Tuesday, March 8, 2022

FAR NPRM Covering CUI Sent to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a new Federal Acquisition Regulation (FAR) notice of proposed rulemaking (NPRM) for “FAR Case 2017-016, Controlled Unclassified Information (CUI)”.

According to the Fall 2021 Unified Agenda listing for this rulemaking:

“DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to implement the National Archives and Records Administration (NARA) Controlled Unclassified Information (CUI) program of Executive Order 13556 of November 4, 2010 as implemented in NARA’s implementing regulations at 32 CFR 2002, and implement the OMB Memorandum M-17-12, entitled Preparing for and Responding to a Breach of Personally Identifiable Information (PII). This rule will apply the CUI program requirements in Federal contracts in a uniform manner to protect CUI. This rule is one element of a larger strategy to improve the Government’s efforts to identify, deter, protect against, detect and respond to increasing sophisticated threat actions targeting Federal contractors.”

The NARA CUI rule was published in September 2016. Among other things, it requires {32 CFR 2002.14(h)(2)} non-governmental entities handling CUI on computer systems to comply with NIST SP 800-171.
