Homeland Security Acquisition Regulation; Safeguarding of Controlled Unclassified Information rule (2023)

What is a significant rule? Significant regulatory action is a term used to describe an agency rule that has had or might have a large impact on the economy, environment, public health, or state or local governments. These actions may also conflict with other rules or presidential priorities. As part of its role in the regulatory review process, the Office of Information and Regulatory Affairs (OIRA) determines which rules meet this definition.
The Homeland Security Acquisition Regulation; Safeguarding of Controlled Unclassified Information rule is a significant rule issued by the U.S. Department of Homeland Security (DHS) effective July 21, 2023, that implemented information security measures and amended Controlled Unclassified Information (CUI) incident reporting to DHS. DHS issued the rule pursuant to its authority under the Federal Information Security Modernization Act of 2014 (FISMA).[1]
Timeline
The following timeline details key rulemaking activity:
- July 21, 2023: The final rule took effect.[1]
- June 21, 2023: DHS issued the final rule.[1]
- March 20, 2017: The comment period closed.[1]
- January 19, 2017: DHS issued the proposed rule and opened the comment period.[1]
Background
The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies to establish “information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—(i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency,” according to the text of the rule.[1]
The U.S. Department of Homeland Security (DHS) argued that additional security measures were needed to regulate contractor information handling after repeated incidents in which unclassified but important information was breached. The Homeland Security Acquisition Regulation; Safeguarding of Controlled Unclassified Information rule established additional guidance and rules related to how contractors should handle and protect controlled data.[1]
Summary of the rule
The following is a summary of the rule from the rule's entry in the Federal Register:
“DHS is issuing a final rule to amend the Homeland Security Acquisition Regulation (HSAR) to modify a subpart, remove an existing clause and reserve the clause number, update an existing clause, and add two new contract clauses to address requirements for the safeguarding of Controlled Unclassified Information (CUI). This final rule implements security and privacy measures to safeguard CUI and facilitate improved incident reporting to DHS. These measures are necessary because of the urgent need to protect CUI and respond appropriately when DHS contractors experience incidents with DHS information.”[1][2]
Summary of provisions
The following is a summary of the provisions from the rule's entry in the Federal Register:[1]
“This final rule strengthens and expands existing HSAR language to ensure adequate security when: (1) contractor and/or subcontractor employees will have access to CUI; (2) CUI will be collected or maintained on behalf of the agency; or (3) Federal information systems, which include contractor information systems operated on behalf of the agency, are used to collect, process, store, or transmit CUI. Specifically, the final rule:”
Significant impact
Executive Order 12866, issued by President Bill Clinton (D) in 1993, directed the Office of Management and Budget (OMB) to determine which agency rules qualify as significant rules and thus are subject to OMB review.
Significant rules have had or might have a large impact on the economy, environment, public health, or state or local governments. These actions may also conflict with other rules or presidential priorities. Executive Order 12866 further defined an economically significant rule as a significant rule with an associated economic impact of $100 million or more. Executive Order 14094, issued by President Joe Biden (D) on April 6, 2023, made changes to Executive Order 12866, including referring to economically significant rules as section 3(f)(1) significant rules and raising the monetary threshold for economic significance to $200 million or more.[1]
The text of the Homeland Security Acquisition Regulation; Safeguarding of Controlled Unclassified Information rule states that OMB deemed this rule significant, but not economically significant under section 3(f)(1) of E.O. 14094:
“This rule has been designated a 'significant regulatory action,' although not economically significant, under section 3(f) of E.O. 12866.”[2]
Footnotes
- [1] Federal Register, "Homeland Security Acquisition Regulation; Safeguarding of Controlled Unclassified Information," February 14, 2024.
- [2] Note: This text is quoted verbatim from the original source. Any inconsistencies are attributable to the original source.