The FAR CUI Rule: Not Just for the DoD Anymore!
- David Sutherin
- Mar 11
- 6 min read
The public draft of the Federal Acquisition Regulation (FAR) Controlled Unclassified Information (CUI) Rule – released on January 15, 2025 under FAR Case 2017-016 – is set to introduce new compliance requirements for all federal contractors handling CUI. Organizations which have not previously had to navigate federal cybersecurity regulations imposed upon U.S. Department of Defense (DoD) suppliers may now find themselves subject to the requirements of NIST SP 800-171, which establishes security controls for protecting sensitive but unclassified information.

This post is designed to serve as a way for non-DoD suppliers to dip their toes into the water of CUI compliance based on our experience with existing frameworks – such as the Cybersecurity Maturity Model Certification (CMMC) program and Defense Federal Acquisition Regulation Supplement (DFARS) requirements. Understanding the key points of the FAR CUI Rule and differences between this rule and other regulations will help organizations prepare effectively.
Intro to the FAR CUI Rule
The proposed FAR CUI Rule extends cybersecurity requirements beyond the Department of Defense (DoD) to civilian federal contractors handling CUI. This means organizations will need to align with NIST SP 800-171 (Revision 2) security requirements and attest to their compliance. While the rule does not introduce third-party certification at this time, organizations must ensure they fully implement the necessary security measures.
While the CMMC program has reached maturity first, the idea for what would become the FAR CUI Rule arose before CMMC as a way to implement the requirements of Executive Order 13556, which defined the term Controlled Unclassified Information, established the NARA CUI Registry, and instructed federal agencies to begin the process of defining CUI categories. This Executive Order was intended to address the “inefficient, confusing patchwork” of agency policies regarding marking and safeguarding of sensitive government information.
Due to the complexity of aligning all federal organizations, the process stalled. The DoD, however, recognized the importance of identifying and managing information security, and implemented its requirements via a number of Defense Federal Acquisition Regulation Supplement (DFARS) rules, as well as by establishing the CMMC program. With the DoD leading the vanguard on CUI protection, other federal agencies have been able to benefit from the lessons learned through CMMC development, allowing the FAR CUI Rule to follow the DoD’s lead.
Applicability
Unlike the CMMC program, the proposed FAR CUI Rule would apply to all federal contractors who will have access to CUI in performance of government contracts. In addition, a supplemental clause (placeholder ID: 52.204-YY) will likely be included in all federal contracts. The clause, aptly entitled Identifying and Reporting Information That Is Potentially Controlled Unclassified Information, will require all federal contractors – regardless of whether they expect to handle CUI in their contract – to report to the government if they suspect they have received or generated CUI.
Key Requirements
As mentioned above, the FAR CUI Rule would require all federal contractors handling CUI to implement the requirements of NIST SP 800-171 Revision 2, aligning with CMMC Level 2. Unlike CMMC, however, third-party certification will not be required. Organizations will be required to self-attest to their compliance and may be required to provide the government with a system security plan (SSP) – plus any plans of action & milestones (POAMs) if they aren’t fully compliant.
Organizations self-attesting to compliance should be aware that the government reserves the right to audit contractors to validate compliance (§ IV.C.2(e)). Self-attestation is not a get-out-of-jail-free card allowing organizations to indifferently check a box indicating compliance. In fact, contractors could be on the hook for the cost of the government’s response and mitigation efforts for a CUI data breach if an investigation determines the contractor was at fault and “not safeguarding CUI in accordance with contract requirements.” (¶ 450)
The NIST SP 800-171 Requirements
If you haven’t been exposed to NIST SP 800-171 before, you’re likely wondering just what is required by the framework. To summarize, SP 800-171 contains 110 controls across 14 domains. The graphic below provides an overview of the number of controls per domain.

As you can see, the controls range from highly technical and IT-specific (e.g., access control) to broader organizational processes (e.g., personnel and physical security). Enumerating each of the requirements is beyond the scope of this article, but this bird’s-eye view can provide context as organizations begin to plan for implementation.
Contractual Identification & Handling of CUI
A welcome change from the current DoD practice is specification in (placeholder) clause 52.204-XX which requires contracting officers (COs) for contracts involving CUI to provide Standard Form XXX (yet another placeholder). This new document defines specific information about the CUI which will be handled along with requirements for safeguarding it.
The so-called SF XXX will include a listing of the specific types of CUI which will be handled (i.e., CUI Basic vs. CUI Specified – including category), which has been a source of confusion for DoD contractors based on limited and/or unclear guidance on what information received by contractors constitutes CUI. It will also include any agency-specific requirements regarding CUI access, dissemination, and handling; system security and privacy; contractor employee training requirements; and any CUI incident reporting instructions required by the agency, to include the agency website or single point of contact.
Comparison of FAR CUI Rule to CMMC
The table below provides a quick comparison of the proposed FAR CUI Rule to the CMMC program.
| Requirement | FAR CUI Rule (Case 2017-016) | CMMC (32 CFR 170) |
| --- | --- | --- |
| Summary | Requirements for protection of CUI for civilian agency suppliers | DoD validation mechanism for the controls from NIST SP 800-171 |
| Applies to | Civilian agency contractors handling CUI | DoD contractors handling CUI |
| Framework Used | NIST SP 800-171 | Level 1: FAR 52.240-21; Level 2: NIST SP 800-171; Level 3: NIST SP 800-171 + SP 800-172 |
| Validation | Self-attestation (documentation & audits may still be requested) | Self-attestation at Level 1; third-party assessment at Levels 2 & 3 |
| Enforcement | Contractual requirement | Required as condition of contract award |
| Additional Requirements | Defines standard forms for identifying CUI & handling requirements; condensed incident reporting timeline (8 hours, including suspected incidents) | Attestation via SPRS + incident reporting per DFARS 252.204-7012 (adoption of the FAR CUI Rule will revise incident reporting requirements to match) |
| Timeline | TBD (expected in late 2025/early 2026); no phased rollout | Officially established in December 2024; expected in contracts beginning mid-2025; 3-year phased rollout |
FAR CUI Rule information as of public draft released in January 2025 & subject to change before finalization
An Official Cost Estimate
The proposed FAR CUI Rule includes the first official estimate regarding compliance costs. For small businesses, the government estimates the initial cost of compliance to be $175K for labor, hardware, and software. The proposed rule also estimates an additional $100K per year for ongoing compliance maintenance.
Because the proposed FAR CUI Rule doesn’t include a third-party certification requirement, this estimate excludes assessment costs; DoD contractors also need to factor in third-party audits when estimating their costs for compliance with the CMMC program.
Steps for Newly Impacted Organizations
For organizations new to NIST SP 800-171, achieving compliance can seem like a daunting process. To get started, begin by breaking the process down into more manageable chunks, such as:
Determine if You Handle CUI: Review contracts, project scopes, and communications with federal agencies to assess if you process, store, or transmit CUI.
Establish an Incident Response Plan: If you don’t already have one, develop and test a plan to quickly detect, respond to, and mitigate cybersecurity incidents involving CUI.
Conduct a Gap Analysis: Compare your existing security measures against NIST SP 800-171’s 110 security requirements. Identify areas needing improvement and prioritize actions based on risk. Results of this gap analysis can also serve as inputs for the next step.
Develop a System Security Plan (SSP): This critical document outlines your organization’s cybersecurity program, details security measures, and describes how compliance will be achieved and maintained.
Implement Necessary Controls: After completing the high-priority steps above, begin addressing identified gaps by adopting appropriate technical, administrative, and physical security measures. Not sure where to begin? Review our post about developing an information security and compliance program through an iterative approach that starts small: Don’t Overlook Level 1 – Foundations of CMMC Success.
Establish & Maintain Thorough Documentation: A robust written information security plan (WISP) is the foundation of a good information security program, and defining measurable criteria makes it easier to determine whether your organization is meeting all the requirements. Be prepared to provide evidence of compliance if requested by an agency by maintaining records of security policies, risk assessments, incident response plans, and evidence artifacts.
Train Your Workforce: Employees play a crucial role in cybersecurity. Provide regular training on CUI handling, social engineering attacks (e.g., phishing), insider threats, and security best practices.
Conduct Regular Security Assessments: Implement periodic reviews of your strategy & implementation, and perform regular vulnerability assessments to detect and resolve security weaknesses.
Wrapping Up
While the FAR CUI Rule will introduce new obligations for federal civilian agency suppliers (and make modifications to DoD suppliers’ requirements), organizations that approach compliance methodically can ensure a smooth transition by being prepared before the rule goes into effect.
At Triumvirate Cybersecurity, we specialize in guiding organizations through compliance with NIST SP 800-171 and CMMC. Whether you’re newly impacted by the FAR CUI Rule or simply seeking to strengthen your security posture, we’re here to help. Reach out to us to learn more about how to navigate these evolving requirements and establish a strong security posture!