FAR Council Publishes Proposed Rule Imposing New Security Requirements on Contractors Handling CUI
On January 15, 2025, the Federal Acquisition Regulatory Council published a proposed rule (the FAR CUI Rule) that would amend the Federal Acquisition Regulation (FAR) to impose government-wide cybersecurity, training, and incident reporting requirements on government contractors and subcontractors responsible for handling Controlled Unclassified Information (CUI). For context, the federal government defines CUI as “information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
The scope of CUI is quite broad, encompassing more than 100 different categories of information. This means the proposed FAR CUI Rule is likely to impact a significant percentage of the federal contracting community.
The FAR CUI Rule continues to progress through the rulemaking process with the public comment period closing on March 17, 2025.
FAR CUI Rule Requires Use of New Standardized Form
The FAR CUI Rule introduces a new compliance mechanism that should become familiar to contractors and subcontractors: the Standard Form (SF) XXX, Controlled Unclassified Information Requirements (the CUI Standard Form). This form is expected to identify the categories of CUI that the contractor may be responsible for handling during the performance of a federal contract. The Standard Form is also expected to outline agency-specific requirements for the handling and safeguarding of CUI, which may include new requirements for CUI dissemination, decontrolling, and marking procedures.
When the handling of CUI is identified in the Standard Form, contractors must be prepared to:
- Comply with the security requirements identified in National Institute of Standards and Technology (“NIST”) SP 800-171, Revision 2 when handling CUI in a non-federal information system. By way of background, key requirements contained in NIST SP 800-171 Rev. 2 include establishing access controls to limit who can view or handle CUI, encrypting data during transmission and storage, logging system access, and implementing an incident response plan to address and mitigate a security breach.
- Submit a system security plan (SSP) documenting the contractor’s compliance with NIST SP 800-171, if requested by the government.
- Comply with agency-identified security requirements from the latest version of NIST SP 800-53, specifically for Federal information systems.
- Comply with any special safeguarding requirements identified in the Standard Form.
- Comply with the FedRAMP Moderate security requirements, specifically for cloud service providers.
- Implement additional information security requirements the contractor “reasonably determines” are necessary to adequately secure CUI.
The primary objective of the new CUI Standard Form is to streamline and unify government-wide implementation of CUI policies. Once the FAR CUI Rule is finalized, federal agencies will be obligated to use the CUI Standard Form in solicitations and contracts that either involve, or may involve, the handling of CUI.
8-Hour Incident Reporting Requirement Imposed on Contractors Handling CUI in Federal Information Systems
If a contractor is expected to handle CUI in a Federal information system, they may be subject to heightened CUI safeguarding obligations stipulated under a new FAR clause: FAR 52.204-XX. The FAR 52.204-XX clause imposes two new reporting requirements:
- Contractors must report any suspected or confirmed “CUI incident” that occurs on a non-federal information system within eight hours of discovery to a yet-to-be-identified agency official. A “CUI incident” is defined as the improper access, use, disclosure, modification, or destruction of CUI. If it is determined that the contractor was at fault for the CUI incident, the contractor “may be” liable for costs incurred by the government in responding to and mitigating the incident.
- Contractors must notify the contracting officer within eight hours of discovery of any information that the contractor “believes” is CUI that is not identified in the Standard Form or is not properly marked as CUI. In addition, the contractor will be expected to “appropriately safeguard” this information while the contracting officer determines whether it qualifies as CUI.
FAR CUI Rule Flows Down to Subcontractors
Prime contractors will be obligated to ensure that all subcontractors to whom CUI will flow are also in compliance with the new CUI safeguarding requirements. This means that prime contractors must be prepared to incorporate the relevant FAR clauses into subcontract agreements and actively monitor subcontractor compliance. Prime contractors must also prepare an SF XXX and distribute it to subcontractors to ensure they will properly safeguard CUI.
Mandatory Training
In addition to managing subcontractor compliance with the FAR CUI Rule, prime contractors will also be responsible for properly training their employees on the handling of CUI, safeguarding CUI, and complying with the more stringent incident reporting requirements. The objective of these training requirements is to ensure personnel are aware of their obligations and responsibilities when it comes to handling CUI. Contractors will also be required to maintain documentation of employee training and provide it to the contracting officer upon request.
Interplay between the FAR CUI Rule and CMMC Program
The FAR CUI Rule is primarily focused on standardizing CUI safeguards across all federal agencies, including the U.S. Department of Defense (DoD). While the FAR CUI Rule is not limited to DoD contracts, some provisions overlap with, and are designed to support, the DoD’s specific requirements for the management and handling of CUI under the Cybersecurity Maturity Model Certification (CMMC) program. For example, CMMC also addresses CUI, but it imposes additional requirements through its tiered certification framework. In contrast to the CMMC program, there is no certification requirement under the FAR CUI Rule. Rather, the FAR CUI Rule requires contractors to complete a self-attestation of compliance with NIST SP 800-171 Rev. 2.
Looking Ahead
While the proposed FAR CUI Rule may be subject to further revision as a result of public comment during the rulemaking process, the general contours of the rule are likely to become final at some point in the near future. This means impacted federal contractors and subcontractors must take proactive steps to strengthen their compliance posture. Here are some recommended steps your organization can take:
- Become familiar with the specific obligations and requirements imposed by the rule, especially the brief incident reporting period contained in the new FAR clause.
- Amend your incident response plan to incorporate the new 8-hour reporting period.
- Conduct a gap analysis between your organization’s existing cybersecurity measures and the standards and protocols in NIST SP 800-171 Rev. 2.
- Develop protocols for the proper handling and identification of CUI, including updated policies that align with the requirements of the FAR CUI Rule.
- Develop protocols and procedures for managing subcontractor compliance with the FAR CUI Rule, including updates to contractual language.
If you are a federal contractor or subcontractor looking for guidance on how to become compliant with the FAR CUI Rule, CMMC program, or any other security framework, please contact a member of the Woods Rogers Cybersecurity & Data Privacy practice team or Construction & Government Contracts practice team.