The FAR Council issued a proposed rule on January 15, 2025, to incorporate CUI requirements into the FAR under Executive Order 13556, Controlled Unclassified Information. Controlled Unclassified Information is information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI may not be released to the public.
While DoD has implemented the CUI program requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, the FAR has only included the clause FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, which carries minimal requirements. It was only a matter of time before the CUI requirements were added to the FAR to provide consistency across federal agencies and contracts.
The proposed rule is very long and includes new forms, provisions, and clauses. Public comments are due March 17, 2025, so we strongly recommend contractors review the rule and provide comments.
What are the Requirements of the Proposed Rule?
Contractors that have CUI must implement the 110 security requirements in NIST SP 800-171 Rev 2, and some contractors may also need to comply with NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information, depending on the type of information systems used for CUI. The proposed rule applies to all federal contractors and subcontractors that handle CUI in the performance of contracts. It implements the following:
- Standard Form SF XXX – Controlled Unclassified Information Requirements
- FAR 52.204-WW – Notice of Controlled Unclassified Information Requirements
- FAR 52.204-XX – Controlled Unclassified Information
- FAR 52.204-YY – Identifying and Reporting Information That is Potentially Controlled Unclassified Information
Contracting Officers will include the SF XXX form in solicitations and contracts (including contracts for commercial products and services), identify on the form whether CUI is involved in the performance of the contract, and identify roles and responsibilities as well as the type of CUI training contractors will be required to complete. FAR clause 52.204-XX will be included in the contract if CUI will be involved in performance; FAR clause 52.204-YY will be included if no CUI is involved. Even if FAR 52.204-YY is included in your contract, you must notify the Contracting Officer if unmarked or mismarked CUI is encountered during the performance of the contract.
Prime contractors will be responsible for including the SF XXX in subcontracts, identifying whether CUI will be involved in the performance of each subcontract, and flowing down the appropriate clause (FAR 52.204-XX or FAR 52.204-YY) in their subcontracts. Subcontractors must in turn flow the clause down to all lower subcontractor tiers if CUI will be handled during performance.
A new definition, CUI Incident, is added to FAR 2.101: suspected or confirmed improper access, use, disclosure, modification, or destruction of CUI in any form or medium. Contractors are required to notify the Contracting Officer of a potential CUI incident within 8 hours of discovery. Subcontractors are required to notify the prime or higher-tier subcontractor within the same timeframe.
Contractors determined to be at fault for a CUI incident may be financially liable for costs incurred by the Government in responding and mitigating damages. Great. One more thing you are going to have to see if you can get insurance to cover, as this could be very costly.
All prime contractor and subcontractor employees who handle CUI are required to have training on safeguarding CUI, and you must maintain supporting records showing that the training has been adequately completed. The frequency of training depends on the type of CUI. Contracting Officers are likely to request evidence of training.
What Does This Mean?
If you have US Government contracts or subcontracts in which CUI will be used in the performance of the contract, you will be required to implement the 110 NIST SP 800-171 Rev 2 requirements, or other applicable NIST requirements. This is not a quick and easy process.
Compliance with the NIST criteria is important, and the compliance information you report needs to be accurate. The Department of Justice has pursued a number of False Claims Act cases related to contractor noncompliance with cybersecurity or NIST requirements. Most of these originated with employees of the company through whistleblower (qui tam) suits.
Takeaways
We recommend that all contractors and subcontractors who have CUI read the proposed rule. This proposed rule may result in some suppliers or small businesses deciding they don’t want to submit subcontract proposals that have CUI due to added costs. This could impact some programs, especially if the small business or supplier is providing critical components or services for a program.
We recommend you review and begin implementation of the NIST SP 800-171 Rev 2 requirements. Depending on your company structure, you may need to hire an external specialist to assist you. You will need to establish robust policies in this area to meet all the requirements, including compliance with the NIST requirements, subcontract flowdowns and monitoring, training requirements, and reporting incidents.
Even if you have DoD contracts with CUI, there are additional requirements beyond DFARS 252.204-7012 (e.g., training requirements for prime contractors and subcontractors, the timeframe for reporting CUI incidents, etc.), and you may be liable for costs the Government incurs to mitigate a contractor’s CUI incident. Policies will need to be updated to address how subcontract monitoring will be performed to ensure CUI compliance, how training is provided, and so on.
We recommend all contractors review the proposed rule and provide comments before March 17, 2025.
How Can Redstone GCI Help?
Redstone GCI can provide our clients with more information and guidance, working with established industry-leading partners who can assist in fulfilling numerous cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments, and Plan of Action and Milestones (POA&M) development for the information technology infrastructure. Redstone GCI, along with our trusted partners, can bring you a full solution by ensuring that the cybersecurity policy and flow-down requirements are addressed across all areas, including but not limited to purchasing policy requirements.