DHS LEAPFROGS DOD AND ISSUES CUI STANDARDS

The Department of Homeland Security recently issued comprehensive cybersecurity regulations mandating steps contractors must take when handling Controlled Unclassified Information (CUI). Not only did DHS leapfrog ahead of similar rules coming soon from DOD, but the agency's rules follow different standards and contain a different definition of what constitutes CUI from current and prospective DOD rules. The DHS definition of CUI "is any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls." This includes protected critical infrastructure information, sensitive security information, information "regarding developing or current technology," physical security information and PII. The current DOD definition describes CUI as information that "requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies." DHS also chose to adopt safeguarding standards different from the established NIST 800-171 requirements on which DOD's CUI rules will almost certainly be based. The agency used security controls originally adopted in 2015, which some have already pointed out can be changed more easily than the better-known NIST standards. The DHS approach will require contractors that handle CUI to incur additional costs to develop similar, but manifestly different, procedures for handling covered information.
DHS acknowledged the cost but said "the persistent and prevalent nature of cyber-attacks on both government and private sector networks has shown that this is a necessary expense." As such, contractors will need to ensure that they are familiar with both DHS' requirements and the "coming soon" DOD standards; the compliance costs of meeting both will inevitably be passed on to the government, even as it wonders why fewer companies may want to conduct such work.