The Department of Homeland Security revised its acquisition regulation to enhance the protection and privacy of controlled unclassified information, and improve security incident reporting to the agency.
The rule, which takes effect on July 21, aims to refine standard procedures for responding to DHS contractors that encounter incidents with the agency’s sensitive data.
The Homeland Security Acquisition Regulation was amended to ensure security measures are in place for contractor or subcontractor employees who will access CUI. It contains requirements and processes for handling in-house or third-party information systems that will be used to collect or transmit CUI.
New HSAR language also includes mandates for contractors to have notification and credit monitoring services for individuals who may be affected by information system incidents because of their Personally Identifiable Information or Sensitive PII.