Proposed Rule Would Impose Government-Wide Controlled Unclassified Information (CUI) Handling Requirements

by Smith Currie Oles

Global cybercrime costs are expected to reach $10.5 trillion annually by 2025. (Cost of a Data Breach Report, 2024, IBM). Cybersecurity is not a partisan issue — the government has a shared interest in protecting our nation against cyber threats. Our previous article cautioned that the Cybersecurity Maturity Model Certification Program 2.0 (“CMMC 2.0”), effective as of December 16, 2024, marked a significant shift for current and future Department of Defense (“DoD”) contractors. CMMC 2.0 is a clear signal of sweeping changes on the horizon for government contract law. The rollout of CMMC 2.0 may be gathering steam—extending its impacts beyond DoD contractors.

On January 15, 2025, the Federal Acquisition Regulation (“FAR”) Council released a proposed rule (“FAR CUI Rule”) that would amend the FAR to establish a federal government-wide standard for managing Controlled Unclassified Information (“CUI”), while also implementing cybersecurity training and incident reporting requirements for all government contractors and subcontractors. The rule’s key cybersecurity requirements largely echo CMMC 2.0, but extend those requirements to contractors and subcontractors across all federal agencies. This latest development raises the compliance bar and signals an urgent call for contractors to adapt swiftly, or otherwise risk being left behind in the increasingly stringent world of government contracting.

The rule is intended to standardize the handling of CUI by federal government contractors and subcontractors in line with former President Biden’s farewell Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity. However, with the change in presidential administration, and the January 20, 2025, Executive Order on Regulatory Freeze Pending Review, the FAR Council cannot promulgate a final FAR CUI Rule until approved by appointees of the new administration. This could delay promulgation of a final rule, but otherwise seems unlikely to derail the rule altogether, since the safeguarding of cybersecurity is a topic that spans presidential administrations. In the meantime, the current regulatory freeze does not prevent the FAR Council from soliciting comments on the proposed rule, which are due May 17, 2025.

What is CUI?

CUI is a broad categorization that encompasses over 100 categories of information and is generally defined as “information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.” (32 C.F.R. § 2002.4(h)). Current CUI categories are listed in the National Archives and Records Administration (NARA) CUI Registry.

Standardizing CUI Handling

The FAR CUI Rule can be intimidating at first pass, but it can be broken down into three essential branches: (1) Standard Form (SF) XXX, Controlled Unclassified Information Requirements, (2) FAR 52.204-XX, Controlled Unclassified Information, and (3) FAR 52.204-YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information.

Standard Form

Standard Form (SF) XXX (“Form”) requires federal agencies to provide contractors with a standard form in solicitations and contracts, identifying whether a contractor is expected to handle CUI during performance. If CUI will be handled, the Form must also identify the categories of CUI involved in the performance of the contract—either FAR 52.204-XX or FAR 52.204-YY (only one or the other may be included in a contract, not both). The Form also provides instructions for reporting cyber incidents impacting CUI and may outline agency-specific requirements for safeguarding CUI (e.g., dissemination and marking procedures). The contracting agency will provide the Form to prime contractors, but the contractors are responsible for generating and providing a Form to each subcontractor expected to handle CUI.

FAR 52.204-XX (Contracts with Identified CUI)

FAR 52.204-XX will require contractors to implement National Institute of Standards and Technology Special Publication 800-171, Revision 2 (“NIST SP 800-171, Rev. 2”) at a minimum. Under this requirement, contractors must report any suspected or confirmed “CUI incident” on a non-federal information system within eight hours of discovery to a yet-to-be-identified agency official. A “CUI incident” is the improper access, use, disclosure, modification, or destruction of CUI. If a contractor is found to be at fault for the CUI incident, the contractor “may be” liable for costs incurred by the government in responding to and mitigating the incident.

The clause also details general requirements for all contractors, regardless of whether they operate a federal or non-federal information system. These include mandatory training for all personnel before they can access CUI, reporting suspected or confirmed incidents impacting CUI to the government within eight hours of discovery, and flow-down provisions to subcontractors whose performance involves CUI.

FAR 52.204-YY (Contracts Without Identified CUI)

FAR 52.204-YY will apply when the Form indicates the contractor will not handle or generate CUI during contract performance. Even so, it tasks contractors with notifying the government if the contractor discovers information that it believes, or has reason to know, is CUI. Contractors must notify the government within eight hours of discovery. FAR 52.204-YY must be flowed down to all subcontractors in its entirety.

Takeaways for Federal Government Contractors

Federal contractors and subcontractors should familiarize themselves with the FAR CUI Rule. Contractors can expect to see robust commentary over the next few months, particularly as the public comment period for this rule runs through May 17, 2025. During this time, contractors are highly encouraged to analyze the FAR CUI Rule requirements and provide feedback on the proposed rule. While the FAR CUI Rule has not yet made its way out of the rulemaking process, the general constructs behind the rule are likely to become final at some point. Therefore, the public comment period is an opportunity to voice concerns for further refinement of the rule.

During their initial review of the proposed requirements, contractors should evaluate their existing cybersecurity handling procedures, assess the gaps between their existing measures and the protocols set forth in NIST SP 800-171, and determine what financial impacts compliance with the FAR CUI Rule will have. Contractors should also keep in mind that they will be obligated to ensure that all subcontractors with which CUI is shared also comply with these new safeguarding requirements.

Importantly, the FAR CUI Rule is not exclusively focused on DoD contractors, and while it does overlap with CMMC 2.0, unlike CMMC 2.0, there are no certification mandates in the FAR CUI Rule—the framework is built around contractors self-attesting to compliance. Still, DoD contractors handling CUI must comply with all additional regulations that CMMC 2.0 mandates.

While the FAR CUI Rule may pose challenges for federal government contractors who need to move swiftly to comply with these CUI handling requirements, failing to do so may have larger consequences, given the Department of Justice’s recent crackdown on False Claims Act cases involving cybersecurity.

Smith Currie Oles will be monitoring changes to, and impacts of, the FAR CUI Rule, and stands ready to provide guidance and assistance to contractors in meeting these complex requirements and safeguarding their interests.

Kenny R. Cantrell, III

Associate

Atlanta

T: 404.582.8066

E: krcantrell@smithcurrie.com

Ashley P. Cullinan

Associate

Washington, D.C. Metro Area

T: 703.223.9229

E: apcullinan@smithcurrie.com

Sean Farrell

Associate

Atlanta

T: 404.582.8063

E: spfarrell@smithcurrie.com