The Federal Acquisition Regulation (FAR) Council has issued a long-awaited rule on Controlled Unclassified Information (CUI). This rule aims to provide clear guidance to contractors on how to identify and safeguard CUI in federal contracts. The new rule introduces a FAR clause, FAR 52.204-XX, which will apply to all contracts involving CUI, except for those that are purely commercially available off-the-shelf items. Federal agencies, not contractors, will determine whether contracts involve CUI.
Contractors will be required to safeguard CUI identified in a new form, SF XXX, provided with each contract. The safeguarding requirements include compliance with NIST SP 800-171, Revision 2 for non-federal information systems, NIST SP 800-53 for federal information systems, and FedRAMP Moderate security requirements for cloud service providers.
The rule also introduces new reporting requirements for cyber incidents and unmarked CUI. Contractors must report any suspected or confirmed CUI incidents within eight hours of discovery and notify the contracting officer of any unmarked CUI within the same timeframe. Contractors must include FAR 52.204-XX in subcontracts and other contractual instruments involving CUI.
Overall, the CUI rule aims to bring much-needed clarity to federal contractors regarding the handling and safeguarding of CUI in federal contracts.