FAR CUI Proposed Rule Released: What Federal Contractors Need to Know

Sera Brynn - Article - FAR CUI Proposed Rule Released


The FAR Council has issued a proposed rule to standardize the safeguarding of Controlled Unclassified Information (CUI) across federal contracts. Learn what’s changed, what businesses are impacted and what you can do to ensure your business is compliant and eligible for federal contracts.


A Major Update for Federal Contractors Handling CUI

The Federal Acquisition Regulation (FAR) Council Proposed Rule on Controlled Unclassified Information (CUI) was released on January 15, 2025. This long-awaited rule aims to establish standardized security requirements for federal contractors handling CUI and aligns with broader government cybersecurity initiatives to combat evolving threats.


How Did We Get Here? The Evolution of the FAR CUI Rule

The FAR CUI rule has its origins in Executive Order 13556, which aimed to standardize CUI handling across federal agencies. However, while the National Archives and Records Administration (NARA) issued a final rule in 2016 to implement the CUI Program, it lacked contractual enforcement mechanisms for federal contractors.

This gap led to the introduction of FAR Case 2017-016, which served as a placeholder for the current FAR CUI Proposed Rule. The Department of Defense (DoD) had already implemented DFARS 252.204-7012, requiring contractors to meet NIST SP 800-171 security standards. However, the new FAR rule expands CUI safeguarding to all federal contractors, not just those working with the DoD.


New Safeguarding Requirements for CUI

The proposed rule reinforces and expands security standards that federal contractors must follow. These include:

| Requirement | Who It Applies To | Compliance Standard |
|---|---|---|
| CUI on non-federal/contractor systems | All contractors handling CUI | Must comply with NIST SP 800-171 Rev. 2 |
| CUI on federal systems | Contractors using federal IT environments | Must comply with NIST SP 800-53 |
| Cloud service providers | Contractors storing CUI in cloud environments | Must meet FedRAMP Moderate security controls |
| Employee training requirements | All personnel handling CUI | Contractors must provide and document CUI-specific training |



New Standard Form to Define CUI in Contracts

A new Standard Form ("SF XXX") will be introduced to clearly define:

  • Which data is classified as CUI
  • How contractors must handle, store, and transmit CUI
  • What security protocols must be followed

Contractors are only responsible for safeguarding CUI identified in this form. However, if contractors discover unmarked or mismarked CUI, they must report it to the Contracting Officer within 8 hours.

This change helps clarify contractor obligations, reducing compliance confusion and potential liability.



Incident Reporting: New 8-Hour Notification Requirement

The proposed rule establishes a strict definition of a CUI incident as:

“Suspected or confirmed improper access, use, disclosure, modification, or destruction of CUI, in any form or medium.”

Key changes:

  • CUI incidents must be reported within 8 hours of discovery.
  • Unmarked/mismarked CUI is not an incident unless improper dissemination occurs.
  • Contractors may be held financially liable if a breach results from inadequate security controls.

This rule aligns with DoD’s existing DFARS 252.204-7012 incident reporting requirements.



Changes to Federal Information Definitions

The proposed rule also updates the definition of Covered Federal Information, replacing Federal Contract Information (FCI) with a broader term.

What’s NOT considered Covered Federal Information?

  • Simple transactional data (e.g., payment processing info)
  • Publicly released information (e.g., government websites)
  • Federally funded research (unless specifically classified as CUI)
  • Classified information (separately governed)

This change ensures clearer classification of sensitive data across federal agencies.


New FAR Clauses and Contractor Obligations

The FAR CUI Proposed Rule introduces three new contract clauses:

| FAR Clause | Purpose |
|---|---|
| FAR 52.204-WW | Notifies offerors of CUI handling obligations before bidding. |
| FAR 52.204-XX | Requires contractors to implement CUI safeguarding, training, and incident response measures. |
| FAR 52.204-YY | Requires notification if a contractor discovers unmarked/mismarked CUI during contract performance. |

These clauses apply to all federal contracts involving CUI, except for procurements solely for commercially available off-the-shelf (COTS) products.


Stay Ahead of CUI Compliance Changes

CMMC and FAR compliance requirements are rapidly evolving. The team of compliance experts at Sera Brynn helps businesses navigate these changes with compliance assessments, policy updates, and security implementation support.


Key Takeaways from the FAR CUI Proposed Rule

  • New cybersecurity obligations for federal contractors handling CUI, including adherence to NIST SP 800-171 Rev. 2
  • Introduction of a new Standard Form to identify CUI in contracts
  • Mandatory incident reporting within 8 hours of a confirmed or suspected CUI breach
  • Standardization of CUI training requirements for employees handling sensitive information
  • Expanded definition of covered federal information, replacing Federal Contract Information (FCI)