Proposed Rule Overview
On January 15, 2025, the FAR Council released its long-awaited proposed rule (the Rule) regulating the use and handling of controlled unclassified information (CUI), part of the government's broader strategy to reduce the threat that sophisticated cyber criminals and adversaries pose to federal information. Generally, CUI is sensitive but unclassified government information that law, regulation, or government-wide policy requires to be protected. The Rule aims to standardize how contractors and subcontractors handle CUI and applies to contractors of all federal executive agencies, except under contracts and solicitations solely for commercially available off-the-shelf (COTS) items. It would add a new solicitation provision, a standard form, and two contract clauses to the FAR and impose significant obligations that warrant careful consideration by every covered federal contractor. More specifically, the Rule introduces new compliance and reporting requirements and procedures and spells out the respective roles and responsibilities of contractors and the government in using and handling CUI.
Interested parties are encouraged to submit comments in response to the proposed rule on or before March 17, 2025.
Regulatory Background
The Rule should come as no surprise: it is part of a longstanding government strategy to protect CUI from malicious actors. Executive Order (EO) 13556 of November 4, 2010, Controlled Unclassified Information, established the CUI program and designated the National Archives and Records Administration (NARA) as its executive agent. NARA then codified rules and procedures (32 CFR part 2002) for marking, handling, collecting, receiving, transmitting, and storing CUI, and established and maintains the CUI Registry of CUI categories. That program is the foundation for the federal contractor CUI rule.
Notably, the proposed Rule largely mirrors requirements already imposed by the Department of Defense (DoD). DoD implemented the CUI program for its contractors through DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which has required compliance with NIST SP 800-171 since December 31, 2017. Contractors already compliant with that DFARS clause should therefore find many of the Rule's requirements familiar.
Below we summarize the key aspects of the Rule, with the caveat that, because this is a proposed rule, it may change after comments are received. Nevertheless, given the scope of the obligations the Rule seeks to impose on federal contractors, we strongly encourage covered contractors to familiarize themselves with the Rule sooner rather than later, so that efforts to implement a system that ensures compliance (to the extent not already begun) can get underway.
Definitions
What is CUI, and who defines it?
The general definition of CUI comes from NARA's regulation, which defines CUI as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” 32 CFR 2002.4(h). NARA's CUI Registry identifies the categories of CUI and specifies, among other things, how information in each category must be marked and disseminated.
What is a “CUI incident”?
The Rule would amend FAR 2.101, Definitions, to add a definition of a CUI incident: “CUI incident means suspected or confirmed improper access, use, disclosure, modification, or destruction.” Note that the definition reaches suspected incidents, not only confirmed ones, which is what starts the reporting clock discussed below.
Applicability
- The Rule has very broad application: it applies to every acquisition in which a contractor's information system may contain covered information during performance of the contract.
- The Rule does not apply to the acquisition of commercially available off-the-shelf (COTS) items.
- The Rule does apply to contracts at or below the Simplified Acquisition Threshold (SAT) and to acquisitions of commercial products and services.
Purpose and Function
The Rule includes new provisions, clauses, and forms. Each provision, form, and clause is covered in more detail below.
Provision FAR 52.204–WW, Notice of Controlled Unclassified Information Requirements
Proposed FAR provision 52.204-WW would be included in all solicitations and contracts, except those solely for the acquisition of COTS items.
Purpose of the provision
The provision notifies offerors that the agency will provide its procedures for handling CUI exchanged during the solicitation phase.
It also gives notice of the marking requirements for contractor bid or proposal information, proprietary business information, and contractor-attributional information, so that such information receives appropriate protection.
Requirements — reporting and use of information
The provision requires offerors to notify the Contracting Officer within eight hours of discovering unmarked or mismarked CUI identified in the SF XXX, or a CUI incident involving information handled by the offeror during the solicitation phase.
Offerors and contractors are prohibited from using government-provided information for their own purposes, whether or not the information is marked as CUI.
SF XXX Standard Form (SF), Controlled Unclassified Information (CUI) Requirements
This form will be included in solicitations and contracts under which the contractor may handle CUI, and its contents become performance requirements of the contract. The form addresses three things: identification of the CUI involved, the point of contact for CUI incidents, and which clause applies. The form and provision WW work in tandem: the form identifies the CUI, and the provision requires offerors to safeguard it and to report mismarked CUI or CUI incidents to the Contracting Officer.
The SF identifies the CUI involved in performance of the contract. The government, not the contractor, identifies the CUI the contractor is required to protect.
The SF designates an agency point of contact to whom CUI incidents are to be reported.
The SF also determines which clause is incorporated into the contract:
- If the government marks “Yes” in Part A of SF XXX, meaning the contractor is expected to handle CUI, the Contracting Officer must incorporate FAR 52.204-XX, and the full set of compliance requirements in that clause will apply.
- If no CUI is expected and the government marks “No” in Part A of SF XXX, FAR 52.204-YY is incorporated instead.
- Only one of the two clauses, -XX or -YY, can be included in a given contract.
The SF also requires prime contractors to flow down SF XXX to their subcontractors.
FAR Clause 1: FAR 52.204-XX, Controlled Unclassified Information
When SF XXX indicates that the contractor will handle CUI, FAR 52.204-XX is used. The clause requires contractors to comply with the requirements stated in the clause and any additional requirements set by the agency. It applies only to the information identified in SF XXX.
Most notably, the clause contains safeguarding requirements, incident reporting requirements, compliance validation, marking and notification requirements, restrictions on the use of government-provided information, employee training requirements, flow-down requirements, and additional heightened compliance requirements. We summarize the most notable safeguarding and reporting requirements below, but recommend that contractors review the clause in its entirety to appreciate the full scope of the obligations it imposes.
Safeguarding
FAR 52.204-XX contains requirements for safeguarding CUI residing on federal and non-federal information systems, as identified in SF XXX. A contractor subject to the clause must implement the following controls:
- If the contractor operates an information system identified in SF XXX as a federal information system:
  - The contractor must comply with the agency-identified security requirements drawn from the latest version of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, and with any CUI Specified requirements.
  - For cloud computing services, the contractor must at a minimum meet the FedRAMP Moderate baseline, plus any additional requirements the agency identifies.
- If the contractor operates a non-federal information system:
  - The contractor must comply with the security requirements of NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, or such other version as the Contracting Officer authorizes. NIST SP 800-171 sets out the security requirements intended to help contractors safeguard CUI received or generated in the course of contract performance.
  - The contractor must also comply with any agency-identified requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information.
  - Cloud service providers must meet the FedRAMP Moderate security requirements.
  - The system security plan required by NIST SP 800-171 Rev. 2 must be submitted upon request to demonstrate compliance.
Reporting Incidents
The clause also sets out requirements for reporting and managing CUI incidents.
If an incident occurs in a federally controlled facility, the contractor reports it according to the agency's policies.
If an incident occurs in a non-federally controlled facility:
- The contractor must report to the point of contact identified in the SF XXX, or to the Contracting Officer if none is identified, within eight hours of discovery.
- The initial report must include the information available at the time, and the contractor must supplement it as additional information becomes available. The clause specifies the data elements the report must contain.
FAR Clause 2: FAR 52.204–YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information
This clause is used in lieu of the CUI clause (FAR 52.204-XX) when the contract does not identify any CUI.
Reporting requirement
- Trigger: the contractor discovers unmarked or mismarked CUI, or a suspected CUI incident, involving information it handles. The contractor must report any information that it believes, or has reason to know, is CUI, whether that information is marked, unmarked, or improperly marked, as well as any information it believes is CUI that is involved in a suspected or confirmed CUI incident.
- Timing: within eight hours of discovering or suspecting that the information is CUI.
- Recipient: the Contracting Officer (per FAR 52.204-YY(b)).
In addition, the clause:
- Requires the contractor to properly mark its proprietary business information to ensure adequate protection.
- Prohibits offerors and contractors from using government-provided information for their own purposes, whether or not the information is marked as CUI.
Looking into the future
Despite the freeze placed on the issuance of new regulations and the likely reassessment of proposed rules such as this one, there is little indication that this Rule is at risk of being withdrawn or stalled, as cybersecurity protections tend to be a bipartisan issue. The Rule has been in process for many years and imposes significant compliance obligations on covered contractors, including non-DoD contractors working with CUI. Perhaps the greatest impact will be felt by non-DoD small businesses, given the absence of a small business exception; the proposed Rule itself estimates the resulting implementation costs, which will likely be substantial for these contractors. Keep in mind, too, that the Rule reaches not just awards known to involve CUI but also contractors that identify potential CUI after award, through the reporting and marking requirements of FAR 52.204-YY. Although obligations under currently awarded contracts will not be affected, the going-forward impact of the Rule, once finalized, will be substantial for non-DoD contractors.
The Rule also reminds contractors of the importance the government places on effective data security protocols and processes. Although the FAR Council does not propose a 100% inspection approach to verifying compliance, the government retains significant authority to inspect compliance at any time. The government also has a wide range of existing enforcement tools, many of which are already being used in the cybersecurity context, such as suspension and debarment, contractual remedies, and the False Claims Act. These remedies are in addition to the Rule's own provision for assessing financial liability against contractors for CUI incidents for which they are at fault.
Overall, even though the Rule is still at the proposed-rule stage, we recommend that contractors assess now what changes to their current processes and systems would be needed to comply. For starters, contractors should compare their internal security measures to the requirements of NIST SP 800-171 Rev. 2, engage internal stakeholders to develop a compliance plan for the proposed Rule, and submit comments on the Rule by March 17, 2025.