Cyber For All: Proposed Rule Introduces Government-Wide CUI Cybersecurity Requirements

Client Alert | 8 min read | 01.17.25

On January 15, 2025, the FAR Council released a proposed rule (FAR CUI Rule) that would amend the FAR to implement federal government-wide Controlled Unclassified Information (CUI) cybersecurity, training, and incident reporting requirements for government contractors and subcontractors.  The rule’s key cybersecurity requirements closely mirror the Department of Defense’s Cyber Maturity Model Certification (CMMC) program (for example, compliance with National Institute of Standards and Technology Special Publication 800-171, Revision 2), but broaden the scope to include contractors and subcontractors working across all federal agencies.  The Rule is intended to standardize the handling of CUI by federal government contractors and subcontractors in accordance with Executive Order 13556, including by:

  • Requiring federal agencies to provide contractors with a new Standard Form identifying CUI expected to be handled by contractors during contract performance.  The Standard Form may also include agency-specific CUI handling and training requirements that contractors must adhere to when handling CUI. 
  • Introducing a new FAR clause, “FAR 52.204-XX,” that will, at minimum, require contractors to implement National Institute of Standards and Technology Special Publication 800-171, Revision 2 (NIST SP 800-171, Rev. 2) to safeguard CUI handled on contractor information systems, report cyber incidents impacting CUI within 8 hours of discovery, and comply with any additional requirements prescribed by the contracting agency in the Standard Form.  This clause will apply if contractors receive a Standard Form indicating that they will handle or generate CUI during contract performance. 
  • Introducing a second new FAR clause, “FAR 52.204-YY,” that will require contractors to report to agencies if they have received information that may potentially be CUI and to report cyber incidents impacting such information.  This clause will apply if contractors receive a Standard Form indicating that they will not handle or generate CUI during contract performance. 

A detailed summary of the proposed FAR CUI Rule and its potential impact on government contractors is provided below. 

What is CUI?

CUI is generally defined as “information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.”  CUI is a broad categorization that encompasses over 100 categories of information.  Current CUI categories are listed in the National Archives and Records Administration (NARA) CUI Registry.

Regulatory Background and Rule Overview

In November 2010, the Obama Administration issued Executive Order 13556, which directed NARA to implement uniform CUI program requirements for all federal contracts. 

The CUI program was codified in the Code of Federal Regulations at 32 C.F.R. Part 2002 six years later, but in the years that followed, only the Department of Defense formalized contractual requirements directing contractors to safeguard CUI in accordance with standards set forth at 32 C.F.R. Part 2002.  See, e.g., DFARS 252.204-7012. 

However, with the release of the proposed FAR CUI Rule, contractors and subcontractors across all federal agencies will soon be subject to more stringent CUI cybersecurity, training, and incident reporting requirements.    

The FAR CUI Rule proposes a litany of changes to the FAR intended to standardize CUI handling, but the rule can be broken down into three basic building blocks:

  • Standard Form (SF) XXX, Controlled Unclassified Information Requirements
  • FAR Clause 52.204-XX, Controlled Unclassified Information
  • FAR Clause 52.204-YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information

The proposed FAR CUI Rule would apply to all solicitations and contracts except for solicitations and contracts solely for the acquisition of commercially available off-the-shelf (COTS) items. 

The Standard Form

The rule introduces a new mechanism, the Standard Form (SF) XXX, Controlled Unclassified Information Requirements.  The form aims to create uniformity in government-wide implementation of CUI policies by clearly defining the roles and responsibilities of agencies and contractors when CUI is involved. 

Agencies will be required to use the Standard Form (SF XXX) in solicitations and contracts that may involve CUI.  While the contracting agency will provide SF XXX to prime contractors, higher tier contractors are responsible for generating and providing an SF XXX for each subcontract they expect to involve CUI.  The SF XXX must identify the category or categories of CUI that the contractor may handle or generate during performance.  Contractors are only required to use safeguards for the CUI specified in the form but may have additional reporting responsibilities under FAR 52.204-XX or FAR 52.204-YY if they discover potential CUI not identified in SF XXX.

SF XXX will dictate whether a contract incorporates FAR 52.204-XX or FAR 52.204-YY (only one or the other may be included in a contract, not both). 

  • If the government marks “Yes” in Part A of SF XXX, indicating that the contractor is expected to “collect, develop, receive, transmit, use, handle, or store” CUI during contract performance, then the contracting officer will include clause 52.204-XX in the contract.
  • If the government marks “No” in Part A of SF XXX, indicating that the contractor is not expected to “collect, develop, receive, transmit, use, handle, or store” CUI during performance, then the contracting officer will include clause 52.204-YY in the contract.

SF XXX will also identify whether a contractor may handle CUI within a “federal information system.”  Contractors who handle CUI within a federal information system may be subject to heightened CUI safeguarding obligations under 52.204-XX, as discussed further below. 

Finally, the SF XXX may outline agency-specific requirements for safeguarding CUI, including dissemination, decontrolling, training, and marking procedures, as well as agency verification that the contractor has implemented specified requirements.  It also provides instructions for reporting cyber incidents impacting CUI, including the agency point of contact and any special incident reporting requirements for select CUI categories (e.g., export controlled information). 

FAR 52.204-XX (Contracts with Identified CUI)

As discussed above, FAR 52.204-XX will apply where the applicable SF XXX indicates that contractors will be receiving or generating CUI during contract performance.

FAR 52.204-XX requires contractors to safeguard CUI according to (a) requirements set forth in 52.204-XX, and (b) any additional, agency-specific CUI requirements, policies, or procedures that may be detailed in SF XXX.  The clause states that its safeguarding requirements only apply to CUI identified in SF XXX, but it also requires contractors to report the discovery of potential CUI to the government within 8 hours of discovery and safeguard the potential CUI until the government determines whether it is CUI or not. 

Contractors who handle CUI within a non-federal (i.e., contractor) information system must:

  • Comply with the 110 security requirements of NIST SP 800-171, Rev. 2.[1]
  • Submit a system security plan (SSP) documenting their NIST SP 800-171, Rev. 2 compliance upon request by the government.
  • Implement additional information security requirements the contractor “reasonably determines” are necessary to provide adequate security for CUI.
  • If using a cloud service provider to handle or store CUI, ensure that the cloud provider meets Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline requirements and will comply with CUI incident reporting requirements.

The clause requires contractors who will handle CUI within a federal information system (as identified in the applicable SF XXX) to comply with agency-identified security requirements from the latest version of NIST SP 800-53 (a comprehensive cybersecurity framework containing over 1,000 controls across 20 control families), or, if using cloud computing services, comply with agency-identified requirements that at minimum meet the FedRAMP Moderate baseline.

The clause also details general requirements that apply to all contractors regardless of whether they operate a federal or non-federal information system, including:

  • Mandatory training for all personnel before they can access CUI.
  • Reporting suspected or confirmed incidents impacting CUI to the Government within eight hours of discovery.[2]
  • Flowing down CUI to subcontractors where subcontract performance involves CUI.

FAR 52.204-YY (Contracts Without Identified CUI)

In contrast to 52.204-XX, FAR 52.204-YY will apply where the applicable SF XXX indicates that contractors will not receive or generate CUI during contract performance.

52.204-YY tasks contractors with notifying the government if they discover information that they believe or have reason to know is CUI.  Contractors must notify the applicable contracting officer (CO) within 8 hours of discovery.  The contractor is required to “appropriately safeguard” the information until the CO determines whether the information at issue is CUI or not.  

Under 52.204-YY, contractors must notify the relevant CO if they discover a potential CUI incident, i.e., an event involving the improper access, use, disclosure, modification, or destruction of potential CUI, and inventory the potential CUI involved in the incident.  The CO must be notified within 8 hours of incident discovery.  

Additionally, 52.204-YY reminds contractors they may not use government-provided information for their own purposes, regardless of the information’s CUI designation.  Contractors must also identify the information they own and provide to the government, such as proprietary business information, so that the government can determine what should be protected as CUI.  Finally, if a CUI incident occurs, the government may release information provided by contractors for limited purposes, such as national security.  The government will only release such information to the extent necessary.

Clause 52.204-YY must be flowed down to all subcontractors in its entirety.

Takeaways for Federal Government Contractors

While the FAR CUI Rule may be subject to further revision following the public comment period, its proposed requirements are broad in scope, pose significant compliance challenges, and will subject federal government contractors, subcontractors, and grantees to increased legal risk, especially in light of the Department of Justice’s recent emphasis on False Claims Act cases involving government contractor cybersecurity. 

Below are some steps entities involved in federal government contracting may consider in reviewing the proposed rule and determining its potential impact on their business:

  • Review existing government contracts and pending solicitations to determine whether you may already be receiving or generating CUI under a federal government contract, subcontract, or grant.
  • Conduct a privileged review of your current cybersecurity posture, including both technology and policies/processes, against NIST SP 800-171, Rev. 2 security controls.
  • Engage internal stakeholders from IT, legal, human resources, compliance, physical security, and other departments to ensure all parties are aligned on the compliance approach, have the needed resources, and understand their role in meeting potential CUI compliance requirements. 
  • Consider submitting a public comment on the proposed rule before the public comment period closes on March 17, 2025.
  • For defense contractors, compare current CUI safeguarding and incident reporting obligations against the proposed FAR CUI Rule’s requirements, as there are significant differences between DFARS 252.204-7012 and the proposed FAR CUI clauses (e.g., incident reporting timelines).

[1] While NIST released Revision 3 to SP 800-171 last year, the FAR CUI Rule explains that it will require contractors to implement NIST SP 800-171, Revision 2.

[2] Notably, this incident reporting timeline is far more stringent than DFARS 252.204-7012’s CUI incident reporting timeline, which requires defense contractors to report CUI incidents within 72 hours of discovery.  
