
The FAR Council issued a proposed rule that would amend several FAR provisions and add new clauses to provide guidance on the safe handling of CUI. Public comments on the proposed rule are being accepted until March 17, 2025. The FAR Council intends to provide guidance to contractors on the requirements to mark, safeguard, disseminate, decontrol, and dispose of CUI (“CUI safeguarding”) for every executive branch agency.
To hold contractors accountable, these safeguarding CUI requirements must be incorporated into the acquisition process. Specifically, the requirements must be incorporated when agencies define their requirements, issue solicitations, and award contracts. The FAR Council describes the proposed rule as one component of a larger strategy to defend federal data and information systems.
💡 Related ideas for public comment
New FAR Definitions Proposed, Others are Clarified or Relocated
The proposed rule would add, clarify or relocate several definitions to the FAR, including:
– Contractor-Attributional Information
– Covered Federal Information
– Controlled Unclassified Information
– CUI Basic and CUI Specified
– CUI Incident
– CUI Registry
– Federal Information System
– Handling
– Information System
– Lawful Government Purpose
– Limited Dissemination Control.
💡 Is the definition of CUI clear and comprehensive?
💡 Will agencies consistently distinguish CUI from CUI Basic, or will the distinction be confusing?
A Standard Form to Notify Contractors Whether CUI Safeguarding is Expected
The proposed rule contemplates three scenarios where agencies and contractors would benefit from additional guidance to identify CUI in agency requirements during the solicitation phase:
1) to notify offerors and contractors whether CUI safeguarding requirements are expected to be applicable to the solicitation and the eventual contract;
2) to notify offerors and contractors that they must report any potential CUI within 8 hours after discovery, even if CUI was not anticipated for that solicitation or contract;
3) to notify contractors that they can expect to receive CUI during the performance of the contract, and they will be required to implement CUI safeguarding measures.
To address these scenarios, the proposed rule introduces Standard Form XXX (SF XXX), which will be part of each solicitation for which CUI safeguarding is anticipated.
SF XXX will also inform contractors whether the solicitation or future contract expects the contractor to collect, develop, receive, transmit, use, handle or store CUI during performance.
If the customer agency does not anticipate that CUI safeguarding will be required, the contracting officer will add the SF XXX to the contract file and will include in the solicitation a contract clause with procedures should the contractor encounter suspected CUI during the performance of the contract.
💡 For standardized procedures, should the contracting officer always incorporate the SF XXX into the solicitation and contract, even when CUI safeguarding is not expected?
💡 Will prime contractors have fewer oversight burdens if they can always share an SF XXX with their subcontractors?
Compliance Requirements
The proposed rule states that the requirements are to be conveyed to offerors and contractors in solicitations by including FAR Provision 52.204-WW, Notice of Controlled Unclassified Information Requirements. The provision describes an offeror’s obligations for handling CUI received from the government as part of the solicitation, properly identifying information created by the offeror that is proprietary business information, contractor bid or proposal information, or the newly defined term contractor-attributional information. FAR 52.204-WW also advises offerors that if unmarked or incorrectly marked CUI is discovered, the offeror should notify the contracting officer within 8 hours of discovery.
Solicitations containing Provision 52.204-WW will also include either FAR Clause 52.204-XX, Controlled Unclassified Information, or FAR Clause 52.204-YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information.
If a response to a solicitation or the performance of a contract is expected to involve CUI, the completed SF XXX will describe the agency’s requirements for CUI safeguarding pursuant to 52.204-XX, and will provide additional details on the CUI safeguarding requirements such as:
– Complying with certain security controls from National Institute of Standards and Technology (NIST) Special Publications 800-53, 800-171, and 800-172;
– Labeling CUI correctly for submission to the agency customer;
– Notifying the contracting officer of any CUI Incidents within 8 hours of discovery;
a. Retaining system images for 90 days after a reported CUI Incident if a contracting officer requests the images be preserved;
b. Reporting and managing CUI Incidents;
– Submitting supporting documentation to verify compliance;
– Training the workforce on proper CUI handling; and
– Flowing down applicable CUI requirements to subcontractors.
💡 Will non-DOD agencies standardize their CUI training expectations?
💡 Should the final rule confirm reciprocity between agencies for training requirements involving the same categories of CUI?
💡 Will a subcontractor’s training for a different agency be accepted?
Consistent with the CUI Incident reporting timelines described above, when the solicitation or performance of the contract does not anticipate the involvement of CUI, 52.204-YY is incorporated instead. In those instances, contractors and subcontractors must understand that if they identify information that they believe, or have reason to know, is CUI, they must notify the contracting officer, prime contractor, or next higher tier subcontractor within 8 hours of discovery.
Flowdown Requirement for Subcontractors
If the solicitation or contract is expected to involve CUI, and a prime contractor or higher tier subcontractor intends for a lower tier subcontractor to be involved in that activity, then the prime contractor or higher tier subcontractor must also prepare an SF XXX and distribute it to the lower tier subcontractor(s) to ensure the subcontractors properly safeguard the CUI.
This allows all parties involved in the contract to be aware of their obligations regarding CUI handling. Prime contractors are also responsible for ensuring compliance across all subcontract tiers, including actively monitoring and enforcing the safeguarding procedures described above and ensuring the workforces are trained on CUI safeguarding.
There is Only One Exception to the Proposed Rule – COTS Items
Except for contracts that are solely for the acquisition of Commercially Available Off-the-Shelf (COTS) items, the proposed rule will apply to all federal contracts, regardless of dollar value or commerciality. Therefore, the proposed rule will apply to contracts for commercial products, commercial services, and contracts at or below the Simplified Acquisition Threshold.
Conclusion
The FAR Council expressly acknowledges that the proposed rule is another step in a multi-faceted effort to enhance information security within the government’s supply chain. Comments on this proposed rule are due by March 17, 2025, and the instructions for submitting comments are discussed on the first page of the proposed rule.