Learn about the potential impact of the impending FAR CUI Rule in federal contracting. Explore key updates and the regulatory process ahead.
The FAR CUI proposed rule has officially moved into regulatory review with the Office of Information and Regulatory Affairs (OIRA).
With the FAR CUI rule one step away from publication in the Federal Register, we dive a little deeper into what it is and some open questions we’re looking forward to resolving when the rule, after nearly 10 years, is finally released.
Watch the Podcast
Listen to the Podcast
This episode is from the Sum IT Up podcast. Click here to learn more.
What is the FAR CUI Rule?
The FAR CUI rule creates a government-wide contract clause requiring the implementation of NIST SP 800-171 for the protection of Controlled Unclassified Information.
“This rule will apply the controlled unclassified information (CUI) program requirements in Federal contracts in a uniform manner to protect CUI.
This rule is one element of a larger strategy to improve the Government’s efforts to identify, deter, protect against, detect, and respond to increasing sophisticated threat actions targeting Federal contractors.
This rule is being issued in accordance with the National Archives and Records Administration (NARA) regulations implementing the CUI program per Executive Order 13556 issued November 4, 2010, as implemented in NARA’s implementing regulations.”
That’s right, NIST SP 800-171 isn’t just a requirement for Department of Defense contractors, but for all federal contractors handling any category of Controlled Unclassified Information.
Saying the FAR CUI rule is a big deal is an understatement.
In addition to DoD and the SBA office of advocacy, the Civilian Agency Acquisition Council is comprised of representatives from 19 departments and agencies:
- Department of Agriculture
- Department of Commerce
- Department of Education
- Department of Energy
- Department of Health and Human Services
- Department of Homeland Security
- Department of Housing and Urban Development
- Department of the Interior
- Department of Justice
- Department of Labor
- Department of State
- Department of Transportation
- Department of Treasury
- Department of Veterans Affairs
- Environmental Protection Agency
- National Aeronautics and Space Administration
- Small Business Administration
- Social Security Administration
- U.S. Agency for International Development
- The FAR CUI rule is the missing piece of the 3-part plan to implement Executive Order 13556 "Controlled Unclassified Information".
It was the original regulatory "harmonization" before that was the cool thing to say.
Status of the FAR CUI rule
On May 20th, 2024 the Chair of the Civilian Agency Acquisition Council (CAAC) sent the proposed FAR CUI rule to OIRA.
OIRA review is the last step prior to publication in the Federal Register.
After waiting 8 years, we should see a published FAR CUI proposed rule by mid-August.
On paper, OIRA has 90 days to review rules.
OIRA received the rule on May 21st, 2024 + 90 days = August 19th, 2024
OIRA can request a 30-day extension = September 18th, 2024
We could easily end up with both the FAR CUI proposed rule and the 48 CFR CMMC proposed rule published in the same month:
Check out the full episode for explanations of the top things we’d like to know about the FAR CUI Rule
- Will the FAR CUI rule define Organizationally Defined Parameters (ODPs)?
- Which revision of NIST SP 800-171 will be specified?
- Will the FAR CUI rule include NIST SP 800-172 requirements?
- Will the rule expand and clarify Federal Contract Information (FCI)?
- Will there be a “phased roll-out" for the FAR CUI clause in federal contracts?
- Will the rule discuss the need for external assessments like CMMC?
Sum IT Up Podcast
With Jacob Horne and Jason Sproesser
We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.
