The Information Security Oversight Office (“ISOO”) within the National Archives and Records Administration (“NARA”) recently issued guidance for all non-executive branch entities (such as elements of the legislative or judicial branches of the Federal Government; state, tribal, or local government elements; and private organizations, including contractors) concerning controlled unclassified information (“CUI”). Specifically, the ISOO issued CUI Notice 2018-01, which provides CUI guidance regarding information sharing agreements with non-executive branch entities (herein “IS agreements”) that are not governed by the forthcoming CUI Federal Acquisition Regulation (“FAR”) Clause. Examples of applicable IS agreements include certain contracts, grants, licenses, memoranda of understanding, and information-sharing arrangements. The ISOO guidance provides both mandatory and recommended language for inclusion in IS agreements:

Mandatory CUI Language:

  1. Non-executive branch entities must handle CUI in accordance with Executive Order 13556, 32 CFR 2002, and the CUI Registry;
  2. Misuse of CUI is subject to penalties established in applicable laws, regulations or Government-wide policies; and
  3. Non-executive branch entities must report any non-compliance with handling requirements to the disseminating agency using methods approved by that agency’s CUI senior agency official (“SAO”). When the disseminating agency is not the designating agency, the disseminating agency must notify the designating agency.

Recommended CUI Language:

  1. Identifying the categories of CUI that the non-executive branch entity will handle, as well as the corresponding handling and safeguarding requirements specified by law and policy;
  2. Identifying where performance of work will occur (e.g., in a government facility or a non-executive branch facility);
  3. Identifying whether the type of equipment and IT systems used to handle CUI will be federal or non-federal IT systems, as well as the applicable technical requirements;
  4. Utilizing National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 when establishing security requirements to protect CUI on non-federal IT systems;
  5. Whether Government-furnished equipment will be used; and
  6. Any disposition or destruction requirements.

While we continue to await a proposed FAR Clause regarding CUI, contractors should benefit from the additional clarity that this ISOO guidance brings in standardizing CUI provisions for non-FAR based agreements.


Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.


Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations, and policy engagement. With a unique combination of legal, policy, and consulting experience, Kate excels in translating complex technical topics into advice that is practical and informed by risk and business needs.

Kate has extensive experience working with members of the U.S. government contracting community, especially those within the Defense Industrial Base. She has partnered with contractors from every major sector, including technology, manufacturing, health care, and professional services. Kate is an IAPP AI Governance Professional (AIGP) and a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/G and CIPP/US). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Having lived in Greater China for several years, Kate also brings an uncommon understanding of digital and national security requirements from across the Asia Pacific region. She has notable experience with the regulatory environments of Australia, Singapore, Japan, and Greater China—including the growing regulation of data flows between the latter and the United States.

Kate is a partner in the firm’s Washington, D.C., office, as well as a senior director in the firm’s consultancy Crowell Global Advisors, to which she was seconded for several years. She is a founding member of the firm’s Privacy & Cybersecurity Group and part of the firm’s AI Steering Committee. She has been internationally recognized by Chambers and named a “Rising Star” by both Law360 and the American Bar Association (ABA). She has held numerous leadership positions in the ABA’s Public Contract Law and Science & Technology Sections and has been inducted as a lifetime fellow in the American Bar Foundation.