Michael Gruden, Kate M. Growley

The Information Security Oversight Office (“ISOO”) within the National Archives and Records Administration (“NARA”) recently issued guidance for all non-executive branch entities (such as elements of the legislative or judicial branches of the Federal Government; state, tribal, or local government elements; and private organizations, including contractors) concerning controlled unclassified information (“CUI”).  Specifically, the ISOO issued CUI Notice 2018-01, which provides CUI guidance for information sharing agreements with non-executive branch entities (herein “IS agreements”) that are not governed by the forthcoming CUI Federal Acquisition Regulation (“FAR”) clause.  Examples of applicable IS agreements include certain contracts, grants, licenses, memoranda of understanding, and information-sharing arrangements.  The ISOO guidance provides both mandatory and recommended language for inclusion in IS agreements:

Mandatory CUI Language:

  1. Non-executive branch entities must handle CUI in accordance with Executive Order 13556, 32 CFR 2002, and the CUI Registry;
  2. Misuse of CUI is subject to penalties established in applicable laws, regulations or Government-wide policies; and
  3. Non-executive branch entities must report any non-compliance with handling requirements to the disseminating agency using methods approved by that agency’s CUI senior agency official (“SAO”).  When the disseminating agency is not the designating agency, the disseminating agency must notify the designating agency.

Recommended CUI Language:

  1. Identifying the categories of CUI that the non-executive branch entity will handle, as well as the corresponding handling and safeguarding requirements specified by law and policy;
  2. Identifying where performance of work will occur (e.g., in a government facility or a non-executive branch facility);
  3. Identifying whether the equipment and IT systems used to handle CUI will be federal or non-federal IT systems, as well as the applicable technical requirements;
  4. Utilizing National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 when establishing security requirements to protect CUI on non-federal IT systems;
  5. Identifying whether Government-furnished equipment will be used; and
  6. Identifying any disposition or destruction requirements.

While we continue to await a proposed FAR Clause regarding CUI, contractors should benefit from the additional clarity that this ISOO guidance brings in standardizing CUI provisions for non-FAR based agreements.