Here you will find policies, procedures, and training requirements for DHS contractors whose solicitations and contracts include the following Homeland Security Acquisition Regulation clauses:
- 3052.204-71 Contractor Employee Access
- 3052.204-72 Safeguarding of Controlled Unclassified Information
- 3052.204-73 Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents
- Special clause IT Security Awareness Training (See HSAR Class Deviation 15-01, Rev. 1 Safeguarding of Controlled Unclassified Information)
For additional information related to personnel security at DHS, please review the helpful resources provided by our Office of the Chief Security Officer.
Here you will find directives and guides for DHS contractors whose solicitations and contracts include the HSAR 3052.204-72, Safeguarding of Controlled Unclassified Information, and HSAR 3052.204-73, Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents.
Information Security Policy
Instruction 121-01-022, Interim Procedures for Integrating the Controlled Unclassified Information Framework at the Department of Homeland Security, establishes the process and procedures by which the Department of Homeland Security (DHS) is to transition from current practices relating to sensitive but unclassified information (e.g., For Official Use Only, Law Enforcement Sensitive, etc.) to the Controlled Unclassified Information (CUI) framework as directed by Executive Order 13556, “Controlled Unclassified Information.”
DHS Management Directive (MD) 11042.1 establishes policy regarding the identification and safeguarding of sensitive but unclassified information originating within DHS. It also applies to other sensitive but unclassified information received by DHS from other government and non-government entities.
MD 11056.1 establishes DHS policy regarding the recognition, identification, and safeguarding of Sensitive Security Information (SSI). This MD is applicable to all persons who are permanently or temporarily assigned, attached, detailed to, employed, or under contract with DHS.
Information Technology Security Policy
- DHS Sensitive Systems Policy Directive 4300A: Explains the DHS Information Security Program policies for DHS sensitive systems and systems that process sensitive information for DHS.
- Attachment G - Rules of Behavior: Informs users of DHS information technology equipment and systems of their responsibilities and that they will be held accountable for their actions while they are accessing DHS systems and using DHS/contractor IT resources capable of accessing, storing, receiving, or transmitting sensitive information. The DHS Rules of Behavior apply to every DHS employee and DHS support contractor.
- Security Authorization Process Guide: Defines the Security Authorization process for DHS sensitive systems and systems operated by contractors that process sensitive information for DHS.
- DHS Security Authorization Templates: Provides DHS contractors with access to templates for all of the Security Authorization documentation required by HSAR Clause 3052.204-72, Safeguarding of Controlled Unclassified Information. Use of these templates is mandatory.
- Fiscal Year 2023 DHS Information Security Performance Plan: Defines performance requirements, priorities, and overall goals for all DHS sensitive systems and systems that process sensitive information.
- TSA Information Assurance (IA) Handbook: Provides the policies and requirements of the Transportation Security Administration (TSA) Management Directive (MD) 1400.3, Information Technology Security, by establishing guidance applicable to the use, development, and maintenance of TSA Information Technology (IT) assets, networks, and systems.
DHS Instruction Handbook 121-01-007, Department of Homeland Security Personnel Suitability and Security Program: Establishes procedures, program responsibilities, minimum standards, and reporting protocols for DHS's Personnel Suitability and Security Program. It does not prohibit any DHS Component from exceeding the requirements. This Instruction implements the authority of the Chief Security Officer (CSO) under DHS Directive 121-01.
Privacy Incident Handling Guidance: Establishes DHS policy for responding to privacy incidents by providing procedures to follow upon the detection or discovery of a suspected or confirmed incident involving Personally Identifiable Information.
Safeguarding Sensitive Personally Identifiable Information Handbook: Provides best practices and DHS policy requirements to prevent a privacy incident involving Personally Identifiable Information during all stages of the information lifecycle.
Information Technology Security Awareness Training
Provides guidance for online conduct and proper use of information technology. The Challenge presents cybersecurity and information systems security awareness instructional topics through first-person simulations and mini-game challenges that allow the user to practice and review cybersecurity concepts in an interactive manner. The training takes approximately one (1) hour to complete. Completion of the training is required before access to DHS systems can be provided.
Under Department of Defense Employees, select Start/Continue New CyberAwareness Challenge Department of Defense Version.
Privacy Training
Defines Personally Identifiable Information (PII); identifies the required methods for collecting, using, sharing, and safeguarding PII; lists the potential consequences of not protecting PII; and describes the requirements for reporting suspected or confirmed privacy incidents. The training takes approximately one (1) hour to complete. Completion of the training is required before access to PII can be provided.