[Federal Register Volume 82, Number 12 (Thursday, January 19, 2017)]
[Proposed Rules]
[Pages 6429-6446]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-00758]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

48 CFR Parts 3001, 3002, 3004, and 3052

[Docket No. DHS-2017-0006]
RIN 1601-AA76


Homeland Security Acquisition Regulation (HSAR); Safeguarding of 
Controlled Unclassified Information (HSAR Case 2015-001)

AGENCY: Office of the Chief Procurement Officer, Department of Homeland 
Security (DHS).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: DHS is proposing to amend the Homeland Security Acquisition 
Regulation (HSAR) to modify a subpart, remove an existing clause and 
reserve the clause number, update an existing clause, and add a new 
contract clause to address requirements for the safeguarding of 
Controlled Unclassified Information (CUI).

DATES: Comments on the proposed rule should be submitted in writing to 
one of the addresses shown below on or before March 20, 2017, to be 
considered in the formation of the final rule.

ADDRESSES: Submit comments identified by HSAR Case 2015-001, 
Safeguarding of Controlled Unclassified Information, using any of the 
following methods:
     Regulations.gov: http://www.regulations.gov.
    Submit comments via the Federal eRulemaking portal by entering 
``HSAR Case 2015-001'' under the heading ``Enter Keyword or ID'' and 
selecting ``Search.'' Select the link ``Submit a Comment'' that 
corresponds with ``HSAR Case 2015-001.'' Follow the instructions 
provided at the ``Submit a Comment'' screen. Please include your name, 
company name (if any), and ``HSAR Case 2015-001'' on your attached 
document.
     Fax: (202) 447-0520
     Mail: Department of Homeland Security, Office of the Chief 
Procurement Officer, Acquisition Policy and Legislation, ATTN: Ms. 
Shaundra Duggans, 245 Murray Drive, Bldg. 410 (RDS), Washington, DC 
20528.
    Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided. To 
confirm receipt of your comment(s), please check www.regulations.gov, 
approximately two to three days after submission to verify posting 
(except allow 30 days for posting of comments submitted by mail).

FOR FURTHER INFORMATION CONTACT: Ms. Shaundra Duggans, Procurement 
Analyst, DHS, Office of the Chief Procurement Officer, Acquisition 
Policy and Legislation at (202) 447-0056 or email [email protected]. When 
using email, include HSAR Case 2015-001 in the ``Subject'' line.

SUPPLEMENTARY INFORMATION: 

I. Background

    The purpose of this proposed rule is to implement adequate security 
and privacy measures to safeguard Controlled Unclassified Information 
(CUI) and facilitate improved incident reporting to DHS. This proposed 
rule does not apply to classified information. These measures are 
necessary because of the urgent need to protect CUI and respond 
appropriately when DHS contractors experience incidents with DHS 
information. Recent high-profile breaches of Federal information 
further demonstrate the need to ensure that information security 
protections are clearly, effectively, and consistently addressed in 
contracts. This proposed rule strengthens and expands existing HSAR 
language to ensure adequate security for CUI that is accessed by 
contractors; collected or maintained by contractors on behalf of an 
agency; and/or for Federal information systems that collect, process, 
store or transmit such information. The proposed rule identifies CUI 
handling requirements as well as incident reporting requirements, 
including timelines and required data elements. The proposed rule also 
includes inspection provisions and post-incident activities and 
requires certification of sanitization of Government and Government-
Activity related files and information. Additionally, the proposed rule 
requires that contractors have in place procedures and the capability 
to notify and provide credit monitoring services to any individual 
whose Personally Identifiable Information (PII) or Sensitive PII (SPII) 
was under the control of the contractor or resided in the information 
system at the time of the incident.
    This rule addresses the safeguarding requirements specified in the 
Federal Information Security Modernization Act (FISMA) of 2014 (44 
U.S.C. 3551, et seq.), Office of Management and Budget (OMB) Circular 
A-130, Managing Information as a Strategic Resource,\1\ relevant 
National Institutes of Standards and Technology (NIST) guidance, 
Executive Order 13556, Controlled Unclassified Information \2\ and its 
implementing regulation at 32 CFR part 2002,\3\ and the following OMB 
Memoranda: M-07-16, Safeguarding Against and Responding to the Breach 
of Personally Identifiable Information; M-14-03, Enhancing the Security 
of Federal Information and Information Systems; and Reporting 
Instructions for the Federal Information Security Management Act and 
Agency Privacy Management as identified in various OMB Memoranda.\4\ 
Ongoing efforts by OMB and DHS with regard to implementation of FISMA, 
such as the issuance of Binding Operational Directives, and DHS 
implementation of the CUI program, may require future HSAR revisions in 
this area. DHS intends to harmonize the HSAR to be consistent with the 
requirements of these ongoing efforts.
---------------------------------------------------------------------------

    \1\ OMB Circular A-130 Managing Information as a Strategic 
Resource is accessible at https://www.whitehouse.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf.
    \2\ Executive Order 13556 Controlled Unclassified Information is 
accessible at https://www.gpo.gov/fdsys/pkg/FR-2010-11-09/pdf/2010-28360.pdf.
    \3\ 32 CFR part 2002 is accessible at https://www.gpo.gov/fdsys/pkg/FR-2016-09-14/pdf/2016-21665.pdf.
    \4\ These memoranda include M-03-19, M-04-25, M-05-15, M-06-20, 
M-07-19, M-08-212, M-09-29, M-10-15, M-11-33, M-12-20, M-14-04, M-
15-01, M-16-03, and M-16-04. These memoranda can be accessed at: 
https://www.whitehouse.gov/omb/memoranda_default.
---------------------------------------------------------------------------

II. Discussion and Analysis

    This proposed rule is part of a broader initiative within DHS to 
(1) ensure contractors understand their responsibilities with regard to 
safeguarding controlled unclassified information (CUI); (2) contractor 
and subcontractor employees complete

[[Page 6430]]

information technology (IT) security awareness training before access 
is provided to DHS information systems and information resources or 
contractor-owned and/or operated information systems and information 
resources where CUI is collected, processed, stored or transmitted on 
behalf of the agency; (3) contractor and subcontractor employees sign 
the DHS RoB before access is provided to DHS information systems, 
information resources, or contractor-owned and/or operated information 
systems and information resources where CUI is collected, processed, 
stored or transmitted on behalf of the agency; and (4) contractor and 
subcontractor employees complete privacy training before accessing a 
Government system of records; handling personally identifiable 
information (PII) and/or sensitive PII information; or designing, 
developing, maintaining, or operating a system of records on behalf of 
the Government.
    DHS is proposing to amend and expand an existing HSAR subpart. This 
proposed rule would (1) add new definitions; (2) clarify the 
applicability of the subpart; (3) remove an existing clause and reserve 
the clause number; (4) revise an existing clause; and (5) add a new 
clause to implement expanded safeguarding requirements and identify new 
policies for incident reporting, incident response, notification and 
credit monitoring. Each of these proposed changes is described in 
detail below.
    (1) DHS is proposing to revise subpart 3002.101, Definitions, to 
define ``adequate security,'' ``controlled unclassified information,'' 
``Federal information,'' ``Federal information system,'' ``handling,'' 
``information resources,'' ``information security,'' and ``information 
system,'' and remove the definition of sensitive information. The 
definition of the terms ``adequate security,'' ``Federal information,'' 
and ``Federal information system'' is taken from OMB Circular A-130, 
Managing Information as a Strategic Resource. The definition of 
controlled unclassified information is taken from its implementing 
regulation at 32 CFR part 2002. The definition of ``handling'' was 
developed based upon a review of definitions for the term developed by 
other Federal agencies. The definition for the term ``information 
security'' is taken from FISMA 2014 (44 U.S.C. 3552(b)(3)) and the 
definitions for the terms ``information resources'' and ``information 
system'' are taken from 44 U.S.C. 3502(6) and 44 U.S.C. 3502(8) 
respectively. The definition of ``sensitive information'' is removed 
because it is being replaced with ``controlled unclassified 
information'' consistent with Executive Order 13556 and its 
implementing regulation at 32 CFR part 2002. This rule also adds five 
(5) new categories/subcategories of CUI titled Homeland Security 
Agreement Information, Homeland Security Enforcement Information, 
Operations Security Information, Personnel Security Information, and 
Sensitive Personally Identifiable Information for consistency with 
NARA's CUI regulation (32 CFR part 2002). The definitions of these 
terms are needed because these terms appear in the new proposed clause 
at 3052.204-7X, Safeguarding of Controlled Unclassified Information.
    (2) DHS is proposing to revise subpart 3004.470, Security 
requirements for access to unclassified facilities, Information 
Technology resources, and sensitive information, to change the title of 
the subpart and to clarify the applicability of the subpart to the 
acquisition lifecycle. The title of the subpart would be changed to 
``Security requirements for access to unclassified facilities, 
information resources, and controlled unclassified information'' and a 
new subsection for definitions would be added under the subpart. 
Accordingly, the subsections would be renumbered as follows: 3004.470-1 
Scope, 3004.470-2 Definitions, 3004.470-3 Policy, and 3004.470-4 
Contract Clauses. Originally, the title of this subpart contained the 
term ``information technology resources;'' however, this term is 
inconsistent with 44 U.S.C. 3502(6) which defines the term 
``information resources.'' Subsection 3004.470-1, Scope, would be 
amended for consistency in terminology and to make clear the 
applicability of the subpart to the acquisition lifecycle. Subsection 
3004.470-2, Definitions, would be added to define the term 
``incident.'' The definition for ``incident'' is taken from FISMA 2014 
(44 U.S.C. 3552(b)(2)). This term could not be defined at 3002.1, 
Definitions, because the meaning of the term ``incident'' in this 
subpart differs from the meaning it is given in other parts of the 
HSAR. Additionally, this definition is needed because this term appears 
in the clause at 3052.204-7X, Safeguarding of Controlled Unclassified 
Information. Subsection 3004.470-3, Policy, would be revised to (a) 
remove explicit references to Departmental policies and procedures to 
safeguard CUI that are subject to change and provide a public facing 
link for which these policies and procedures can be accessed and (b) 
make clear the requirements for completion of security forms and 
background investigations for contractor employees that require 
recurring access to Government facilities or CUI. Subsection 3004.470-
4, Contract Clauses, would be revised to remove reference to 3052.204-
70, Security Requirements for Unclassified Information Technology 
Resources and identify the applicability of the clause at 3052.204-7X, 
Safeguarding of Controlled Unclassified Information, to solicitations, 
contracts, and subcontracts.
    (3) Clause 3052.204-70, Security Requirements for Unclassified 
Information Technology Resources, would be removed and the clause 
number reserved. This change is necessary because the addition of the 
clause at 3052.204-7X Safeguarding of Controlled Unclassified 
Information eliminates the need for this clause.
    (4) A new clause at 3052.204-7X, Safeguarding of Controlled 
Unclassified Information, would be added to ensure adequate protection 
of CUI. The new clause adds definitions and identifies CUI handling 
requirements, Authority to Operate requirements, incident reporting and 
response requirements, PII and SPII notification requirements, credit 
monitoring requirements, sanitization of Government and Government-
Activity related files and information requirements, other reporting 
requirements, and subcontract requirements. Each of these requirements 
is described below.

(a) Definitions

    This section would add definitions, which also appear in part at 
3002.1 Definitions and 3004.470-2 Definitions, as follows: ``adequate 
security,'' ``Controlled Unclassified Information,'' ``Federal 
information,'' ``Federal information system,'' ``handling,'' ``Homeland 
Security Agreement Information,'' ``Homeland Security Enforcement 
Information,'' ``incident,'' ``information resources,'' ``information 
security,'' ``information system,'' ``Operations Security 
Information,'' ``Personnel Security Information,'' and ``Sensitive 
Personally Identifiable Information.'' The definitions of these terms 
are needed because these terms appear in 3052.204-7X, Safeguarding of 
Controlled Unclassified Information.

(b) Handling of Controlled Unclassified Information

    This section sets forth specific requirements for contractors and 
subcontractors when handling CUI in order to better protect against the 
threat of persistent cyber-attacks and prevent the compromise of CUI, 
including PII.

[[Page 6431]]

These requirements include being in compliance with the DHS policies 
and procedures in effect at the time of contract award. These policies 
and procedures are located on a public Web site titled DHS Security and 
Training Requirements for Contractors which can be accessed via http://www.dhs.gov/dhs-security-and-training-requirements-contractors. This 
Web site identifies Departmental policies and procedures that 
contractors must comply with related to personnel security, information 
security, IT security, and privacy. The Web site also identifies and 
provides contractors with access to IT security awareness and privacy 
training. The policies and training requirements contained on this Web 
site are existing requirements that DHS routinely includes in the terms 
and conditions of its contracts, some of which are pre-existing through 
HSAR 3052.204-70 Security Requirements for Unclassified Information 
Technology Resources and 3052.204-71 Contractor Employee Access. Part 
of the intent of this proposed rulemaking is to increase transparency 
by consolidating these existing requirements in a single location that 
is easily accessible by the public. Changes to these policies and 
procedures will be reflected on the Web site and changes that impact 
contract performance will be communicated to the contractor by the 
Government.
    Handling requirements also include not using or redistributing any 
CUI collected, processed, stored, or transmitted by the contractor, 
except as specified in the contract and not maintaining SPII in the 
contractor's invoicing, billing, and other recordkeeping systems 
maintained to support financial or other administrative functions. DHS 
believes that maintaining SPII in the contractor's invoicing, billing, 
and other recordkeeping systems creates unnecessary risk of compromise 
and is not otherwise needed to achieve contract administration 
functions. DHS welcomes comments regarding whether other categories of 
CUI should be similarly excluded from a contractor's invoicing, 
billing, and other recordkeeping systems. Through these and other 
requirements set forth in the proposed clause and discussed in detail 
in the following sections, the Department believes that contractors and 
subcontractors will provide adequate security from the unauthorized 
access and disclosure of CUI.

(c) Authority To Operate

    FISMA defines a comprehensive framework for ensuring the protection 
of Government information, operations and assets against natural or 
man-made threats. This section sets forth information security 
requirements contractors operating a Federal information system must 
meet prior to collecting, processing, storing, or transmitting CUI in 
that information system as required by FISMA and set forth in NIST 
Special Publication 800-53, Recommended Security and Privacy Controls 
for Federal Information Systems and Organizations. The requirements 
include completing the security authorization process, including the 
preparation of security authorization package and obtaining an 
independent assessment; renewal of the security authorization; security 
review; and Federal reporting and continuous monitoring.\5\
---------------------------------------------------------------------------

    \5\ DHS is aware that NIST Special Publication 800-171, 
Protecting Controlled Unclassified Information in Nonfederal 
Information Systems and Organizations, was released in June 2015 to 
provide federal agencies with recommended requirements for 
protecting the confidentiality of Controlled Unclassified 
Information on non-Federal information systems; however, the 
information system security requirements in this proposed rulemaking 
are focused on Federal information systems, which include contractor 
information systems operating on behalf of an agency. Consistent 
with 32 CFR part 2002, these information systems are not subject to 
the requirements of NIST Special Publication 800-171.
---------------------------------------------------------------------------

    Security authorization involves comprehensive testing and 
evaluation of security features (also known as controls) of an 
information system. It addresses software and hardware security 
safeguards; considers procedural, physical, and personnel security 
measures; and establishes the extent to which a particular design (or 
architecture), configuration, and implementation meets a specified set 
of security requirements throughout the life cycle of the information 
system. It also considers procedural, physical, and personnel security 
measures employed to enforce information security policy. The security 
authorization package includes a Security Plan, Contingency Plan, 
Contingency Plan Test Results, Configuration Management Plan, Security 
Assessment Plan, and Security Assessment Report. These documents are 
used to record the results of the security authorization process and 
provide evidence that the process was followed correctly. A Federal 
information system, which includes a contractor information system 
operating on behalf of an agency, must be granted an Authority to 
Operate (ATO) before it is granted permission to collect, process, 
store, or transmit CUI. The ATO is the official management decision 
given by a senior organizational official to authorize operation of an 
information system based on the implementation of an agreed-upon set of 
security controls.
    The independent assessment is used to validate the security and 
privacy controls in place for the information system prior to 
submission of the security authorization package to the Government for 
review and acceptance. Once an ATO is accepted and signed by the 
Government, it is valid for three (3) years and must be renewed at that 
time unless otherwise specified in the ATO letter. The Government uses 
random security reviews as an additional level of verification to 
ensure security controls are in place, enforced and operating 
effectively. The contractor shall afford DHS, the Office of the 
Inspector General, other Government organizations, and contractors 
working in support of the Government access to the Contractor's 
facilities, installations, operations, documentation, databases, 
networks, systems, and personnel used in the performance of this 
contract to conduct security reviews. In addition, contractors 
operating information systems on behalf of the Government shall comply 
with Federal reporting and information system continuous monitoring 
requirements. Reporting requirements are determined by OMB on an annual 
basis and are defined in the Fiscal Year 2015 DHS Information Security 
Performance Plan.\6\ The plan is updated annually to reflect any new or 
revised reporting requirements from OMB.
---------------------------------------------------------------------------

    \6\ The Fiscal Year 2015 DHS Information Security Performance 
Plan can be found at: http://www.dhs.gov/dhs-security-and-training-requirements-contractors.
---------------------------------------------------------------------------

(d) Incident Reporting

    This section sets forth incident reporting requirements for 
contractors and subcontractors when reporting known or suspected 
incidents, including known or suspected incidents that involve PII and/
or SPII. The incident reporting requirements described in this section 
allow the Department to gather the information necessary to formulate 
an effective incident response plan for incident mitigation and 
resolution. These requirements include: Reporting all known or 
suspected incidents to the Component Security Operations Center and 
notifying the contracting officer and contracting officer's 
representative of the incident; reporting known or suspected incidents 
that involve PII or SPII within one hour of discovery and all other 
incidents within eight hours of discovery; encrypting CUI using FIPS 
140-2 Security Requirements for

[[Page 6432]]

Cryptographic Modules and refraining from including CUI in the subject 
or body of any email; providing additional data elements when reporting 
incidents involving PII or SPII; and making clear that an incident 
shall not, by itself, be interpreted as evidence that the contractor 
failed to provide adequate information security safeguards for CUI.
    The timing for reporting incidents involving PII or SPII is 
consistent with OMB Memorandum M-07-16, Safeguarding Against and 
Responding to the Breach of Personally Identifiable Information. The 
timing for reporting incidents unrelated to PII or SPII was derived 
from existing Departmental policy for reporting incidents related to 
other categories of CUI such as CVI, Protected Critical Infrastructure 
Information (PCII), and Sensitive Security Information (SSI). 
Controlled unclassified information is required to be excluded from the 
subject or body of an email and encrypted to prevent further compromise 
of the information when reporting incidents. The additional data 
elements required when reporting incidents involving PII or SPII are 
needed to assist in the Department's understanding of the incident and 
aid in an effective response. DHS also wants to encourage industry to 
timely report incidents to the Department by making it clear that such 
reporting does not automatically mean the contractor has failed to 
provide adequate security or otherwise meet the requirements of the 
contract.
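The following is an added example, not part of the proposed rule or of any DHS tool, showing how a contractor's security operations staff might encode the section (d) reporting windows and pre-check an outgoing report before it leaves as plain email. The one-hour and eight-hour windows are the rule's own; the `Incident` fields, the `utc` helper, the two CUI indicator patterns and the sample incident are constructed assumptions for the example.

```python
"""Incident-reporting helpers modelled on section (d) of the proposed clause.

Added example, not part of the proposed rule or any DHS tool. Everything
except the two reporting windows is an assumption made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows stated in the proposed rule: incidents involving PII or SPII within
# one hour of discovery, all other incidents within eight hours of discovery.
PII_WINDOW = timedelta(hours=1)
OTHER_WINDOW = timedelta(hours=8)


@dataclass(frozen=True)
class Incident:
    incident_id: str              # constructed tracking id, e.g. "INC-0001"
    discovered_at: datetime       # must be timezone-aware; naive times are rejected
    involves_pii: bool            # PII or SPII under contractor control or in the system
    suspected_only: bool = False  # known and suspected incidents are both reportable


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Build a UTC-aware timestamp (keeps sample construction short)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def reporting_deadline(inc: Incident) -> datetime:
    """Return the latest time the report may reach the Component SOC."""
    if inc.discovered_at.tzinfo is None:
        # A naive timestamp silently shifts the deadline by the local UTC offset.
        raise ValueError("discovered_at must be timezone-aware")
    window = PII_WINDOW if inc.involves_pii else OTHER_WINDOW
    return inc.discovered_at + window


def report_status(inc: Incident, now: datetime) -> dict:
    """Summarise where an unreported incident stands against its deadline."""
    window = PII_WINDOW if inc.involves_pii else OTHER_WINDOW
    deadline = reporting_deadline(inc)
    remaining = deadline - now
    return {
        "incident_id": inc.incident_id,
        "window_hours": int(window.total_seconds() // 3600),
        "deadline_utc": deadline.astimezone(timezone.utc).isoformat(),
        "overdue": remaining < timedelta(0),
        "minutes_remaining": int(remaining.total_seconds() // 60),
    }


# Heuristic indicators that CUI has been pasted into plain email text. These
# two patterns are an assumption for the example, not a list from the rule:
# an SSN-shaped number (SPII) and a "CUI//" banner marking from a marked file.
_CUI_INDICATORS = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "cui_banner": re.compile(r"\bCUI//"),
}


def email_cui_findings(subject: str, body: str) -> list:
    """Return '<field>:<indicator>' strings; an empty list means the text is clean."""
    findings = []
    for field_name, text in (("subject", subject), ("body", body)):
        for name, pattern in _CUI_INDICATORS.items():
            if pattern.search(text):
                findings.append(f"{field_name}:{name}")
    return findings


def email_safe_to_send(subject: str, body: str) -> bool:
    """True only when neither subject nor body carries a CUI indicator.

    The CUI itself belongs in a FIPS 140-2 encrypted attachment, never in the text.
    """
    return not email_cui_findings(subject, body)


if __name__ == "__main__":
    # Constructed sample: PII incident discovered at 10:00 UTC, checked at 10:30 UTC.
    inc = Incident("INC-0001", utc(2017, 1, 19, 10, 0), involves_pii=True)
    print(report_status(inc, utc(2017, 1, 19, 10, 30)))
    print(email_cui_findings("INC-0001 report", "Affected record: SSN 123-45-6789"))
```

The deadline helper rejects naive timestamps on purpose: a discovery time logged without a zone can move a one-hour deadline by several hours once the report crosses a timezone boundary. The email check is a last gate before sending, not a substitute for keeping CUI out of the draft in the first place.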

(e) Incident Response

    This section identifies incident response requirements and 
activities. Incident response activities such as inspections, 
investigations, forensic reviews, etc. are used to quickly assess, 
remediate and protect CUI and are conducted whenever an incident is 
reported to DHS. The goal of these activities is to determine what data 
was or could have been accessed by an intruder, build a timeline of 
intruder activity, determine methods and techniques used by the 
intruder, find the initial attack vector, identify any features/aspects 
in the information security protections, and provide remediation 
recommendations to restore the protection of the data. Incident 
response activities may also include contract compliance analyses.

(f) PII and SPII Notification Requirements

    This section sets forth the notification procedures and capability 
requirements for Contractors when notifying any individual whose PII 
and/or SPII was under the control of the Contractor or resided in the 
information system at the time of the incident. The method and content 
of any notification by the Contractor shall be coordinated with, and 
subject to prior written approval by the Contracting Officer utilizing 
the DHS Privacy Incident Handling Guidance. When appropriate, 
notification of those affected and/or the public allows those 
individuals affected by the incident the opportunity to take steps to 
help protect themselves. Such notification is also consistent with the 
``openness principle'' of the Privacy Act which calls for agencies to 
inform individuals about how their information is being accessed and 
used, and may help individuals mitigate the potential harms resulting 
from an incident.
    The Department realizes that there are existing state notification 
laws that industry must also follow. Therefore, DHS welcomes comments 
regarding the impact, if any, that existing state notification laws 
will have on industry's ability to comply with this notification 
requirement.

(g) Credit Monitoring

    This section sets forth the requirement that the contractor, when 
appropriate, is required to provide credit monitoring services, 
including call center services, if directed by the Contracting Officer, 
to any individual whose PII or SPII was under the control of the 
contractor, or resided in the information system, at the time of the 
incident for a period beginning the date of the incident and extending 
not less than 18 months from the date the individual is notified. 
Credit monitoring is a commercial service that can assist individuals 
in early detection of instances of identity theft. Credit monitoring 
services notify individuals of changes that appear in their credit 
report, such as creation of new accounts, changes to their existing 
accounts or personal information, or new inquiries for credit. Such 
notification affords individuals the opportunity to take steps to 
minimize any harm associated with unauthorized or fraudulent activity. 
The section is only applicable when an incident involves PII or SPII.
    The Department deliberately made the provision of notification and 
credit monitoring services independent from an assessment of fault or 
lack of compliance with the contract terms and conditions. In 
accordance with OMB Memorandum M-07-16, Safeguarding Against and 
Responding to the Breach of Personally Identifiable Information, 
agencies have the responsibility to notify individuals whose PII or 
SPII may have been compromised without unreasonable delay. This 
notification has often been delayed while detailed forensic analysis 
and contract compliance inspections are occurring. Under this new 
provision, notification and credit monitoring, when appropriate, will 
occur more rapidly as it is not dependent upon any determination of 
contractor fault or noncompliance. DHS is also aware that sophisticated 
cyber-attacks can occur despite compliance with contract requirements. 
In these instances, even though there is no contractor noncompliance, 
there may still be a need to notify individuals and provide credit 
monitoring services. Additionally, DHS wants to emphasize that the 
provisions for notification and credit monitoring services are only 
applicable when (1) contractor and/or subcontractor employees may have 
access to PII/SPII or (2) information systems are used to collect, 
process, store, or transmit PII/SPII on behalf of the agency. DHS is 
considering broadening the credit monitoring requirement to include 
identity protection, identity restoration, and related services. DHS 
welcomes comments regarding the impact, if any, of this change.

(h) Certificate of Sanitization of Government and Government-Activity 
Related Files and Information

    Upon the conclusion of the contract by expiration, termination, 
cancellation, or as otherwise identified in the contract, the 
Contractor must return all CUI to DHS or destroy it physically or 
logically as identified in the contract. This destruction must conform 
to the guidelines for media sanitization contained in NIST SP-800-88, 
Guidelines for Media Sanitization. Further, the contractor must certify 
and confirm sanitization of media using the template provided in 
Appendix G of the publication.

(i) Other Reporting Requirements

    The purpose of this section is to make clear that the requirements 
of this clause do not rescind the Contractor's responsibility for 
compliance with other applicable U.S. Government statutory or 
regulatory requirements that may apply to its contract(s).

(j) Subcontracts

    This section requires that contractors insert the clause at 
3052.204-7X Safeguarding of Controlled Unclassified Information in all 
subcontracts and require subcontractors to include this clause in all 
lower-tier subcontracts. The requirements of this clause are applicable 
to all contractors and

[[Page 6433]]

subcontractors that (1) will have access to CUI; (2) collect or 
maintain CUI on behalf of the agency; or (3) operate Federal 
information systems, including contractor information systems operated 
on behalf of the agency, to collect, process, store, or transmit CUI.
    (5) Clause 3052.212-70, Contract Terms and Conditions Applicable to 
DHS Acquisition of Commercial Items, would be revised to remove 
3052.204-70, Security Requirements for Unclassified Information 
Technology Resources; identify Alternate II as an option under 
subparagraph (b) of 3052.204-71 Contractor Employee Access; and add 
3052.204-7X Safeguarding of Controlled Unclassified Information under 
subparagraph (b) of the clause. The addition of 3052.204-7X 
Safeguarding of Controlled Unclassified Information eliminates the need 
for 3052.204-70 Security Requirements for Unclassified Information 
Technology Resources. Because of this, 3052.204-70 would be removed and 
the clause number reserved. Alternate II to 3052.204-71 was 
inadvertently omitted as an option under the listing of clauses and 
alternates available for selection under 3052.212-70. This addition 
corrects that omission. Subparagraph (b) of 3052.212-70 would also be 
amended to add 3052.204-7X Safeguarding of Controlled Unclassified 
Information because the requirements of these clauses are applicable to 
the acquisition of commercial items.
    (6) Other considerations. DHS is considering making changes to 
subpart 3004.470-3, Contract Clauses, and the clause at 3052.204-71, 
Contractor Employee Access. These changes would harmonize the text of 
the clause with the requirements of the final version of 3052.204-7X 
Safeguarding of Controlled Unclassified Information by removing 
outdated and/or unnecessary definitions (i.e., sensitive information 
and information technology resources); renumbering the paragraphs of 
the clause as a result of the removal of the definitions for the terms 
``sensitive information'' and ``information technology resources''; and 
making clear in the prescription for the clause the need for 
information security regardless of the setting, including educational 
institutions and contractor facilities. DHS believes that the 
protection of CUI is paramount regardless of where the information 
resides. DHS is also seeking comment on making the clause at 3052.204-
7X, Safeguarding of Controlled Unclassified Information, applicable to 
all services contracts. DHS believes this broader applicability would 
ensure that contractors are aware of the Government's requirements 
related to CUI. In addition, the Government believes that the 
requirements of the clause are written in such a way that they would be 
self-deleting when they are not applicable to a solicitation or 
contract. DHS welcomes comments regarding the impact, if any, on 
including 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, in all services contracts. DHS also welcomes comments and 
feedback on industry's understanding of the concept of self-deleting 
and if the use of alternates to 3052.204-7X, Safeguarding of Controlled 
Unclassified Information, is needed to ensure proper understanding and 
application of the clause.

III. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This is a significant regulatory action and, therefore, 
was subject to review under Section 6(b) of E.O. 12866, Regulatory 
Planning and Review, dated September 30, 1993. This rule is not a major 
rule under 5 U.S.C. 804.
    This proposed rule addresses the safeguarding requirements 
specified in the FISMA, OMB Circular A-130, Managing Information as a 
Strategic Resource, relevant NIST guidance, Executive Order 13556, 
Controlled Unclassified Information and its implementing regulation at 
32 CFR part 2002, and multiple OMB Memoranda. DHS considered both the 
costs and benefits associated with the requirements of proposed clause 
Safeguarding of Controlled Unclassified Information, specifically those 
requirements believed to be of most import to industry such as the 
requirement to: Obtain an independent assessment, perform continuous 
monitoring, report all known and suspected incidents, provide 
notification and credit monitoring services in the event an incident 
impacts PII, document sanitization of Government and Government-
activity-related files and information, as well as ensure overall 
compliance with the requirements of the proposed clause.
    To determine the estimated costs of these requirements DHS 
requested cost information from multiple vendors whose contracts with 
DHS include requirements similar to this proposed rule; obtained cost 
input from the Federal Risk and Authorization Management Program 
(FedRAMP), for which DHS is a participant; reviewed the Congressional 
Budget Office (CBO) Cost Estimate for the Personal Data Protection and 
Breach Accountability Act of 2011; reviewed pricing from the General 
Service Administration's (GSA) recently awarded Identity Protection 
Services (IPS) blanket purchase agreements (BPAs); and reviewed 
internal price data from DHS's Managed Compliance Services and 
notification and credit monitoring services contracts. These activities 
identified that: (1) The cost of an independent assessment can range 
from $30,000 to $150,000 with an average cost of $112,872; (2) the 
equipment costs to perform continuous monitoring can range from $76,340 
to $350,000 with an average cost of $213,170 while the labor costs to 
perform continuous monitoring can range from $47,000 to $65,000 for an 
average cost of $55,674; (3) the cost of reporting an incident to DHS 
ranges between $500 and $1,500 per incident; (4) the cost of notifying 
individuals that there has been an incident with their PII ranges from 
$1.03 to $4.60 per person; (5) the cost of credit monitoring services 
range between $60 and $260 per person; (6) a specific cost for the 
certificate of sanitization of Government and Government-Activity-
Related files and information cannot be determined as the methods of 
sanitization vary widely depending on the categorization of the system 
and the media on which the data is stored; and (7) costs associated 
with Full-time Equivalent (FTE) oversight of the requirements of 
proposed clause Safeguarding of Controlled Unclassified Information 
ranges from $65,000 to $324,000. Detailed information on how DHS 
arrived at these costs and ranges is provided below.
    There are a multitude of benefits associated with the requirements 
of proposed clause Safeguarding of Controlled Unclassified Information. 
These benefits impact both DHS and contractors with which it conducts 
business. Benefits related to specific provisions of the proposed 
clause are addressed below; however, it is important to note the 
overarching benefit of transparency. While several of the requirements 
of the proposed clause have been routinely included in DHS contracts 
(e.g., Authority to Operate, notification, and credit monitoring), this 
proposed rulemaking standardizes the applicability of these 
requirements and

[[Page 6434]]

makes clear to contractors considering doing business with DHS the 
standards and requirements to which they will be held as it relates to 
the (1) handling of the Department's CUI, (2) security requirements 
when such information will be collected or maintained on behalf of the 
agency or collected, processed, stored, or transmitted in a Federal 
information system, including contractor information systems operating 
on behalf of the agency, and (3) potential notification and credit 
monitoring requirements in the event of an incident that impacts 
personally identifiable information (PII) and/or sensitive PII (SPII). 
The current lack of standardization and transparency has been a point of 
contention for industry and a common concern raised when DHS has 
requested feedback from industry.

Overview of Costs

Independent Assessment
    DHS is proposing that vendors obtain an independent assessment to 
validate the security and privacy controls in place for an information 
system prior to submission of the security authorization package to the 
Government for review and acceptance. In general, when assessing 
compliance with a standard or set of requirements, there are three 
alternatives: (1) First party attestation or self-certification, (2) 
second party attestation (i.e., internal independent), or (3) third 
party attestation. While the first two options may be considered the 
least economically burdensome, third party attestation is an accepted 
best practice in commercial industry as objectivity increases with 
independence. DHS is proposing to require that vendors obtain an 
independent assessment from a third party to ensure a truly objective 
measure of an entity's compliance with the requisite security and 
privacy controls. Recent high-profile breaches of Federal information 
further demonstrate the need for Departments, agencies, and industry to 
ensure that information security protections are clearly, effectively, 
and consistently addressed and appropriately implemented in contracts. 
Additionally, the benefits of using a third party to perform an 
independent assessment also extend to the contractor as the contractor 
can use the results of the independent assessment to demonstrate its 
cybersecurity excellence for customers other than DHS.
    The cost of an independent assessment varies widely depending upon 
the complexity of the information system, the categorization of the 
information system (low, moderate, or high impact), and the 
sophistication of the contractor. Additionally, DHS does not have a 
mechanism to track the costs of independent assessments performed under 
its contracts. Because of the multiple factors that influence the cost 
of an independent assessment and lack of a tracking mechanism for 
associated costs, DHS is unable to identify with specificity the costs 
of implementing this requirement. As such, we sought to identify a 
range of costs based on the actual data we were able to access. DHS 
performed the following activities to obtain this data:
    • Requested cost information from multiple vendors whose 
contracts with DHS require an independent assessment as part of the 
security authorization process;
    • Obtained cost input from FedRAMP, for which DHS is a 
participant, as the program requires cloud service providers to obtain 
an independent assessment from a Third Party Assessment Organization; 
and
    • Reviewed internal data from DHS's Managed Compliance 
Services contract. DHS uses this contract to perform internal 
independent assessments.
    The cost information received from DHS vendors ranged from $30,000 
to $123,615. The vendors whose costs were on the higher end of this 
range included costs for the independent party as well as internal 
labor costs associated with performing the independent assessment 
whereas the vendor on the low end of the spectrum did not. FedRAMP data 
indicates the estimated cost of an independent assessment to be 
approximately $150,000, while costs under DHS's internal contract for 
this service range between $35,000 and $45,000. When considering the 
data from DHS's internal contract for independent assessment services, 
it is important to note that these figures do not capture the labor 
costs of the Government employees involved in the process as the 
Government does not typically track the costs incurred for services 
performed by its own workforce. Because of this, it is both anticipated 
and expected that contractor costs for independent assessments will 
exceed the costs the Government incurs as contractor costs typically 
include not only the cost of the independent third party but also 
internal labor costs to facilitate the independent assessment and 
resolve any resultant findings.
    Based on the above data points, the cost of an independent 
assessment can range from $30,000 to $150,000 or an average cost of 
$112,872. Because it seems likely that most vendors will have to 
account for necessary staff time, the average cost was developed by 
averaging only those cost estimates that included both internal and 
external labor costs. Neither the range nor the average cost identified 
is absolute as there are multiple factors that influence the cost of 
this service. Internal historical data indicates it takes approximately 
162 labor hours to complete an independent assessment. This adds to 
the variance as the costs are dependent upon the labor categories and 
rates used to perform the assessment. Also, it is important to note 
that the assessment is required to be performed by an independent 
party. As such, the actual cost of the assessment is largely dependent 
upon agreements that the contractor is responsible for negotiating. 
Contractors with preexisting relationships with entities that perform 
independent assessments may be able to obtain more competitive pricing. 
Contractors new to this requirement may not. DHS welcomes comments from 
industry regarding the estimated costs associated with compliance with 
the requirement to obtain an independent assessment.
Continuous Monitoring
    Proposed clause Safeguarding of Controlled Unclassified Information 
requires that contractors operating Federal information systems, which 
includes contractor information systems operating on behalf of the 
Government, or maintaining or collecting information on behalf of the 
Government, comply with information system continuous monitoring 
requirements. Continuous monitoring is not a new requirement for DHS 
contractors. Existing HSAR clause 3052.204-70, Security Requirements 
for Unclassified Information Technology Resources, requires contractors 
to comply with DHS Sensitive System Policy Publication 4300A. This 
publication and its implementing guidance address continuous 
monitoring requirements. DHS is seeking to be clearer and 
transparent with contractor requirements by expressly identifying this 
requirement in proposed clause Safeguarding of Controlled Unclassified 
Information.
    The costs associated with continuous monitoring are not fixed and 
can vary widely. For example, a contractor that has previously gone 
through DHS's security authorization process is more likely to have in 
place the hardware, software, and personnel to perform continuous 
monitoring. In this instance, the costs associated with performing this 
requirement would be lower than for a contractor that does not have 
preexisting hardware, software, and

[[Page 6435]]

personnel in place to satisfy these requirements.
    Because of the multiple factors that influence the cost of 
continuous monitoring, DHS is unable to identify with specificity the 
costs of implementing this requirement. As such, we sought to identify 
a range of costs based on the actual data we were able to access. DHS 
performed the following activities to obtain this data:
    • Requested cost information from multiple vendors whose 
contracts with DHS include similar continuous monitoring requirements; 
and
    • Reviewed internal historical data.
    The cost information received from DHS vendors ranged from $65,000 
to $397,000. Vendors on the lower end of this range already had the 
hardware and software in place to perform continuous monitoring as the 
costs proposed only include labor. Alternatively, the vendors on the 
higher end of this range documented costs associated with hardware, 
software, and labor. For example, the cost breakdown from the vendor 
that reported costs of $397,000 included a one-time equipment fee of 
$350,000 and annual labor costs of $47,000. Alternatively, the vendor 
that submitted costs of $65,000 only proposed labor costs and is using 
preexisting hardware and software to perform continuous monitoring.
    A review of internal historical data indicates the cost of 
continuous monitoring ranges from $6,000 to $18,000. It is important to 
note that the internal historical data assumes the vendor has the 
appropriate tools to perform continuous monitoring (e.g., the ability 
to scan their assets) and does not include costs for the labor required 
to support continuous monitoring activities. It is both anticipated and 
expected that in many instances contractor costs for continuous 
monitoring will exceed the costs the Government incurs for the same 
service as contractor costs include the costs of hardware/software to 
perform continuous monitoring as well as labor costs to support 
continuous monitoring activities.
    Using the above data points, the equipment costs to perform 
continuous monitoring can range from $76,340 to $350,000 with an 
average cost of $213,170. The average cost was developed by averaging 
the equipment costs received. Alternatively, labor costs to perform 
continuous monitoring can range from $47,000 to $65,000 for an average 
cost of $55,674. The average cost was developed by averaging the labor 
costs received. Please note these ranges and average costs are not 
absolute as the costs associated with continuous monitoring vary based 
on the tools (i.e., hardware or software) and methods (e.g., internal 
staff, contractor support, new hires) the contractor uses to implement 
the continuous monitoring requirements. The Government anticipates 
costs will decline over time as contractors become more sophisticated 
and build the necessary infrastructure to support this activity. DHS 
welcomes comments from industry regarding the estimated costs 
associated with compliance with the requirement to perform continuous 
monitoring.
Incident Reporting
    This proposed rule requires contractors to report known or 
suspected incidents that involve PII or sensitive PII (SPII) within one 
hour of discovery and all other incidents (i.e., those incidents 
impacting any other category of CUI) within eight hours of discovery. 
DHS specifically included language in the regulatory text stating that 
an incident shall not, by itself, be interpreted as evidence that the 
contractor has failed to provide adequate information security 
safeguards for CUI, or has otherwise failed to meet the requirements of 
the contract. This language was added because DHS understands that 
sophisticated cyber-attacks can occur despite compliance with contract 
requirements.
    The cost to prepare and report an incident to DHS varies based on 
the type(s) of information impacted by the incident and the complexity 
of the incident. Proposed clause Safeguarding of Controlled 
Unclassified Information requires incidents to be reported to the 
Component Security Operations Center (SOC), or the DHS Enterprise SOC 
if the Component SOC is unavailable, in accordance with 4300A Sensitive 
Systems Handbook Attachment F Incident Response. However, if PII is 
impacted by the incident, the contractor must provide additional 
information in its incident report. Also, for incidents that impact 
multiple systems or multiple components of a system, it may take the 
contractor more resources (e.g., time) to obtain some of the data 
points that are required to be provided when reporting an incident.
    To determine the cost of preparing and reporting an incident, DHS 
performed the following activities:
    • Requested cost information from multiple vendors whose 
contracts with DHS include similar incident reporting requirements; and
    • Reviewed internal historical data.
    It was difficult to use the information submitted by the vendors 
queried to establish an estimated cost. The information provided either 
included both incident reporting and incident response (i.e., 
investigation and remediation activities) or annual training and 
testing requirements. Because of this we had to rely on internal 
historical data to establish an estimate solely responsive to the 
incident reporting requirements identified in the proposed clause. This 
data indicates the estimated cost of reporting an incident to DHS 
ranges between $500 and $1,500 per incident. DHS estimates that 822 
vendors are subject to the requirements of this proposed rule and that 
each vendor may report up to one known or suspected incident per year 
for a total estimated cost range of $411,000 to $1,233,000. DHS 
welcomes comments from industry regarding the estimated costs 
associated with incident reporting.
Notification and Credit Monitoring
    In the event of an incident that impacts PII/SPII, it may be 
necessary to perform certain incident response activities such as 
notification and credit monitoring. Contractors should not assume that 
all incident response activities will take place when a known or 
suspected incident is reported to DHS as the determination on the 
appropriate incident response activities is based upon investigation of 
the known or suspected incident. DHS uses a deliberative process to 
investigate and determine if an incident has occurred. This process 
begins with the contractor's submission of an incident report to the 
Component or DHS SOC. The SOC staff use the incident report information 
to investigate and determine if an actual incident occurred. More often 
than not, an incident has not occurred and further incident response 
activities are not needed. If the SOC determines that an incident has 
occurred, additional investigation and analyses happen to determine the 
nature and scope of the incident and US-CERT is engaged as necessary. 
If the incident involves PII/SPII, the Government will determine if 
notification and the provision of credit monitoring services is 
appropriate. DHS believes notification and credit monitoring, when 
appropriate, will occur more rapidly as the provision of these services 
is no longer dependent upon any determination of contractor fault or 
noncompliance.
    To determine the cost of notifying individuals, DHS performed the 
following activities:
    • Requested cost information from multiple vendors whose 
contracts with

[[Page 6436]]

DHS include similar notification requirements;
    • Reviewed pricing from DHS's department-wide contract for 
credit monitoring services;
    • Reviewed the CBO Cost Estimate for the Personal Data 
Protection and Breach Accountability Act of 2011;
    • Reviewed pricing from the GSA's recently awarded IPS BPAs; 
and
    • Reviewed GSA's Professional Services Schedule, Financial 
and Business Solutions, Category 520 19 Data Breach Analysis.
    The cost information we received from DHS vendors indicates that 
vendors price these requirements using different methods. One vendor 
bundled the cost of notification in its continuous monitoring costs 
while another bundled these costs with those associated with 
incident reporting. In these instances we are unable to determine which 
portion of the costs is associated with the notification requirements. 
The cost submitted by the one vendor that separately priced this 
requirement was $4.06 per person. The pricing for notification in the 
Department's internal contract for credit monitoring services is 
significantly lower than the costs proposed by DHS's vendors, i.e., 
$1.57 per person.
    While the CBO report referenced above did not provide a cost 
estimate for notification, the following information was provided: 
``According to industry sources, the sensitive, personally identifiable 
information of millions of individuals is illegally accessed or 
otherwise breached every year. However, according to those sources, 46 
states already have laws requiring notification in the event of a 
security breach. In addition, it is the standard practice of most 
businesses to notify individuals if a security breach occurs. 
Therefore, CBO estimates that the notification requirements would not 
impose significant additional costs on businesses.''
    GSA's IPS BPAs contain bundled fixed unit pricing for services that 
not only exceed the requirements of proposed clause Safeguarding of 
Controlled Unclassified Information (i.e., dedicated, branded Web site; 
identity restoration services; and identity theft insurance services) 
but also include notification. As such, DHS is unable to determine 
which portion of the fixed unit price is applicable to notification 
services. A review of GSA's Professional Services Schedule indicates 
only two vendors with specific pricing for notification services. This 
includes the vendor for which DHS has a Department-wide contract for 
credit monitoring and notification services. Pricing for the other 
vendor is $0.54 per letter plus postage, i.e., $1.03. Based on this 
data, the cost of notifying individuals that there has been an incident 
with their PII ranges from $1.03 to $4.60 per person. DHS welcomes 
comments from industry regarding the estimated costs associated with 
compliance with the requirement to provide notification services.
    Proposed clause Safeguarding of Controlled Unclassified Information 
requires contractors to provide credit monitoring services, including 
call center services, if directed by the Contracting Officer, to any 
individual whose PII/SPII was under the control of the contractor, or 
resided in the information system, at the time of the incident for a 
period beginning the date of the incident and extending not less than 
18 months from the date the individual is notified.
    The costs associated with this requirement vary depending on the 
method the contractor uses to provide services. For example, some 
contractors choose to satisfy this requirement through cyber insurance 
while others choose to subcontract these services with credit 
monitoring service providers. To estimate a cost for credit monitoring 
services, DHS performed the following activities:
    • Requested cost information from multiple vendors whose 
contracts with DHS include similar credit monitoring requirements;
    • Reviewed pricing from DHS's department-wide contract for 
credit monitoring services;
    • Reviewed the CBO Cost Estimate for the Personal Data 
Protection and Breach Accountability Act of 2011; and
    • Reviewed pricing from the General Service Administration's 
(GSA) recently awarded Identity Protection Services (IPS) blanket 
purchase agreements (BPAs).
    The cost information we received from DHS vendors indicates that 
vendors satisfy these requirements using different methods. One vendor 
used cyber insurance while others satisfied this requirement through 
subcontracts with credit monitoring service providers. In instances 
where subcontracts are used, the pricing ranged from $61.71 to $260 per 
person. We assume that this variance in cost stems from the vendor's 
ability to negotiate favorable pricing with its subcontractors. It is 
also important to note that credit monitoring service providers 
frequently offer volume discounts that can lower the costs of services. 
However, not all vendors under contracts with DHS may be able to 
capitalize on these discounts as the amount of PII provided to a 
contractor is based upon the services being provided and can vary 
greatly from contract to contract.
    The pricing in the Department's internal contract for credit 
monitoring services is significantly lower than the costs proposed by 
DHS's vendors, i.e., $1.89 per person. It is important to note that DHS 
was able to obtain such favorable pricing because the cost of credit 
monitoring services is paid for everyone that receives notification of 
the incident without regard to their actual acceptance/request for 
credit monitoring. According to the CBO report referenced above, 
``[t]he cost of bulk purchases of the credit-monitoring or reporting 
services is about $60 per person according to credit industry 
professionals.''
    As it relates to GSA's IPS BPAs, the published price lists do not 
mirror the credit monitoring provisions of DHS's proposed clause 
Safeguarding of Controlled Unclassified Information. For example, the 
IPS BPAs contain bundled fixed unit pricing for services that exceed 
the requirements of the proposed clause (i.e., dedicated, branded Web 
site; identity restoration services; and identity theft insurance 
services). Additionally, the pricing includes volume discounts based on 
the number of individuals receiving services. The prices ranged from 
$12.21 (per person per year if 10,000--24,999) to $38 (per person per 
year if more than 10,000).
    Based on the aforementioned information, DHS believes the most 
likely costs for these services range between $60 and $260 per person. 
DHS welcomes comments from industry regarding the estimated costs 
associated with compliance with the requirement to provide credit 
monitoring. DHS also requests feedback from industry on how many 
individuals typically sign up for credit monitoring after being 
notified that an incident has occurred that impacts their PII/SPII.
Certificate of Sanitization
    Proposed clause Safeguarding of Controlled Unclassified Information 
requires contractors to return all CUI to DHS and certify and confirm 
the sanitization of all Government and Government-Activity related 
files and information. Destruction must conform to the guidelines for 
media sanitization contained in NIST SP 800-88, Guidelines for Media 
Sanitization. The contractor is also required to use the template 
provided in NIST Special Publication 800-88, Guidelines for Media 
Sanitization, Appendix G when

[[Page 6437]]

submitting the Certificate of Sanitization.
    NIST SP 800-88 identifies the proper and applicable techniques and 
controls for sanitization and disposal decisions, considering the 
security categorization of the associated system's confidentiality. 
Applicable sanitization methods depend on the media in which the data 
is stored. Following sanitization, NIST SP 800-88 requires a 
certificate of media disposition to be completed for each piece of 
electronic media that has been sanitized. The proposed clause 
Safeguarding of Controlled Unclassified Information requires 
contractors to certify that applicable media have been sanitized using 
the template provided in Appendix G of NIST SP 800-88. In short, this 
template states that a system or hardware has been sanitized of all 
information. The costs associated with media sanitization do not arise 
from completion of the template. The costs arise from the sanitization 
activities themselves. A specific cost cannot be provided as the 
methods of sanitization vary widely depending on the categorization of 
the system and the media on which the data is stored. DHS requests 
comments from industry regarding the estimated costs associated with 
compliance with the requirement to sanitize Government and Government-
Activity-Related files and information.
Oversight and Compliance
    As discussed above, the costs associated with oversight and 
compliance with the requirements contained in proposed clause 
Safeguarding of Controlled Unclassified Information are not easily 
quantifiable. Implementation costs stem directly from a vendor's pre-
existing information security posture. Several vendors, particularly 
those operating in the IT space, have been complying with these 
requirements for years. In these instances, the vendors have the 
existing infrastructure (i.e., hardware, software, and personnel) to 
implement these requirements and implementation costs are lower. The 
same is also true for many vendors that provide professional services 
to the Government and use IT to provide those services. Alternatively, 
vendors with less experience and capability in this area will incur 
costs associated with procuring the hardware and software necessary to 
implement these requirements, as well as the labor costs associated 
with any new personnel needed to implement and oversee these 
requirements. Costs will vary depending on the hardware and software 
selected and the skill set each contractor requires in its employee(s) 
responsible for ensuring compliance with these requirements. It is 
anticipated that these costs will be passed on to the Department, and 
that over time these vendors will become more sophisticated in this 
area and costs will decline. It is also important to note that the 
information security measures proposed in this rulemaking are quite 
similar to those industry already employs internal to their business 
operations. However, based on the feedback we received from vendors, 
the costs associated with FTE oversight of these requirements ranges 
from $65,000 to $324,000. This range is not absolute as it is entirely 
dependent upon the vendor's approach to oversight, i.e., a single 
individual, multiple personnel, and the seniority of the position, all 
of which directly impact costs. Also, it is important to note that 
requirements of this type are generally not priced as a separate line 
item and are typically captured in overhead estimates. As such, DHS 
does not have clear insight into the costs associated with this 
requirement. DHS welcomes comments from industry regarding the 
estimated costs associated with ensuring proper oversight and 
compliance with the requirements of proposed clause Safeguarding of 
Controlled Unclassified Information.

Overview of Benefits

Clear Notification of System Requirements
    Feedback from industry has consistently indicated the need for 
transparency and clear and concise requirements as it relates to 
information security. The requirements of proposed clause Safeguarding 
of Controlled Unclassified Information are, in part, intended to satisfy 
this request. Previously, information security requirements were either 
embedded in a requirements document (i.e., Statement of Work, Statement 
of Objectives, or Performance Work Statement) or identified through 
existing HSAR clause 3052.204-70, Security Requirements for 
Unclassified Information Technology Resources. This approach (1) 
created inconsistencies in the identification of information security 
requirements for applicable contracts, (2) required the identification 
and communication of security controls for which compliance was 
necessary after contract award had been made, and (3) resulted in 
delays in contract performance.
    Proposed clause Safeguarding of Controlled Unclassified Information 
substantially mitigates the concerns with DHS's previous approach. 
Through the Government-provided Requirements Traceability Matrix 
(RTM), contractors will know at the solicitation level the security 
requirements with which they must comply. The RTM identifies the 
security controls that must be implemented on an information system 
that collects, processes, stores, or transmits CUI and is necessary for 
the contractor to prepare its security authorization package. Clear 
identification of these requirements at the solicitation level affords 
contractors the ability to (1) assess their qualifications and ability 
to fully meet the Government's requirements, (2) make informed business 
decisions when deciding to compete on Government requirements, and (3) 
engage subcontractors, if needed, early in the process to enable them 
to be fully responsive to the Government's requirements. 
Similarly, the Government benefits from clear identification of its 
requirements. Presumably, proposals/quotations will be submitted by 
contractors fully qualified and able to meet the requirements of the 
effort. During the evaluation phase of a procurement, the Government 
will be able to assess a contractor's information security posture and 
ability to comply with the requirements of the RTM. Such an evaluation 
should reduce post-award delays in contractor performance and mitigate 
the need to reissue solicitations as a result of a contractor's 
inability to comply with mandatory security requirements.
Improved Notification to the Public Regarding Data Breaches
    Proposed clause Safeguarding of Controlled Unclassified Information 
requires contractors to have in place procedures and the capability to 
notify any individual whose PII and/or SPII was under the control of 
the contractor or resided in the information system at the time of an 
incident no later than 5 business days after being directed to notify 
individuals, unless otherwise approved by the contracting officer. Such 
a requirement is consistent with OMB Memorandum M-07-16, Safeguarding 
Against and Responding to the Breach of Personally Identifiable 
Information, which states that agencies have the responsibility to 
notify individuals whose PII or SPII may have been compromised without 
unreasonable delay. In the past, this notification has often been 
delayed while detailed forensic analysis and contract compliance 
inspections are occurring. Under this new provision, notification and 
credit monitoring, when appropriate, will occur more rapidly as it is 
not dependent upon any determination of contractor fault or 
noncompliance.
    The content and method of any notification sent by a contractor 
must be coordinated with and approved by the contracting officer. At a 
minimum, this notification must include: A brief description of the 
incident; a description of the types of PII or SPII involved; a 
statement as to whether the PII or SPII was encrypted or protected by 
other means; steps individuals may take to protect themselves; what the 
contractor and/or the Government are doing to investigate the incident, 
to mitigate the incident, and to protect against any future incidents; 
and information identifying who individuals may contact for additional 
information. Such notification is consistent with the ``openness 
principle'' of the Privacy Act which calls for agencies to inform 
individuals about how their information is being accessed and used, and 
may help individuals mitigate the potential harms resulting from an 
incident.
Provision of Credit Protection to Impacted Individuals
    Proposed clause Safeguarding of Controlled Unclassified Information 
requires contractors to provide credit monitoring services, including 
call center services, to any individual whose PII or SPII was under the 
control of the contractor, or resided in the information system, at the 
time of the incident for a period beginning on the date of the incident 
and extending not less than 18 months from the date the individual is 
notified when directed by the contracting officer. Credit monitoring 
services can be particularly beneficial to the affected public as they 
can assist individuals in the early detection of identity theft as well 
as notify individuals of changes that appear in their credit report, 
such as creation of new accounts, changes to their existing accounts or 
personal information, or new inquiries for credit. Such notification 
affords individuals the opportunity to take steps to minimize any harm 
associated with unauthorized or fraudulent activity.
Incident Reporting
    Proposed clause Safeguarding of Controlled Unclassified Information 
requires contractors and subcontractors to report all known or 
suspected incidents to the Component SOC. If the Component SOC is not 
available, the report shall be made to the DHS Enterprise SOC. While 
such a requirement is not new for DHS, compliance with this requirement 
is critical. The mission of DHS is unique in that we, through the 
National Protection and Programs Directorate's Office of Cybersecurity 
and Communications, are also responsible for the identification and 
sharing of cyber threat indicators. These cyber threat indicators and 
defensive measures are shared among federal and non-federal entities 
consistent with the need to protect information systems from 
cybersecurity threats, mitigate cybersecurity threats, and comply with 
any other applicable provisions of law authorized by the Cybersecurity 
Information Sharing Act of 2015. Because of this mission requirement, 
DHS is not only concerned with actors who are successful in breaching 
our defenses, we are also concerned with attempts to breach those 
defenses. Knowledge of these attempts enables us to perform any 
necessary investigations and determine/establish new procedures to 
strengthen our defenses and prevent them from becoming successful. This 
information is then in turn shared with the interagency and non-Federal 
entities to enable them to take the necessary measures to be able to 
defend against similar attacks.
Improved Incident Response Time
    Previously contractors were not consistently provided with specific 
incident reporting timelines. As such, the timeliness of incident 
reporting was determined by the contractor. Standardizing incident 
reporting timelines through proposed clause Safeguarding of Controlled 
Unclassified Information ensures timely incident reporting. Timely 
reporting of incidents is critical to prevent the impact of the 
incident from expanding, ensure incident response and mitigation 
activities are undertaken quickly, and ensure individuals are timely 
notified of the possible or actual compromise of their personally 
identifiable information and offered credit monitoring services when 
applicable.

IV. Regulatory Flexibility Act

    DHS expects this proposed rule may have a significant economic 
impact on a substantial number of small entities within the meaning of 
the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. Therefore, an 
Initial Regulatory Flexibility Analysis (IRFA) has been prepared 
consistent with 5 U.S.C. 603, and is summarized as follows:

1. Description of the Reasons Why Action by the Agency Is Being 
Considered

    Cybersecurity has been identified as one of the most serious 
economic and national security challenges our nation faces. The 
frequency of cyber-attacks, including attempts to gain unauthorized 
access to CUI collected or maintained by or on behalf of an agency and 
information systems that collect, process, store, or transmit such 
information, has prompted the Government to expand its cybersecurity 
efforts across the Federal landscape. Part of the DHS mission is to 
protect the nation's cybersecurity and to coordinate responses to 
cyber-attacks and security vulnerabilities. As part of that mission, 
DHS is proposing to amend the HSAR to expand its current security 
measures for safeguarding CUI to include additional requirements for 
the safeguarding of CUI that is accessed by contractors, collected or 
maintained by contractors on behalf of the agency, and Federal 
information systems, which includes contractor information systems 
operating on behalf of the Government, that collect, process, store or 
transmit CUI. These proposed revisions to the HSAR are necessary to 
ensure the integrity, confidentiality, and availability of CUI.

2. Succinct Statement of the Objectives of, and Legal Basis for, the 
Rule

    The objective of this rule is to expand on existing Departmental IT 
security requirements. These existing IT security requirements are 
provided in the clause at HSAR 3052.204-70, Security Requirements for 
Unclassified Information Technology Resources, and applicable DHS 
policy and guidance. The existing clause is more narrowly focused on 
information systems connected to a DHS network or operated by a 
contractor for DHS. This rule proposes to remove the existing clause 
and provide a new expanded clause. Unlike the existing clause, this 
proposed rule extends the scope to require that CUI be safeguarded 
wherever such information resides, including government-owned and 
operated information systems, government-owned and contractor operated 
information systems, contractor-owned and/or operated information 
systems operating on behalf of the Government, and any situation where 
contractor and/or subcontractor employees may have access to CUI 
consistent with the requirements of FISMA. This proposed rule also 
establishes uniform incident reporting and response activities that 
contractors and subcontractors must comply with in the event of an 
incident. The proposed rule also requires contractors and 
subcontractors have in place procedures and the capability to notify 
and provide credit monitoring services to any individual whose 
Personally Identifiable Information (PII) or Sensitive PII (SPII) was 
under the control of the contractor, or 
resided in the information system, at the time of the incident. 
Additionally, this proposed rule requires contractors and 
subcontractors to certify and confirm the sanitization of Government 
and Government-Activity related files and information. These collective 
measures will help DHS mitigate information security risks related to 
information as well as gather information for future improvements in 
information security policy.
    The requirement to safeguard CUI is specified in the Federal 
Information Security Modernization Act of 2014 (44 U.S.C. 3551, et 
seq.), OMB Circular A-130, Managing Information as a Strategic 
Resource, relevant National Institute of Standards and Technology 
(NIST) guidance, Executive Order 13556, Controlled Unclassified 
Information and its implementing regulation at 32 CFR part 2002, and 
various OMB Memoranda, to include: M-07-16, Safeguarding Against and 
Responding to the Breach of Personally Identifiable Information; M-14-
03, Enhancing the Security of Federal Information and Information 
Systems; and Reporting Instructions for the Federal Information 
Security Management Act and Agency Privacy Management and Guidance on 
Federal Information Security and Privacy Management Requirements as 
identified in various OMB Memoranda.

3. Description of and, Where Feasible, Estimate of the Number of Small 
Entities To Which the Rule Will Apply

    This rule will apply to DHS contractors that require access to CUI, 
collect or maintain CUI on behalf of the Government, or operate Federal 
information systems, which includes contractor information systems 
operating on behalf of the agency, that collect, process, store or 
transmit CUI.
    For Fiscal Year (FY) 2014, DHS awarded nearly 13,000 new contract 
awards to large and small businesses, with over 35 percent of all 
contracts awarded to small businesses. The estimate of the number of 
small entities to which the proposed rule will apply was established by 
reviewing FPDS data for FY 2014, internal DHS contract data, experience 
with similar safeguarding requirements used in certain DHS contracts, 
and the most likely applicable Product and Service Codes (PSCs). The 
data review identified that 2,525 unique vendors were awarded contracts 
under the most likely applicable PSCs in FY 2014, including small and 
large businesses. However, not all contractors awarded contracts under 
the most likely applicable PSCs will be subject to proposed clause 
Safeguarding of Controlled Unclassified Information. A number of 
factors determine the applicability of the proposed clause and would 
require analysis on a case-by-case basis. Further, the proposed clause 
distinguishes between those entities that are granted access to CUI but 
will not operate information systems on behalf of the agency to 
collect, process, store or transmit CUI, and those that are required to 
meet the Authority to Operate (ATO) requirements because information 
systems will be used to collect, process, store or transmit CUI on 
behalf of the agency. Based on the data reviewed, the number of annual 
respondents subject to the Safeguarding of Controlled Unclassified 
Information clause is estimated at 822 respondents. The 
proposed revision to the HSAR includes a flow-down provision that 
applies to subcontractors. However, DHS does not believe this 
requirement will add to the estimated number of respondents when an ATO 
is required because it is anticipated that a single information system 
will be used to collect, process, store, or transmit CUI in most 
instances. A review of DHS historical data shows that at least 35 
percent of new contracts are awarded to small businesses. Therefore, it 
is assumed that 35 percent of the projected annual number of 
respondents will also be small businesses, or approximately 288 
respondents.
    Although the proposed HSAR clause is new, DHS contractors are 
currently required to comply with Departmental IT security policy and 
guidance. It is assumed that the average DHS IT services contractor 
covered by this clause will have a high operational security readiness 
posture. However, the requirements of the proposed clause have been 
expanded to include professional services contractors that have access 
to CUI, collect or maintain CUI on behalf of the Government, and/or 
operate Federal information systems, including contractor information 
systems operating on behalf of the agency, that collect, process, store 
or transmit CUI to perform the requirements of their contract(s). While 
these contractors may not have the same operational security readiness 
posture of the average DHS IT services contractor, the expansion and 
implementation of these safeguarding requirements is necessary to 
further reduce risks and potential vulnerabilities.

4. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements of the Rule, Including an Estimate of the 
Classes of Small Entities Which Will Be Subject to the Requirement and 
the Type of Professional Skills Necessary

    Reporting and recordkeeping requirements include those requirements 
necessary to ensure adequate security controls are in place when 
contractor and/or subcontractor employees will have access to sensitive 
CUI, collect or maintain CUI on behalf of the Government, and/or 
operate Federal information systems, which includes contractor 
information systems operating on behalf of the agency, that are used to 
collect, process, store, or transmit CUI. The reporting and 
recordkeeping requirements vary depending on whether an Authority to Operate 
(ATO) is required. If an ATO is not required, the reporting and 
recordkeeping requirements include: Incident Reporting, Notification 
(if the incident involves PII/SPII), Credit Monitoring (if the incident 
involves PII/SPII), and Certification of Sanitization. If an ATO is 
required, the reporting and recordkeeping requirements include: 
Incident Reporting, Notification (if the incident involves PII/SPII), 
Credit Monitoring (if the incident involves PII/SPII), Certification of 
Sanitization, Security Authorization Package, Independent Assessment, 
Renewal of ATO, and Federal Reporting and Continuous Monitoring.
    Typical contract awards that may include the requirement for access 
to CUI include contract awards with a PSC of ``D'' Automatic Data 
Processing and Telecommunication and ``R'' Professional, Administrative 
and Management Support. However, this is not an all-inclusive list. 
Additional PSCs will be added and projections will be adjusted as 
additional data becomes available through HSAR clause implementation. 
This continued process will assist in validating future projections. It 
is estimated that the average contractor will utilize a mid-level 
manager with IT expertise to ensure compliance with the requirements of 
this rule.

5. Identification, to the Extent Practicable, of All Relevant Federal 
Rules Which May Duplicate, Overlap, or Conflict With the Rule

    There are no rules that duplicate, overlap or conflict with this 
rule.


6. Description of Any Significant Alternatives to the Rule Which 
Accomplish the Stated Objectives of Applicable Statutes and Which 
Minimize any Significant Economic Impact of the Rule on Small Entities

    No significant alternatives were identified that would accomplish 
the stated objectives of the rule. The information security 
requirements associated with this rule are not geared toward a 
particular type of contractor; the requirements are based on the 
sensitivity of the information and the impact on the program, the 
Government, and security in the event CUI is breached. That standard 
would not vary based on the 
size of the entity.
    DHS will be submitting a copy of the IRFA to the Chief Counsel for 
Advocacy of the Small Business Administration. A copy of the IRFA may 
be obtained from the point of contact specified herein. DHS invites 
comments from small business concerns and other interested parties on 
the expected impact of this rule on small entities.
    DHS will also consider comments from small entities concerning the 
existing regulations in subparts affected by this rule in accordance 
with 5 U.S.C. 610. Interested parties must submit such comments 
separately and should cite 5 U.S.C. 610, et seq. (HSAR Case 2015-001), 
in correspondence.

V. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The 
proposed rule contains information collection requirements. 
Accordingly, DHS will be submitting a request for approval of a new 
information collection requirement concerning this rule to the Office 
of Management and Budget under 44 U.S.C. 3501, et seq.
    The collection requirements for this rule are based on a new HSAR 
clause, 3052.204-7X Safeguarding of Controlled Unclassified 
Information.
    A. The average public reporting burden for this collection of 
information is estimated to be approximately 50 hours per response to 
comply with the requirements, including time for reviewing 
instructions, searching existing data sources, gathering and 
maintaining the data needed, and completing and reviewing the 
collection of information. This average is based on an estimated 36 
hours per response to comply with the requirements when an ATO is not 
required and an estimated 120 hours to comply with the requirements when 
an ATO is required (i.e., when a contractor is required to submit a 
Security Authorization (SA) package). The Security Authorization package 
consists of the following: Security Plan, Security Assessment Report, 
Plan of Action and Milestones, Security Control Assessor Transmittal 
Letter (documenting the Security Control Assessor's recommendation, 
i.e., Authorization to Operate or Denial to Operate), and any supplemental 
information requested by the Government (e.g., Contingency Plan, final 
Risk Assessment, Configuration Management Plan, Standard Operating 
Procedures, Concept of Operations). Additional requirements include an 
Independent Assessment, Security Review, Renewal of the ATO which is 
required every three years, and Federal Reporting and Continuous 
Monitoring Requirements.
    The total annual projected number of responses per respondent is 
estimated at 1. Based on the aforementioned information, the annual total 
burden hours are estimated as follows:
    Title: Homeland Security Acquisition Regulation: Safeguarding of 
Controlled Unclassified Information.
    Type of Request: New Collection.
    Total Number of Respondents: 822.
    Responses per Respondent: 1.
    Annual Responses: 822.
    Average Burden per Response: Approximately 50 hours.
    Annual Burden Hours: Approximately 41,100.
    Needs and Uses: DHS needs the information required by 3052.204-7X 
to implement the requirements for safeguarding against unauthorized 
contractor disclosure and inappropriate use of CUI that contractors and 
subcontractors may have access to during the course of contract 
performance.
    Affected Public: Businesses or other for-profit institutions.
    Respondent's Obligation: Required to obtain or retain benefits.
    Frequency: On occasion.
    B. Request for Comments Regarding Paperwork Burden.
    You may submit comments identified by DHS docket number [DHS-2017-
0006], including suggestions for reducing this burden, not later than 
[insert date 60 days after publication in the Federal Register] using 
any one of the following methods:
    (1) Via the internet at Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
    (2) Via email to the Department of Homeland Security, Office of the 
Chief Procurement Officer, at [email protected].
    Public comments are particularly invited on: Whether this 
collection of information is necessary for the proper performance of 
functions of the HSAR, and will have practical utility; whether our 
estimate of the public burden of this collection of information is 
accurate, and based on valid assumptions and methodology; ways to 
enhance the quality, utility, and clarity of the information to be 
collected; and ways in which we can minimize the burden of the 
collection of information on those who are to respond, through the use 
of appropriate technological collection techniques or other forms of 
information technology.
    Requesters may obtain a copy of the supporting statement from the 
Department of Homeland Security, Office of the Chief Procurement 
Officer, Acquisition Policy and Legislation, via email to 
[email protected]. Please cite OMB Control No. 1600-0023, Safeguarding of 
Controlled Unclassified Information, in all correspondence.

List of Subjects in 48 CFR Parts 3001, 3002, 3004 and 3052

    Government procurement.

    Therefore, DHS proposes to amend 48 CFR parts 3001, 3002, 3004 and 
3052 as follows:

1. The authority citation for 48 CFR parts 3001, 3002, 3004 and 3052 is 
revised to read as follows:

    Authority: 5 U.S.C. 301-302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 
U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation 
Number 0702.

PART 3001--FEDERAL ACQUISITION REGULATIONS SYSTEM

2. In section 3001.106 amend paragraph (a) by adding a new OMB Control 
Number as follows:


3001.106   OMB Approval under the Paperwork Reduction Act.

    (a) * * *
    OMB Control No. 1600-0023 (Safeguarding of Controlled Unclassified 
Information)
* * * * *

PART 3002--DEFINITIONS OF WORDS AND TERMS


3002.101  [Amended]

3. Amend section 3002.101 by adding, in alphabetical order, the 
definitions of ``Adequate Security,'' ``Controlled Unclassified 
Information (CUI),'' ``Federal Information,'' ``Federal Information 
System,'' ``Handling,'' ``Information Resources,'' ``Information 
Security,'' and ``Information System'' to read as follows:
    ``Adequate Security'' means security protections commensurate with 
the risk resulting from the unauthorized access, use, disclosure, 
disruption, modification, or destruction of information. This includes 
ensuring 
that information hosted on behalf of an agency and information systems 
and applications used by the agency operate effectively and provide 
appropriate confidentiality, integrity, and availability protections 
through the application of cost-effective security controls.
* * * * *
    ``Controlled Unclassified Information (CUI)'' is any information 
the Government creates or possesses, or an entity creates or possesses 
for or on behalf of the Government (other than classified information) 
that a law, regulation, or Government-wide policy requires or permits 
an agency to handle using safeguarding or dissemination controls. 
Within the context of DHS, this includes such information which, if 
lost, misused, disclosed, or accessed or modified without 
authorization, could adversely affect the national or homeland security 
interest, the conduct of Federal programs, or the privacy of 
individuals. This definition includes the following CUI categories and 
subcategories of information:
    (1) Chemical-terrorism Vulnerability Information (CVI) as defined 
in Title 6, Code of Federal Regulations, part 27 ``Chemical Facility 
Anti-Terrorism Standards,'' and as further described in supplementary 
guidance issued by an authorized official of the Department of Homeland 
Security (including the Revised Procedural Manual ``Safeguarding 
Information Designated as Chemical-Terrorism Vulnerability 
Information'' dated September 2008);
    (2) Protected Critical Infrastructure Information (PCII) as set out 
in the Critical Infrastructure Information Act of 2002 (Title II, 
Subtitle B, of the Homeland Security Act, Public Law 107-296, 196 Stat. 
2135), as amended, the implementing regulations thereto (Title 6, Code 
of Federal Regulations, part 29) as amended, the applicable PCII 
Procedures Manual, as amended, and any supplementary guidance 
officially communicated by an authorized official of the Department of 
Homeland Security (including the PCII Program Manager or his/her 
designee);
    (3) Sensitive Security Information (SSI) as defined in Title 49, 
Code of Federal Regulations, part 1520, ``Protection of Sensitive 
Security Information,'' as amended, and any supplementary guidance 
officially communicated by an authorized official of the Department of 
Homeland Security (including the Assistant Secretary for the 
Transportation Security Administration or his/her designee) to include 
DHS MD 11056.1, ``Sensitive Security Information (SSI)'' and, within 
the Transportation Security Administration, TSA MD 2010.1, ``SSI 
Program'';
    (4) Homeland Security Agreement Information means information DHS 
receives pursuant to an agreement with state, local, tribal, 
territorial, and private sector partners that is required to be 
protected by that agreement. DHS receives this information in 
furtherance of the missions of the Department, including, but not 
limited to, support of the Fusion Center Initiative and activities for 
cyber information sharing consistent with the Cybersecurity Information 
Sharing Act;
    (5) Homeland Security Enforcement Information means unclassified 
information of a sensitive nature lawfully created, possessed, or 
transmitted by the Department of Homeland Security in furtherance of 
its immigration, customs, and other civil and criminal enforcement 
missions, the unauthorized disclosure of which could adversely impact 
the mission of the Department;
    (6) International Agreement Information means information DHS 
receives pursuant to an information sharing agreement or arrangement, 
with a foreign government, an international organization of governments 
or any element thereof, an international or foreign public or judicial 
body, or an international or foreign private or non-governmental 
organization, that is required by that agreement or arrangement to be 
protected;
    (7) Information Systems Vulnerability Information (ISVI) means:
    (i) DHS information technology (IT) internal systems data revealing 
infrastructure used for servers, desktops, and networks; application 
name, version, and release; switching, router, and gateway information; 
interconnections and access methods; mission or business use/need. 
Examples of information are systems inventories and enterprise 
architecture models. Information pertaining to national security 
systems and eligible for classification under Executive Order 13526, 
will be classified as appropriate;
    (ii) Information regarding developing or current technology, the 
release of which could hinder the objectives of DHS, compromise a 
technological advantage or countermeasure, cause a denial of service, 
or provide an adversary with sufficient information to clone, 
counterfeit, or circumvent a process or system;
    (8) Operations Security Information means information that could 
constitute an indicator of U.S. Government intentions, capabilities, 
operations, or activities or otherwise threaten operations security;
    (9) Personnel Security Information means information that could 
result in physical risk to DHS personnel or other individuals that DHS 
is responsible for protecting;
    (10) Physical Security Information means reviews or reports 
illustrating or disclosing facility infrastructure or security 
vulnerabilities related to the protection of Federal buildings, 
grounds, or property. Examples include threat assessments, system 
security plans, contingency plans, risk management plans, business 
impact analysis studies, and certification and accreditation 
documentation;
    (11) Privacy Information, which includes information referred to as 
Personally Identifiable Information. Personally Identifiable 
Information (PII) means information that can be used to distinguish or 
trace an individual's identity, either alone or when combined with 
other information that is linked or linkable to a specific individual; 
and
    (12) Sensitive Personally Identifiable Information (SPII) is a 
subset of PII, which if lost, compromised or disclosed without 
authorization, could result in substantial harm, embarrassment, 
inconvenience, or unfairness to an individual. Some forms of PII are 
sensitive as stand-alone elements.
    (i) Examples of stand-alone PII include: Social Security numbers 
(SSN), driver's license or state identification number, Alien 
Registration Numbers (A-number), financial account number, and 
biometric identifiers such as fingerprint, voiceprint, or iris scan.
    (ii) Additional examples of SPII include any groupings of 
information that contain an individual's name or other unique 
identifier plus one or more of the following elements:
    (A) Truncated SSN (such as last 4 digits)
    (B) Date of birth (month, day, and year)
    (C) Citizenship or immigration status
    (D) Ethnic or religious affiliation
    (E) Sexual orientation
    (F) Criminal history
    (G) Medical information
    (H) System authentication information such as mother's maiden name, 
account passwords or personal identification numbers (PIN)
    (iii) Other PII may be ``sensitive'' depending on its context, such 
as a list of employees and their performance ratings or an unlisted 
home address or phone number. In contrast, a business card or public 
telephone directory of agency employees contains PII but is not 
sensitive.


    ``Federal Information'' means information created, collected, 
processed, maintained, disseminated, disclosed, or disposed of by or 
for the Federal Government, in any medium or form.
    ``Federal Information System'' means an information system used or 
operated by an agency or by a contractor of an agency or by another 
organization on behalf of an agency.
    ``Handling'' means any use of controlled unclassified information, 
including but not limited to marking, safeguarding, transporting, 
disseminating, re-using, and disposing of the information.
* * * * *
    ``Information Resources'' means information and related resources, 
such as personnel, equipment, funds, and information technology.
    ``Information Security'' means protecting information and 
information systems from unauthorized access, use, disclosure, 
disruption, modification, or destruction in order to provide--
    (1) integrity, which means guarding against improper information 
modification or destruction, and includes ensuring information 
nonrepudiation and authenticity;
    (2) confidentiality, which means preserving authorized restrictions 
on access and disclosure, including means for protecting personal 
privacy and proprietary information; and
    (3) availability, which means ensuring timely and reliable access 
to and use of information.
    ``Information System'' means a discrete set of information 
resources organized for the collection, processing, maintenance, use, 
sharing, dissemination, or disposition of information.
* * * * *

PART 3004--ADMINISTRATIVE MATTERS

■ 4. Revise subpart 3004.4 to read as follows:

Subpart 3004.4--Safeguarding Classified and Controlled Unclassified 
Information within Industry


3004.470   Security requirements for access to unclassified facilities, 
information resources, and controlled unclassified information.

3004.470-1 Scope.
3004.470-2 Definitions.
3004.470-3 Policy.
3004.470-4 Contract Clauses.


3004.470-1   Scope.

    This section implements DHS policies for assuring adequate security 
of unclassified facilities, information resources, and controlled 
unclassified information (CUI) during the acquisition lifecycle.


3004.470-2   Definitions.

    As used in this subpart--
    ``Incident'' means an occurrence that--
    (1) actually or imminently jeopardizes, without lawful authority, 
the integrity, confidentiality, or availability of information or an 
information system; or
    (2) constitutes a violation or imminent threat of violation of law, 
security policies, security procedures, or acceptable use policies.


3004.470-3   Policy.

    (a) DHS requires that CUI be safeguarded wherever such information 
resides. This includes government-owned and operated information 
systems, government-owned and contractor operated information systems, 
contractor-owned and/or operated information systems operating on 
behalf of the agency, and any situation where contractor and/or 
subcontractor employees may have access to CUI. There are several 
Department policies and procedures (accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors) which also address 
the safeguarding of CUI. Compliance with these policies and procedures, 
as amended, is required.
    (b) DHS requires contractor employees that require recurring access 
to Government facilities or access to CUI to complete such forms as may 
be necessary for security or other reasons, including the conduct of 
background investigations to determine fitness. Department policies and 
procedures that address contractor employee fitness are contained in 
Instruction Handbook Number 121-01-007, The Department of Homeland 
Security Personnel Suitability and Security Program. Compliance with 
these policies and procedures, as amended, is required.


3004.470-4   Contract Clauses.

    (a) Contracting officers shall insert the basic clause at (HSAR) 48 
CFR 3052.204-71, Contractor Employee Access, in solicitations and 
contracts when contractor and/or subcontractor employees require 
recurring access to Government facilities or access to CUI. Contracting 
officers shall insert the basic clause with its Alternate I for 
acquisitions requiring contractor access to Government information 
resources. For acquisitions in which contractor and/or subcontractor 
employees will not have access to Government information resources, but 
the Department has determined contractor and/or subcontractor employee 
access to CUI or Government facilities must be limited to U.S. citizens 
and lawful permanent residents, the contracting officer shall insert 
the clause with its Alternate II. Neither the basic clause nor its 
alternates shall be used unless contractor and/or subcontractor 
employees will require recurring access to Government facilities or 
access to CUI. Neither the basic clause nor its alternates should 
ordinarily be used in contracts with educational institutions.
    (b) Contracting officers shall insert the clause at (HSAR) 48 CFR 
3052.204-7X, Safeguarding of Controlled Unclassified Information, in 
solicitations and contracts where:
    (1) Contractor and/or subcontractor employees will have access to 
CUI;
    (2) CUI will be collected or maintained on behalf of the agency; or
    (3) Federal information systems, which include contractor 
information systems operated on behalf of the agency, are used to 
collect, process, store, or transmit CUI.
    (c) If the clauses prescribed in subsections (a) and/or (b) are 
included in a prime contract, the prime contractor shall include the 
clauses in subsections (a) and/or (b) in its contract(s) with 
subcontractors. If a subcontract includes the clauses prescribed in 
subsections (a) and/or (b) and the subcontractor has contracts with 
lower-tier subcontractors, the lower-tier subcontracts shall include 
the clauses in subsections (a) and/or (b).

PART 3052--SOLICITATION PROVISIONS AND CONTRACT CLAUSES


3052.204-70   [Removed and Reserved].

■ 5. Remove and reserve section 3052.204-70.
■ 6. Add section 3052.204-7X to read as follows:


3052.204-7X   Safeguarding of Controlled Unclassified Information.

    As prescribed in (HSAR) 48 CFR 3004.470-4(b), insert the following 
clause:

Safeguarding of Controlled Unclassified Information (DATE)

    (a) Definitions. As used in this clause--
    ``Adequate Security'' means security protections commensurate 
with the risk resulting from the unauthorized access, use, 
disclosure, disruption, modification, or destruction of information. 
This includes ensuring that information hosted on behalf of an 
agency and information systems and applications used by the agency 
operate effectively and provide appropriate

[[Page 6443]]

confidentiality, integrity, and availability protections through the 
application of cost-effective security controls.
    ``Controlled Unclassified Information (CUI)'' is any information 
the Government creates or possesses, or an entity creates or 
possesses for or on behalf of the Government (other than classified 
information) that a law, regulation, or Government-wide policy 
requires or permits an agency to handle using safeguarding or 
dissemination controls. Within the context of DHS, this includes 
such information which, if lost, misused, disclosed, or accessed or 
modified without authorization, could adversely affect the national 
or homeland security interest, the conduct of Federal programs, or 
the privacy of individuals. This definition includes the following 
CUI categories and subcategories of information:
    (i) Chemical-terrorism Vulnerability Information (CVI) as 
defined in Title 6, Code of Federal Regulations, part 27 ``Chemical 
Facility Anti-Terrorism Standards,'' and as further described in 
supplementary guidance issued by an authorized official of the 
Department of Homeland Security (including the Revised Procedural 
Manual ``Safeguarding Information Designated as Chemical-Terrorism 
Vulnerability Information'' dated September 2008);
    (ii) Protected Critical Infrastructure Information (PCII) as set 
out in the Critical Infrastructure Information Act of 2002 (Title 
II, Subtitle B, of the Homeland Security Act, Public Law 107-296, 
196 Stat. 2135), as amended, the implementing regulations thereto 
(Title 6, Code of Federal Regulations, part 29) as amended, the 
applicable PCII Procedures Manual, as amended, and any supplementary 
guidance officially communicated by an authorized official of the 
Department of Homeland Security (including the PCII Program Manager 
or his/her designee);
    (iii) Sensitive Security Information (SSI) as defined in Title 
49, Code of Federal Regulations, part 1520, ``Protection of 
Sensitive Security Information,'' as amended, and any supplementary 
guidance officially communicated by an authorized official of the 
Department of Homeland Security (including the Assistant Secretary 
for the Transportation Security Administration or his/her designee) 
to include DHS MD 11056.1, ``Sensitive Security Information (SSI)'' 
and, within the Transportation Security Administration, TSA MD 
2010.1, ``SSI Program'';
    (iv) Homeland Security Agreement Information means information 
DHS receives pursuant to an agreement with state, local, tribal, 
territorial, and private sector partners that is required to be 
protected by that agreement. DHS receives this information in 
furtherance of the missions of the Department, including, but not 
limited to, support of the Fusion Center Initiative and activities 
for cyber information sharing consistent with the Cybersecurity 
Information Security Act;
    (v) Homeland Security Enforcement Information means unclassified 
information of a sensitive nature lawfully created, possessed, or 
transmitted by the Department of Homeland Security in furtherance of 
its immigration, customs, and other civil and criminal enforcement 
missions, the unauthorized disclosure of which could adversely 
impact the mission of the Department;
    (vi) International Agreement Information means information DHS 
receives pursuant to an information sharing agreement or arrangement 
with a foreign government, an international organization of 
governments or any element thereof, an international or foreign 
public or judicial body, or an international or foreign private or 
non-governmental organization, that is required by that agreement or 
arrangement to be protected;
    (vii) Information Systems Vulnerability Information (ISVI) 
means:
    (A) DHS information technology (IT) internal systems data 
revealing infrastructure used for servers, desktops, and networks; 
applications name, version and release; switching, router, and 
gateway information; interconnections and access methods; mission or 
business use/need. Examples of information are systems inventories 
and enterprise architecture models. Information pertaining to 
national security systems and eligible for classification under 
Executive Order 13526, will be classified as appropriate;
    (B) Information regarding developing or current technology, the 
release of which could hinder the objectives of DHS, compromise a 
technological advantage or countermeasure, cause a denial of 
service, or provide an adversary with sufficient information to 
clone, counterfeit, or circumvent a process or system;
    (viii) Operations Security Information means information that 
could constitute an indicator of U.S. Government intentions, 
capabilities, operations, or activities or otherwise threaten 
operations security;
    (ix) Personnel Security Information means information that could 
result in physical risk to DHS personnel or other individuals that 
DHS is responsible for protecting;
    (x) Physical Security Information means reviews or reports 
illustrating or disclosing facility infrastructure or security 
vulnerabilities related to the protection of Federal buildings, 
grounds, or property. For example, threat assessments, system 
security plans, contingency plans, risk management plans, business 
impact analysis studies, and certification and accreditation 
documentation;
    (xi) Privacy Information, which includes information referred to 
as Personally Identifiable Information (PII). PII means information 
that can be used to distinguish or trace an individual's identity, 
either alone, or when combined with other information that is linked 
or linkable to a specific individual; and
    (xii) Sensitive Personally Identifiable Information (SPII) is a 
subset of PII, which if lost, compromised, or disclosed without 
authorization, could result in substantial harm, embarrassment, 
inconvenience, or unfairness to an individual. Some forms of PII are 
sensitive as stand-alone elements.
    (A) Examples of stand-alone SPII include: Social Security 
numbers (SSN), driver's license or state identification number, 
Alien Registration Numbers (A-number), financial account number, and 
biometric identifiers such as fingerprint, voiceprint, or iris scan.
    (B) Additional examples of SPII include any groupings of 
information that contain an individual's name or other unique 
identifier plus one or more of the following elements:
    (1) Truncated SSN (such as last 4 digits)
    (2) Date of birth (month, day, and year)
    (3) Citizenship or immigration status
    (4) Ethnic or religious affiliation
    (5) Sexual orientation
    (6) Criminal history
    (7) Medical information
    (8) System authentication information such as mother's maiden 
name, account passwords or personal identification numbers (PIN)
    (C) Other PII may be SPII depending on its context, such as a 
list of employees and their performance ratings or an unlisted home 
address or phone number. In contrast, a business card or public 
telephone directory of agency employees contains PII but is not 
SPII.
    ``Federal information'' means information created, collected, 
processed, maintained, disseminated, disclosed, or disposed of by or 
for the Federal Government, in any medium or form.
    ``Federal information system'' means an information system used 
or operated by an agency or by a contractor of an agency or by 
another organization on behalf of an agency.
    ``Handling'' means any use of controlled unclassified 
information, including but not limited to marking, safeguarding, 
transporting, disseminating, re-using, storing, capturing, and 
disposing of the information.
    ``Incident'' means an occurrence that--
    (i) actually or imminently jeopardizes, without lawful 
authority, the integrity, confidentiality, or availability of 
information or an information system; or
    (ii) constitutes a violation or imminent threat of violation of 
law, security policies, security procedures, or acceptable use 
policies.
    ``Information Resources'' means information and related 
resources, such as personnel, equipment, funds, and information 
technology.
    ``Information Security'' means protecting information and 
information systems from unauthorized access, use, disclosure, 
disruption, modification, or destruction in order to provide--
    (i) integrity, which means guarding against improper information 
modification or destruction, and includes ensuring information 
nonrepudiation and authenticity;
    (ii) confidentiality, which means preserving authorized 
restrictions on access and disclosure, including means for 
protecting personal privacy and proprietary information; and
    (iii) availability, which means ensuring timely and reliable 
access to and use of information.
    ``Information System'' means a discrete set of information 
resources organized for the collection, processing, maintenance, 
use, sharing, dissemination, or disposition of information.
    (b) Handling of Controlled Unclassified Information.
    (1) Contractors and subcontractors must provide adequate 
security to protect CUI

[[Page 6444]]

from unauthorized access and disclosure. Adequate security includes 
compliance with DHS policies and procedures in effect at the time of 
contract award. These policies and procedures are accessible at 
http://www.dhs.gov/dhs-security-and-training-requirements-contractors.
    (2) The Contractor shall not use or redistribute any CUI 
handled, collected, processed, stored, or transmitted by the 
Contractor except as specified in the contract.
    (3) The Contractor shall not maintain SPII in its invoicing, 
billing, and other recordkeeping systems maintained to support 
financial or other administrative functions. It is acceptable to 
maintain in these systems the names, titles and contact information 
for the Contracting Officer's Representative (COR) or other 
Government personnel associated with the administration of the 
contract, as needed.
    (4) Any Government data provided, developed, obtained under the 
contract, or otherwise under the control of the contractor, shall 
not become part of the bankruptcy estate in the event a contractor 
and/or subcontractor enters into bankruptcy proceedings.
    (c) Authority to Operate. This subsection is applicable only to 
Federal information systems, which include contractor information 
systems operating on behalf of the agency. The Contractor shall not 
collect, process, store or transmit CUI within a Federal information 
system until an Authority to Operate (ATO) has been accepted and 
signed by the Component or Headquarters CIO, or designee. Once the 
ATO has been accepted and signed by the Government, the Contracting 
Officer shall incorporate the ATO into the contract as a compliance 
document. Unless otherwise specified in the ATO letter, the ATO is 
valid for three (3) years. An ATO is granted at the sole discretion 
of the Government and can be revoked at any time. Contractor receipt 
of an ATO does not create any contractual right of access or 
entitlement. The Government's acceptance of the ATO does not 
alleviate the Contractor's responsibility to ensure the information 
system controls are implemented and operating effectively.
    (1) Complete the Security Authorization process. The Security 
Authorization (SA) process shall proceed according to DHS Sensitive 
Systems Policy Directive 4300A (Version 12.0, September 25, 2015), 
or any successor publication; DHS 4300A Sensitive Systems Handbook 
(Version 12.0, November 15, 2015), or any successor publication; and 
the Security Authorization Process Guide including templates. These 
policies and templates are accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors.
    (i) Security Authorization Package. SA package shall be 
developed using the Government provided Requirements Traceability 
Matrix and SA templates. SA package consists of the following: 
Security Plan, Contingency Plan, Contingency Plan Test Results, 
Configuration Management Plan, Security Assessment Plan, Security 
Assessment Report, and Authorization to Operate Letter. Additional 
documents that may be required include a Plan(s) of Action and 
Milestones and Interconnection Security Agreement(s). The Contractor 
shall submit a signed copy of the SA package, validated by an 
independent third party, to the COR for acceptance by the 
Headquarters or Component CIO, or designee, at least thirty (30) 
days prior to the date of operation of the information system. The 
Government is the final authority on the compliance of the SA 
package and may limit the number of resubmissions of modified 
documents.
    (ii) Independent Assessment. Contractors shall have an 
independent third party validate the security and privacy controls 
in place for the information system(s). The independent third party 
shall review and analyze the SA package, and report on technical, 
operational, and management level deficiencies as outlined in NIST 
Special Publication 800-53 Security and Privacy Controls for Federal 
Information Systems and Organizations accessible at http://csrc.nist.gov/publications/PubsSPs.html. The Contractor shall 
address all deficiencies before submitting the SA package to the COR 
for acceptance.
    (2) Renewal of ATO. Unless otherwise specified in the ATO 
letter, the ATO shall be renewed every three (3) years. The 
Contractor is required to update its SA package as part of the ATO 
renewal process for review and verification of security controls. 
Review and verification of security controls is independent of the 
system production date and may include onsite visits that involve 
physical or logical inspection of the Contractor environment to 
ensure controls are in place. The updated SA package shall be 
submitted for acceptance by the Headquarters or Component CIO, or 
designee, at least 90 days before the ATO expiration date. The 
Contractor shall update its SA package by one of the following 
methods:
    (i) Updating the SA package in the DHS Information Assurance 
Compliance System; or
    (ii) Submitting the updated SA package directly to the COR.
    (3) Security Review. The Government may elect to conduct random 
periodic reviews to ensure that the security requirements contained 
in this contract are being implemented and enforced. The Government, 
at its sole discretion, may obtain the assistance from other Federal 
agencies and/or third-party firms to aid in security review 
activities. The Contractor shall afford DHS, the Office of the 
Inspector General, other Government organizations, and contractors 
working in support of the Government access to the Contractor's 
facilities, installations, operations, documentation, databases, 
networks, systems, and personnel used in the performance of this 
contract. The Contractor shall, through the Contracting 
Officer and COR, contact the Headquarters or Component CIO, or 
designee, to coordinate and participate in review and inspection 
activity by Government organizations external to the DHS. Access 
shall be provided, to the extent necessary as determined by the 
Government (including providing all requested images), for the 
Government to carry out a program of inspection, investigation, and 
audit to safeguard against threats and hazards to the integrity, 
availability and confidentiality of Government data or the function 
of computer systems used in performance of this contract and to 
preserve evidence of computer crime.
    (4) Federal Reporting and Continuous Monitoring Requirements. 
Contractors operating information systems on behalf of the 
Government shall comply with Federal reporting and information 
system continuous monitoring requirements. Reporting requirements 
are determined by the Government and are defined in the Fiscal Year 
2015 DHS Information Security Performance Plan, or successor 
publication, accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The plan is updated on an annual 
basis. Annual, quarterly, and monthly data collection will be 
coordinated by the Government. The Contractor shall provide the 
Government with all information to fully satisfy Federal reporting 
requirements for information systems. The Contractor shall provide 
the COR with requested information within three (3) business days of 
receipt of the request. Unless otherwise specified in the contract, 
monthly continuous monitoring data shall be stored at the 
Contractor's location for a period not less than one year from the 
date the data is created. The Government may elect to perform 
information system continuous monitoring and IT security scanning of 
information systems from Government tools and infrastructure.
    (d) Incident Reporting Requirements.
    (1) All known or suspected incidents shall be reported to the 
Component Security Operations Center (SOC) in accordance with 4300A 
Sensitive Systems Handbook Attachment F Incident Response. If the 
Component SOC is not available, the Contractor shall report to the 
DHS Enterprise SOC. Contact information for the DHS Enterprise SOC 
is accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor shall also notify the 
Contracting Officer and COR using the contact information identified 
in the contract. If the report is made by phone, or the email 
address for the Contracting Officer or COR is not immediately 
available, the Contractor shall contact the Contracting Officer 
immediately after reporting to the Component or DHS Enterprise SOC. 
All known or suspected incidents involving PII or SPII shall be 
reported within one hour of discovery. All other incidents shall be 
reported within eight hours of discovery.
    (2) The Contractor shall not include any CUI in the subject or 
body of any email. The Contractor shall transmit CUI using 
FIPS 140-2 Security Requirements for Cryptographic Modules compliant 
encryption methods, accessible at http://csrc.nist.gov/groups/STM/cmvp/standards.html, to protect CUI in attachments to email. 
Passwords shall not be communicated in the same email as the 
attachment.
    (3) An incident shall not, by itself, be interpreted as evidence 
that the Contractor has failed to provide adequate information 
security safeguards for CUI, or has otherwise failed to meet the 
requirements of the contract.

[[Page 6445]]

    (4) If an incident involves PII or SPII, in addition to the 
incident reporting guidelines in 4300A Sensitive Systems Handbook 
Attachment F Incident Response, Contractors shall also provide as 
many of the following data elements as are available at the time 
the incident is reported, with any remaining data elements provided 
within 24 hours of submission of the initial incident report:
    (i) Data Universal Numbering System (DUNS);
    (ii) Contract numbers affected unless all contracts by the 
company are affected;
    (iii) Facility CAGE code if the location of the event is 
different than the prime contractor location;
    (iv) Point of contact (POC) if different than the POC recorded 
in the System for Award Management (address, position, telephone, 
email);
    (v) Contracting Officer POC (address, telephone, email);
    (vi) Contract clearance level;
    (vii) Name of subcontractor and CAGE code if this was an 
incident on a subcontractor network;
    (viii) Government programs, platforms or systems involved;
    (ix) Location(s) of incident;
    (x) Date and time the incident was discovered;
    (xi) Server names where CUI resided at the time of the incident, 
both at the Contractor and subcontractor level;
    (xii) Description of the Government PII or SPII contained within 
the system; and
    (xiii) Any additional information relevant to the incident.
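    The SPII definition in paragraph (a)(xii) and the reporting windows in paragraph (d)(1) together amount to a triage rule: classify the data involved in an incident, then derive the deadline for the report. The following Python is an added illustration of that rule; it is not part of the clause and not a DHS tool. The record field names (such as "ssn" or "date_of_birth"), the list of context-sensitive fields, and the public/non-public context flag are assumptions made for this example.

```python
"""Incident triage helper derived from clause 3052.204-7X.

Added illustration, not DHS code.  Record field names are assumed keys
chosen for this example; each set below mirrors one sub-paragraph of the
SPII definition in paragraph (a)(xii).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# (a)(xii)(A): elements that are SPII on their own.
STANDALONE_SPII = {
    "ssn", "drivers_license", "state_id", "a_number",
    "financial_account", "fingerprint", "voiceprint", "iris_scan",
}
# (a)(xii)(B): a name or other unique identifier plus one of these.
IDENTIFIERS = {"name", "unique_identifier"}
COMBINATION_ELEMENTS = {
    "ssn_last4", "date_of_birth", "citizenship", "immigration_status",
    "ethnic_affiliation", "religious_affiliation", "sexual_orientation",
    "criminal_history", "medical_information",
    "mothers_maiden_name", "password", "pin",
}
# (a)(xii)(C): PII that is SPII only outside a public context (assumed
# field names taken from the clause's examples); the caller states the context.
CONTEXT_SENSITIVE = {"performance_rating", "home_address", "home_phone"}


@dataclass
class Classification:
    label: str                      # "SPII", "PII" or "NONE"
    reasons: list = field(default_factory=list)


def classify_record(record: dict, public_context: bool = True) -> Classification:
    """Classify one record; keys with empty values count as absent."""
    present = {k for k, v in record.items() if v not in (None, "")}
    reasons = []
    standalone = present & STANDALONE_SPII
    if standalone:
        reasons.append(f"stand-alone element(s) {sorted(standalone)}")
    ids, combo = present & IDENTIFIERS, present & COMBINATION_ELEMENTS
    if ids and combo:
        reasons.append(f"identifier {sorted(ids)} plus {sorted(combo)}")
    ctx = present & CONTEXT_SENSITIVE
    if ids and ctx and not public_context:
        reasons.append(f"context-sensitive element(s) {sorted(ctx)} "
                       "in a non-public context")
    if reasons:
        return Classification("SPII", reasons)
    if ids or combo or ctx:
        # e.g. a business card or public directory entry: PII but not SPII
        return Classification("PII", ["identifying data without an SPII trigger"])
    return Classification("NONE", [])


def worst_label(records, public_context: bool = True) -> str:
    """Highest classification across all affected records."""
    rank = {"NONE": 0, "PII": 1, "SPII": 2}
    return max((classify_record(r, public_context).label for r in records),
               key=rank.__getitem__, default="NONE")


def report_window_hours(records, public_context: bool = True) -> int:
    """(d)(1): one hour if PII or SPII is involved, otherwise eight hours."""
    return 1 if worst_label(records, public_context) in ("PII", "SPII") else 8


def report_deadline(discovered: datetime, records,
                    public_context: bool = True) -> datetime:
    """Latest time at which the incident must reach the Component SOC."""
    return discovered + timedelta(hours=report_window_hours(records, public_context))


if __name__ == "__main__":
    # Constructed sample records for the example.
    directory_entry = {"name": "A. Contractor", "work_phone": "202-555-0100"}
    hr_row = {"name": "A. Contractor", "date_of_birth": "1980-01-01"}
    print(classify_record(directory_entry))   # PII, not SPII
    print(classify_record(hr_row))            # SPII: name plus date of birth
    print(report_deadline(datetime(2017, 1, 19, 9, 0), [directory_entry, hr_row]))
```

    The classifier keys off field presence only; a real deployment would sit behind the data discovery that decides which fields a record actually holds. The context flag is the part the clause leaves to judgment: the same name-plus-home-address pair is PII in a public directory and SPII in an unlisted employee roster.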
    (e) Incident Response Requirements.
    (1) All determinations by the Department related to incidents, 
including response activities, notifications to affected individuals 
and/or Federal agencies, and related services (e.g., credit 
monitoring) will be made in writing by the Contracting Officer.
    (2) The Contractor shall provide full access and cooperation for 
all activities determined by the Government to be required to ensure 
an effective incident response, including providing all requested 
images, log files, and event information to facilitate rapid 
resolution of incidents.
    (3) Incident response activities determined to be required by 
the Government may include, but are not limited to, the following:
    (i) Inspections,
    (ii) Investigations,
    (iii) Forensic reviews,
    (iv) Data analyses and processing, and
    (v) Revocation of the Authority to Operate.
    (4) The Contractor shall preserve and protect images of known 
affected information systems identified in paragraph (b) of this 
section and all relevant monitoring/packet capture data for at least 
90 days from submission of the incident report to allow DHS to 
request the media or decline interest.
    (5) The Government, at its sole discretion, may obtain 
assistance from other Federal agencies and/or third-party firms to 
aid in incident response activities.
    (f) PII and SPII Notification Requirements. This subsection is 
only applicable when an incident involves PII/SPII.
    (1) The Contractor shall have in place procedures and the 
capability to notify any individual whose PII and/or SPII was under 
the control of the Contractor or resided in the information system 
at the time of the incident not later than 5 business days after 
being directed to notify individuals, unless otherwise approved by 
the Contracting Officer. The method and content of any notification 
by the Contractor shall be coordinated with, and subject to prior 
written approval by the Contracting Officer utilizing the DHS 
Privacy Incident Handling Guidance accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor 
shall not proceed with notification unless directed in writing by 
the Contracting Officer.
    (2) Subject to Government analysis of the incident and the terms 
of its instructions to the Contractor regarding any resulting 
notification, the notification method may consist of letters to 
affected individuals sent by first class mail, electronic means, or 
general public notice, as approved by the Government. Notification 
may require the Contractor's use of address verification and/or 
address location services. At a minimum, the notification shall 
include:
    (i) A brief description of the incident;
    (ii) A description of the types of PII or SPII involved;
    (iii) A statement as to whether the PII or SPII was encrypted or 
protected by other means;
    (iv) Steps individuals may take to protect themselves;
    (v) What the Contractor and/or the Government are doing to 
investigate the incident, to mitigate the incident, and to protect 
against any future incidents; and
    (vi) Information identifying who individuals may contact for 
additional information.
    (g) Credit Monitoring Requirements. This subsection is only 
applicable when an incident involves PII/SPII. In the event that an 
incident involves PII or SPII, the Contractor may be directed by the 
Contracting Officer to:
    (1) Provide notification to affected individuals as described in 
paragraph (f).
    (2) Provide credit monitoring services to individuals whose PII 
or SPII was under the control of the Contractor or resided in the 
information system at the time of the incident for a period 
beginning the date of the incident and extending not less than 18 
months from the date the individual is notified. Credit monitoring 
services shall be provided from a company with which the Contractor 
has no affiliation. At a minimum, credit monitoring services shall 
include:
    (i) Triple credit bureau monitoring;
    (ii) Daily customer service;
    (iii) Alerts provided to the individual for changes and fraud; 
and
    (iv) Assistance to the individual with enrollment in the 
services and the use of fraud alerts.
    (3) Establish a dedicated call center. Call center services 
shall include:
    (i) A dedicated telephone number to contact customer service 
within a fixed period;
    (ii) Information necessary for registrants/enrollees to access 
credit reports and credit scores;
    (iii) Weekly reports on call center volume, issue escalation 
(i.e., those calls that cannot be handled by call center staff and 
must be resolved by call center management or DHS, as appropriate), 
and other key metrics;
    (iv) Escalation of calls that cannot be handled by call center 
staff to call center management or DHS, as appropriate;
    (v) Customized Frequently Asked Questions, approved in writing 
by the Contracting Officer in coordination with the Headquarters or 
Component Privacy Officer; and
    (vi) Information for registrants to contact customer service 
representatives and fraud resolution representatives for credit 
monitoring assistance.
    (h) Certificate of Sanitization of Government and Government-
Activity-Related Files and Information. Upon the conclusion of the 
contract by expiration, termination, cancellation, or as otherwise 
indicated in the contract, the Contractor shall return all CUI to 
DHS and/or destroy it physically and/or logically as identified in 
the contract. Destruction shall conform to the guidelines for media 
sanitization contained in NIST SP-800-88, Guidelines for Media 
Sanitization. The Contractor shall certify and confirm the 
sanitization of all Government and Government-Activity related files 
and information. The Contractor shall submit the certification to 
the COR and Contracting Officer following the template provided in 
NIST Special Publication 800-88, Guidelines for Media Sanitization, 
Appendix G.
    (i) Other Reporting Requirements. Incident reporting required by 
this clause in no way rescinds the Contractor's responsibility for 
other incident reporting pertaining to its unclassified information 
systems under other clauses that may apply to its contract(s), or as 
a result of other applicable U.S. Government statutory or regulatory 
requirements.
    (j) Subcontracts. The Contractor shall insert this clause in all 
subcontracts and require subcontractors to include this clause in 
all lower-tier subcontracts.


(End of clause)

■ 7. Amend paragraph (b) of section 3052.212-70 to remove 3052.204-70 
Security Requirements for Unclassified Information Technology 
Resources; add Alternate II of 3052.204-71, Contractor Employee Access; 
and add 3052.204-7X, Safeguarding of Controlled Unclassified 
Information, as follows:


3052.212-70   Contract terms and conditions applicable to DHS 
acquisition of commercial items.

Contract Terms and Conditions Applicable to DHS Acquisition of 
Commercial Items (Date)

* * * * *
    (b) * * *
    ____3052.204-71 Contractor Employee Access.

    ____Alternate I

    ____Alternate II

* * * * *

[[Page 6446]]

    ____3052.204-7X Safeguarding of Controlled Unclassified 
Information.

Soraya Correa,
Chief Procurement Officer, Department of Homeland Security.
[FR Doc. 2017-00758 Filed 1-18-17; 8:45 am]
 BILLING CODE 9110-9B-P