Go-To Guide:
- The FAR CUI Rule has cleared regulatory review, paving the way for its publication in 2024 after a 14-year journey.
- This rule aims to establish uniform CUI program requirements for all federal contracts, not just for the Department of Defense (DoD), potentially impacting how all government contractors handle and safeguard sensitive but unclassified information.
- Federal contractors should be mindful of new obligations that may mirror existing DoD cybersecurity requirements, including possible external verification measures.
On Oct. 21, 2024, the OMB Office of Information and Regulatory Affairs (OIRA) concluded its regulatory review of the long-awaited Federal Acquisition Regulation Controlled Unclassified Information Rule (FAR CUI Rule), clearing the proposed rule's path for publication in the Federal Register in 2024.
The FAR CUI Rule is being issued pursuant to Executive Order 13556, which directed the National Archives and Records Administration (NARA), and later delegated the Information Security Oversight Office, to implement uniform CUI program requirements for all federal contracts. Fourteen years later, the final step of NARA's three-part implementation plan has cleared OMB review and will be published for public review and comments.
The FAR CUI Journey
In November 2010, the Obama administration issued E.O. 13556 to create a uniform, government-wide practice of managing CUI. Part of the goal was to harmonize the ad hoc, agency-specific practices and markings relating to CUI safeguarding and control, which amounted to more than 100 different types across the executive agencies. This directive was to be implemented in three distinct parts, which have now spanned well over a decade:
- Codify the Federal CUI Rule: Required Controls and Markings for CUI. NARA issued this final rule via amendment to 32 C.F.R. Part 2002, which took effect Nov. 14, 2016, and established the CUI program for all executive branch agencies. The rule outlined a standardized approach to designating, handling, and controlling CUI and provided that CUI must be safeguarded at no less than the moderate confidentiality impact level. The rule further provided that information may be marked and handled as CUI only if it is identified in NARA's CUI Registry (with approved categories and subcategories) and covered by applicable laws, regulations, or government-wide policies. The rule also clarified that where non-executive agencies handle CUI, such as through contracts, grants, licenses, certificates, or other agreements, those agencies must also handle CUI according to the Federal CUI Rule, E.O. 13556, and the CUI Registry. Additionally, NARA directed all executive agencies to "promulgate CUI Program implementing policies within their agency to carry out the regulation's requirements."
- Define Minimum Security Standards: NIST SP 800-171. To regulate CUI that leaves a federal environment (where it would have been subject to NIST SP 800-53 security and privacy controls for federal information systems and organizations), NARA and DoD coordinated with NIST to publish baseline security requirements for safeguarding CUI confidentiality in non-federal environments. One of the initial stated goals was to "help nonfederal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches." Moreover, one of the expressly stated expectations in the 800-171 special publication was that NARA would also "sponsor in 2016, a single Federal Acquisition Regulation (FAR) clause that will apply the requirements contained in the proposed federal CUI regulation and Special Publication 800-171 to contractors." That process has taken nearly a decade and has now culminated in the forthcoming FAR CUI Rule.
- Establish the FAR CUI Rule: Contract Clauses. Not to be confused with the Federal CUI Rule above, the subject FAR CUI Rule would amend the Federal Acquisition Regulation to implement NARA's implementing regulations for the CUI program. As DoD, the General Services Administration, and NARA collectively explained in spring 2017, when the rule was first published on OIRA's Unified Agenda, "[t]his FAR rule is necessary to ensure uniform implementation of the requirements of the CUI program in contracts across the government, thereby avoiding potentially inconsistent agency-level action." In the latest spring 2024 update clearing OIRA regulatory review, the rule abstract reiterated that the FAR CUI Rule "will apply the controlled unclassified information (CUI) program requirements in Federal contracts in a uniform manner to protect CUI." Accordingly, the forthcoming FAR CUI Rule may establish universal contract clauses that would apply to every federal contractor working with the government to enhance compliance with the baseline CUI safeguarding and handling requirements.
Insights
Federal contractors that handle CUI for non-DoD agencies, and that might have avoided the Cybersecurity Maturity Model Certification (CMMC) spotlight over the past few years, may now face similar obligations to meet uniform, baseline security requirements to protect CUI. Given the work that DoD has put into implementing NIST SP 800-171 requirements in its acquisition contracts over the past few years, originally as a stopgap measure while the FAR CUI Rule was being finalized, the forthcoming proposed rule may track the safeguarding and reporting requirements under DFARS 252.204-7012. It remains to be seen whether the FAR CUI Rule will impose similar external verification measures, instead of the self-attestation that has proven to be largely ineffective, and if so, whether the proposed rule would leverage DoD's recent work on the CMMC program. The proposed FAR CUI Rule may publish in November 2024, which would open the 60-day public comment period. Federal contractors should continue to monitor this space for updates.
* Special thanks to Northern Virginia Law Clerk Olivia Bellini† for her contributions to this GT Alert.
† Not admitted to the practice of law.