The FAR CUI proposed rule has officially moved into regulatory review with the Office of Information and Regulatory Affairs (OIRA).
With the FAR CUI rule one step away from publication in the Federal Register, we dive a little deeper into what it is and some open questions we’re looking forward to resolving when the rule, after nearly 10 years, is finally released.
This episode is from the Sum IT Up podcast. Click here to learn more.
The FAR CUI rule creates a government-wide contract clause requiring the implementation of NIST SP 800-171 for the protection of Controlled Unclassified Information.
“This rule will apply the controlled unclassified information (CUI) program requirements in Federal contracts in a uniform manner to protect CUI.
This rule is one element of a larger strategy to improve the Government’s efforts to identify, deter, protect against, detect, and respond to increasing sophisticated threat actions targeting Federal contractors.
This rule is being issued in accordance with the National Archives and Records Administration (NARA) regulations implementing the CUI program per Executive Order 13556 issued November 4, 2010, as implemented in NARA’s implementing regulations.”
That’s right, NIST SP 800-171 isn’t just a requirement for Department of Defense contractors, but for all federal contractors handling any category of Controlled Unclassified Information.
Saying the FAR CUI rule is a big deal is an understatement.
In addition to DoD and the SBA office of advocacy, the Civilian Agency Acquisition Council is comprised of representatives from 19 departments and agencies:
It was the original regulatory "harmonization" before that was the cool thing to say.
On May 20th, 2024 the Chair of the Civilian Agency Acquisition Council (CAAC) sent the proposed FAR CUI rule to OIRA.
OIRA review is the last step prior to publication in the Federal Register.
After waiting 8 years, we should see a published FAR CUI proposed rule by mid-August.
On paper, OIRA has 90 days to review rules.
OIRA received the rule on May 21st, 2024 + 90 days = August 19th, 2024
OIRA can request a 30-day extension = September 18th, 2024
We could easily end up with both the FAR CUI proposed rule and the 48 CFR CMMC proposed rule published in the same month:
With Jacob Horne and Jason Sproesser
We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.