Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received three notices of proposed rulemaking (NPRM) from the DHS Office of the Secretary relating to cybersecurity requirements in the DHS acquisition process. Those rulemakings were:
• Privacy Training; and
Only the first rulemaking has been published in the Unified Agenda, so we can only make assumptions as to the content of the other two. It is very possible that the second does not really address cybersecurity issues at all.
The Unified Agenda listing for the Safeguarding of Sensitive Information rule specifically mentions only personally identifiable information, but the way that it is worded could certainly include controlled but unclassified (CBU) information that will be regulated by rules being established by the National Archives and Records Administration (final rule under review at OIRA). It will be interesting to see if this DHS rule includes the same NIST computer standards that are expected to be included in the NARA rule.
OIRA typically approves acquisition rulemakings faster than wider regulatory issues, so we might see an approval here in the next month or so.