The wait is finally over! After more than 14 years of anticipation, the Federal Acquisition Regulation (“FAR”) Proposed Rule on Controlled Unclassified Information (“CUI”) was released on January 15, 2025 and comes as part of the Government’s broader efforts to identify, detect, and respond to ever-evolving threats targeting Federal contractors.
History and Development of the FAR CUI Proposed Rule
This rule stems from Executive Order 13556, Controlled Unclassified Information (the “CUI Executive Order”) from November 2010, which sought to address the patchwork system of marking and handling unclassified information across executive branch agencies. On September 14, 2016, the National Archives and Records Administration (“NARA”) issued a final rule (81 FR 63324) to establish a uniform policy for agencies on CUI. This rule became effective on November 14, 2016, but the CUI Program still needed to be incorporated into the acquisition process via the FAR to establish contractual requirements for Federal contractors.
In January 2017, following release of NARA’s final rule, the FAR Council opened FAR Case 2017-016, Controlled Unclassified Information, which served as the placeholder for the current FAR CUI Proposed Rule. There were no real developments until the proposed rule was published in January 2025. In the meantime, the Department of Defense (“DoD”) applied CUI safeguarding to its own contractors through DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. That clause requires “adequate security” for covered defense information; imposes cyber incident reporting, investigation, and preservation requirements; and includes a flow-down requirement for subcontractors. The DFARS clause applies only to defense contractors and subcontractors, but it serves as the model for the new FAR CUI Proposed Rule (although, as discussed below, there are significant differences).
The proposed rule has implications for all contractors that do business with the Federal government and provides guidance to clarify contractor obligations for safeguarding and handling CUI.
Key Updates and Impact on Federal Contractors
Defining and Safeguarding Controlled Unclassified Information
The proposed rule adopts the standard definition of CUI as “information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Importantly, the proposed rule also lists categories of information that are not CUI:
- Classified information;
- Covered Federal information;
- Information a contractor possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency (see 32 CFR 2002.4); or
- Federally-funded basic and applied research in science, technology, and engineering at colleges, universities, and laboratories in accordance with National Security Decision Directive 189.
The proposed rule also imposes safeguarding requirements for CUI held in both Federal and non-Federal systems:
- Non-Federal (contractor) information systems must comply with NIST SP 800-171 Rev. 2;
- Contractors operating Federal information systems must comply with the agency-identified security requirements for those systems (derived from NIST SP 800-53);
- Cloud service providers must meet FedRAMP Moderate requirements; and
- Any additional special safeguarding requirements the agency identifies, as applicable.
Additionally, the proposed rule includes explicit training requirements. Contractors must ensure employees have completed training on the proper handling of CUI before they handle it. Contractors are required to provide evidence of employee training upon request, though such requests are expected to be limited; for example, a Contracting Officer may inquire about training after an incident. Evidence of CUI training may include the contractor’s system security plan and/or annual employee training certificates.
New Standard Form to Identify CUI Requirements for Contracts
The proposed rule introduces a new Standard Form (“SF XXX”), to be completed by agencies, that will identify the CUI involved in each contract and define the relevant handling requirements. Of note, the proposed rule states that contractors will be required to safeguard only the CUI identified in the Standard Form, and that offerors and contractors will not be responsible for identifying or marking unmarked or mismarked CUI not already identified in the Standard Form. However, offerors are requested, and contractors are required, to notify the Contracting Officer within 8 hours of discovering any unmarked CUI, mismarked CUI, or CUI not identified on the Standard Form, though such discoveries are expected to be rare.
Incident Reporting and Response Requirements
The proposed rule defines a “CUI incident” as “suspected or confirmed improper access, use, disclosure, modification, or destruction of CUI, in any form or medium.” This definition differs from the definition of “cyber incident” in DFARS 252.204-7012, which is tied to a compromise of an information system. Notably, the rule specifies that unmarked or mismarked CUI does not by itself constitute a CUI incident unless the mismarking or lack of marking has resulted in the mishandling or improper dissemination of the information.
Per the proposed rule, contractors must report any suspected or confirmed “CUI incident” within 8 hours of discovery.
The proposed rule includes a statement that if a contractor is determined to be at fault for an incident (for example, due to not safeguarding CUI in accordance with contract requirements), the contractor may be financially liable for government costs incurred in the response and mitigation effort.
Defining Types of Information – Covered Federal Information
Another key update in the proposed rule is an overarching change in the FAR to use the term “covered Federal information” in place of “Federal contract information,” which is currently defined in FAR 52.204-21 and used in the materials underlying DoD’s CMMC program.
The updated definition for “covered Federal information” is “information provided by or created for the Government, when that information is other than—
- Simple transactional information (such as that necessary to process payments);
- Information already publicly released (such as on public websites), or marked for public release, by the Government;
- Federally-funded basic and applied research in science, technology, and engineering at colleges, universities, and laboratories in accordance with National Security Decision Directive 189;
- Controlled unclassified information (CUI); or
- Classified information.”
Covered Federal information is not required to be marked or identified by the Government. However, administrative markings such as “draft,” “deliberative process,” “pre-decisional,” or “not for public release” can indicate that information falls within the definition of covered Federal information.
Updates Relating to Treatment of Contractor Proprietary Information
The proposed rule addresses an issue contractors have struggled with when trying to interpret CUI requirements for their internal information or information they create. This rule provides that offerors or contractors should identify and mark their bid or proposal information, proprietary business information, and/or contractor-attributional information to ensure the information is adequately protected under the proposed rule. The government will determine whether such information provided by offerors or contractors is to be protected as CUI internally or is entitled to other protections. The Standard Form will identify any contractor CUI marking requirements under the contract.
New FAR Clauses
The proposed rule introduces a new FAR solicitation provision and two new FAR clauses. Contracting officers will add the following for all solicitations and contracts, except for procurements solely for commercially available off the shelf (COTS) products:
- FAR 52.204-WW, Notice of Controlled Unclassified Information Requirements: A new solicitation provision that informs offerors of restrictions on the use of Government-provided information, the need to appropriately identify sensitive offeror-provided information, and the procedures for notifying the Government of unmarked or mismarked CUI.
- FAR 52.204-XX, Controlled Unclassified Information: A new FAR clause that will be inserted in solicitations and contracts where the Government expects the contractor will handle CUI. The clause requires contractors to comply with the applicable CUI safeguarding, training, and incident response requirements and must be flowed down to subcontractors.
- FAR 52.204-YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information: A new FAR clause that will be inserted in solicitations and contracts where the agency indicates on the Standard Form that CUI is not involved in the performance of the contract. Even where CUI is not expected to be involved, contractors will have requirements to notify the government if they discover CUI during performance. This clause must be flowed down to subcontractors.
Conclusion & Next Steps
The rule is currently in the “proposed rule” phase, with a 60-day public comment period scheduled to close on March 17, 2025. Federal contractors, especially those not already subject to DFARS 252.204-7012, should prioritize reviewing the proposed rule and consider submitting comments to address questions or concerns about these new requirements.
This proposed rule represents a significant step towards standardizing the protection of CUI across Federal agencies. All Federal contractors, beyond just those DoD contractors already subject to DFARS 252.204-7012, will be subject to these uniform cybersecurity standards. When preparing for these changes, it is crucial to stay informed and proactive in understanding the implications of the proposed rule to maintain compliance and secure contractual relationships. By doing so, Federal contractors can better navigate the evolving cybersecurity landscape and continue to fulfill obligations in a secure and efficient manner.
Sidney Howe also contributed to this article.