Imagine the following scenario:
As part of Project Road Runner, a new initiative, the United States Army, a portion of the Department of Defense (“DoD”) wants to purchase three dozen anvils. The anvils must meet specific size, strength, and weight requirements. DoD has already performed a search and is not able to find a COTS source for the anvils that meet the requirements, so an Request for Proposals (“RFP”) is published. DoD has determined that neither the specifications nor other parts of the RFP constitute Controlled Unclassified Information (“CUI”).
Acme Anvils has been in the highly competitive custom anvil business for decades. They have had strong business to business and business to consumer sales channels for decades, but they have been considering becoming a government contractor. They prepare a proposal in response to the Project Road Runner RFP. In accordance with 48 CFR 3.104-4, Acme marks their proposal as “Source Selection Information – See FAR 2.101 and 3.104.”
Mr. Wyle is a highly experienced Contracting Officer and is assigned to Project Road Runner. When he receives the Acme proposal, he notices the source selection marking and does a quick review of the DOD CUI Registry. Under the Procurement and Acquisition category, Mr. Wyle notices that there is a regulation, 48 CFR 3.104-4, which requires that source selection information must be protected by the government. Mr. Wyle determines that this makes the information CUI, and he applies an appropriate CUI marking to the proposal.
After a careful competitive analysis, Acme is awarded the Project Road Runner contract. Mr. Wyle puts together a standard government contract with Acme.
Ms. Jones, Acme’s Chief Revenue Officer, is very excited that the company won its first proposal and begins reviewing the contract terms. She notes that DFARS 252.204-7012, -7019, and -7020 are included, but since the RFP didn’t include any CUI, she knows that those clauses will not apply to Acme and continues her review of the contract. Everything looks good, until she gets to the copy of Acme’s proposal. The weight of the contract suddenly comes crashing down on Ms. Jones when she sees that the proposal has been marked as CUI! Now Ms. Jones is in a panic: Acme’s own information is now forcing them to meet the CUI-related DFARS requirements prior to contract award!
Is Ms. Jones right?
This is an open question that the National Archives and Records Administration (“NARA”) Information System Security Oversight Office (“ISOO”), the entity responsible for overseeing the CUI program, has yet to weigh in on. However, approaching this logically, if the government were to claim that a contractor’s own information is CUI when it is returned to the contractor, this will almost instantaneously create scenarios where all government contractors (even those outside the Defense Industrial Base) must comply with NIST Special Publication 800-171 and other heightened security controls. While those controls may be advantageous, and even arguably necessary, in today’s business environment, it is difficult to imagine the ISOO intending this result. As a practical matter, most courts are likely to decide that it was not the ISOO’s intent to create this scenario, and that a contractor’s own information is not CUI even when marked as such by the government.
Until the courts or ISOO provide additional clarity, however, companies should continue to be diligent about the way they handle all information labeled as CUI. Congress should encourage the ISOO to issue guidance on this as soon as possible to help companies understand their responsibilities.