After years of anticipation, the Federal Acquisition Regulation (FAR) Council has announced the arrival of its proposed rule to enhance the safeguarding of Controlled Unclassified Information (CUI) in federal contracts (the Proposed Rule). Published in the Federal Register on January 15, 2025 (90 FR 4278), the Proposed Rule (stemming from FAR Case 2017-016) has been a long time coming and is intended to establish a government-wide standard for managing sensitive information, ensuring CUI uniformity and consistency across all agencies and federal contracts.
The Proposed Rule is quite long, filled with analysis (mostly financial), and was only recently released, so federal contractors should expect a tidal wave of commentary over the upcoming months discussing the ins and outs of what the Proposed Rule provides and misses. As expected—and graciously—the Proposed Rule includes a public comment period ending March 17, 2025, so contractors are encouraged to provide feedback on the proposed requirements’ feasibility, clarity, and potential economic impact. To facilitate any analysis, the following summary of the Proposed Rule is provided to start that conversation.
The Genesis of the Rule
For those not in the know, CUI is a form of covered federal information that requires safeguarding or dissemination controls as prescribed by law, regulation, or policy but which does not rise to the level of classified information. The National Archives and Records Administration (NARA) oversees the CUI Program and organizes CUI into 20 major categories, each with multiple subcategories. Examples include Personally Identifiable Information, procurement data, and Controlled Technical Information (CTI) in Department of Defense parlance. FAR Case 2017-016 has been a long-standing set of proposed FAR amendments intended to implement the CUI Program as outlined in Executive Order 13556. This Proposed Rule builds on the existing CUI Program established by that Executive Order. It aligns contractor responsibilities with National Institute of Standards and Technology (NIST) Special Publication 800-171, which provides security requirements for protecting CUI in nonfederal systems.
Highlights of the Proposed Rule
At the outset, it is worth noting that the Proposed Rule provides a precise definition of CUI, which relies on the NARA CUI Program and its implementing regulations, 32 CFR Part 2002, for detailed definitions and categorizations. The Proposed Rule applies to all federal contractors and subcontractors who handle CUI while performing federal contracts. For defense contractors, very little of the Proposed Rule should come with surprises or spoilers, but those who have gleefully avoided Department of Defense (DoD) cybersecurity requirements should find themselves welcomed to the party. Here’s what the Proposed Rule provides:
- Security Requirements: Contractors must implement security controls as specified in NIST Special Publication 800-171, Revision 2 (like DoD, the FAR Council has chosen not to require adoption of Revision 3 at this time), which distills the minimum standards for protecting CUI in nonfederal systems and organizations. Key requirements include, but are not limited to, access controls to limit who can view or handle CUI, data encryption during transmission and storage, routine monitoring and logging of system access and activity, and implementing incident response plans to address security breaches.
- Incident Reporting and Response: In the event of a cyber incident involving CUI, federal contractors will need to:
  - Report the incident to the designated federal authority within a specified timeframe
  - Preserve relevant data and logs for potential investigative purposes
  - Cooperate fully with federal agencies in identifying the scope of the breach and mitigating risks
- Subcontractor Flow-Down: Not surprisingly, prime contractors must ensure that all subcontractors comply with the same safeguarding requirements for CUI. This means that primes should incorporate the relevant FAR clauses into subcontract agreements and confirms that they are on the hook for monitoring subcontractor compliance.
- Employee Training and Awareness: Contractors must train their employees on CUI handling, safeguarding, and reporting requirements. The aim here is to ensure that personnel are aware of their responsibilities and capable of adhering to the prescribed security measures. Contractors will also need to maintain documentation of employee training and provide it to the contracting officer upon request.
The New FAR Requirements
The Proposed Rule introduces and amends several FAR clauses to safeguard CUI, streamline incident reporting, and promote accountability across federal contracts. These clauses outline contractor responsibilities, reporting procedures, and compliance requirements. Here are the key provisions:
- Amendments to FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems): Updated to align with the broader scope of safeguarding requirements introduced by this rule and to provide a baseline for protecting federal contract information (FCI) while emphasizing enhanced controls for CUI.
- Also, it’s worth noting that the Proposed Rule replaces the phrase “Federal Contract Information” with the new term “covered Federal information.” So, instead of CUI being a subset of FCI, CUI is a subset of CFI, which could include CTI. Is that clear enough for you? There’s no way this will get confusing…like, at all.
- FAR 52.204-WW: Notice of Controlled Unclassified Information Requirements: The “Heads-up! Clause.” This new clause informs contractors that performance under the federal contract will involve CUI and notifies them of their obligations to comply with the safeguarding and incident reporting requirements specified in FAR 52.204-XX and FAR 52.204-YY. Notably, it also provides that contractors (a) must inform the Contracting Officer within eight hours upon the discovery of unmarked, improperly marked, and/or unidentified CUI and (b) safeguard such information until the Contracting Officer provides further guidance.
- FAR 52.204-XX: Controlled Unclassified Information: This is the crux. The new clause establishes comprehensive requirements for identifying, safeguarding, and managing CUI in federal contracts and defines key terms, such as CUI, CUI Basic, CUI Specified, and CUI incidents, while emphasizing compliance with the CUI Registry, which guides safeguarding, dissemination, and marking. It also specifies that contractors are responsible for protecting only the CUI identified in the SF XXX form (more on that below) incorporated into the contract. However, unmarked or improperly marked CUI must be safeguarded until the Contracting Officer clarifies the issue(s). Per the clause, the contractor must:
  - Adhere to NIST SP 800-171 for nonfederal systems or NIST SP 800-53 for federal systems to ensure adequate security
  - Report suspected or confirmed CUI incidents to the government within eight hours and safeguard affected systems
  - Preserve forensic data for 90 days to support investigations
  - Ensure that employees handling CUI are trained and that training records are maintained
  - Flow down requirements to subcontractors, ensuring consistent safeguarding throughout the supply chain
The clause also allows the government to validate compliance and set expectations for handling both government-provided and contractor-generated information, creating a robust framework to protect sensitive federal data.
- FAR 52.204-YY: Identifying and Reporting Information That Is Potentially Controlled Unclassified Information: The “You guys do it” clause. In this punt, contractors are assigned responsibilities for identifying, safeguarding, and reporting information potentially classified as CUI during the performance of federal contracts. Contractors must notify the Contracting Officer within eight hours if they discover unmarked, improperly marked, or unidentified information they believe to be CUI and safeguard it until a determination is made. If a suspected or confirmed CUI incident occurs, contractors must inventory the impacted data, report the incident, and follow additional government directives. The clause emphasizes compliance with applicable laws and prohibits contractors from using government-provided information for purposes outside of the contract unless lawfully authorized.
Additionally, contractors must appropriately label their own proprietary, bid, or attributional information when submitting it to the government. The government will determine whether such information qualifies as CUI or warrants other protections. The government retains the right to release contractor information as necessary to address CUI incidents or for lawful government purposes while minimizing unnecessary disclosures. As with the other new clauses, contractors must flow down the clause’s requirements to subcontractors, ensuring that subcontractors also report suspected or confirmed CUI incidents within eight hours.
- FAR 53.204-2: Controlled Unclassified Information Requirements (SF XXX): The Contract’s CUI Bible…with caveats. This lengthy form is intended to serve as a central reference document in federal contracts involving CUI. It consolidates all relevant information about CUI obligations, ensuring contractors and subcontractors clearly understand their responsibilities. By standardizing the identification and communication of CUI requirements, the SF XXX is expected to simplify compliance throughout the supply chain.
How the SF XXX Form Is Expected to Work
The form is intended to explicitly identify the types of CUI involved in the contract to which it is appended, including whether the information falls under CUI Basic (general safeguarding controls) or CUI Specified (specific legal or regulatory safeguarding requirements). It includes detailed references to the CUI Registry, guiding contractors on the appropriate markings, handling procedures, and dissemination controls required for each CUI category. This clarity ensures contractors know exactly what information must be safeguarded and the specific controls that apply.
In addition to identifying CUI, the SF XXX outlines handling requirements tailored to the location where CUI will be managed. The form also specifies the agency’s policies for federally controlled facilities, including any prerequisites for employee training or security clearance. For nonfederally controlled facilities, contractors must follow the safeguarding and handling protocols detailed in the form, including compliance with NIST SP 800-171 for information systems that process, store, or transmit CUI.
The SF XXX also includes comprehensive incident reporting requirements. It identifies the designated agency point of contact or reporting website and the timelines for reporting suspected or confirmed CUI incidents (typically within eight hours). The form may include additional agency-specific reporting requirements, ensuring that all relevant protocols are addressed and that contractors inventory affected CUI, preserve forensic data and cooperate with government investigations to mitigate risks associated with breaches.
Agency-specific policies for safeguarding, dissemination, and training are also to be documented in the SF XXX to provide tailored guidance for unique contract requirements. This ensures contractors know of any additional responsibilities beyond the baseline NIST SP 800-171 controls. Here too, as with so much discussed above, contractors must flow down the requirements outlined in the SF XXX to subcontractors, ensuring that the entire supply chain adheres to consistent safeguarding standards.
The final designation and full implementation details of the SF XXX will likely be clarified in the final rule or associated agency guidance.
Impact on DoD CMMC Framework
The proposed FAR rule addresses safeguarding CUI across all federal agencies, including the DoD. While the Proposed Rule is not exclusively focused on DoD contracts, it does have provisions that overlap with and support the DoD’s specific requirements for managing CUI. The DoD’s Cybersecurity Maturity Model Certification (CMMC) framework addresses CUI but includes additional rigor through its tiered certification process. The Proposed Rule, however, is different. Unlike CMMC, there is no certification requirement; instead, the Proposed Rule relies on self-attestation of compliance with NIST SP 800-171, whereas the DoD may require third-party certification under the CMMC for many contracts.
This difference reflects a broader, government-wide approach resident in the Proposed Rule, which appears to allow for flexibility, unlike the DoD’s stricter verification measures. In this way, the Proposed Rule attempts to reach a one-size-fits-all model, intending to apply uniform requirements to all federal agencies, including the DoD, without tailoring its provisions to address the unique challenges of securing its highly sensitive and mission-critical information. For example, the rule does not introduce tiered compliance or enhanced safeguards for contractors handling high-value CUI specific to defense contracts, and it lacks emphasis on countering Advanced Persistent Threats that frequently target the Defense Industrial Base.
Accordingly, the Proposed Rule is a complementary framework to existing DoD-specific requirements. Still, contractors handling DoD CUI must comply with additional regulations such as DFARS 252.204-7012 and the CMMC framework to meet the DoD’s more stringent security standards. Here’s hoping pending comments will clarify how the ultimate final FAR rule integrates with DoD-specific frameworks to streamline compliance for contractors working across multiple federal agencies.
First-Blush Challenges and Criticisms
While the rule is a step, it is not without its challenges:
- Self-Attestation: The lack of a certification process may leave gaps in enforcement and accountability.
- Small-Business Impact: Smaller contractors may struggle with the costs and technical expertise required to implement NIST SP 800-171 controls.
- Software Supply Chain: The rule does not explicitly address software supply chain risks or require a software bill of materials, leaving a critical area of cybersecurity unaddressed.
- Commercial Items/Commercial Off-the-Shelf (COTS) Items: While COTS products are explicitly exempt, the rule applies safeguarding requirements to commercial items only when those items directly involve handling CUI. This may increase confusion and limit some commercial item providers and subcontractors unwilling to shoulder the accompanying regulatory requirements.
What Contractors Should Do Next
- Review the Rule: Contractors should familiarize themselves with the proposed requirements, particularly the new and amended FAR clauses.
- Assess Current Practices: Evaluate existing cybersecurity measures against NIST SP 800-171 and identify gaps.
- CUI Policies: Prepare to enhance CUI handling and identification policies to embrace the new obligations levied on contractors.
- Training: Enhance CUI and cybersecurity training in line with the FAR rule, NARA, and implementing regulations. Knowledge will be key.
- Subcontract/Supply Chain: Develop more detailed guidance for managing subcontractors’ compliance and accountability.
- Update Incident Response Policies: The new eight-hour time trigger will require some getting used to and should be integrated into policies, including incident response plans.
- Engage During the Comment Period: Stakeholders have until March 17, 2025, to submit feedback on the proposed rule. This is an opportunity to voice concerns or suggest refinements.
In the End…
The FAR Council’s Proposed Rule on safeguarding CUI introduces significant new requirements for contractors and subcontractors, posing notable challenges across the federal contracting landscape. There is much to address and even more with which contractors must become comfortable. While it aligns with established security standards like NIST SP 800-171 and simplifies compliance compared to the CMMC, its reliance on self-attestation and lack of tailored support for small businesses could limit its effectiveness while increasing contractor liability. One thing is certain: The Proposed Rule is a game changer, especially in how it demands more from contractors in the receiving and forwarding of CUI. Ultimately, the Proposed Rule could benefit from addressing lessons learned from the DoD’s CMMC framework, such as ensuring clear guidance, equitable resource allocation, and streamlined compliance processes. However, the two efforts do not seem to be sharing comments, which may result in contractors being confused when facing these and the increasing litany of new requirements.