Wednesday, January 15, 2025

Review - GSA Publishes FAR NPRM on Controlled Unclassified Information

Today the GSA (and DOD and NASA) published a notice of proposed rulemaking in the Federal Register (90 FR 4278-4317) on “Federal Acquisition Regulation (FAR): Controlled Unclassified Information (CUI)”. This rulemaking would modify and extend provisions in the existing FAR, providing information on how contractors would be expected to handle CUI obtained, used, or created in the course of federal contract work. These rules would implement the requirements of regulations created by the National Archives and Records Administration (NARA) pursuant to the requirements of EO 13556, “Controlled Unclassified Information”.

Background 

The government has long tried to restrict access to sensitive information. National security information is protected by rules related to classified information, but those rules do not apply to less sensitive information. Over the years, agencies have come up with a number of different information control schemes for various types of information, with varying levels of formal and informal rules about how that information should be protected. Needless to say, that odd mix of systems was confusing, unworkable, and, practically speaking, unenforceable.

In 2010 President Obama attempted to address this issue by releasing EO 13556. He designated NARA as the agency responsible for formulating the regulations necessary to implement the requirements outlined in the Executive Order. In 2015 NARA published their regulations at 32 CFR 2002. In general, the NARA CUI rules applied to government organizations, not people outside of the government. The one exception was government contractors that handled CUI as part of their contractual duties to the federal government.

I did a blog post when NARA published their rule. That post, together with the notice of proposed rulemaking posts mentioned in it, provides a good deal of background on the regulation that this rulemaking is trying to adopt into the FAR.

Public Comments

GSA is soliciting public comments on this proposed rule. Comments may be submitted via the Federal eRulemaking Portal (www.Regulation.gov; Docket # 2017-0016, Sequence No. 1). Comments should be submitted by March 17th, 2025.

 

For more information about this rulemaking, including a discussion of the NIST SP 800-171 cybersecurity requirements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/gsa-publishes-far-nprm-on-controlled - subscription required.
