Proposed Regulation on Controlled Unclassified Information Standardizes Process for CUI Identification and Handling Across Federal Agencies

Morrison & Foerster LLP - Government Contracts Insights

The Federal Acquisition Regulation (FAR) Council issued its long-awaited proposed rule on Controlled Unclassified Information (CUI) on January 15, 2025. The proposed rule establishes a common form to be used by all federal agencies at the contract formation stage to identify contract-related CUI, prescribes requirements for contractor protection of CUI, and creates a formal reporting process for security incidents involving CUI. Below, we examine these and several other noteworthy aspects of the proposed rule and their implications for contractors.

Historical Context

As defined in the proposed FAR rule, CUI is “information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.” This is consistent with the statutory definition of CUI established by the National Archives and Records Administration (NARA), which defines CUI as “[a]ll unclassified information throughout the executive branch that requires any safeguarding or dissemination control.” 32 C.F.R. § 2002.

The federal government has long recognized the need to protect sensitive but unclassified information. In 2010, President Obama issued Executive Order 13556, establishing the CUI Program and designating NARA as its executive agent. In September 2016, NARA published a final rule codifying uniform policies for marking, safeguarding, disseminating, and disposing of CUI. The FAR Council then opened FAR Case 2017-016 to develop parallel acquisition regulations and contractor clauses. It has taken until now, however, to issue the proposed regulations. In the interim, the Department of Defense (DoD) established its own CUI protection requirements in the form of DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Other agencies have also issued CUI regulations or created special clauses for use in select contracts. This inconsistent and uneven approach to CUI handling has created confusion and compliance uncertainty among the contractor community, which must protect sensitive information from potential security vulnerabilities. The proposed regulation seeks to remedy this situation by standardizing the federal government’s approach to CUI.

The Proposed Rule’s Framework for Identifying and Handling CUI

The proposed rule applies broadly to nearly all federal contracts, including those for commercial products and services, except those solely for the sale of commercial off-the-shelf products. We have classified these major changes into the following categories: (1) identifying requirements (in the standard form); (2) safeguarding requirements; (3) incident reporting; and (4) additional notable provisions and next steps.

Identification of Requirements: Understanding Standard Form XXX

At the heart of the proposed rule is Standard Form XXX (SF XXX), which will inform contractors of their CUI protection obligations from the outset of the procurement process. The form will be included in all solicitations and contracts that may involve CUI, and contractors must prepare their own SF XXX, tailored from the prime contract version, when flowing down CUI requirements to applicable subcontractors.

Each SF XXX will identify what information under the contract is considered CUI and establish any contract-specific compliance requirements. For each contract, the form will specify all required privacy measures, security controls, and agency-specific security measures—dependent on whether federal or non-federal information systems will process the CUI. The form will also identify who can access CUI and under what conditions, personnel training requirements, and incident reporting procedures.

Notably, even if there is no CUI identified, new FAR clause 52.204-YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information, must be incorporated into solicitations and contracts. The clause applies when the SF XXX indicates that no CUI will be involved in contract performance. The clause requires contractors to notify the relevant contracting officer within 8 hours if potential CUI is discovered but that CUI is not listed on an SF XXX or not properly marked.

In addition, the proposed rule obligates contractors to mark as CUI proposal information, proprietary business information, and certain other types of information in proposal submissions, as well as any other CUI they create in performance of the contract.

Safeguarding Requirements

The proposed rule establishes comprehensive requirements for safeguarding CUI, introducing new obligations for contractors of civilian agencies that are similar to, but not the same as, the existing DoD requirements under DFARS clause 252.204-7012.[1] Applicable safeguarding requirements vary based on whether contractors handle CUI on federal or contractor systems, the type of CUI involved, and whether the contract involves critical programs.

For CUI on federal information systems, contractors must implement NIST SP 800-53 security controls and meet any additional CUI requirements listed in SF XXX. If cloud services are used, they must, at minimum, comply with FedRAMP Moderate baseline standards.

For CUI on non-federal information (i.e., contractor or subcontractor) systems, contractors must implement NIST SP 800-171 Revision 2 security controls and follow any additional requirements specified in SF XXX for higher security levels.[2] To demonstrate compliance, contractors must maintain system security plans documenting their implementation of NIST SP 800-171 controls and submit these plans to their government customers upon request. For performance of contracts involving CUI, contractors may use only cloud-based products and services that meet FedRAMP Moderate baseline standards. They must also allow government validation of their security measures in accordance with NIST SP 800-171A. For certain critical programs, contractors may need to implement the enhanced security requirements of NIST SP 800-172.[3]

As noted above, additional safeguarding and handling requirements beyond these baseline standards may be required and reflected in solicitations and contracts in the form of agency- and contract-specific security requirements.

The proposed rule also requires annual CUI training for contractor employees and states that no contractor employee may handle CUI without first completing the required training and meeting any additional prerequisites for access. Contractors must maintain training documentation and provide it upon request to the contracting officer. These requirements flow down to subcontractors that will handle CUI.

Incident Reporting Requirements

For non-federal facilities and systems, the proposed rule establishes an 8-hour reporting requirement for suspected or confirmed “CUI incidents,” defined very broadly as “improper access, use, disclosure, modification, or destruction of CUI, in any form or medium.” Contractors must report to the agency website or point of contact identified in SF XXX.

When a CUI incident occurs, contractors must determine what CUI was or could have been improperly accessed, construct a timeline of user activity, and assess the methods used to access the CUI. For incidents involving information systems, contractors must preserve and protect images of all affected systems and relevant monitoring data for 90 days after submitting the CUI incident report, unless the government declines interest or requests the data and media sooner.

The reporting requirements apply to subcontractors at any tier that have access to CUI as well. Subcontractors must notify their prime contractor or next-higher-tier subcontractor within 8 hours of discovery of a suspected or confirmed CUI incident.[4]

Cloud service providers with FedRAMP authorization must follow FedRAMP-specific reporting requirements in addition to those set forth in the proposed contract clauses.

Incidents occurring at federal facilities must be reported in accordance with applicable agency procedures.

Importantly, the incident reporting rule specifies that, while the mere fact of a report does not create liability, “[i]f the Contractor is determined to be at fault for a CUI incident (e.g., not safeguarding CUI in accordance with the contract requirements), the Contractor may be financially liable for Government costs incurred in the course of the response and mitigation efforts in addition to any other damages at law or remedies available to the Government for noncompliance.” This provision is part of a continuing trend of the government seeking to hold contractors to account for failure to meet security and cybersecurity obligations.

Additional Notable Provisions and Next Steps

In addition to the changes described above, the proposed rule does away with the previously used term “federal contract information” (FCI) and replaces it with a revised definition of “covered Federal information” that clarifies that this category does not include CUI or classified information. As with FCI previously, “covered Federal information” is subject to the protections of the updated FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

In a helpful clarification for contractors, the new definition of CUI specifically excludes information that the contractor possesses or has on its systems that was not created for, and/or is not possessed on behalf of, a federal agency. In the past, many contractors questioned how and whether CUI markings apply to their own internal information. This provision makes clear that contractors have no obligation to mark or protect internal information that, in other contexts, might be CUI.

Interestingly, the procedure for completion of the SF XXX form specifies that it is the agency “requiring activity,” not the contracting officer, that is required to identify CUI and applicable requirements. It remains to be seen what guidance and training will be provided across government to prevent over-identification—a common issue currently—and encourage consistency across agencies.

Also, although CUI can be identified later in the contracting process via modification, the proposed rule leaves open the possibility of a contractor request for equitable adjustment to account for newly added requirements that increase contract compliance costs.

The proposed changes formally integrate CUI protection requirements into the federal procurement process and transform the previously piecemeal approach to CUI into a cohesive framework. Nonetheless, the devil is in the details, and contractors are sure to have thoughts about the proposed rule. The FAR Council has even asked interested parties to weigh in on specific questions, including how they believe they will handle competing incident reporting timelines across the federal government and how these additional requirements might impact pricing.

Comments should be submitted to the Regulatory Secretariat Division on or before March 17, 2025, to be considered for the final rule.

President Trump’s regulatory freeze, announced on January 20, 2025, does not impede the FAR Council’s ability to solicit and review comments from industry on the proposed rule, but it does preclude the FAR Council from promulgating a final rule at least until approved by the cognizant appointees of the new administration.

[1] It remains to be seen how (or whether) DoD will harmonize the differences between the DFARS and this proposed rule.

[2] The rule notes that the current NIST SP 800-171 version, Rev. 3, is available, but purposefully declines to apply it until further study. However, the FAR Council adds that it anticipates future rulemaking to update to Rev. 3 or future versions of the NIST special publication.

[3] These enhanced requirements are expected to apply only to a limited subset of contractors; the FAR Council estimates that 160 contractors would be affected.

[4] This is a notable deviation from the DFARS 252.204-7012 incident reporting process, which requires subcontractors to report directly to the government. The revised process puts the burden on prime contractors to further report subcontractor incidents.
