On January 17, 2025, the FAR Council announced a proposed amendment to the Federal Acquisition Regulation (FAR) to update and standardize the protection of Controlled Unclassified Information (CUI) across federal agencies, ensuring consistent requirements for safeguarding CUI in the performance of Federal contracts. The proposed FAR CUI Rule marks a significant step toward addressing inconsistencies in managing sensitive federal information, ensuring a more unified and secure approach.
What is the FAR CUI Rule?
The proposed rule integrates the National Archives and Records Administration’s (NARA) CUI Program and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, into the Federal Acquisition Regulation (FAR). Currently, there is no government-wide standard instructing contractors on how to collect, develop, receive, transmit, use, handle, or store CUI during contract performance, leaving individual federal agencies to define their own processes. This fragmented approach has led to inefficiencies and risks that the proposed FAR CUI Rule seeks to address.
Key highlights of the proposed rule include:
- Establishing uniform policies for marking, safeguarding, disseminating, decontrolling, and disposing of CUI.
- Adopting NARA’s registry of CUI categories requiring safeguarding or dissemination controls.
- Requiring agencies to incorporate these standards into their acquisition processes through the new Standard Form (SF) XXX (number to be updated later).
- SF XXX, Controlled Unclassified Information (CUI) Requirements, was developed to promote consistency, assist Federal agencies and contractors in the identification of CUI in agency requirements, and uniformly define all associated handling requirements in accordance with 32 CFR part 2002.
- The SF XXX will be included in solicitations and contracts that may result in the handling of CUI that will ultimately become performance requirements during contract performance.
The proposed FAR CUI Rule aims to protect sensitive federal information that is processed, stored, or transmitted by nonfederal organizations and systems throughout the entire procurement lifecycle, including solicitation and contract performance.
Decades in the Making
The need for a consistent approach to managing CUI has been evident over the past decade, forming the foundation for various cybersecurity rules. However, without the standardized approach recommended by the proposed FAR CUI Rule, agencies have followed an “ad hoc” approach, resulting in inconsistent practices. This proposal aligns with existing Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requirements while introducing a broader government-wide standard.
Impact on Contractors
For DoD contractors, subcontractors, MSPs, and others managing CUI, the proposed FAR CUI Rule reinforces the importance of maintaining focus on compliance. While this rule provides additional clarity, it does not replace the existing standards (e.g., NIST SP 800-171 and NIST SP 800-172). Instead, it strengthens expectations by creating a consistent baseline across all federal contracts.
The FAR Council plans to introduce a standard form (SF XXX) for contract solicitations, outlining contractor responsibilities for safeguarding CUI and reporting incidents. Waivers may apply in limited circumstances, but the overarching goal remains clear: to enhance the protection of sensitive information.
Preparing for the Future
The proposed FAR CUI Rule represents a crucial step in strengthening federal security and compliance management practices and safeguarding sensitive data throughout the Federal procurement process. Federal contractors should proactively review their current processes to ensure alignment with the evolving regulatory landscape.
By standardizing how federal agencies and contractors manage CUI, the FAR CUI Rule highlights the federal government’s commitment to protecting critical infrastructure and high-value assets while fostering collaboration across the federal acquisition process.