The FAR CUI Rule Just Cleared a Major Hurdle for Publication

    Learn about the potential impact of the impending FAR CUI Rule in federal contracting. Explore key updates and the regulatory process ahead.


    The FAR CUI Rule: A Long-Awaited Milestone in Federal Cybersecurity

    After years of anticipation, the FAR CUI (Federal Acquisition Regulation for Controlled Unclassified Information) proposed rule has been published.

    This rule represents the long-missing third piece of the federal CUI puzzle, joining the existing regulations overseen by the National Archives and Records Administration (NARA) and the Department of Defense (DoD).


    What is the FAR CUI Rule?

    The FAR CUI rule creates a government-wide contract clause requiring the implementation of NIST SP 800-171 for the protection of Controlled Unclassified Information (CUI).

    “This rule will apply the controlled unclassified information (CUI) program requirements in Federal contracts in a uniform manner to protect CUI.

    This rule is one element of a larger strategy to improve the Government’s efforts to identify, deter, protect against, detect, and respond to increasingly sophisticated threat actions targeting Federal contractors.

    This rule is being issued in accordance with the National Archives and Records Administration (NARA) regulations implementing the CUI program per Executive Order 13556 issued November 4, 2010, as implemented in NARA’s implementing regulations.”

    That’s right, NIST SP 800-171 isn’t just a requirement for Department of Defense contractors, but for ALL federal contractors handling any category of Controlled Unclassified Information.


    Saying the FAR CUI rule is a big deal is an understatement. It was the original regulatory "harmonization" before that was the cool thing to say.

    In addition to the DoD and the SBA Office of Advocacy, the Civilian Agency Acquisition Council comprises representatives from 19 departments and agencies:

    • Department of Agriculture
    • Department of Commerce
    • Department of Education
    • Department of Energy
    • Department of Health and Human Services
    • Department of Homeland Security
    • Department of Housing and Urban Development
    • Department of the Interior
    • Department of Justice
    • Department of Labor
    • Department of State
    • Department of Transportation
    • Department of Treasury
    • Department of Veterans Affairs
    • Environmental Protection Agency
    • National Aeronautics and Space Administration
    • Small Business Administration
    • Social Security Administration
    • U.S. Agency for International Development

    The FAR CUI rule is the missing piece of the 3-part plan to implement Executive Order 13556 "Controlled Unclassified Information".

    We like to talk about the now officially published 32 CFR CMMC Final Rule around here, but the FAR CUI dwarfs it in comparison. 


    The FAR CUI Backstory: A Decade of Delays and Confusion

    The journey of the FAR CUI rule dates back over 14 years, to the signing of Executive Order 13556, which created the foundation for managing CUI across federal agencies. However, despite the clear mandate, the FAR CUI rule languished in regulatory limbo for years. Originally expected to be released over seven years ago, the rule got caught between conflicting priorities. NIST SP 800-171 was introduced as a stopgap due to disagreements between NARA and the DoD over how contractors should handle CUI.

    NARA wanted a comprehensive approach, while the DoD preferred a more streamlined process. The DoD ultimately deferred to NARA’s leadership, but with no FAR CUI rule in sight, the DoD had to revise its own regulations under DFARS 7012. As time passed, the FAR CUI rule faded from the spotlight, and the DoD’s struggles with self-attestation and compliance challenges became front and center.

    Key Provisions of the FAR CUI Rule

    A Standard Form for Identifying CUI

    The introduction of Standard Form SF XXX is a game-changer. For the first time, contractors will receive a clear, standardized identification of CUI in their contracts. This eliminates ambiguity and provides explicit instructions on handling, marking, and securing CUI within federal contracts.


    This standard form will:

    • Clearly identify any CUI involved in a contract.

    • Outline handling, marking, and dissemination requirements.

    • Specify security controls applicable to federal and contractor information systems.

    New FAR Contract Clauses: 52.204-XX and 52.204-YY

    The rule introduces two contract clauses:

    • FAR 52.204-XX: Required when CUI is involved, mandating NIST 800-171 compliance and incident reporting.

    • FAR 52.204-YY: Applies even when no CUI is initially identified, requiring contractors to report suspected CUI within 8 hours of discovery.

    Both clauses ensure that even if CUI is identified after contract award, it must be handled in accordance with FAR CUI rules.

    8-Hour CUI Incident Reporting Requirement

    One of the most significant changes is the new incident reporting timeframe. Under FAR CUI:

    • Contractors must report any suspected or confirmed CUI breaches within 8 hours.

    • This is a dramatic shift from the DoD’s 72-hour requirement under DFARS 252.204-7012.

    This compressed timeline demands that contractors have robust incident response procedures in place, as failure to report in time could result in contract penalties or other enforcement actions.

    The Cost of Compliance: A Reality Check for Contractors

    For the first time, the government has provided official cost estimates for implementing NIST 800-171:

    • A small business can expect first-year costs of $148,200.

    • These figures align closely with Summit 7's previous estimate, which suggested compliance costs between $120,000 and $180,000.


    For many contractors, these numbers confirm what industry experts have been saying for years: compliance is costly, but necessary.


    When Will the FAR CUI Rule Take Effect?

    • March 17, 2025 – Public comment period begins.

    • Q4 2025 - Q1 2026 – FAR CUI clauses enter contracts.

    • No phased rollout – All contracts with CUI will require compliance immediately.

    Goodbye, Equivalency

    One of the more contentious issues in the CUI space has been the concept of "FedRAMP moderate equivalency," particularly when it comes to handling CUI in cloud environments. In the absence of widely available FedRAMP-certified cloud services back in 2015, the DoD created the idea of "equivalency" to allow contractors to use cloud providers that could meet the security requirements of FedRAMP moderate, even if they weren't fully certified. This workaround, however, has proven problematic.

    Many contractors have ignored this provision in their contracts, leading to widespread non-compliance. Even the DoD's January 2023 memo on equivalency highlighted this failure. Now, the FAR CUI rule has eliminated the "equivalency" loophole. The rule specifies that CUI must be stored and processed in systems certified at least to FedRAMP Moderate. The "equivalency" approach that previously allowed for non-FedRAMP-certified solutions has been eliminated, reinforcing the government’s preference for stringent cloud security standards. The rule states, "FedRAMP Moderate certification is non-negotiable for any cloud-based storage or processing of CUI."

    What's Next: FAR CUI Rule Publication and Beyond

    This rule is expected to align closely with DFARS 252.204-7012, effectively extending its reach to all federal contractors, not just those working with the DoD.

    This long-awaited rule could change how contractors across the federal landscape handle CUI, possibly putting an end to self-attestation and introducing a more robust verification process. Whether this comes in the form of external assessments or another mechanism remains to be seen, but contractors should brace for significant shifts in compliance expectations.

    For those who thought NIST SP 800-171 was just a DoD thing, the FAR CUI rule will make it clear that these cybersecurity standards apply much more broadly. 

    As we wait for the full details of the FAR CUI rule, one thing is clear: the long-standing gaps in federal CUI management are finally closing, and the federal government is taking major steps to enhance its cybersecurity posture across all agencies.




    Sum IT Up Podcast

    With Jacob Horne and Jason Sproesser

    We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.


    Jacob Horne

    Jacob has 15 years of interdisciplinary cybersecurity experience. He uses his knowledge of cybersecurity, NIST standards, and federal rulemaking to help people make sense of cybersecurity regulations and requirements.
