The National Archives and Records Administration (“NARA”) published a proposed rule on Friday that would establish a government-wide policy related to controlled unclassified information (“CUI”). See 80 Fed. Reg. 26501 [found here]. The proposed rule would establish policies for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI. Most importantly for contractors is that these extensive additional requirements could soon start infiltrating government contracts for which CUI is provided or created.
While the proposed rule is largely focused on agency requirements, the CUI requirements will impact contractors in a number of different ways:
- Agencies would be required to include NARA’s CUI requirements from the proposed rule in “all contracts that require a contractor to handle CUI for the agency.”
- Agencies would be encouraged to enter into formal information-sharing agreements with contractors that would require contractors to comply with NARA’s CUI requirements. Alternatively, agencies would be required to communicate to contractors that the government “strongly encourages” contractors to protect CUI consistent with NARA’s CUI requirements.
- NARA and NIST are planning to finalize and adopt NIST SP 800-171, published in April 2015, which contains more than 100 security controls for protecting CUI in nonfederal information systems and organizations.
- NARA is planning to promulgate a FAR clause to apply the requirements of NARA’s proposed rule and the final version of NIST 800-171 to contractors.