The Information Security Oversight Office (“ISOO”) within the National Archives and Records Administration (“NARA”) recently issued guidance for all non-executive branch entities  (such as elements of the legislative or judicial branches of the Federal Government; state, tribal or local government elements; and private organizations including contractors) concerning controlled unclassified information (“CUI”).  Specifically, the ISOO  issued CUI Notice 2018-01, which provides CUI guidance regarding information sharing agreements with non-executive branch entities (herein “IS agreements”) that are not governed by the forthcoming CUI Federal Acquisition Regulation (“FAR”) Clause.  Examples of applicable IS agreements include certain contracts, grants, licenses, memoranda of understanding, and information-sharing arrangements.  The ISOO guidance provides both mandatory and recommended language for inclusion in IS agreements:

Mandatory CUI Language:

  1. Non-executive branch entities must handle CUI in accordance with Executive Order 13556, 32 CFR 2002, and the CUI Registry;
  2. Misuse of CUI is subject to penalties established in applicable laws, regulations or Government-wide policies; and
  3. Non-executive branch entities must report any non-compliance with handling requirements to the disseminating agency using methods approved by that agency’s CUI senior agency official (“SAO ”).  When the disseminating agency is not the designating agency, the disseminating agency must notify the designating agency.

Recommended CUI Language:

  1. Identifying the categories of CUI that the non-executive branch entity will handle, as well as the corresponding handling and safeguarding requirements specified by law and policy;
  2. Identifying where performance of work will occur (e.g., in a government facility or a non-executive branch facility);
  3. Identifying whether the type of equipment and IT systems used to handle CUI will be federal or non-federal IT systems, as well as the applicable technical requirements;
  4. Utilizing National Institute of Standards and Technology (“NIST ”) Special Publication (“SP ”) 800-171 when establishing security requirements to protect CUI on non-federal IT systems;
  5. Whether Government-furnished equipment will be used; and
  6. Any disposition or destruction requirements.

While we continue to await a proposed FAR Clause regarding CUI, contractors should benefit from the additional clarity that this ISOO guidance brings in standardizing CUI provisions for non-FAR based agreements.

 

 

Tags: Assessing Security Requirements for Controlled Unclassified Information, CUI, FAR, Federal Acquisition Regulation Clause, Information Security Oversight Offfice, ISOO, NARA, National Archives and Records Administration, SAO, Senior Agency Official
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Michael G. Gruden, CIPP/G Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked…

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Read more about Michael G. Gruden, CIPP/G
Show more Show less
Photo of Kate M. Growley, CIPP/G, CIPP/US Kate M. Growley, CIPP/G, CIPP/US

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory…

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Read more about Kate M. Growley, CIPP/G, CIPP/US
Show more Show less
Related Posts
DoD Digs In Its Cyber “SPRS”: New Solicitation Provision Requires Contracting Officers to Consider SPRS Risk Assessments
March 27, 2023
China’s New Standard Contractual Clauses and Impact on Data Intensive Businesses
March 20, 2023
EDPB's Opinion on EU-U.S. DPF
March 7, 2023