| Go-To Guide: |
|
On Jan. 15, 2025, the Department of Defense (DoD), General Services Administration, and NASA, all members of the FAR Council, published a proposed FAR CUI Rule under Title 48 of the CFR. This proposed rule amends the Federal Acquisition Regulation (FAR) to implement the third and final piece of the National Archives and Records Administration’s (NARA) Federal Controlled Unclassified Information (CUI) Program, which dates back to Executive Order 13556 from 2010. A November 2024 GT Alert explains the history and origin of the FAR CUI journey.
As anticipated, the FAR CUI Rule applies to contractors of all federal executive agencies and implements NARA’s policies under 32 CFR part 2002, which codified a standardized approach to designating, handling, and safeguarding CUI. The proposed rule also introduces new procedures, including reporting and compliance obligations, and defines roles and responsibilities for both the government and contractors who use and handle CUI.
All Contractors Must Meet Baseline Cybersecurity Requirements
- CUI Standard Form and Contract Clause. To advance uniformity across agencies, the proposed rule introduces a new standard form, SF XXX, which would be included in solicitations and contracts to “determine what information under the contract is considered CUI and how to properly safeguard the CUI.” Contractors that perform under an SF XXX would need to comply with FAR 52.204-XX (a new contract clause), which would further specify CUI requirements, such as NIST SP 800-171, revision 2 security requirements, or NIST SP 800-53 controls, as appropriate. It may also include agency-specific security requirements. The FAR Council also anticipates that a limited number of contractors would be subject to enhanced security requirements under NIST SP 800-172 to protect designated CUI that is associated with a critical program or high-value assets.
SF XXX (90 FR 4302)
To the extent that contractors need to flow down CUI with a subcontractor, contractors must also prepare an SF XXX and distribute it downstream “at all subcontract tiers” to ensure proper safeguarding throughout the supply chain. The expectation and goal are to ensure that all parties are aligned on what information is CUI and what is required to protect that information. The FAR Council estimates that, on average, it would take two hours to review the SF XXX, so both contractors and subcontractors should expect detailed CUI information and safeguarding instructions under each contract.
- No CUI Contract Clause—FAR 52.204-YY. Identifying and Reporting Information That Is Potentially Controlled Unclassified Information. The proposed rule introduces a second contract clause that would apply where no CUI is involved in the performance of a contract (if the “No” box is marked in Part A of the SF XXX). Under this clause, contractors would need to notify the government “if there appears to be unmarked or mismarked CUI or a suspected CUI incident related to information handled by the contractor in performance of the contract.” This clause also flows down to subcontractors.
- Solicitation Provision—FAR 52-204-WW. Notice of Controlled Unclassified Requirements. This new solicitation provision would notify “offerors that agencies will provide agency procedures on handling CUI during the solicitation phase if handling CUI is necessary to prepare an offer.” Like the proposed FAR 52.204-YY contract clause, this provision also provides that offerors should notify the contracting officer of any unmarked or mismarked CUI or a CUI incident during the solicitation phase.
- Commercially Available, Off-the-Shelf Items. The CUI requirements under the proposed rule would not apply to solicitations and contracts that are solely for acquiring commercially available, off-the-shelf items. However, the new proposed FAR clauses would apply to acquisitions of commercial products and services, as well as to simplified acquisitions for other than commercial products or services.
Proposed Rule Principles
- No Independent Certification; Ad-Hoc Verification. The proposed rule is distinct from the DoD’s implementation of its CUI Program and Cybersecurity Maturity Model Certification (CMMC) in that, as a default rule, contractors would not be required to submit evidence they are compliant with the CUI requirements. The FAR Council explains that “defense contractors should have already implemented system security plans in accordance with DFARS clause 252.204-7012 and non-defense contractors have incentive to ensure compliance with the requirements in FAR clause 52.204-XX to avoid liability for breaches of CUI that may result from improperly protecting CUI being handled on the contractor’s information system.” Instead, contractors may be required to furnish certain information upon request, including documentation to verify compliance with system security plans or training requirements in connection with a CUI incident.
- Training Requirements. The proposed CUI requirements include minimum training requirements, which contractors and subcontractors would be required to complete as specified on the SF XXX. Agencies may, at their discretion, also require evidence that contractors and subcontractors have provided appropriate employee training on safeguarding CUI, as required under FAR clause 52.204-XX.
- Eight-Hour Reporting. Where there is CUI that appears to be unmarked or mismarked, offerors and contractors must notify the contracting officer representative or designated agency official within eight hours of discovery. Further, non-defense contractors and subcontractors that discover a suspected or confirmed CUI incident—where “CUI was or could have been improperly accessed, used, processed, stored, maintained, disseminated, disclosed, or disposed of”—must report the incident to the agency as specified in the SF XXX. Subcontractors are also required to notify the prime or next higher tier subcontractor within the same eight-hour timeframe. (While the proposed rule does not attribute this requirement to defense contractors since they are expected to already comply with DFARS 252.204-7012, the relevant provision to “rapidly report” cyber incidents to DoD specifies a 72-hour timeframe from the time of discovery.)
- Compliance Costs and Small Business Contractors. For non-defense contractors and subcontractors, the FAR Council estimates the following labor and hardware (Hw)/software (Sw) costs to comply with NIST SP 800-171, revision 2.
| Type of Contractor | Initial Year Costs Labor | Hw/Sw |
Recurring Annual Costs Labor | Hw/Sw |
||
| Small Business | $148,200 (est. 1,560 hours * $95) | $27,500 | $98,800 (est. 1,040 hours * $95) | $5,000 |
| Other Than Small | $543,400 (est. 5,720 hours * $95) | $140,000 | $494,000 (est. 5,200 * $95) | $80,000 |
Separately, the proposed rule estimates that the annual cost to implement and maintain a system security plan is an additional $1,140 (est. 12 hours * $95). These estimates do not account for costs associated with NIST SP 800-53 or FedRAMP Moderate baseline compliance efforts because they are separately addressed under the proposed rule to standardize cybersecurity requirements for unclassified federal information systems (FAR Case 2021-019).
Much like DoD’s response to small business concerns under the CMMC rulemaking activities, as well as the Cybersecurity and Infrastructure Security Agency’s posture under the Cyber Incident Reporting for Critical Infrastructure Act proposed rules, small business contractors may not be granted categorical cost relief under the FAR CUI Rule. “[S]mall businesses that do business with DoD and handle CUI in performance of their contracts are already subject to requirements equivalent to the new FAR clause and provision,” and “small businesses that do business with other agencies that have included similar or overlapping safeguarding requirements under agency-specific contract terms may already be in partial or substantial compliance with the clause requirements.”
- NIST SP 800-171 Revision 3 Updates. NIST issued revision 3 to SP 800-171 in May 2024, and as the publication nears its one-year anniversary, agencies will be required to meet the updated standards and guidelines (OMB Circular No. A-130 “Managing Information as a Strategic Resource”). The proposed rule acknowledges this and anticipates future rulemaking to incorporate the latest version. In doing so, the FAR Council explicitly notes the need to “immediately implement requirements to protect CUI on non-Federal information systems; therefore, this proposed rule does not seek to implement NIST’s most recent revision.”
- Requirements for Federal Information Systems. Where the SF XXX specifies a federal information system using cloud computing services, the contractor must meet any agency-specified requirements and, at a minimum, must comply with the FedRAMP Moderate Baseline security controls. Where a contractor operates a non-federal information system but uses a cloud service provider to store, process, or transmit CUI, that cloud service provider must also meet FedRAMP Moderate Baseline standards.
Takeaways
While the new administration issued the standard regulatory freeze pending review, the order does not pause the public comment period, which will run through March 17, 2025, as scheduled. Moreover, federal contractors are advised that many of the obligations under the proposed rule are modeled after the established DFARS 252.204-7012, “which introduced many of these compliance requirements on defense contractors and subcontractors in 2015 and required compliance not later than December 31, 2017.” Interested parties should submit comments by March 17, 2025.