The Federal Acquisition Regulation (FAR) Case 2017-016, Controlled Unclassified Information (CUI), was published in the Federal Register on January 15, 2025, and is now open for public comment until March 17, 2025. This proposed rule, issued by the Department of Defense (DoD), General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA), aims to standardize CUI handling, safeguarding, and dissemination requirements across federal contracts.
The rule introduces a new standard form (SF) to ensure uniformity in CUI implementation across government agencies. It establishes roles and responsibilities for agencies and contractors when CUI resides on federal information systems, is housed within federal facilities, or is processed, transmitted, or stored on contractor information systems or facilities. Additionally, the proposal includes two new FAR clauses and a provision that define contractor reporting and compliance obligations related to CUI in federal solicitations and contracts.
Background and Purpose
The CUI Program was established under Executive Order 13556, designating the National Archives and Records Administration (NARA) as the lead agency responsible for CUI oversight. NARA published its final rule on September 14, 2016, to implement CUI policies across the executive branch. Since then, individual agencies have developed inconsistent CUI handling protocols, creating variability and compliance challenges for government contractors.
This proposed rule integrates NARA’s CUI requirements into the FAR, bringing greater consistency to how federal contractors identify, safeguard, and report CUI-related incidents. The rule also aligns with DoD’s existing DFARS 252.204-7012 clause and incorporates updates from the Cybersecurity Maturity Model Certification (CMMC) program, which verifies contractor implementation of security controls.
Key Components of the Proposed Rule
- New Standard Form (SF) for CUI – Establishes a government-wide form for contractors to identify and manage CUI-related obligations in contracts.
- Two New FAR Clauses – One clause outlines general CUI compliance and safeguarding requirements, while the other focuses on CUI identification and reporting obligations.
- Expanded Contractor Responsibilities – Defines contractor duties related to handling, marking, storing, and disseminating CUI across federal contracts.
- CUI Incident Reporting – Requires contractors to report potential CUI security breaches within eight hours and implement remediation measures.
- Alignment with Existing Cybersecurity Frameworks – Incorporates NIST SP 800-171 and NIST SP 800-53 requirements for securing CUI on contractor systems.
Implications for Government Contractors
The proposed rule significantly impacts federal contractors and subcontractors, particularly those handling sensitive but unclassified government information. Contractors will be required to:
- Review and implement new CUI requirements in solicitations and contracts.
- Ensure their information systems comply with FAR-mandated security controls.
- Train employees on proper CUI handling procedures.
- Report CUI-related security incidents in accordance with government standards.
Additionally, contractors working with cloud-based information systems may need to meet FedRAMP Moderate Baseline security requirements to maintain compliance.