The FAR Council has issued a proposed rule to standardize the safeguarding of Controlled Unclassified Information (CUI) across federal contracts. Learn what’s changed, what businesses are impacted and what you can do to ensure your business is compliant and eligible for federal contracts.
The Federal Acquisition Regulation (FAR) Council Proposed Rule on Controlled Unclassified Information (CUI) was released on January 15, 2025. This long-awaited rule aims to establish standardized security requirements for federal contractors handling CUI and aligns with broader government cybersecurity initiatives to combat evolving threats.
The FAR CUI rule has its origins in Executive Order 13556, which aimed to standardize CUI handling across federal agencies. However, while the National Archives and Records Administration (NARA) issued a final rule in 2016 to implement the CUI Program, it lacked contractual enforcement mechanisms for federal contractors.
This gap led to the introduction of FAR Case 2017-016, which served as a placeholder for the current FAR CUI Proposed Rule. The Department of Defense (DoD) had already implemented DFARS 252.204-7012, requiring contractors to meet NIST SP 800-171 security standards. However, the new FAR rule expands CUI safeguarding to all federal contractors, not just those working with the DoD.
The proposed rule reinforces and expands security standards that federal contractors must follow. These include:
| Requirement | Who It Applies To | Compliance Standard |
|---|---|---|
| CUI on non-federal/contractor systems | All contractors handling CUI | Must comply with NIST SP 800-171 Rev. 2 |
| CUI on federal systems | Contractors using federal IT environments | Must comply with NIST SP 800-53 |
| Cloud service providers | Contractors storing CUI in cloud environments | Must meet FedRAMP Moderate security controls |
| Employee training requirements | All personnel handling CUI | Contractors must provide and document CUI-specific training |
A new Standard Form ("SF XXX") will be introduced to clearly define:
Contractors are only responsible for safeguarding CUI identified in this form. However, if contractors discover unmarked or mismarked CUI, they must report it to the Contracting Officer within 8 hours.
This change helps clarify contractor obligations, reducing compliance confusion and potential liability.
The proposed rule establishes a strict definition of a CUI incident as:
“Suspected or confirmed improper access, use, disclosure, modification, or destruction of CUI, in any form or medium.”
Key changes:
This rule aligns with DoD’s existing DFARS 252.204-7012 incident reporting requirements.
The proposed rule also updates the definition of Covered Federal Information, replacing Federal Contract Information (FCI) with a broader term.
What’s NOT considered Covered Federal Information?
This change ensures clearer classification of sensitive data across federal agencies.
The FAR CUI Proposed Rule introduces three new contract clauses:
| FAR Clause | Purpose |
|---|---|
| FAR 52.204-WW | Notifies offerors of CUI handling obligations before bidding. |
| FAR 52.204-XX | Requires contractors to implement CUI safeguarding, training, and incident response measures. |
| FAR 52.204-YY | Requires notification if a contractor discovers unmarked/mismarked CUI during contract performance. |
These clauses apply to all federal contracts involving CUI, except for procurements solely for commercially available off-the-shelf (COTS) products.
Key Takeaways from the FAR CUI Proposed Rule