After years of anticipation, the FAR CUI (Federal Acquisition Regulation for Controlled Unclassified Information) proposed rule has been published.
This rule represents the long-missing third piece of the federal CUI puzzle, joining the existing regulations overseen by the National Archives and Records Administration (NARA) and the Department of Defense (DoD).
This episode is from the Sum IT Up podcast. Click here to learn more.
“This rule will apply the controlled unclassified information (CUI) program requirements in Federal contracts in a uniform manner to protect CUI.
This rule is one element of a larger strategy to improve the Government’s efforts to identify, deter, protect against, detect, and respond to increasing sophisticated threat actions targeting Federal contractors.
This rule is being issued in accordance with the National Archives and Records Administration (NARA) regulations implementing the CUI program per Executive Order 13556 issued November 4, 2010, as implemented in NARA’s implementing regulations.”
That’s right, NIST SP 800-171 isn’t just a requirement for Department of Defense contractors, but for ALL federal contractors handling any category of Controlled Unclassified Information.
Saying the FAR CUI rule is a big deal is an understatement. It was the original regulatory "harmonization" before that was the cool thing to say.
In addition to the DoD and the SBA office of advocacy, the Civilian Agency Acquisition Council is comprised of representatives from 19 departments and agencies:
We like to talk about the now officially published 32 CFR CMMC Final Rule around here, but the FAR CUI dwarfs it in comparison.
The journey of the FAR CUI rule dates back over 14 years, to the signing of Executive Order 13556, which created the foundation for managing CUI across federal agencies. However, despite the clear mandate, the FAR CUI rule languished in regulatory limbo for years. Originally expected to be released over seven years ago, the rule got caught between conflicting priorities. NIST SP 800-171 was introduced as a stopgap due to disagreements between NARA and the DoD over how contractors should handle CUI.
NARA wanted a comprehensive approach, while the DoD preferred a more streamlined process. The DoD ultimately deferred to NARA’s leadership, but with no FAR CUI rule in sight, the DoD had to revise its own regulations under DFARS 7012. As time passed, the FAR CUI rule faded from the spotlight, and the DoD’s struggles with self-attestation and compliance challenges became front and center.
The introduction of Standard Form SF XXX is a game-changer. For the first time, contractors will receive a clear, standardized identification of CUI in their contracts. This eliminates ambiguity and provides explicit instructions on handling, marking, and securing CUI within federal contracts.
This standard form will:
Clearly identify any CUI involved in a contract.
Outline handling, marking, and dissemination requirements.
Specify security controls applicable to federal and contractor information systems.
The rule introduces two contract clauses:
FAR 52.204-XX: Required when CUI is involved, mandating NIST 800-171 compliance and incident reporting.
FAR 52.204-YY: Applies even when no CUI is initially identified, requiring contractors to report suspected CUI within 8 hours of discovery.
Both clauses ensure that even if CUI is identified after contract award, it must be handled in accordance with FAR CUI rules.
One of the most significant changes is the new incident reporting timeframe. Under FAR CUI:
Contractors must report any suspected or confirmed CUI breaches within 8 hours.
This is a dramatic shift from the DoD’s 72-hour requirement under DFARS 252.204-7012.
This compressed timeline demands that contractors have robust incident response procedures in place, as failure to report in time could result in contract penalties or other enforcement actions.
For the first time, the government has provided official cost estimates for implementing NIST 800-171:
A small business can expect first-year costs of $148,200.
These figures align closely with Summit 7's previous estimate, which suggested compliance costs between $120,000 - $180,000.
For many contractors, these numbers confirm what industry experts have been saying for years: compliance is costly, but necessary.
March 17, 2025 – Public comment period begins.
Q4 2025 - Q1 2026 – FAR CUI clauses enter contracts.
No phased rollout – All contracts with CUI will require compliance immediately.
One of the more contentious issues in the CUI space has been the concept of "FedRAMP moderate equivalency," particularly when it comes to handling CUI in cloud environments. In the absence of widely available FedRAMP-certified cloud services back in 2015, the DoD created the idea of "equivalency" to allow contractors to use cloud providers that could meet the security requirements of FedRAMP moderate, even if they weren't fully certified. This workaround, however, has proven problematic.
Many contractors have ignored this provision in their contracts, leading to widespread non-compliance. Even the DoD's January 2023 memo on equivalency highlighted this failure. Now, with the FAR CUI rule has eliminated the "equivalency" loophole. The rule specifies that CUI must be stored and processed in systems certified at least to FedRAMP Moderate. The "equivalency" approach previously allowed for non-FedRAMP-certified solutions has been eliminated, reinforcing the government’s preference for stringent cloud security standards. The rule states, "FedRAMP Moderate certification is non-negotiable for any cloud-based storage or processing of CUI."
This rule is expected to align closely with DFARS 252.204-7012, effectively extending its reach to all federal contractors, not just those working with the DoD.
This long-awaited rule could change how contractors across the federal landscape handle CUI, possibly putting an end to self-attestation and introducing a more robust verification process. Whether this comes in the form of external assessments or another mechanism remains to be seen, but contractors should brace for significant shifts in compliance expectations.
For those who thought NIST SP 800-171 was just a DoD thing, the FAR CUI rule will make it clear that these cybersecurity standards apply much more broadly.
As we wait for the full details of the FAR CUI rule, one thing is clear: the long-standing gaps in federal CUI management are finally closing, and the federal government is taking major steps to enhance its cybersecurity posture across all agencies.
With Jacob Horne and Jason Sproesser
We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others. Listen and subscribe below: