This year, the Department of Homeland Security has proposed to amend the Homeland Security Acquisition Regulation (HSAR) to address requirements for the safeguarding of Controlled Unclassified Information (CUI). 82 FR 6429 (Jan. 19, 2017). Although this rule is not final, we note that the proposed rule mandates that a contractor must submit a “Security Authorization Package”, in conformity with NIST SP 800-53, that has been validated by an independent third party.
As an independent third-party assessor, we are watching this rule, along with many other anticipated rulemakings that could impact our clients. For example, many of our maritime-industry clients with Navy contracts who have worked with us to comply with DFARS 7012 also have Coast Guard contracts subject to HSAR.
One (of many) things that caught our attention about the DHS rule was the identified costs associated with compliance.
In its rulemaking process, DHS provided some relevant data about the costs to implement its cybersecurity rule. Specifically, the rule states:
Sera-Brynn performs third-party validations and assessments of commercial organizations subject to government-issued cybersecurity regulations, and we understand that cost is a practical concern for our clients. It factors into how we help identify a client's risk tolerance. It factors into our recommendations for remediation and technical solutions. We know that cost matters.
If your organization is looking for assistance with interpreting or applying compliance controls to manage risk and control cost, we can help. Reach us at sera-brynn.com/dfars or call 757-243-1257.
Colleen Johnson, Business Development, Sera-Brynn