The FAR Council Publishes Long-Awaited CUI Rule
Wednesday, January 15, 2025

On January 15, 2025, the Federal Acquisition Regulation (“FAR”) Council issued its long-awaited “CUI Rule.” CUI, or Controlled Unclassified Information, is information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls. For nearly 15 years, contractors have struggled to determine what information meets this definition. The CUI rule is an opportunity for the federal government to finally provide contractors with the guidance needed to better identify and safeguard the CUI they receive in connection with their federal contracts.

Contractors Handling CUI Will Be Subject to a New FAR Clause

The federal government will implement the bulk of the CUI Rule through a new FAR clause: FAR 52.204-XX. FAR 52.204-XX will apply to all contracts involving CUI, except contracts solely for commercially available off-the-shelf items. The CUI rule also makes clear that federal agencies, not contractors, are responsible for determining whether contracts will involve CUI.

Safeguarding Requirements

Under FAR 52.204-XX, contractors are only required to safeguard the CUI identified in a newly created form, SF XXX, which agencies will provide with each contract. The following safeguarding requirements will apply to any CUI identified in the SF XXX:

  • Any special safeguarding requirements identified in the SF XXX.
  • For a contractor’s own information systems (i.e., non-federal information systems), the contractor must comply with the National Institute of Standards and Technology (“NIST”) SP 800-171, Revision 2 security requirements.
  • For Federal information systems, the contractor must comply with agency-identified security requirements from the latest version of NIST SP 800-53.
  • For cloud service providers (“CSP”), the CSP must comply with the FedRAMP Moderate security requirements.

Reporting Requirements

FAR 52.204-XX introduces two new reporting requirements. First, contractors are subject to a new cyber incident reporting requirement. Under this requirement, contractors must report any suspected or confirmed “CUI incident” that occurs on a non-federal information system within eight hours of discovery to a yet-to-be-identified agency official. A “CUI incident” is the improper access, use, disclosure, modification, or destruction of CUI. If a contractor is found to be at fault for the CUI incident, the contractor “may be” liable for costs incurred by the government in responding to and mitigating the incident.

Second, contractors must notify the contracting officer within eight hours of discovery of any information that the contractor “believes” is CUI that is not identified in the SF XXX or is not marked or properly marked as required in the SF XXX. The contractor must then “appropriately safeguard” that information while the contracting officer determines whether it is CUI.

Subcontractors

Contractors are required to include FAR 52.204-XX in subcontracts, at any tier, or other contractual instruments that will involve CUI identified in the SF XXX. The term “other contractual instruments” has the potential to extend the reach of this new FAR clause to third parties that are not directly supporting the contract effort but that have access to CUI.

Overall, FAR 52.204-XX, and the CUI rule as a whole, have the potential to bring much-needed clarity to federal contractors regarding which contracts involve CUI, what type of CUI contractors will receive, and what safeguards they must put in place. Whether that clarity materializes will depend on how federal agencies implement the rule.
