Written By Paige Langmead
On January 15, 2025, the Federal Acquisition Regulatory (FAR) Council published a proposed rule to standardize the handling of Controlled Unclassified Information (CUI) across federal contracts. This initiative aims to enhance the protection of sensitive government information by establishing uniform requirements for contractors.
Key Points of the FAR CUI Proposed Rule
1. Definition of CUI: The rule defines CUI as information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, which requires safeguarding or dissemination controls. Notably, the rule specifies that CUI excludes classified information, covered federal information, certain contractor-maintained information, and federally funded basic and applied research.
2. Standard Form (SF) XXX: A new Standard Form (SF) XXX is introduced to be included in all solicitations and contracts where CUI is expected to be handled. This form will assist contractors in identifying the categories of CUI involved, understanding agency-specific handling requirements, and complying with standardized reporting procedures for CUI incidents.
3. New FAR Clauses: The rule introduces two new FAR clauses:
  · FAR 52.204-XX (Controlled Unclassified Information): Requires contractors to comply with security requirements, including adherence to NIST SP 800-171 Revision 2, which specifies the controls for protecting CUI in non-federal systems.
  · FAR 52.204-YY (Identifying and Reporting Information That Is Potentially Controlled Unclassified Information): Requires contractors to notify the contracting officer within eight hours of discovering any unmarked or mismarked CUI or any suspected CUI incident.
4. Compliance with NIST SP 800-171: Contractors operating non-federal information systems that process, store, or transmit CUI are required to comply with NIST SP 800-171 Revision 2. This includes submitting a system security plan upon request and cooperating with agency validation actions.
5. Incident Reporting: The rule introduces an eight-hour reporting requirement for potential CUI incidents or mismarked CUI. Contractors must notify the contracting officer representative or designated agency official within eight hours of discovery.
Benefits of the FAR CUI Proposed Rule
· Standardization: By establishing uniform requirements for handling CUI, the rule aims to reduce inconsistencies across federal agencies, providing clarity for contractors and enhancing the protection of sensitive information.
· Enhanced Security: Adherence to NIST SP 800-171 Revision 2 ensures that contractors implement robust cybersecurity measures to safeguard CUI, thereby strengthening the overall security posture of federal information systems.
· Improved Incident Response: The mandated eight-hour reporting requirement for suspected CUI incidents facilitates prompt detection and response, minimizing potential damage from security breaches.
Challenges Associated with the FAR CUI Proposed Rule
· Compliance Costs: Implementing the required security measures and reporting protocols may entail significant costs, particularly for small businesses and non-defense contractors. The FAR Council's own estimate of the labor and hardware/software costs of compliance indicates a burden that some contractors may find difficult to absorb.
· Complexity of Requirements: The detailed and technical nature of the NIST SP 800-171 controls may pose challenges for contractors without dedicated cybersecurity expertise, potentially leading to compliance difficulties.
· Short Reporting Window: Because the eight-hour clock starts at discovery, contractors will need an internal escalation path that works at all hours; meeting this timeframe may be challenging for contractors with limited resources, especially when a suspected incident or mismarked information is found outside business hours.
· Scope of Applicability: The rule applies to all federal contracts, excluding those solely for commercially available off-the-shelf (COTS) items. This broad applicability means that many contractors will need to adjust their operations to comply with the new requirements.
Conclusion
The FAR CUI Proposed Rule represents a significant step toward standardizing the handling of Controlled Unclassified Information across federal contracts. While it offers benefits such as enhanced security and clarity, contractors must be prepared to address the associated challenges, including compliance costs and the complexity of the requirements. As the public comment period continues until March 17, 2025, stakeholders are encouraged to review the proposed rule and provide feedback to ensure that the final regulations effectively balance security objectives with practical implementation considerations.