40.9 F
Washington D.C.
Friday, February 14, 2025

FAR Proposal Seeks to Standardize Controlled Unclassified Information Handling Across Federal Contracts

The Federal Acquisition Regulation (FAR) Case 2017-016, Controlled Unclassified Information (CUI), was published in the Federal Register on January 15, 2025, and is now open for public comment until March 17, 2025. This proposed rule, issued by the Department of Defense (DoD), General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA), aims to standardize CUI handling, safeguarding, and dissemination requirements across federal contracts.

The rule introduces a new standard form (SF) to ensure uniformity in CUI implementation across government agencies. It establishes roles and responsibilities for agencies and contractors when CUI resides on federal information systems, is housed within federal facilities, or is processed, transmitted, or stored on contractor information systems or facilities. Additionally, the proposal includes two new FAR clauses and a provision that define contractor reporting and compliance obligations related to CUI in federal solicitations and contracts.

Background and Purpose

The CUI Program was established under Executive Order 13556, designating the National Archives and Records Administration (NARA) as the lead agency responsible for CUI oversight. NARA published its final rule on September 14, 2016, to implement CUI policies across the executive branch. Since then, individual agencies have developed inconsistent CUI handling protocols, creating variability and compliance challenges for government contractors.

This proposed rule integrates NARA’s CUI requirements into the FAR, bringing greater consistency to how federal contractors identify, safeguard, and report CUI-related incidents. The rule also aligns with DoD’s existing DFARS 252.204-7012 clause and incorporates updates from the Cybersecurity Maturity Model Certification (CMMC) program, which verifies contractor implementation of security controls.

Key Components of the Proposed Rule

  1. New Standard Form (SF) for CUI – Establishes a government-wide form for contractors to identify and manage CUI-related obligations in contracts.
  2. Two New FAR Clauses – One clause outlines general CUI compliance and safeguarding requirements, while the other focuses on CUI identification and reporting obligations.
  3. Expanded Contractor Responsibilities – Defines contractor duties related to handling, marking, storing, and disseminating CUI across federal contracts.
  4. CUI Incident Reporting – Requires contractors to report potential CUI security breaches within eight hours and implement remediation measures.
  5. Alignment with Existing Cybersecurity Frameworks – Incorporates NIST SP 800-171 and NIST SP 800-53 requirements for securing CUI on contractor systems.

Implications for Government Contractors

The proposed rule significantly impacts federal contractors and subcontractors, particularly those handling sensitive but unclassified government information. Contractors will be required to:

  • Review and implement new CUI requirements in solicitations and contracts.
  • Ensure their information systems comply with FAR-mandated security controls.
  • Train employees on proper CUI handling procedures.
  • Report CUI-related security incidents in accordance with government standards.

Additionally, contractors working with cloud-based information systems may need to meet FedRAMP Moderate Baseline security requirements to maintain compliance.

Click here to read the full proposed rule.

Matt Seldon
Matt Seldon
Matt Seldon, BSc., is an Editorial Associate with HSToday. He has over 20 years of experience in writing, social media, and analytics. Matt has a degree in Computer Studies from the University of South Wales in the UK. His diverse work experience includes positions at the Department for Work and Pensions and various responsibilities for a wide variety of companies in the private sector. He has been writing and editing various blogs and online content for promotional and educational purposes in his job roles since first entering the workplace. Matt has run various social media campaigns over his career on platforms including Google, Microsoft, Facebook and LinkedIn on topics surrounding promotion and education. His educational campaigns have been on topics including charity volunteering in the public sector and personal finance goals.

Related Articles

Latest Articles