After years of anticipation, the FAR CUI rule (the Federal Acquisition Regulation rule for Controlled Unclassified Information) has finally cleared regulatory review, marking a crucial step in the evolution of the federal CUI program. The rule, which is expected to be published in November 2024, is the long-missing third piece of the federal CUI puzzle, joining the existing regulations overseen by the National Archives and Records Administration (NARA) and the Department of Defense (DoD).
This episode is from the Sum IT Up podcast.
“This rule will apply the controlled unclassified information (CUI) program requirements in Federal contracts in a uniform manner to protect CUI.
This rule is one element of a larger strategy to improve the Government’s efforts to identify, deter, protect against, detect, and respond to increasingly sophisticated threat actions targeting Federal contractors.
This rule is being issued in accordance with the National Archives and Records Administration (NARA) regulations implementing the CUI program per Executive Order 13556 issued November 4, 2010, as implemented in NARA’s implementing regulations.”
That’s right: NIST SP 800-171 isn’t just a requirement for Department of Defense contractors, but for ALL federal contractors handling any category of Controlled Unclassified Information.
Saying the FAR CUI rule is a big deal is an understatement. It was the original regulatory "harmonization" before harmonization was the cool thing to say.
In addition to DoD and the SBA Office of Advocacy, the Civilian Agency Acquisition Council is composed of representatives from 19 departments and agencies:
We like to talk about the now officially published 32 CFR CMMC Final Rule around here, but the FAR CUI rule dwarfs it in scope.
The journey of the FAR CUI rule dates back over 14 years, to the signing of Executive Order 13556, which created the foundation for managing CUI across federal agencies. Despite that clear mandate, the FAR CUI rule languished in regulatory limbo for years. Originally expected to be released over seven years ago, the rule got caught between conflicting priorities. NIST SP 800-171 was introduced as a stopgap because NARA and DoD disagreed over how contractors should handle CUI.
NARA wanted a comprehensive approach, pushing for around 260 controls for managing CUI, while DoD preferred a more streamlined set of requirements. DoD ultimately deferred to NARA’s leadership, but with no FAR CUI rule in sight, it had to revise its own regulation, DFARS 252.204-7012, to require NIST SP 800-171 for defense contractors. As time passed, the FAR CUI rule faded from the spotlight, and DoD’s struggles with self-attestation and compliance became front and center.
One of the more contentious issues in the CUI space has been the concept of "FedRAMP Moderate equivalency," particularly when it comes to handling CUI in cloud environments. Because FedRAMP-authorized cloud services were not widely available back in 2015, DoD created the idea of "equivalency" in DFARS 252.204-7012(b)(2)(ii)(D): contractors could use a cloud service provider that met security requirements equivalent to the FedRAMP Moderate baseline even if the provider did not hold a FedRAMP authorization. This workaround has proven problematic.
Many contractors have ignored this provision in their contracts, leading to widespread non-compliance. Even the DoD CIO’s December 2023 memo on equivalency, which spelled out what "equivalent" actually requires of a cloud service provider, highlighted this failure. Now, with the FAR CUI rule on the horizon, many believe that equivalency may not make it into government-wide policy, potentially signaling its end under both the FAR and the DFARS. The expected publication of the FAR CUI rule is seen as a major moment that could reshape contractor compliance and eliminate loopholes like "equivalency."
Now that the FAR CUI rule has cleared its final regulatory review at the Office of Information and Regulatory Affairs (OIRA), the next step is publication as a proposed rule in the Federal Register, followed by a 60-day public comment period. The rule is expected to align closely with DFARS 252.204-7012, effectively extending that clause’s requirements to all federal contractors, not just those working with DoD.
This long-awaited rule could change how contractors across the federal landscape handle CUI, possibly putting an end to self-attestation and introducing a more robust verification process. Whether that verification comes in the form of external assessments or another mechanism remains to be seen, but contractors should brace for significant shifts in compliance expectations.
For those who thought NIST SP 800-171 was just a DoD thing, the FAR CUI rule will make it clear that these cybersecurity standards apply much more broadly. With the rule’s expected release by the end of November 2024, federal contractors will need to stay tuned and prepare for another round of public feedback, compliance updates, and the potential end of policies like FedRAMP equivalency.
As we wait for the full details of the FAR CUI rule, one thing is clear: the long-standing gaps in federal CUI management are finally closing, and the federal government is taking major steps to enhance its cybersecurity posture across all agencies.
With Jacob Horne and Jason Sproesser
We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.