
Understanding the Proposed FAR CUI Rule

Jan 23, 2025

DoD, GSA, and NASA recently published a proposed amendment to the Federal Acquisition Regulation (FAR): Controlled Unclassified Information (FAR Case 2017-016) or ‘FAR CUI Rule’. It presents critical updates on managing Controlled Unclassified Information (CUI) in federal contracts, aiming to create a uniform approach across government agencies for handling and protecting sensitive information while addressing gaps in current policies. Let’s examine the requirements and what they mean for federal contractors when the rule becomes final.

What is the FAR CUI Rule?

The proposed rule aims to implement the National Archives and Records Administration (NARA) final rule on the Federal CUI Program related to performance under Federal contracts. It is part of a broader government strategy to enhance efforts to protect federal information and information systems against attacks from increasingly sophisticated criminals and adversaries.

DoD, GSA, and NASA are proposing to create a standard mechanism to:

  • Enable a uniform process for communicating the information contractors must manage and safeguard, and
  • Identify where a CUI incident must be reported and when CUI incident reporting requirements differ from, or are in addition to, those in the clause at FAR 52.204-XX(g).

Existing laws, Federal regulations, and government-wide policies already mandate these protections. However, there is no standard way to identify and share these requirements with contractors. The proposed rule includes changes to standardize the CUI protection and reporting requirements across the government.

Standard Form

A new standard form (referred to as ‘SF XXX’ until it is officially named) will be created to standardize the implementation of these policies government-wide. The form aims to identify the roles and responsibilities that agencies and contractors must adhere to if they:

  • Store CUI on Federal information systems within a Federal facility, or
  • Store CUI on, or transmit it through, contractor information systems or facilities.

NIST SP 800-171 Compliance

The proposed rule mandates compliance with NIST SP 800-171, Revision 2, which defines 110 security requirements designed to properly safeguard CUI. These requirements also form the foundation of the Cybersecurity Maturity Model Certification (CMMC), which targets U.S. Department of Defense (DoD) contractors. The application of NIST controls will be specific to the contract, with agency-determined requirements included in the contract terms based on the sensitivity of the CUI involved. The government may also require contractors to submit a system security plan as required by NIST SP 800-171 Revision 2 to demonstrate the necessary security requirements have been implemented.

Employee Training

Training is also a requirement under the FAR CUI rule. Employees of contractors or subcontractors that handle CUI must complete training on safeguarding CUI, as specified on the contract’s SF XXX. Training must be documented and made available to the contracting officer upon request.

Incident Reporting

The proposed FAR CUI Rule also adds provisions for including contractor reporting and compliance responsibilities in Federal solicitations and contracts to enforce mandates and increase accountability, including:

  • Reporting of CUI Incidents: It sets an 8-hour reporting window for all cybersecurity breaches affecting CUI (‘CUI Incidents’); the report must include what CUI was affected, how it was impacted, and a timeline of the activity.
  • Flow down of CUI Requirements to subcontractors: It emphasizes ‘flow down’ of requirements, so that contractors pass CUI safeguarding and reporting obligations on to their subcontractors and security requirements are met throughout the supply chain.

What CUI Requirements are included?

The CUI safeguarding requirements in the FAR CUI Proposed Rule include:

  • Standards for marking CUI submitted to the Government and how to notify the Government of any mismarked or unmarked CUI;
  • Restrictions on the contractor’s use of Government-provided information, which apply whether or not the information is marked as CUI;
  • Standards for safeguarding CUI on Federal and non-Federal systems, as identified in the SF XXX, Controlled Unclassified Information (CUI) Requirements;
  • Reporting and security incident management requirements;
  • Actions that may be necessary to validate compliance;
  • Minimum CUI training requirements; and
  • A requirement that contractors flow down CUI requirements to subcontractors, if applicable.

Who will it impact?

The proposed rule aims to standardize baseline security requirements and close existing security gaps to protect CUI across the government. While CMMC only impacts defense contractors, the FAR CUI Rule expands CUI safeguarding requirements to all contractors and subcontractors that handle CUI for non-DoD agencies. However, unlike CMMC, which will be rolled out in several phases over a few years, the FAR CUI Rule will go into effect once it is final. After implementation, if an SF XXX is included in the contract and specifies that CUI will be part of it, the contractor must comply with the new FAR clause (FAR 52.204-XX).

Non-defense contractors – under contracts that contain an SF XXX with Part A checked “Yes,” will be required to implement NIST SP 800-171 Revision 2, among other requirements.

Defense contractors – must also comply with DFARS clause 252.204-7012 and, most probably, CMMC verification.

When will the FAR CUI Rule go into effect?

The FAR CUI Rule was published in the Federal Register on January 15, 2025, with a public comment period ending on March 17, 2025. It typically takes about a year after the comment period closes to issue a final regulation. Federal contractors should start familiarizing themselves with the requirements and preparing for the changes the FAR CUI Rule will bring, to minimize its impact.

Need help protecting CUI? Contact us.

Learn how archTIS can help you meet CUI labeling, marking, access and data protection guidelines in your Microsoft 365, SharePoint On-premises and File Share environments. Contact us.
