
DHS releases new cybersecurity regulations: impact on contractors

New rules implemented by the US Department of Homeland Security introduce new requirements for protecting information and reporting cybersecurity incidents


The United States Department of Homeland Security (DHS) recently issued new cybersecurity regulations with the goal of protecting controlled unclassified information (CUI). These long overdue regulations amend and add to the Homeland Security Acquisition Regulations (HSAR) and will be integrated into future tenders, including commercial contracts issued under Federal Acquisition Regulation (FAR) Part 12. The regulations tie in with existing and future requirements of the United States Department of Defense (DoD) and the Federal Acquisition Regulatory Council (FAR Council), and will take effect on July 21, 2023.

Detailed analysis of the regulations

The new regulations stipulate not only how contractors must protect CUI, but also the new reporting requirements for cybersecurity incidents, and in some cases they require third-party assessments. These regulations will impose additional costs on contractors, but according to DHS, those costs are necessary to protect CUI and other critical information. Three new regulations have been introduced: HSAR 3052.204-71, HSAR 204-72 and HSAR 3052.204-73, which regulate contractor employees' access to CUI, security measures, incident notification and credit monitoring.

DHS specific security controls and definition of CUI

Curiously, DHS has decided not to use the security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as a baseline, but rather builds on the security controls outlined by DHS itself. Additionally, DHS has developed a definition of CUI that differs from existing definitions in the DoD. The DHS definition of CUI includes critical infrastructure information, sensitive security information, information about current or development technology, physical security information, and PII, among other things. DHS is working to update security policies, with a promise to replace current policies and procedures once they are finalized.

Additional requirements of the new regulations

The basic requirements of the regulation apply when CUI is handled as part of the contractual requirements. There are additional requirements for contractors who have access to a government system or operate a system on behalf of DHS. These include the need to obtain an Authority to Operate (ATO), complete the Security Authorization (SA) process in line with DHS Policy Directive 4300A, and undergo third-party assessments. The new rules place particular emphasis on incident notification, employee training, and compliance with DHS's stringent security standards.


06/28/2023 00:00

Marco Verro
