification, and credit monitoring), this proposed rulemaking standardizes the applicability of these requirements and



makes clear to contractors considering doing business with DHS the standards and requirements to which they will be held as it relates to the (1) handling of the Department's CUI, (2) security requirements when such information will be collected or maintained on behalf of the agency or collected, processed, stored, or transmitted in a Federal information system, including contractor information systems operating on behalf of the agency, and (3) potential notification and credit monitoring requirements in the event of an incident that impacts personally identifiable information (PII) and/or sensitive PII (SPII). The current lack of standardization and transparency has been a point of contention for industry and a common concern raised when DHS has requested feedback from industry.

Overview of Costs

Independent Assessment

DHS is proposing that vendors obtain an independent assessment to validate the security and privacy controls in place for an information system prior to submission of the security authorization package to the Government for review and acceptance. In general, when assessing compliance with a standard or set of requirements, there are three alternatives: (1) first party attestation or self-certification, (2) second party attestation (i.e., internal independent), or (3) third party attestation. While the first two options may be considered the least economically burdensome, third party attestation is an accepted best practice in commercial industry, as objectivity increases with independence. DHS is proposing to require that vendors obtain an independent assessment from a third party to ensure a truly objective measure of an entity's compliance with the requisite security and privacy controls. Recent high-profile breaches of Federal information further demonstrate the need for Departments, agencies, and industry to ensure that information security protections are clearly, effectively, and consistently addressed and appropriately implemented in contracts. Additionally, the benefits of using a third party to perform an independent assessment also extend to the contractor, as the contractor can use the results of the independent assessment to demonstrate its cybersecurity excellence for customers other than DHS.

The cost of an independent assessment varies widely depending upon the complexity of the information system, the categorization of the information system (low, moderate, or high impact), and the sophistication of the contractor. Additionally, DHS does not have a mechanism to track the costs of independent assessments performed under its contracts. Because of the multiple factors that influence the cost of an independent assessment and the lack of a tracking mechanism for associated costs, DHS is unable to identify with specificity the costs of implementing this requirement. As such, we sought to identify a range of costs based on the actual data we were able to access. DHS performed the following activities to obtain this data:

• Requested cost information from multiple vendors whose contracts with DHS require an independent assessment as part of the security authorization process;
• Obtained cost input from FedRAMP, for which DHS is a participant, as the program requires cloud service providers to obtain an independent assessment from a Third Party Assessment Organization; and
• Reviewed internal data from DHS's Managed Compliance Services contract. DHS uses this contract to perform internal independent assessments.

The cost information received from DHS vendors ranged from $30,000 to $123,615. The vendors whose costs were on the higher end of this range included costs for the independent party as well as internal labor costs associated with performing the independent assessment, whereas the vendor on the low end of the spectrum did not. FedRAMP data indicates the estimated cost of an independent assessment to be approximately $150,000, while costs under DHS's internal contract for this service range between $35,000 and $45,000. When considering the data from DHS's internal contract for independent assessment services, it is important to note that these figures do not capture the labor costs of the Government employees involved in the process, as the Government does not typically track the costs incurred for services performed by its own workforce. Because of this, it is both anticipated and expected that contractor costs for independent assessments will exceed the costs the Government incurs, as contractor costs typically include not only the cost of the independent third party but also internal labor costs to facilitate the independent assessment and resolve any resultant findings.

Based on the above data points, the cost of an independent assessment can range from $30,000 to $150,000, or an average cost of $112,872. Because it seems likely that most vendors will have to account for necessary staff time, the average cost was developed by averaging only those cost estimates that included both internal and external labor costs. Neither the range nor the average cost identified is absolute, as there are multiple factors that influence the cost of this service. Internal historical data indicates it takes approximately 162 labor hours to complete an independent assessment. This adds to the variance, as the costs are dependent upon the labor categories and rates used to perform the assessment. Also, it is important to note that the assessment is required to be performed by an independent party. As such, the actual cost of the assessment is largely dependent upon agreements that the contractor is responsible for negotiating. Contractors with preexisting relationships with entities that perform independent assessments may be able to obtain more competitive pricing. Contractors new to this requirement may not. DHS welcomes comments from industry regarding the estimated costs associated with compliance with the requirement to obtain an independent assessment.

Continuous Monitoring

Proposed clause Safeguarding of Controlled Unclassified Information requires that contractors operating Federal information systems, which includes contractor information systems operating on behalf of the Government, or maintaining or collecting information on behalf of the Government, comply with information system continuous monitoring requirements. Continuous monitoring is not a new requirement for DHS contractors. Existing HSAR clause 3052.204–70, Security Requirements for Unclassified Information Technology Resources, requires contractors to comply with DHS Sensitive System Policy Publication 4300A. This publication and its implementing guidance address continuous monitoring requirements. DHS is seeking to be more clear and transparent with contractor requirements by expressly identifying this requirement in proposed clause Safeguarding of Controlled Unclassified Information.

The costs associated with continuous monitoring are not fixed and can vary widely. For example, a contractor that has previously gone through DHS's security authorization process is more likely to have in place the hardware, software, and personnel to perform continuous monitoring. In this instance, the costs associated with performing this requirement would be lower than those of a contractor that does not have preexisting hardware, software, and



personnel in place to satisfy these requirements.

Because of the multiple factors that influence the cost of continuous monitoring, DHS is unable to identify with specificity the costs of implementing this requirement. As such, we sought to identify a range of costs based on the actual data we were able to access. DHS performed the following activities to obtain this data:

• Requested cost information from multiple vendors whose contracts with DHS include similar continuous monitoring requirements; and

• Reviewed internal historical data.

The cost information received from DHS vendors ranged from $65,000 to $397,000. Vendors on the lower end of this range already had the hardware and software in place to perform continuous monitoring as the costs proposed only include labor. Alternatively, the vendors on the higher end of this range documented costs associated with hardware, software, and labor. For example, the cost breakdown from the vendor that reported costs of $397,000 included a one-time equipment fee of $350,000 and annual labor costs of $47,000. Alternatively, the vendor that submitted costs of $65,000 only proposed labor costs and is using preexisting hardware and software to perform continuous monitoring.

A review of internal historical data indicates the cost of continuous monitoring ranges from $6,000 to $18,000. It is important to note that the internal historical data assumes the vendor has the appropriate tools to perform continuous monitoring (e.g., the ability to scan their assets) and does not include costs for the labor required to support continuous monitoring activities. It is both anticipated and expected that in many instances contractor costs for continuous monitoring will exceed the costs the Government incurs for the same service as contractor costs include the costs of hardware/software to perform continuous monitoring as well as labor costs to support continuous monitoring activities.

Using the above data points, the equipment costs to perform continuous monitoring can range from $76,340 to $350,000 with an average cost of $213,170. The average cost was developed by averaging the equipment costs received. Alternatively, labor costs to perform continuous monitoring can range from $47,000 to $65,000 for an average cost of $55,674. The average cost was developed by averaging the labor costs received. Please note these ranges and average costs are not absolute as the costs associated with continuous monitoring vary based on the tools (i.e., hardware or software) and methods (e.g., internal staff, contractor support, new hires) the contractor uses to implement the continuous monitoring requirements. The Government anticipates costs will decline over time as contractors become more sophisticated and build the necessary infrastructure to support this activity. DHS welcomes comments from industry regarding the estimated costs associated with compliance with the requirement to perform continuous monitoring.

Incident Reporting

This proposed rule requires contractors to report known or suspected incidents that involve PII or sensitive PII (SPII) within one hour of discovery and all other incidents (i.e., those incidents impacting any other category of CUI) within eight hours of discovery. DHS specifically included language in the regulatory text stating that an incident shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information security safeguards for CUI, or has otherwise failed to meet the requirements of the contract. This language was added because DHS understands that sophisticated cyber-attacks can occur despite compliance with contract requirements.

The cost to prepare and report an incident to DHS varies based on the type(s) of information impacted by the incident and the complexity of the incident. Proposed clause Safeguarding of Controlled Unclassified Information requires incidents to be reported to the Component Security Operations Center (SOC), or the DHS Enterprise SOC if the Component SOC is unavailable, in accordance with 4300A Sensitive Systems Handbook Attachment F Incident Response. However, if PII is impacted by the incident, the contractor must provide additional information in its incident report. Also, for incidents that impact multiple systems or multiple components of a system, it may take the contractor more resources (e.g., time) to obtain some of the data points that are required to be provided when reporting an incident.

To determine the cost of preparing and reporting an incident, DHS performed the following activities:

• Requested cost information from multiple vendors whose contracts with DHS include similar incident reporting requirements; and

• Reviewed internal historical data.

It was difficult to use the information submitted by the vendors queried to establish an estimated cost. The information provided either included both incident reporting and incident response (i.e., investigation and remediation activities) or annual training and testing requirements. Because of this we had to rely on internal historical data to establish an estimate solely responsive to the incident reporting requirements identified in the proposed clause. This data indicates the estimated cost of reporting an incident to DHS ranges between $500 and $1,500 per incident. DHS estimates that 822 vendors are subject to the requirements of this proposed rule and that each vendor may report up to one known or suspected incident per year for a total estimated cost range of $411,000 to $1,233,000. DHS welcomes comments from industry regarding the estimated costs associated with incident reporting.

Notification and Credit Monitoring

In the event of an incident that impacts PII/SPII, it may be necessary to perform certain incident response activities such as notification and credit monitoring. Contractors should not assume that all incident response activities will take place when a known or suspected incident is reported to DHS as the determination on the appropriate incident response activities is based upon investigation of the known or suspected incident. DHS uses a deliberative process to investigate and determine if an incident has occurred. This process begins with the contractor's submission of an incident report to the Component or DHS SOC. The SOC staff use the incident report information to investigate and determine if an actual incident occurred. More often than not, an incident has not occurred and further incident response activities are not needed. If the SOC determines that an incident has occurred, additional investigation and analyses happen to determine the nature and scope of the incident and US-CERT is engaged as necessary. If the incident involves PII/SPII, the Government will determine if notification and the provision of credit monitoring services is appropriate. DHS believes notification and credit monitoring, when appropriate, will occur more rapidly as the provision of these services is no longer dependent upon any determination of contractor fault or noncompliance.

To determine the cost of notifying individuals, DHS performed the following activities:

• Requested cost information from multiple vendors whose contracts with

[[Page 6436]]

DHS include similar notification requirements;

• Reviewed pricing from DHS's department-wide contract for credit monitoring services;

• Reviewed the CBO Cost Estimate for the Personal Data Protection and Breach Accountability Act of 2011;

• Reviewed pricing from the GSA's recently awarded IPS BPAs; and

• Reviewed GSA's Professional Services Schedule, Financial and Business Solutions, Category 520 19 Data Breach Analysis.

The cost information we received from DHS vendors indicates that vendors price these requirements using different methods. One vendor bundled the cost of notification in its continuous monitoring costs while another bundled these costs with those associated with incident reporting. In these instances we are unable to determine which portion of the costs is associated with the notification requirements. The cost submitted by the one vendor that separately priced this requirement was $4.06 per person. The pricing for notification in the Department's internal contract for credit monitoring services is significantly lower than the costs proposed by DHS's vendors, i.e., $1.57 per person.

While the CBO report referenced above did not provide a cost estimate for notification, the following information was provided: "According to industry sources, the sensitive, personally identifiable information of millions of individuals is illegally accessed or otherwise breached every year. However, according to those sources, 46 states already have laws requiring notification in the event of a security breach. In addition, it is the standard practice of most businesses to notify individuals if a security breach occurs. Therefore, CBO estimates that the notification requirements would not impose significant additional costs on businesses."

GSA's IPS BPAs contain bundled fixed unit pricing for services that not only exceed the requirements of proposed clause Safeguarding of Controlled Unclassified Information (i.e., dedicated, branded Web site; identity restoration services; and identity theft insurance services) but also include notification. As such, DHS is unable to determine which portion of the fixed unit price is applicable to notification services. A review of GSA's Professional Services Schedule indicates only two vendors with specific pricing for notification services. This includes the vendor for which DHS has a Department-wide contract for credit monitoring and notification services. Pricing for the other vendor is $0.54 per letter plus postage, i.e., $1.03. Based on this data, the cost of notifying individuals that there has been an incident with their PII ranges from $1.03 to $4.60 per person. DHS welcomes comments from industry regarding the estimated costs associated with compliance with the requirement to provide notification services.

Proposed clause Safeguarding of Controlled Unclassified Information requires contractors to provide credit monitoring services, including call center services, if directed by the Contracting Officer, to any individual whose PII/SPII was under the control of the contractor, or resided in the information system, at the time of the incident for a period beginning the date of the incident and extending not less than 18 months from the date the individual is notified.

The costs associated with this requirement vary depending on the method the contractor uses to provide services. For example, some contractors choose to satisfy this requirement through cyber insurance while others choose to subcontract these services with credit monitoring service providers. To estimate a cost for credit monitoring services, DHS performed the following activities:

• Requested cost information from multiple vendors whose contracts with DHS include similar credit monitoring requirements;

• Reviewed pricing from DHS's department-wide contract for credit monitoring services;

• Reviewed the CBO Cost Estimate for the Personal Data Protection and Breach Accountability Act of 2011; and

• Reviewed pricing from the General Services Administration's (GSA) recently awarded Identity Protection Services (IPS) blanket purchase agreements (BPAs).

The cost information we received from DHS vendors indicates that vendors satisfy these requirements using different methods. One vendor used cyber insurance while others satisfied this requirement through subcontracts with credit monitoring service providers. In instances where subcontracts are used, the pricing ranged from $61.71 to $260 per person. We assume that this variance in cost stems from the vendor's ability to negotiate favorable pricing with its subcontractors. It is also important to note that credit monitoring service providers frequently offer volume discounts that can lower the costs of services. However, all vendors under contracts with DHS may not be able to capitalize on these discounts as the amount of PII provided to a contractor is based upon the services being provided and can vary greatly from contract to contract.

The pricing in the Department's internal contract for credit monitoring services is significantly lower than the costs proposed by DHS's vendors, i.e., $1.89 per person. It is important to note that DHS was able to obtain such favorable pricing because the cost of credit monitoring services is paid for everyone that receives notification of the incident without regard to their actual acceptance/request for credit monitoring. According to the CBO report referenced above, "[t]he cost of bulk purchases of the credit-monitoring or reporting services is about $60 per person according to credit industry professionals."

As it relates to GSA's IPS BPAs, the published price lists do not mirror the credit monitoring provisions of DHS's proposed clause Safeguarding of Controlled Unclassified Information. For example, the IPS BPAs contain bundled fixed unit pricing for services that exceed the requirements of the proposed clause (i.e., dedicated, branded Web site; identity restoration services; and identity theft insurance services). Additionally, the pricing includes volume discounts based on the number of individuals receiving services. The prices ranged from $12.21 (per person per year if 10,000 to 24,999) to $38 (per person per year if more than 10,000).

Based on the aforementioned information, DHS believes the most likely costs for these services range between $60 and $260 per person. DHS welcomes comments from industry regarding the estimated costs associated with compliance with the requirement to provide credit monitoring. DHS also requests feedback from industry on how many individuals typically sign up for credit monitoring after being notified that an incident has occurred that impacts their PII/SPII.

Certificate of Sanitization

Proposed clause Safeguarding of Controlled Unclassified Information requires contractors to return all CUI to DHS and certify and confirm the sanitization of all Government and Government-Activity related files and information. Destruction must conform to the guidelines for media sanitization contained in NIST SP 800-88, Guidelines for Media Sanitization. The contractor is also required to use the template provided in NIST Special Publication 800-88, Guidelines for Media Sanitization, Appendix G when

[[Page 6437]]

                                                      submitting the Certificate of                           in its employee(s) responsible for                     Traceability to Matrix (RTM) contractors
                                                      Sanitization.                                           ensuring compliance with these                         will know at the solicitation level the
                                                        NIST SP 800–88 identifies the proper                  requirements. It is anticipated that these             security requirements for which they
                                                      and applicable techniques and controls                  costs will be passed on to the                         must comply. The RTM identifies the
                                                      for sanitization and disposal decisions,                Department, and that over time these                   security controls that must be
                                                      considering the security categorization                 vendors will become more sophisticated                 implemented on an information system
                                                      of the associated system’s                              in this area and costs will decline. It is             that collects, processes, stores, or
                                                      confidentiality. Applicable sanitization                also important to note that the                        transmits CUI and is necessary for the
                                                      methods depend on the media in which                    information security measures proposed                 contractor to prepare its security
                                                      the data is stored. Following                           in this rulemaking are quite similar to                authorization package. Clear
                                                      sanitization, NIST SP 800–88 requires a                 those industry already employs internal                identification of these requirements at
                                                      certificate of media disposition to be                  to their business operations. However,                 the solicitation level affords contractors
                                                      completed for each piece of electronic                  based on the feedback we received from                 the ability to (1) assess their
                                                      media that has been sanitized. The                      vendors, the costs associated with FTE                 qualifications and ability to fully meet
                                                      proposed clause Safeguarding of                         oversight of these requirements ranges                 the Government’s requirements, (2)
                                                      Controlled Unclassified Information                     from $65,000 to $324,000. This range is                make informed business decisions when
                                                      requires contractors to certify that                    not absolute as it is entirely dependent               deciding to compete on Government
                                                      applicable media have been sanitized                    upon the vendor’s approach to                          requirements, and (3) engage
                                                      using the template provided in                          oversight, i.e., a single individual,                  subcontractors, if needed, early in the
                                                      Appendix G of NIST SP 800–88. In                        multiple personnel, and the seniority of               process to enable them the ability to be
                                                      short, this template states that a system               the position, all of which directly                    fully responsive to the Government’s
                                                      or hardware has been sanitized of all                   impact costs. Also, it is important to                 requirements. Similarly, the
                                                      information. The costs associated with                  note that requirements of this type are                Government benefits from clear
                                                      media sanitization do not arise from                    generally not priced as a separate line                identification of its requirements.
                                                      completion of the template. The costs                   item and are typically captured in                     Presumably, proposals/quotations will
                                                      arise from the sanitization activities                  overhead estimates. As such, DHS does                  be submitted by contractors fully
                                                      themselves. A specific cost cannot be                   not have clear insight into the costs                  qualified and able to meet the
                                                      provided as the methods of sanitization                 associated with this requirement. DHS                  requirements of the effort. During the
                                                      vary widely depending on the                            welcomes comments from industry                        evaluation phase of a procurement, the
                                                      categorization of the system and the                    regarding the estimated costs associated               Government will be able to assess a
                                                      media on which the data is stored. DHS                  with ensuring proper oversight and                     contractor’s information security
                                                      requests comments from industry                         compliance with the requirements of                    posture and ability to comply with the
                                                      regarding the estimated costs associated                proposed clause Safeguarding of                        requirements of the RTM. Such an
                                                      with compliance with the requirement                    Controlled Unclassified Information.                   evaluation should reduce post-award
                                                      to sanitize Government and                                                                                     delays in contractor performance and
                                                      Government-Activity-Related files and                   Overview of Benefits                                   mitigate the need to reissue solicitations
                                                      information.                                            Clear Notification of System                           as a result of a contractor’s inability to
                                                      Oversight and Compliance                                Requirements                                           comply with mandatory security
                                                                                                                                                                     requirements.
                                                        As discussed above, the costs                            Feedback from industry has
                                                      associated with oversight and                           consistently indicated the need for                    Improved Notification to the Public
                                                      compliance with the requirements                        transparency and clear and concise                     Regarding Data Breaches
                                                      contained in proposed clause                            requirements as it relates to information                Proposed clause Safeguarding of
                                                      Safeguarding of Controlled Unclassified                 security. The requirements of proposed                 Controlled Unclassified Information
                                                      Information are not easily quantifiable.                clause Safeguarding of Controlled                      requires contractors to have in place
                                                      Implementation costs stem directly from                 Unclassified Information is, in part,                  procedures and the capability to notify
                                                      a vendor’s pre-existing information                     intended to satisfy this request.                      any individual whose PII) and/or SPII
                                                      security posture. Several vendors,                      Previously information security                        was under the control of the contractor
                                                      particularly those operating in the IT                  requirements were either imbedded in a                 or resided in the information system at
                                                      space, have been complying with these                   requirements document (i.e., Statement                 the time of an incident no later than 5
                                                      requirements for years. In these                        of Work, Statement of Objectives, or                   business days after being directed to
                                                      instances, the vendors have the existing                Performance Work Statement) or                         notify individuals, unless otherwise
                                                      infrastructure (i.e., hardware, software,               identified through existing HSAR clause                approved by the contracting officer.
                                                      and personnel) to implement these                       3052.204–70, Security Requirements for                 Such a requirement is consistent with
                                                      requirements and implementation costs                   Unclassified Information Technology                    OMB Memorandum M–07–16,
                                                      are lower. The same is also true for                    Requirements. This approach (1) created                Safeguarding Against and Responding
                                                      many vendors that provide professional                  inconsistencies in the identification of               to the Breach of Personally Identifiable
                                                      services to the Government and use IT                   information security requirements for                  Information, which states that agencies
                                                      to provide those services. Alternatively,               applicable contracts, (2) required the                 have the responsibility to notify
                                                      vendors with less experience and                        identification and communication of                    individuals whose PII or SPII may have
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                      capability in this area will incur costs                security controls for which compliance                 been compromised without
                                                      associated with procuring the hardware                  was necessary after contract award had                 unreasonable delay. In the past, this
                                                      and software necessary to implement                     been made, and (3) resulted in delays in               notification has often been delayed
                                                      these requirements, as well as the labor                contract performance.                                  while detailed forensic analysis and
                                                      costs associated with any new personnel                    Proposed clause Safeguarding of                     contract compliance inspections are
                                                      needed to implement and oversee these                   Controlled Unclassified Information                    occurring. Under this new provision,
                                                      requirements. Costs will vary depending                 substantially mitigates the concerns                   notification and credit monitoring,
                                                      on the hardware and software selected                   with DHS’s previous approach. Through                  when appropriate, will occur more
                                                      and the skill set each contractor requires              the Government provided Requirements                   rapidly as it is not dependent upon any


                                                 VerDate Sep<11>2014   20:40 Jan 18, 2017   Jkt 241001   PO 00000   Frm 00099   Fmt 4702   Sfmt 4702   E:\FR\FM\19JAP1.SGM   19JAP1


                                                      6438                   Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules

                                                      determination of contractor fault or                    Protection and Programs Directorate’s                  including attempts to gain unauthorized
                                                      noncompliance.                                          Office of Cybersecurity and                            access to CUI collected or maintained by
                                                         The content and method of any                        Communications, are also responsible                   or on behalf of an agency and
                                                      notification sent by a contractor must be               for the identification and sharing of                  information systems that collect,
                                                      coordinated with and approved by the                    cyber threat indicators. These cyber                   process, store, or transmit such
                                                      contracting officer. At a minimum, this                 threat indicators and defensive                        information, has prompted the
                                                      notification must include: A brief                      measures are shared among federal and                  Government to expand its cybersecurity
                                                      description of the incident; a                          non-federal entities consistent with the               efforts across the Federal landscape.
                                                      description of the types of PII or SPII                 need to protect information systems                    Part of the DHS mission is to protect the
                                                      involved; a statement as to whether the                 from cybersecurity threats, mitigate                   nation’s cybersecurity and to coordinate
                                                      PII or SPII was encrypted or protected                  cybersecurity threats, and comply with                 responses to cyber-attacks and security
                                                      by other means; steps individuals may                   any other applicable provisions of law                 vulnerabilities. As part of that mission,
                                                      take to protect themselves; what the                    authorized by the Cybersecurity                        DHS is proposing to amend the HSAR
                                                      contractor and/or the Government are                    Information Sharing Act of 2015.                       to expand its current security measures
                                                      doing to investigate the incident, to                   Because of this mission requirement,                   for safeguarding CUI to include
                                                      mitigate the incident, and to protect                   DHS is not only concerned with actors                  additional requirements for the
                                                      against any future incidents; and                       who are successful in breaching our                    safeguarding of CUI that is accessed by
                                                      information identifying who individuals                 defenses, we are also concerned with                   contractors, collected or maintained by
                                                      may contact for additional information.                 attempts to breach those defenses.                     contractors on behalf of the agency, and
                                                      Such notification is consistent with the                Knowledge of these attempts enables us                 Federal information systems, which
                                                      ‘‘openness principle’’ of the Privacy Act               to perform any necessary investigations                includes contractor information systems
                                                      which calls for agencies to inform                      and determine/establish new                            operating on behalf of the Government,
                                                      individuals about how their information                 procedures to strengthen our defenses                  that collect, process, store or transmit
                                                      is being accessed and used, and may                     and prevent them from becoming                         CUI. These proposed revisions to the
                                                      help individuals mitigate the potential                 successful. This information is then in                HSAR are necessary to ensure the
                                                      harms resulting from an incident.                       turn shared with the interagency and                   integrity, confidentiality, and
                                                      Provision of Credit Protection to                       non-Federal entities to enable them to                 availability of CUI.
                                                      Impacted Individuals                                    take the necessary measures to be able                 2. Succinct Statement of the Objectives
                                                                                                              to defend against similar attacks.                     of, and Legal Basis for, the Rule
                                                        Proposed clause Safeguarding of
                                                      Controlled Unclassified Information                     Improved Incident Response Time                           The objective of this rule is to expand
                                                      requires contractors to provide credit                     Previously contractors were not                     on existing Departmental IT security
                                                      monitoring services, including call                     consistently provided with specific                    requirements. These existing IT security
                                                      center services to any individual whose                 incident reporting timelines. As such,                 requirements are provided in the clause
                                                      PII or SPII was under the control of the                the timeliness of incident reporting was               at HSAR 3052.204–70, Security
                                                      contractor, or resided in the information               determined by the contractor.                          Requirements for Unclassified
                                                      system, at the time of the incident for a               Standardizing incident reporting                       Information Technology Resources, and
                                                      period beginning on the date of the                     timelines through proposed clause                      applicable DHS policy and guidance.
                                                      incident and extending not less than 18                 Safeguarding of Controlled Unclassified                The existing clause is more narrowly
                                                      months from the date the individual is                  Information ensures timely incident                    focused on information systems
                                                      notified when directed by the                           reporting. Timely reporting of incidents               connected to a DHS network or operated
                                                      contracting officer. Credit monitoring                  is critical to prevent the impact of the               by a contractor for DHS. This rule
                                                      services can be particularly beneficial to              incident from expanding, ensure                        proposes to remove the existing clause
                                                      the affected public as they can assist                  incident response and mitigation                       and provide a new expanded clause.
                                                      individuals in the early detection of                   activities are undertaken quickly, and                 Unlike the existing clause, this
                                                      identity theft as well as notify                        ensure individuals are timely notified of              proposed rule extends the scope to
                                                      individuals of changes that appear in                   the possible or actual compromise of                   require that CUI be safeguarded
                                                      their credit report, such as creation of                their personally identifiable information              wherever such information resides,
                                                      new accounts, changes to their existing                 and offered credit monitoring services                 including government-owned and
                                                      accounts or personal information, or                    when applicable.                                       operated information systems,
                                                      new inquiries for credit. Such                                                                                 government-owned and contractor
                                                      notification affords individuals the                    IV. Regulatory Flexibility Act                         operated information systems,
                                                      opportunity to take steps to minimize                      DHS expects this proposed rule may                  contractor-owned and/or operated
                                                      any harm associated with unauthorized                   have a significant economic impact on                  information systems operating on behalf
                                                      or fraudulent activity.                                 a substantial number of small entities                 of the Government, and any situation
                                                                                                              within the meaning of the Regulatory                   where contractor and/or subcontractor
                                                      Incident Reporting                                                                                             employees may have access to CUI
                                                                                                              Flexibility Act, 5 U.S.C. 601, et seq.
                                                        Proposed clause Safeguarding of                       Therefore, an Initial Regulatory                       consistent with the requirements of
                                                      Controlled Unclassified Information                     Flexibility Analysis (IRFA) has been                   FISMA. This proposed rule also
                                                      requires contractors and subcontractors                 prepared consistent with 5 U.S.C. 603,                 establishes uniform incident reporting
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                      to report all known or suspected                        and is summarized as follows:                          and response activities that contractors
                                                      incidents to the Component SOC. If the                                                                         and subcontractors must comply with in
                                                      Component SOC is not available, the                     1. Description of the Reasons Why                      the event of an incident. The proposed
                                                      report shall be made to the DHS                         Action by the Agency Is Being                          rule also requires contractors and
                                                      Enterprise SOC. While such a                            Considered                                             subcontractors have in place procedures
                                                      requirement is not new for DHS,                            Cybersecurity has been identified as                and the capability to notify and provide
                                                      compliance with this requirement is                     one of the most serious economic and                   credit monitoring services to any
                                                      critical. The mission of DHS is unique                  national security challenges our nation                individual whose Personally
                                                      in that we, through the National                        faces. The frequency of cyber-attacks,                 Identifiable Information (PII) or


                                                 VerDate Sep<11>2014   20:40 Jan 18, 2017   Jkt 241001   PO 00000   Frm 00100   Fmt 4702   Sfmt 4702   E:\FR\FM\19JAP1.SGM   19JAP1


                                                                             Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules                                           6439

Sensitive PII (SPII) was under the control of the contractor, or resided in the information system, at the time of the incident. Additionally, this proposed rule requires contractors and subcontractors to certify and confirm the sanitization of Government and Government-Activity related files and information. These collective measures will help DHS mitigate information security risks related to information as well as gather information for future improvements in information security policy.

The requirement to safeguard CUI is specified in the Federal Information Security Modernization Act of 2014 (44 U.S.C. 3551, et seq.), OMB Circular A–130, Managing Information as a Strategic Resource, relevant National Institute of Standards and Technology (NIST) guidance, Executive Order 13556, Controlled Unclassified Information and its implementing regulation at 32 CFR part 2002, and various OMB Memoranda, to include: M–07–16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information; M–14–03, Enhancing the Security of Federal Information and Information Systems; and Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management and Guidance on Federal Information Security and Privacy Management Requirements as identified in various OMB Memoranda.

3. Description of and, Where Feasible, Estimate of the Number of Small Entities To Which the Rule Will Apply

This rule will apply to DHS contractors that require access to CUI, collect or maintain CUI on behalf of the Government, or operate Federal information systems, which includes contractor information systems operating on behalf of the agency, that collect, process, store or transmit CUI.

For Fiscal Year (FY) 2014, DHS awarded nearly 13,000 new contract awards to large and small businesses, with over 35 percent of all contracts awarded to small businesses. The estimate of the number of small entities to which the proposed rule will apply was established by reviewing FPDS data for FY 2014, internal DHS contract data, experience with similar safeguarding requirements used in certain DHS contracts, and the most likely applicable Product and Service Codes (PSCs). The data review identified that 2,525 unique vendors were awarded contracts under the most likely applicable PSCs in FY 2014, including small and large businesses. However, not all contractors awarded contracts under the most likely applicable PSCs will be subject to the proposed clause Safeguarding of Controlled Unclassified Information. A number of factors determine the applicability of the proposed clause and would require analysis on a case-by-case basis. Further, the proposed clause is separated by those entities that are granted access to CUI but whose information systems will not be operated on behalf of the agency to collect, process, store or transmit CUI, and those that are required to meet the Authority to Operate (ATO) requirements because information systems will be used to collect, process, store or transmit CUI on behalf of the agency. Based on the data reviewed, the number of annual respondents subject to the Safeguarding of Controlled Unclassified Information clause is estimated at 822 respondents. The proposed revision to the HSAR includes a flow-down provision that applies to subcontractors. However, DHS does not believe this requirement will add to the estimated number of respondents when an ATO is required, because it is anticipated that a single information system will be used to collect, process, store, or transmit CUI in most instances. A review of DHS historical data shows that at least 35 percent of new contracts are awarded to small businesses. Therefore, it is assumed that 35 percent of the projected annual number of respondents will also be small businesses, or approximately 288 respondents.

Although the proposed HSAR clause is new, DHS contractors are currently required to comply with Departmental IT security policy and guidance. It is assumed that the average DHS IT services contractor covered by this clause will have a high operational security readiness posture. However, the requirements of the proposed clause have been expanded to include professional services contractors that have access to CUI, collect or maintain CUI on behalf of the Government, and/or operate Federal information systems, including contractor information systems operating on behalf of the agency, that collect, process, store or transmit CUI to perform the requirements of their contract(s). While these contractors may not have the same operational security readiness posture as the average DHS IT services contractor, the expansion and implementation of these safeguarding requirements is necessary to further reduce risks and potential vulnerabilities.

4. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Rule, Including an Estimate of the Classes of Small Entities Which Will be Subject to the Requirement and the Type of Professional Skills Necessary

Reporting and recordkeeping requirements include those requirements necessary to ensure adequate security controls are in place when contractor and/or subcontractor employees will have access to sensitive CUI, collect or maintain CUI on behalf of the Government, and/or operate Federal information systems, which includes contractor information systems operating on behalf of the agency, that are used to collect, process, store, or transmit CUI. The reporting and recordkeeping requirements vary depending on whether an Authority to Operate (ATO) is required. If an ATO is not required, the reporting and recordkeeping requirements include: Incident Reporting, Notification (if the incident involves PII/SPII), Credit Monitoring (if the incident involves PII/SPII), and Certification of Sanitization. If an ATO is required, the reporting and recordkeeping requirements include: Incident Reporting, Notification (if the incident involves PII/SPII), Credit Monitoring (if the incident involves PII/SPII), Certification of Sanitization, Security Authorization Package, Independent Assessment, Renewal of ATO, and Federal Reporting and Continuous Monitoring.

Typical contract awards that may include the requirement for access to CUI include contract awards with a PSC of "D" Automatic Data Processing and Telecommunication and "R" Professional, Administrative and Management Support. However, this is not an all-inclusive list. Additional PSCs will be added and projections will be adjusted as additional data becomes available through HSAR clause implementation. This continued process will assist in validating future projections. It is estimated that the average contractor will utilize a mid-level manager with IT expertise to ensure compliance with the requirements of this rule.

5. Identification, to the Extent Practicable, of All Relevant Federal Rules Which May Duplicate, Overlap, or Conflict With the Rule

There are no rules that duplicate, overlap or conflict with this rule.



6. Description of Any Significant Alternatives to the Rule Which Accomplish the Stated Objectives of Applicable Statutes and Which Minimize any Significant Economic Impact of the Rule on Small Entities

No significant alternatives were identified that would accomplish the stated objectives of the rule. The information security requirements associated with this rule are not geared towards a type of contractor; the requirements are based on the sensitivity of the information, the impact on the program, the Government and security in the event CUI is breached. That standard would not vary based on the size of the entity.

DHS will be submitting a copy of the IRFA to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the point of contact specified herein. DHS invites comments from small business concerns and other interested parties on the expected impact of this rule on small entities.

DHS will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610, et seq. (HSAR Case 2015–001), in correspondence.

V. Paperwork Reduction Act

The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The proposed rule contains information collection requirements. Accordingly, DHS will be submitting a request for approval of a new information collection requirement concerning this rule to the Office of Management and Budget under 44 U.S.C. 3501, et seq.

The collection requirements for this rule are based on a new HSAR clause, 3052.204–7X Safeguarding of Controlled Unclassified Information.

A. The average public reporting burden for this collection of information is estimated to be approximately 50 hours per response to comply with the requirements, including time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. This average is based on an estimated 36 hours per response to comply with the requirements when an ATO is not required and an estimated 120 hours to comply with the requirements when an ATO is required (i.e., when a contractor is required to submit a Security Authorization (SA) package). The Security Authorization package consists of the following: Security Plan, Security Assessment Report, Plan of Action and Milestones, Security Control Assessor Transmittal Letter (documents the Security Control Assessor's recommendation (i.e., Authorization to Operate or Denial to Operate)), and any supplemental information requested by the Government (e.g., Contingency Plan, final Risk Assessment, Configuration Management Plan, Standard Operating Procedures, Concept of Operations). Additional requirements include an Independent Assessment, Security Review, Renewal of the ATO, which is required every three years, and Federal Reporting and Continuous Monitoring Requirements.

The total annual projected number of responses per respondent is estimated at 1. Based on the aforementioned information, the annual total burden hours are estimated as follows:

  Title: Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Information.
  Type of Request: New Collection.
  Total Number of Respondents: 822.
  Responses per Respondent: 1.
  Annual Responses: 822.
  Average Burden per Response: Approximately 50.
  Annual Burden Hours: Approximately 41,100.
  Needs and Uses: DHS needs the information required by 3052.204–7X to implement the requirements for safeguarding against unauthorized contractor disclosure and inappropriate use of CUI that contractors and subcontractors may have access to during the course of contract performance.
  Affected Public: Businesses or other for-profit institutions.
  Respondent's Obligation: Required to obtain or retain benefits.
  Frequency: On occasion.

B. Request for Comments Regarding Paperwork Burden.

You may submit comments identified by DHS docket number [DHS–2017–0006], including suggestions for reducing this burden, not later than [insert date 60 days after publication in the Federal Register] using any one of the following methods:
  (1) Via the internet at Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
  (2) Via email to the Department of Homeland Security, Office of the Chief Procurement Officer, at HSAR@hq.dhs.gov.

Public comments are particularly invited on: Whether this collection of information is necessary for the proper performance of functions of the HSAR, and will have practical utility; whether our estimate of the public burden of this collection of information is accurate, and based on valid assumptions and methodology; ways to enhance the quality, utility, and clarity of the information to be collected; and ways in which we can minimize the burden of the collection of information on those who are to respond, through the use of appropriate technological collection techniques or other forms of information technology.

Requesters may obtain a copy of the supporting statement from the Department of Homeland Security, Office of the Chief Procurement Officer, Acquisition Policy and Legislation, via email to HSAR@hq.dhs.gov. Please cite OMB Control No. 1600–0023, Safeguarding of Controlled Unclassified Information, in all correspondence.

List of Subjects in 48 CFR Parts 3001, 3002, 3004 and 3052

Government procurement.

Therefore, DHS proposes to amend 48 CFR parts 3001, 3002, 3004 and 3052 as follows:

■ 1. The authority citation for 48 CFR parts 3001, 3002, 3004 and 3052 is revised to read as follows:

  Authority: 5 U.S.C. 301–302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation Number 0702.

PART 3001—FEDERAL ACQUISITION REGULATIONS SYSTEM

■ 2. In section 3001.106 amend paragraph (a) by adding a new OMB Control Number as follows:

3001.106 OMB Approval under the Paperwork Reduction Act.

  (a) * * *
  OMB Control No. 1600–0023 (Safeguarding of Controlled Unclassified Information)
* * * * *

PART 3002—DEFINITIONS OF WORDS AND TERMS

3002.101 [Amended]

■ 3. Amend section 3002.101 by adding, in alphabetical order, the definitions of "Adequate Security," "Controlled Unclassified Information (CUI)," "Federal Information," "Federal Information System," "Handling," "Information Resources," "Information Security," and "Information System" to read as follows:

"Adequate Security" means security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption,



modification, or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability protections through the application of cost-effective security controls.
* * * * *

"Controlled Unclassified Information (CUI)" is any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. Within the context of DHS, this includes such information which, if lost, misused, disclosed, or, without authorization is accessed, or modified,

include DHS MD 11056.1, "Sensitive Security Information (SSI)" and, within the Transportation Security Administration, TSA MD 2010.1, "SSI Program";

  (4) Homeland Security Agreement Information means information DHS receives pursuant to an agreement with state, local, tribal, territorial, and private sector partners that is required to be protected by that agreement. DHS receives this information in furtherance of the missions of the Department, including, but not limited to, support of the Fusion Center Initiative and activities for cyber information sharing consistent with the Cybersecurity Information Security Act;

  (5) Homeland Security Enforcement Information means unclassified information of a sensitive nature lawfully created, possessed, or transmitted by the Department of Homeland Security in furtherance of its

intentions, capabilities, operations, or activities or otherwise threaten operations security;

  (9) Personnel Security Information means information that could result in physical risk to DHS personnel or other individuals that DHS is responsible for protecting;

  (10) Physical Security Information means reviews or reports illustrating or disclosing facility infrastructure or security vulnerabilities related to the protection of Federal buildings, grounds, or property. For example, threat assessments, system security plans, contingency plans, risk management plans, business impact analysis studies, and certification and accreditation documentation;

  (11) Privacy Information, which includes information referred to as Personally Identifiable Information. Personally Identifiable Information (PII) means information that can be used to
                                                                                                              immigration, customs, and other civil                  distinguish or trace an individual’s
                                                      could adversely affect the national or                  and criminal enforcement missions, the
                                                      homeland security interest, the conduct                                                                        identity, either alone or when combined
                                                                                                              unauthorized disclosure of which could                 with other information that is linked or
                                                      of Federal programs, or the privacy of                  adversely impact the mission of the
                                                      individuals. This definition includes the                                                                      linkable to a specific individual; and
                                                                                                              Department;                                               (12) Sensitive Personally Identifiable
                                                      following CUI categories and                               (6) International Agreement                         Information (SPII) is a subset of PII,
                                                      subcategories of information:                           Information means information DHS                      which if lost, compromised or disclosed
                                                         (1) Chemical-terrorism Vulnerability                 receives pursuant to an information                    without authorization, could result in
                                                      Information (CVI) as defined in Title 6,                sharing agreement or arrangement, with                 substantial harm, embarrassment,
                                                      Code of Federal Regulations, part 27                    a foreign government, an international                 inconvenience, or unfairness to an
                                                      ‘‘Chemical Facility Anti-Terrorism                      organization of governments or any                     individual. Some forms of PII are
                                                      Standards,’’ and as further described in                element thereof, an international or                   sensitive as stand-alone elements.
                                                      supplementary guidance issued by an                     foreign public or judicial body, or an                    (i) Examples of stand-alone PII
                                                      authorized official of the Department of                international or foreign private or non-               include: Social Security numbers (SSN),
                                                      Homeland Security (including the                        governmental organization, that is                     driver’s license or state identification
                                                      Revised Procedural Manual                               required by that agreement or                          number, Alien Registration Numbers (A-
                                                      ‘‘Safeguarding Information Designated                   arrangement to be protected;                           number), financial account number, and
                                                      as Chemical-Terrorism Vulnerability                        (7) Information Systems Vulnerability               biometric identifiers such as fingerprint,
                                                      Information’’ dated September 2008);                    Information (ISVI) means:                              voiceprint, or iris scan.
                                                         (2) Protected Critical Infrastructure                   (i) DHS information technology (IT)                    (ii) Additional examples of SPII
                                                      Information (PCII) as set out in the                    internal systems data revealing                        include any groupings of information
                                                      Critical Infrastructure Information Act                 infrastructure used for servers, desktops,             that contain an individual’s name or
                                                      of 2002 (Title II, Subtitle B, of the                   and networks; applications name,                       other unique identifier plus one or more
                                                      Homeland Security Act, Public Law                       version and release; switching, router,                of the following elements:
                                                      107–296, 196 Stat. 2135), as amended,                   and gateway information;                                  (A) Truncated SSN (such as last 4
                                                      the implementing regulations thereto                    interconnections and access methods;                   digits)
                                                      (Title 6, Code of Federal Regulations,                  mission or business use/need. Examples                    (B) Date of birth (month, day, and
                                                      part 29) as amended, the applicable PCII                of information are systems inventories                 year)
                                                      Procedures Manual, as amended, and                      and enterprise architecture models.                       (C) Citizenship or immigration status
                                                      any supplementary guidance officially                   Information pertaining to national                        (D) Ethnic or religious affiliation
                                                      communicated by an authorized official                  security systems and eligible for                         (E) Sexual orientation
                                                      of the Department of Homeland Security                  classification under Executive Order                      (F) Criminal history
                                                      (including the PCII Program Manager or                  13526, will be classified as appropriate;                 (G) Medical information
                                                      his/her designee);                                         (ii) Information regarding developing                  (H) System authentication
                                                         (3) Sensitive Security Information                   or current technology, the release of                  information such as mother’s maiden
                                                      (SSI) as defined in Title 49, Code of                   which could hinder the objectives of                   name, account passwords or personal
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                      Federal Regulations, part 1520,                         DHS, compromise a technological                        identification numbers (PIN)
                                                      ‘‘Protection of Sensitive Security                      advantage or countermeasure, cause a                      (iii) Other PII may be ‘‘sensitive’’
                                                      Information,’’ as amended, and any                      denial of service, or provide an                       depending on its context, such as a list
                                                      supplementary guidance officially                       adversary with sufficient information to               of employees and their performance
                                                      communicated by an authorized official                  clone, counterfeit, or circumvent a                    ratings or an unlisted home address or
                                                      of the Department of Homeland Security                  process or system;                                     phone number. In contrast, a business
                                                      (including the Assistant Secretary for                     (8) Operations Security Information                 card or public telephone directory of
                                                      the Transportation Security                             means information that could constitute                agency employees contains PII but is not
                                                      Administration or his/her designee) to                  an indicator of U.S. Government                        sensitive.
                                                      6442                    Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules

"Federal Information" means information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government, in any medium or form.

"Federal Information System" means an information system used or operated by an agency or by a contractor of an agency or by another organization on behalf of an agency.

"Handling" means any use of controlled unclassified information, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.

* * * * *

"Information Resources" means information and related resources, such as personnel, equipment, funds, and information technology.

"Information Security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—

(1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;

(2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

(3) availability, which means ensuring timely and reliable access to and use of information.

"Information System" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

* * * * *

PART 3004—ADMINISTRATIVE MATTERS

■ 4. Revise subpart 3004.4 to read as follows:

Subpart 3004.4—Safeguarding Classified and Controlled Unclassified Information within Industry

3004.470 Security requirements for access to unclassified facilities, information resources, and controlled unclassified information.

3004.470–1 Scope.
3004.470–2 Definitions.
3004.470–3 Policy.
3004.470–4 Contract Clauses.

3004.470–1 Scope.

This section implements DHS policies for assuring adequate security of unclassified facilities, information resources, and controlled unclassified information (CUI) during the acquisition lifecycle.

3004.470–2 Definitions.

As used in this subpart—

"Incident" means an occurrence that—

(1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or

(2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

3004.470–3 Policy.

(a) DHS requires that CUI be safeguarded wherever such information resides. This includes government-owned and operated information systems, government-owned and contractor operated information systems, contractor-owned and/or operated information systems operating on behalf of the agency, and any situation where contractor and/or subcontractor employees may have access to CUI. There are several Department policies and procedures (accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors) which also address the safeguarding of CUI. Compliance with these policies and procedures, as amended, is required.

(b) DHS requires contractor employees that require recurring access to Government facilities or access to CUI to complete such forms as may be necessary for security or other reasons, including the conduct of background investigations to determine fitness. Department policies and procedures that address contractor employee fitness are contained in Instruction Handbook Number 121–01–007, The Department of Homeland Security Personnel Suitability and Security Program. Compliance with these policies and procedures, as amended, is required.

3004.470–4 Contract Clauses.

(a) Contracting officers shall insert the basic clause at (HSAR) 48 CFR 3052.204–71, Contractor Employee Access, in solicitations and contracts when contractor and/or subcontractor employees require recurring access to Government facilities or access to CUI. Contracting officers shall insert the basic clause with its Alternate I for acquisitions requiring contractor access to Government information resources. For acquisitions in which contractor and/or subcontractor employees will not have access to Government information resources, but the Department has determined contractor and/or subcontractor employee access to CUI or Government facilities must be limited to U.S. citizens and lawful permanent residents, the contracting officer shall insert the clause with its Alternate II. Neither the basic clause nor its alternates shall be used unless contractor and/or subcontractor employees will require recurring access to Government facilities or access to CUI. Neither the basic clause nor its alternates should ordinarily be used in contracts with educational institutions.

(b) Contracting officers shall insert the clause at (HSAR) 48 CFR 3052.204–7X, Safeguarding of Controlled Unclassified Information, in solicitations and contracts where:

(1) Contractor and/or subcontractor employees will have access to CUI;

(2) CUI will be collected or maintained on behalf of the agency; or

(3) Federal information systems, which include contractor information systems operated on behalf of the agency, are used to collect, process, store, or transmit CUI.

(c) If the clauses prescribed in subsections (a) and/or (b) are included in a prime contract, the prime contractor shall include the clauses in subsections (a) and/or (b), in its contract(s) with subcontractors. If a subcontract includes the clauses prescribed in subsections (a) and/or (b) and the subcontractor has contracts with lower-tier subcontractors, the lower-tier subcontracts shall include the clauses in subsections (a) and/or (b).

PART 3052—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

3052.204–70 [Removed and Reserved].

■ 5. Remove and reserve section 3052.204–70.

■ 6. Add section 3052.204–7X to read as follows:

3052.204–7X Safeguarding of Controlled Unclassified Information.

As prescribed in (HSAR) 48 CFR 3004.470–4(b), insert the following clause:

Safeguarding of Controlled Unclassified Information (DATE)

(a) Definitions. As used in this clause—

"Adequate Security" means security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate

confidentiality, integrity, and availability protections through the application of cost-effective security controls.

"Controlled Unclassified Information (CUI)" is any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. Within the context of DHS, this includes such information which, if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the

immigration, customs, and other civil and criminal enforcement missions, the unauthorized disclosure of which could adversely impact the mission of the Department;

(vi) International Agreement Information means information DHS receives pursuant to an information sharing agreement or arrangement with a foreign government, an international organization of governments or any element thereof, an international or foreign public or judicial body, or an international or foreign private or non-governmental organization, that is required by that agreement or arrangement to be protected;

(vii) Information Systems Vulnerability

Registration Numbers (A-number), financial account number, and biometric identifiers such as fingerprint, voiceprint, or iris scan.

(B) Additional examples of SPII include any groupings of information that contain an individual’s name or other unique identifier plus one or more of the following elements:

(1) Truncated SSN (such as last 4 digits)
(2) Date of birth (month, day, and year)
(3) Citizenship or immigration status
(4) Ethnic or religious affiliation
(5) Sexual orientation
(6) Criminal history
(7) Medical information
(8) System authentication information such as mother’s maiden name, account passwords or personal identification numbers (PIN)
                                                      privacy of individuals. This definition                 Information (ISVI) means:                                 (C) Other PII may be SPII depending on its
                                                      includes the following CUI categories and                  (A) DHS information technology (IT)                 context, such as a list of employees and their
                                                      subcategories of information:                           internal systems data revealing infrastructure         performance ratings or an unlisted home
                                                         (i) Chemical-terrorism Vulnerability                 used for servers, desktops, and networks;              address or phone number. In contrast, a
                                                      Information (CVI) as defined in Title 6, Code           applications name, version and release;                business card or public telephone directory
                                                      of Federal Regulations, part 27 ‘‘Chemical              switching, router, and gateway information;            of agency employees contains PII but is not
                                                      Facility Anti-Terrorism Standards,’’ and as             interconnections and access methods;                   SPII.
                                                      further described in supplementary guidance             mission or business use/need. Examples of                 ‘‘Federal information’’ means information
                                                      issued by an authorized official of the                 information are systems inventories and                created, collected, processed, maintained,
                                                      Department of Homeland Security (including              enterprise architecture models. Information            disseminated, disclosed, or disposed of by or
                                                      the Revised Procedural Manual                           pertaining to national security systems and            for the Federal Government, in any medium
                                                      ‘‘Safeguarding Information Designated as                eligible for classification under Executive            or form.
                                                      Chemical-Terrorism Vulnerability                        Order 13526, will be classified as                        ‘‘Federal information system’’ means an
                                                                                                              appropriate;                                           information system used or operated by an
                                                      Information’’ dated September 2008);
                                                                                                                                                                     agency or by a contractor of an agency or by
                                                         (ii) Protected Critical Infrastructure                  (B) Information regarding developing or
                                                                                                                                                                     another organization on behalf of an agency.
                                                      Information (PCII) as set out in the Critical           current technology, the release of which
                                                                                                                                                                        ‘‘Handling’’ means any use of controlled
                                                      Infrastructure Information Act of 2002 (Title           could hinder the objectives of DHS,
                                                                                                                                                                     unclassified information, including but not
                                                      II, Subtitle B, of the Homeland Security Act,           compromise a technological advantage or
                                                                                                                                                                     limited to marking, safeguarding,
                                                      Public Law 107–296, 196 Stat. 2135), as                 countermeasure, cause a denial of service, or          transporting, disseminating, re-using, storing,
                                                      amended, the implementing regulations                   provide an adversary with sufficient                   capturing, and disposing of the information.
                                                      thereto (Title 6, Code of Federal Regulations,          information to clone, counterfeit, or                     ‘‘Incident’’ means an occurrence that—
                                                      part 29) as amended, the applicable PCII                circumvent a process or system;                           (i) actually or imminently jeopardizes,
                                                      Procedures Manual, as amended, and any                     (viii) Operations Security Information              without lawful authority, the integrity,
                                                      supplementary guidance officially                       means information that could constitute an             confidentiality, or availability of information
                                                      communicated by an authorized official of               indicator of U.S. Government intentions,               or an information system; or
                                                      the Department of Homeland Security                     capabilities, operations, or activities or                (ii) constitutes a violation or imminent
                                                      (including the PCII Program Manager or his/             otherwise threaten operations security;                threat of violation of law, security policies,
                                                      her designee);                                             (ix) Personnel Security Information means           security procedures, or acceptable use
                                                         (iii) Sensitive Security Information (SSI) as        information that could result in physical risk         policies.
                                                      defined in Title 49, Code of Federal                    to DHS personnel or other individuals that                ‘‘Information Resources’’ means
                                                      Regulations, part 1520, ‘‘Protection of                 DHS is responsible for protecting;                     information and related resources, such as
                                                      Sensitive Security Information,’’ as amended,              (x) Physical Security Information means             personnel, equipment, funds, and
                                                      and any supplementary guidance officially               reviews or reports illustrating or disclosing          information technology.
                                                      communicated by an authorized official of               facility infrastructure or security                       ‘‘Information Security’’ means protecting
                                                      the Department of Homeland Security                     vulnerabilities related to the protection of           information and information systems from
                                                      (including the Assistant Secretary for the              Federal buildings, grounds, or property. For           unauthorized access, use, disclosure,
                                                      Transportation Security Administration or               example, threat assessments, system security           disruption, modification, or destruction in
                                                      his/her designee) to include DHS MD                     plans, contingency plans, risk management              order to provide—
                                                      11056.1, ‘‘Sensitive Security Information               plans, business impact analysis studies, and              (i) integrity, which means guarding against
                                                      (SSI)’’ and, within the Transportation                  certification and accreditation                        improper information modification or
                                                      Security Administration, TSA MD 2010.1,                 documentation;                                         destruction, and includes ensuring
                                                      ‘‘SSI Program’’;                                           (xi) Privacy Information, which includes            information nonrepudiation and authenticity;
                                                         (iv) Homeland Security Agreement                     information referred to as Personally                     (ii) confidentiality, which means
                                                      Information means information DHS receives              Identifiable Information (PII). PII means              preserving authorized restrictions on access
                                                      pursuant to an agreement with state, local,             information that can be used to distinguish            and disclosure, including means for
                                                      tribal, territorial, and private sector partners        or trace an individual’s identity, either alone,       protecting personal privacy and proprietary
                                                      that is required to be protected by that                or when combined with other information                information; and
                                                      agreement. DHS receives this information in             that is linked or linkable to a specific                  (iii) availability, which means ensuring
                                                      furtherance of the missions of the                      individual; and                                        timely and reliable access to and use of
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                      Department, including, but not limited to,                 (xii) Sensitive Personally Identifiable             information.
                                                      support of the Fusion Center Initiative and             Information (SPII) is a subset of PII, which if           ‘‘Information System’’ means a discrete set
                                                      activities for cyber information sharing                lost, compromised, or disclosed without                of information resources organized for the
                                                      consistent with the Cybersecurity                       authorization, could result in substantial             collection, processing, maintenance, use,
                                                      Information Security Act;                               harm, embarrassment, inconvenience, or                 sharing, dissemination, or disposition of
                                                         (v) Homeland Security Enforcement                    unfairness to an individual. Some forms of             information.
                                                      Information means unclassified information              PII are sensitive as stand-alone elements.                (b) Handling of Controlled Unclassified
                                                      of a sensitive nature lawfully created,                    (A) Examples of stand-alone SPII include:           Information.
                                                      possessed, or transmitted by the Department             Social Security numbers (SSN), driver’s                   (1) Contractors and subcontractors must
                                                      of Homeland Security in furtherance of its              license or state identification number, Alien          provide adequate security to protect CUI



                                                 VerDate Sep<11>2014   20:40 Jan 18, 2017   Jkt 241001   PO 00000   Frm 00105   Fmt 4702   Sfmt 4702   E:\FR\FM\19JAP1.SGM   19JAP1


from unauthorized access and disclosure. Adequate security includes compliance with DHS policies and procedures in effect at the time of contract award. These policies and procedures are accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors.
(2) The Contractor shall not use or redistribute any CUI handled, collected, processed, stored, or transmitted by the Contractor except as specified in the contract.
(3) The Contractor shall not maintain SPII in its invoicing, billing, and other recordkeeping systems maintained to support financial or other administrative functions. It is acceptable to maintain in these systems the names, titles, and contact information for the Contracting Officer's Representative (COR) or other Government personnel associated with the administration of the contract, as needed.
(4) Any Government data provided, developed, obtained under the contract, or otherwise under the control of the contractor, shall not become part of the bankruptcy estate in the event a contractor and/or subcontractor enters into bankruptcy proceedings.

(c) Authority to Operate. This subsection is applicable only to Federal information systems, which includes contractor information systems operating on behalf of the agency. The Contractor shall not collect, process, store, or transmit CUI within a Federal information system until an Authority to Operate (ATO) has been accepted and signed by the Component or Headquarters CIO, or designee. Once the ATO has been accepted and signed by the Government, the Contracting Officer shall incorporate the ATO into the contract as a compliance document. Unless otherwise specified in the ATO letter, the ATO is valid for three (3) years. An ATO is granted at the sole discretion of the Government and can be revoked at any time. Contractor receipt of an ATO does not create any contractual right of access or entitlement. The Government's acceptance of the ATO does not alleviate the Contractor's responsibility to ensure the information system controls are implemented and operating effectively.
(1) Complete the Security Authorization process. The Security Authorization (SA) process shall proceed according to DHS Sensitive Systems Policy Directive 4300A (Version 12.0, September 25, 2015), or any successor publication; DHS 4300A Sensitive Systems Handbook (Version 12.0, November 15, 2015), or any successor publication; and the Security Authorization Process Guide, including templates. These policies and templates are accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors.
(i) Security Authorization Package. The SA package shall be developed using the Government-provided Requirements Traceability Matrix and SA templates. The SA package consists of the following: Security Plan, Contingency Plan, Contingency Plan Test Results, Configuration Management Plan, Security Assessment Plan, Security Assessment Report, and Authorization to Operate Letter. Additional documents that may be required include a Plan(s) of Action and Milestones and Interconnection Security Agreement(s). The Contractor shall submit a signed copy of the SA package, validated by an independent third party, to the COR for acceptance by the Headquarters or Component CIO, or designee, at least thirty (30) days prior to the date of operation of the information system. The Government is the final authority on the compliance of the SA package and may limit the number of resubmissions of modified documents.
(ii) Independent Assessment. Contractors shall have an independent third party validate the security and privacy controls in place for the information system(s). The independent third party shall review and analyze the SA package, and report on technical, operational, and management level deficiencies as outlined in NIST Special Publication 800–53, Security and Privacy Controls for Federal Information Systems and Organizations, accessible at http://csrc.nist.gov/publications/PubsSPs.html. The Contractor shall address all deficiencies before submitting the SA package to the COR for acceptance.
(2) Renewal of ATO. Unless otherwise specified in the ATO letter, the ATO shall be renewed every three (3) years. The Contractor is required to update its SA package as part of the ATO renewal process for review and verification of security controls. Review and verification of security controls is independent of the system production date and may include onsite visits that involve physical or logical inspection of the Contractor environment to ensure controls are in place. The updated SA package shall be submitted for acceptance by the Headquarters or Component CIO, or designee, at least 90 days before the ATO expiration date. The Contractor shall update its SA package by one of the following methods:
(i) Updating the SA package in the DHS Information Assurance Compliance System; or
(ii) Submitting the updated SA package directly to the COR.
(3) Security Review. The Government may elect to conduct random periodic reviews to ensure that the security requirements contained in this contract are being implemented and enforced. The Government, at its sole discretion, may obtain assistance from other Federal agencies and/or third-party firms to aid in security review activities. The Contractor shall afford DHS, the Office of the Inspector General, other Government organizations, and contractors working in support of the Government access to the Contractor's facilities, installations, operations, documentation, databases, networks, systems, and personnel used in the performance of this contract. The Contractor shall, through the Contracting Officer and COR, contact the Headquarters or Component CIO, or designee, to coordinate and participate in review and inspection activity by Government organizations external to DHS. Access shall be provided, to the extent necessary as determined by the Government (including providing all requested images), for the Government to carry out a program of inspection, investigation, and audit to safeguard against threats and hazards to the integrity, availability, and confidentiality of Government data or the function of computer systems used in performance of this contract and to preserve evidence of computer crime.
(4) Federal Reporting and Continuous Monitoring Requirements. Contractors operating information systems on behalf of the Government shall comply with Federal reporting and information system continuous monitoring requirements. Reporting requirements are determined by the Government and are defined in the Fiscal Year 2015 DHS Information Security Performance Plan, or successor publication, accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The plan is updated on an annual basis. Annual, quarterly, and monthly data collection will be coordinated by the Government. The Contractor shall provide the Government with all information to fully satisfy Federal reporting requirements for information systems. The Contractor shall provide the COR with requested information within three (3) business days of receipt of the request. Unless otherwise specified in the contract, monthly continuous monitoring data shall be stored at the Contractor's location for a period not less than one year from the date the data is created. The Government may elect to perform information system continuous monitoring and IT security scanning of information systems from Government tools and infrastructure.

(d) Incident Reporting Requirements.
(1) All known or suspected incidents shall be reported to the Component Security Operations Center (SOC) in accordance with 4300A Sensitive Systems Handbook Attachment F, Incident Response. If the Component SOC is not available, the Contractor shall report to the DHS Enterprise SOC. Contact information for the DHS Enterprise SOC is accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor shall also notify the Contracting Officer and COR using the contact information identified in the contract. If the report is made by phone, or the email address for the Contracting Officer or COR is not immediately available, the Contractor shall contact the Contracting Officer immediately after reporting to the Component or DHS Enterprise SOC. All known or suspected incidents involving PII or SPII shall be reported within one hour of discovery. All other incidents shall be reported within eight hours of discovery.
(2) The Contractor shall not include any CUI in the subject or body of any email. The Contractor shall transmit CUI using encryption methods compliant with FIPS 140–2, Security Requirements for Cryptographic Modules, accessible at http://csrc.nist.gov/groups/STM/cmvp/standards.html, to protect CUI in attachments to email. Passwords shall not be communicated in the same email as the attachment.
(3) An incident shall not, by itself, be interpreted as evidence that the Contractor has failed to provide adequate information security safeguards for CUI, or has otherwise failed to meet the requirements of the contract.
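Paragraph (d)(2) states two controls for CUI sent by email: the attachment itself is encrypted with a FIPS 140-2 compliant method, and the secret that unlocks it never travels in the same email. The Go program below is an added example illustrating that separation; it is not part of the proposed rule or of any DHS guidance. It encrypts the attachment with AES-256-GCM under a fresh random key, treats the ciphertext as the email attachment and the key as the out-of-band secret, and shows that a modified attachment or a renamed one is rejected on decryption. Assumptions, labelled in the code: a random key stands in for the password the clause mentions (a password would additionally need a key-derivation step), the sample CUI string and filename are constructed placeholders, and Go's standard-library crypto is used only for illustration, since it is not itself a FIPS 140-2 validated module.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
)

// AES-256-GCM is a FIPS-approved authenticated cipher. Assumption: Go's
// standard crypto is used for illustration only; it is not a FIPS 140-2
// validated module, so production must run these calls inside one.
const keySize = 32

// newKey draws a fresh random key used for exactly one attachment.
func newKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptAttachment seals plaintext as nonce || ciphertext || tag. The filename
// is bound as additional authenticated data, so a blob cannot be renamed.
func encryptAttachment(key, plaintext []byte, filename string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// decryptAttachment reverses encryptAttachment; a flipped bit or a wrong
// filename fails the GCM tag check and returns an error, never plaintext.
func decryptAttachment(key, blob []byte, filename string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("attachment blob too short (%d bytes)", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(filename))
}

// Outbound models the two separate channels the clause requires.
type Outbound struct {
	EmailSubject    string // carries no CUI
	EmailAttachment []byte // ciphertext only
	OutOfBandSecret string // base64 key: phone or portal, never the same email
}

// prepareCUIEmail encrypts one attachment and keeps the key out of the email.
func prepareCUIEmail(plaintext []byte, filename string) (Outbound, error) {
	key, err := newKey()
	if err != nil {
		return Outbound{}, err
	}
	blob, err := encryptAttachment(key, plaintext, filename)
	if err != nil {
		return Outbound{}, err
	}
	return Outbound{
		EmailSubject:    "Encrypted attachment: " + filename,
		EmailAttachment: blob,
		OutOfBandSecret: base64.StdEncoding.EncodeToString(key),
	}, nil
}

// emailLeaksKey is the sender-side check: neither the raw key nor its
// base64 form may appear in anything that goes into the email.
func emailLeaksKey(o Outbound) bool {
	raw, err := base64.StdEncoding.DecodeString(o.OutOfBandSecret)
	if err != nil {
		return true
	}
	email := append([]byte(o.EmailSubject), o.EmailAttachment...)
	return bytes.Contains(email, raw) || bytes.Contains(email, []byte(o.OutOfBandSecret))
}

func main() {
	// Constructed placeholder CUI; a real sender would read the file from disk.
	out, err := prepareCUIEmail([]byte("constructed sample: A-number A123456789"), "case.pdf")
	fmt.Println(out.EmailSubject, len(out.EmailAttachment), emailLeaksKey(out), err)
}
```

The recipient decrypts with the key received over the other channel and the same filename; if either the blob or the name was altered in transit, decryptAttachment returns an error instead of partial plaintext. Two points a practitioner should keep in mind: FIPS 140-2 validation attaches to the cryptographic module, not to the algorithm, so choosing AES-GCM alone does not satisfy the clause; and a random per-attachment key avoids the weak-password and password-reuse problems that a human-chosen password sent by phone tends to bring.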


(4) If an incident involves PII or SPII, in addition to the incident reporting guidelines in 4300A Sensitive Systems Handbook Attachment F, Incident Response, Contractors shall also provide as many of the following data elements as are available at the time the incident is reported, with any remaining data elements provided within 24 hours of submission of the initial incident report:
(i) Data Universal Numbering System (DUNS);
(ii) Contract numbers affected unless all contracts by the company are affected;
(iii) Facility CAGE code if the location of

individual whose PII and/or SPII was under the control of the Contractor or resided in the information system at the time of the incident not later than 5 business days after being directed to notify individuals, unless otherwise approved by the Contracting Officer. The method and content of any notification by the Contractor shall be coordinated with, and subject to prior written approval by, the Contracting Officer utilizing the DHS Privacy Incident Handling Guidance accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor shall not proceed

(iii) Weekly reports on call center volume, issue escalation (i.e., those calls that cannot be handled by call center staff and must be resolved by call center management or DHS, as appropriate), and other key metrics;
(iv) Escalation of calls that cannot be handled by call center staff to call center management or DHS, as appropriate;
(v) Customized Frequently Asked Questions, approved in writing by the Contracting Officer in coordination with the Headquarters or Component Privacy Officer; and
(vi) Information for registrants to contact
                                                      the event is different than the prime                   with notification unless directed in writing           customer service representatives and fraud
                                                      contractor location;                                    by the Contracting Officer.                            resolution representatives for credit
                                                         (iv) Point of contact (POC) if different than           (2) Subject to Government analysis of the           monitoring assistance.
                                                      the POC recorded in the System for Award                incident and the terms of its instructions to             (h) Certificate of Sanitization of
                                                      Management (address, position, telephone,               the Contractor regarding any resulting                 Government and Government-Activity-
                                                      email);                                                 notification, the notification method may              Related Files and Information. Upon the
                                                         (v) Contracting Officer POC (address,                consist of letters to affected individuals sent        conclusion of the contract by expiration,
                                                      telephone, email);                                      by first class mail, electronic means, or              termination, cancellation, or as otherwise
                                                         (vi) Contract clearance level;                       general public notice, as approved by the              indicated in the contract, the Contractor shall
                                                         (vii) Name of subcontractor and CAGE                 Government. Notification may require the               return all CUI to DHS and/or destroy it
                                                      code if this was an incident on a                       Contractor’s use of address verification and/          physically and/or logically as identified in
                                                      subcontractor network;                                  or address location services. At a minimum,            the contract. Destruction shall conform to the
                                                         (viii) Government programs, platforms or             the notification shall include:                        guidelines for media sanitization contained
                                                      systems involved;                                          (i) A brief description of the incident;            in NIST SP–800–88, Guidelines for Media
                                                         (ix) Location(s) of incident;                           (ii) A description of the types of PII or SPII      Sanitization. The Contractor shall certify and
                                                         (x) Date and time the incident was                   involved;                                              confirm the sanitization of all Government
                                                      discovered;                                                (iii) A statement as to whether the PII or          and Government-Activity related files and
                                                         (xi) Server names where CUI resided at the           SPII was encrypted or protected by other               information. The Contractor shall submit the
                                                      time of the incident, both at the Contractor
                                                                                                              means;                                                 certification to the COR and Contracting
                                                      and subcontractor level;
                                                                                                                 (iv) Steps individuals may take to protect          Officer following the template provided in
                                                         (xii) Description of the Government PII or
                                                                                                              themselves;                                            NIST Special Publication 800–88, Guidelines
                                                      SPII contained within the system; and
                                                                                                                 (v) What the Contractor and/or the                  for Media Sanitization, Appendix G.
                                                         (xiii) Any additional information relevant
                                                                                                              Government are doing to investigate the                   (i) Other Reporting Requirements. Incident
                                                      to the incident.
                                                                                                              incident, to mitigate the incident, and to             reporting required by this clause in no way
                                                         (e) Incident Response Requirements.
                                                         (1) All determinations by the Department             protect against any future incidents; and              rescinds the Contractor’s responsibility for
                                                      related to incidents, including response                   (vi) Information identifying who                    other incident reporting pertaining to its
                                                      activities, notifications to affected                   individuals may contact for additional                 unclassified information systems under other
                                                      individuals and/or Federal agencies, and                information.                                           clauses that may apply to its contract(s), or
                                                      related services (e.g., credit monitoring) will            (g) Credit Monitoring Requirements. This            as a result of other applicable U.S.
                                                      be made in writing by the Contracting                   subsection is only applicable when an                  Government statutory or regulatory
                                                      Officer.                                                incident involves PII/SPII. In the event that          requirements.
                                                         (2) The Contractor shall provide full access         an incident involves PII or SPII, the                    (j) Subcontracts. The Contractor shall
                                                      and cooperation for all activities determined           Contractor may be directed by the                      insert this clause in all subcontracts and
                                                      by the Government to be required to ensure              Contracting Officer to:                                require subcontractors to include this clause
                                                      an effective incident response, including                  (1) Provide notification to affected                in all lower-tier subcontracts.
                                                      providing all requested images, log files, and          individuals as described in paragraph (f).
                                                                                                                 (2) Provide credit monitoring services to           (End of clause)
                                                      event information to facilitate rapid
                                                      resolution of incidents.                                individuals whose PII or SPII was under the            ■ 7. Amend paragraph (b) of section
                                                         (3) Incident response activities determined          control of the Contractor or resided in the            3052.212–70 to remove 3052.204–70
                                                      to be required by the Government may                    information system at the time of the                  Security Requirements for Unclassified
                                                      include, but are not limited to, the following:         incident for a period beginning the date of            Information Technology Resources; add
                                                         (i) Inspections,                                     the incident and extending not less than 18
                                                                                                                                                                     Alternate II of 3052.204–71, Contractor
                                                         (ii) Investigations,                                 months from the date the individual is
                                                                                                              notified. Credit monitoring services shall be          Employee Access; and add 3052.204–
                                                         (iii) Forensic reviews,
                                                                                                              provided from a company with which the                 7X, Safeguarding of Controlled
                                                         (iv) Data analyses and processing, and
                                                         (v) Revocation of the Authority to Operate.          Contractor has no affiliation. At a minimum,           Unclassified Information, as follows:
                                                         (4) The contractor shall preserve and                credit monitoring services shall include:
                                                                                                                 (i) Triple credit bureau monitoring;                3052.212–70 Contract terms and
                                                      protect images of known affected information                                                                   conditions applicable to DHS acquisition of
                                                      systems identified in paragraph (b) of this                (ii) Daily customer service;
                                                                                                                 (iii) Alerts provided to the individual for         commercial items.
                                                      section and all relevant monitoring/packet
                                                      capture data for at least 90 days from                  changes and fraud; and                                 Contract Terms and Conditions
                                                      submission of the incident report to allow                 (iv) Assistance to the individual with
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                                                                                                                                     Applicable to DHS Acquisition of
                                                      DHS to request the media or decline interest.           enrollment in the services and the use of
                                                                                                                                                                     Commercial Items (Date)
                                                         (5) The Government, at its sole discretion,          fraud alerts.
                                                      may obtain assistance from other Federal                   (3) Establish a dedicated call center. Call         *       *    *     *      *
                                                      agencies and/or third-party firms to aid in             center services shall include:                          (b) * * *
                                                      incident response activities.                              (i) A dedicated telephone number to                  ____3052.204–71       Contractor Employee
                                                         (f) PII and SPII Notification Requirements.          contact customer service within a fixed                Access.
                                                      This subsection is only applicable when an              period;                                                 ____Alternate I
                                                      incident involves PII/SPII.                                (ii) Information necessary for registrants/
                                                                                                                                                                      ____Alternate II
                                                        (1) The Contractor shall have in place                enrollees to access credit reports and credit
                                                      procedures and the capability to notify any             scores;                                                *       *    *     *      *


                                                 VerDate Sep<11>2014   20:40 Jan 18, 2017   Jkt 241001   PO 00000   Frm 00107   Fmt 4702   Sfmt 4702   E:\FR\FM\19JAP1.SGM   19JAP1


                                                      6446                   Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules

                                                        ____3052.204–7X Safeguarding of                         • Mail: Department of Homeland                          (1) Add the terms ‘‘controlled
                                                      Controlled Unclassified Information.                    Security, Office of the Chief                          unclassified information,’’ ‘‘information
                                                      Soraya Correa,                                          Procurement Officer, Acquisition Policy                resources’’ and ‘‘information system’’ to
                                                      Chief Procurement Officer, Department of
                                                                                                              and Legislation, ATTN: Ms. Shaundra                    HSAR 3002.1, Definitions and remove
                                                      Homeland Security.                                      Duggans, 245 Murray Drive, Bldg. 410                   the definition of the term ‘‘sensitive
                                                      [FR Doc. 2017–00758 Filed 1–18–17; 8:45 am]
                                                                                                              (RDS), Washington, DC 20528.                           information’’ at HSAR 3002.1,
                                                                                                                 Comments received generally will be                 Definitions. The definition of
                                                      BILLING CODE 9110–9B–P
                                                                                                              posted without change to http://                       ‘‘controlled unclassified information’’ is
                                                                                                              www.regulations.gov, including any                     taken from its implementing regulation
                                                      DEPARTMENT OF HOMELAND                                  personal information provided. To                      at 32 CFR part 2002. The definitions of
                                                      SECURITY                                                confirm receipt of your comment(s),                    ‘‘information resources’’ and
                                                                                                              please check www.regulations.gov,                      ‘‘information system’’ are derived from
                                                      48 CFR Parts 3001, 3002, 3039, and                      approximately two to three days after                  44 U.S.C. 3502(6) and 44 U.S.C. 3502(8)
                                                      3052                                                    submission to verify posting (except                   respectively. The definition of
                                                                                                              allow 30 days for posting of comments                  ‘‘sensitive information’’ is removed
                                                      [Docket No. DHS–2017–0007]
                                                                                                              submitted by mail).                                    because it is being replaced with
                                                      RIN 1601–AA78                                           FOR FURTHER INFORMATION CONTACT: Ms.                   ‘‘controlled unclassified information’’
                                                                                                              Shaundra Duggans, Procurement                          consistent with Executive Order 13556
                                                      Homeland Security Acquisition                           Analyst, DHS, Office of the Chief                      and its implementing regulation at 32
                                                      Regulation (HSAR); Information                          Procurement Officer, Acquisition Policy                CFR part 2002. These definitions are
                                                      Technology Security Awareness                           and Legislation at (202) 447–0056 or                   necessary because these terms appear in
                                                      Training (HSAR Case 2015–002)                           email HSAR@hq.dhs.gov. When using                      proposed HSAR 3039.70 Information
                                                      AGENCY:  Office of the Chief Procurement                email, include HSAR Case 2015–002 in                   Technology Security Awareness
                                                      Officer, Department of Homeland                         the ‘‘Subject’’ line.                                  Training and HSAR 3052.239–7X,
                                                      Security (DHS).                                         SUPPLEMENTARY INFORMATION:                             Information Technology Security
                                                                                                                                                                     Awareness Training.
                                                      ACTION: Proposed rule.                                  I. Background                                             (2) Add a new subpart at 3039.70,
                                                      SUMMARY:    DHS is proposing to amend                      DHS contracts currently require                     Information Technology Security
                                                      the Homeland Security Acquisition                       contractor and subcontractor employees                 Awareness Training. HSAR 3039.7001,
                                                      Regulation (HSAR) to add a new                          to complete information technology (IT)                Scope, identifies the applicability of the
                                                      subpart, update an existing clause, and                 security awareness training before                     subpart to contracts and subcontracts
                                                      add a new contract clause to standardize                accessing DHS information systems and                  where contractor and subcontractor
                                                      information technology security                         information resources. This training is                employees may have access to DHS
                                                      awareness training and DHS Rules of                     initially completed upon award of the                  information systems and information
                                                      Behavior requirements for contractor                    procurement and at least annually                      resources or contractor-owned and/or
                                                      and subcontractor employees who                         thereafter. DHS contracts also require                 operated information systems and
                                                      access DHS information systems and                      such employees to sign the DHS Rules                   information resources capable of
                                                      information resources or contractor-                    of Behavior (RoB) before access is                     collecting, processing, storing or
                                                      owned and/or operated information                       provided to DHS information systems                    transmitting CUI. HSAR 3039.7002,
                                                      systems and information resources                       and information resources. The DHS                     Policy, subparagraph (a) requires
                                                      capable of collecting, processing, storing              RoB is a document that defines the                     contractors and subcontractors that may
                                                      or transmitting controlled unclassified                 responsibilities and obligations imposed               have access to DHS information systems
                                                      information (CUI).                                      on all individuals with access to DHS                  and information resources or contractor-
                                                      DATES: Interested parties should submit                 information systems and information                    owned and/or operated information
                                                      written comments to one of the                          resources. The DHS RoB holds users                     systems and information resources
                                                      addresses shown below on or before                      accountable for actions taken while                    capable of collecting, processing, storing
                                                      March 20, 2017, to be considered in the                 accessing DHS information systems and                  or transmitting CUI to complete IT
                                                      formation of the final rule.                            using DHS information resources                        security awareness training initially
                                                      ADDRESSES: Submit comments                              capable of collecting, processing, storing             upon award of the procurement and
                                                      identified by HSAR Case 2015–002,                       or transmitting controlled unclassified                annually thereafter. This subsection
                                                      Information Technology Security                         information (CUI).                                     requires the contractor to maintain
                                                      Awareness Training, using any of the                       DHS is proposing to (1) include IT                  evidence that the training has been
                                                      following methods:                                      security awareness training and RoB                    completed and provide copies of the
                                                         • Regulations.gov: http://                           requirements in the HSAR and (2) make                  training completion certificates to the
                                                      www.regulations.gov.                                    the training and RoB more easily                       contracting officer. Subparagraph (b)
                                                         Submit comments via the Federal                      accessible by hosting them on a public                 requires contractor and subcontractor
                                                      eRulemaking portal by entering ‘‘HSAR                   Web site. This approach ensures all                    employees to sign the DHS RoB before
                                                      Case 2015–002’’ under the heading                       applicable DHS contractors and                         receiving access to DHS information
                                                      ‘‘Enter Keyword or ID’’ and selecting                   subcontractors are subject to the same IT              systems and/or information resources
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                      ‘‘Search.’’ Select the link ‘‘Submit a                  security awareness training and RoB                    and before contractor-owned and/or
                                                      Comment’’ that corresponds with                         requirements while removing the need                   operated information systems can be
                                                      ‘‘HSAR Case 2015–002.’’ Follow the                      for Government intervention to provide                 used to collect, process, store, or
                                                      instructions provided at the ‘‘Submit a                 access to the IT security awareness                    transmit CUI. This subsection requires
                                                      Comment’’ screen. Please include your                   training and RoB.                                      the contractor to maintain signed copies
                                                      name, company name (if any), and                           This rule proposes to standardize the               of the DHS Rob and provide signed
                                                      ‘‘HSAR Case 2015–002’’ on your                          IT security awareness training and DHS                 copies to the contracting officer. HSAR
                                                      attached document.                                      RoB requirements across DHS contracts                  3039.7003, Contract Clause, identifies
                                                         • Fax: (202) 447–0520.                               by amending the HSAR to:                               when contracting officers must insert


                                                 VerDate Sep<11>2014   20:40 Jan 18, 2017   Jkt 241001   PO 00000   Frm 00108   Fmt 4702   Sfmt 4702   E:\FR\FM\19JAP1.SGM   19JAP1


