Alexander W. Major | Sheppard Mullin Richter & Hampton LLP
Government contractors should take note of a proposed new rule that could impose significant new data storage obligations when finalized. The Federal Government is taking another baby-step towards cybersecurity regulation with a proposed rule intended to standardize protocols relating to designating and safeguarding unclassified information that is to be withheld from public disclosure (also known as “controlled unclassified information” (“CUI”)). See 80 Fed. Reg. 26501 (proposing amendments to 32 CFR Part 2002). On May 8, 2015, the National Archives and Records Administration (“NARA”) published a proposed new rule that goes a long way in creating a standardized system intended to replace the litany of improvised CUI control markings that have been used by various Federal agencies and, unintentionally, hindered inter-governmental information sharing for decades. The effort, however, is more than a simple housekeeping exercise, the re-designation of CUI will also bring changes to the manner in which contractor-generated information residing on contractor-owned systems is stored and secured.
The long gestating process originates from Executive Order (“EO”) 13556, issuing a directive to make Government more transparent. This, in turn, resulted in NARA being charged as the CUI Executive Agent responsible for standardizing CUI handling throughout the Executive branch. NARA’s new effort under the proposed rule would standardize the more than 100 different markings currently used by agencies – which include markings such as “Sensitive But Unclassified” (SBU); “UNCLASSIFIED/FOUO” (For Official Use Only); “PARD” (Protect As Restricted Data), and many, many others – by consolidating the “patchwork system that failed to adequately safeguard information requiring protection, and unnecessarily restricted information-sharing.” 80 Fed. Reg. 26502. In line with that responsibility, NARA’s proposed rule would: