FAR Council's Proposed Rule for CUI: A Step Forward or More of the Same?

Litigation Alert

After years of contractor confusion over the federal government's inconsistent requirements for handling of Controlled Unclassified Information (CUI), a new proposed rule aims to provide clarity and governmentwide uniformity. Proposed by the Federal Acquisition Regulatory Council (FAR Council) on January 15, 2025, the rule establishes cybersecurity, incident reporting, and training requirements for all executive agencies to use as a baseline in defining contractors' CUI-related responsibilities. What the proposed rule does not do, however, is precisely define what constitutes CUI. Because of this and some of the proposed rule's other more onerous provisions, including an eight-hour incident reporting deadline, contractors should seriously consider the impact of the proposed rule to their businesses and whether to submit comments before the March 17, 2025 deadline.  

Background

CUI is a broad label for sensitive but unclassified information that the federal government wants to keep private, including over 100 categories of information tracked by the National Archives and Records Administration (NARA) CUI Registry. The term stems from Executive Order 13556, issued in 2010, which established the CUI Program to standardize the then-existing ad hoc, agency-specific, "inefficient, confusing patchwork" of policies and regulations governing this type of information. However, despite the Department of Defense (DoD) issuing a Defense Federal Acquisition Regulation Supplement (DFARS) rule to incorporate the CUI Program into the acquisition process (DFARS 252.204-7012), a corresponding Federal Acquisition Regulation (FAR) rule had not been proposed until now. With this proposed rule, the FAR Council aims to improve efficiency and enable more effective protection of CUI. 

The Proposed Rule

The proposed rule, which will apply to all solicitations and contracts other than commercially available off-the-shelf (COTS) procurements, includes three main components: definitions for CUI and related terms, a new form for agencies to include in all solicitations and contracts that may involve CUI, and two new FAR clauses.

Definitions 

The proposed rule defines CUI as "information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls." While creating a definition for CUI answers the repeated calls for clarity from industry and government alike, the proposed definition is so vague it does little to help the relevant parties understand what exactly constitutes CUI. 

The proposed rule also adds definitions for "contractor-attributional information," "CUI Incident," and "CUI Registry."

Standard Form XXX, Controlled Unclassified Information Requirements

The new Standard Form (SF) XXX allows agencies to tie particular handling requirements, including agency-specific requirements, to certain categories of CUI. While the procuring agency will prepare the form for prime contractors, it is the prime's responsibility to generate an SF XXX for all subcontractors who may have access to CUI. These handling requirements will become performance requirements during contract performance.

New FAR Clauses

FAR 52.204-XX, Controlled Unclassified Information

FAR 52.204-XX is to be included in all contracts where the SF XXX indicates that the contractor will handle or generate CUI during contract performance. The clause will only apply to CUI expressly listed on the SF XXX. However, contractors have an obligation to affirmatively report material not on the list that they think may be CUI. 

In addition, if CUI is stored on or travels through a contractor's information system or network, the contractor's system or network must:

  • Comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2 (not the more recent Revision 3)
  • Potentially comply with the enhanced requirements of NIST SP 800-172 if the subject CUI relates to a critical program or high-value asset
  • Meet Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline requirements if using a cloud service provider

FAR 52.204-XX additionally provides the following: 

  • Contractors must report incidents where "CUI was or could have been improperly accessed, used, processed, stored, maintained, disseminated, disclosed, or disposed of" to the agency within eight hours of discovery
  • Contractors "may be financially liable" for costs associated with the government's response and mitigation efforts if found not to have safeguarded CUI in accordance with contract requirements
  • Permits agencies to release contractors' bid or proposal information, proprietary business information, and contractor-attributional information to entities outside of the government if such information is necessary to respond to a CUI incident
  • Requires contractors to notify the agency within eight hours (and appropriately safeguard the material in the meantime) if they believe information is unidentified or mismarked CUI
  • Contractor employees who may interact with CUI must satisfy mandatory training requirements to be specified on the SF XXX and contractors should be prepared to supply training records upon request
  • Prime contractors must flow down FAR 52.204-XX to all subcontractors with access to CUI

FAR 52.204-YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information

If the agency indicates on the SF XXX that the contractor will not encounter CUI during contract performance, the contract will include FAR 52.204-YY. Under this clause, contractors must still educate themselves about CUI regulations despite not being expected to handle or generate CUI. 

In particular, FAR 52.204-YY:

  • Requires contractors to report material they believe is unidentified or mismarked CUI within eight hours and appropriately safeguard it during agency review
  • Prohibits contractors from using government-provided information, whether or not it is marked as CUI, for their "own purposes" unless it is in the public domain or shared by a third party
  • Requires contractors to mark their proprietary business information submitted to the government for the agency to determine if it should be protected as CUI
  • Requires prime contractors to flow down this clause to subcontractors

Outstanding Questions

While the proposed rule will provide a uniform approach and increase the protection of sensitive information, it leaves some unanswered questions for contractors to consider:

  • Does the definition of CUI provide adequate clarity enabling contractors to implement effective compliance strategies?
  • The proposed rule requires contractors to comply with NIST SP 800-171 Revision 2 even though NIST finalized Revision 3 in May 2024. The FAR Council left open the possibility of updating the CUI rule in the future to incorporate Revision 3, creating uncertainty about which standard to prioritize.
  • The eight-hour reporting requirement may be difficult for companies to integrate with their existing incident response protocols, particularly given its misalignment with other existing cyber incident reporting requirements, such as the one in DFARS 252.204-7012, which has a 72-hour reporting requirement. It could also lead to overreporting, since contractors will not have sufficient time to adequately investigate incidents.
  • Will the cost of complicated (and inconsistent) compliance regimes, combined with the risk associated with the potential release of proprietary information, be a barrier to entry into the federal market, or cause existing federal contractors to leave the market? This is a particular concern for small businesses.  

Comments on the proposed rule are due by March 17, 2025. If you have any questions about the proposed rule, the submission of comments, or your company's CUI compliance obligations, please contact one of the Miller & Chevalier attorneys listed below. 

Ashley Powers, apowers@milchev.com, 202-626-5564

Jason N. Workmaster, jworkmaster@milchev.com, 202-626-5893

Alex L. Sarria, asarria@milchev.com, 202-626-5822 

Scott N. Flesch, sflesch@milchev.com, 202-626-1584

Connor W. Farrell, cfarrell@milchev.com, 202-626-5925

Elissa B. Harwood, eharwood@milchev.com, 202-626-5890



The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.