The FAR CUI Rule Just Cleared a Major Hurdle for Publication

    Learn about the potential impact of the impending FAR CUI Rule in federal contracting. Explore key updates and the regulatory process ahead.

    The FAR CUI proposed rule has officially moved into regulatory review with the Office of Information and Regulatory Affairs (OIRA).

    With the FAR CUI rule one step away from publication in the Federal Register, we dive a little deeper into what it is and some open questions we’re looking forward to resolving when the rule, after nearly 10 years, is finally released.

    This episode is from the Sum IT Up podcast.

    What is the FAR CUI Rule?

    The FAR CUI rule creates a government-wide contract clause requiring the implementation of NIST SP 800-171 for the protection of Controlled Unclassified Information.

    “This rule will apply the controlled unclassified information (CUI) program requirements in Federal contracts in a uniform manner to protect CUI.

    This rule is one element of a larger strategy to improve the Government’s efforts to identify, deter, protect against, detect, and respond to increasing sophisticated threat actions targeting Federal contractors.

    This rule is being issued in accordance with the National Archives and Records Administration (NARA) regulations implementing the CUI program per Executive Order 13556 issued November 4, 2010, as implemented in NARA’s implementing regulations.”

    That’s right, NIST SP 800-171 isn’t just a requirement for Department of Defense contractors, but for all federal contractors handling any category of Controlled Unclassified Information.

    Saying the FAR CUI rule is a big deal is an understatement.

    In addition to DoD and the SBA Office of Advocacy, the Civilian Agency Acquisition Council is comprised of representatives from 19 departments and agencies:

    • Department of Agriculture
    • Department of Commerce
    • Department of Education
    • Department of Energy
    • Department of Health and Human Services
    • Department of Homeland Security
    • Department of Housing and Urban Development
    • Department of the Interior
    • Department of Justice
    • Department of Labor
    • Department of State
    • Department of Transportation
    • Department of Treasury
    • Department of Veterans Affairs
    • Environmental Protection Agency
    • National Aeronautics and Space Administration
    • Small Business Administration
    • Social Security Administration
    • U.S. Agency for International Development

    The FAR CUI rule is the missing piece of the 3-part plan to implement Executive Order 13556 "Controlled Unclassified Information".

    It was the original regulatory "harmonization" before that was the cool thing to say.

    Status of the FAR CUI rule

    On May 20th, 2024, the Chair of the Civilian Agency Acquisition Council (CAAC) sent the proposed FAR CUI rule to OIRA.

    OIRA review is the last step prior to publication in the Federal Register.

    After waiting 8 years, we should see a published FAR CUI proposed rule by mid-August.

    Rulemaking calendar

    On paper, OIRA has 90 days to review rules.

    OIRA received the rule on May 21st, 2024 + 90 days = August 19th, 2024

    OIRA can request a 30-day extension = September 18th, 2024

    We could easily end up with both the FAR CUI proposed rule and the 48 CFR CMMC proposed rule published in the same month.

    Check out the full episode for explanations of the top things we’d like to know about the FAR CUI Rule:

    • Will the FAR CUI rule define Organizationally Defined Parameters (ODPs)?
    • Which revision of NIST SP 800-171 will be specified?
    • Will the FAR CUI rule include NIST SP 800-172 requirements?
    • Will the rule expand and clarify Federal Contract Information (FCI)?
    • Will there be a “phased roll-out” for the FAR CUI clause in federal contracts?
    • Will the rule discuss the need for external assessments like CMMC?

    Sum IT Up Podcast

    With Jacob Horne and Jason Sproesser

    We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.

    Jacob Horne

    Jacob has 15 years of interdisciplinary cybersecurity experience. He uses his knowledge of cybersecurity, NIST standards, and federal rulemaking to help people make sense of cybersecurity regulations and requirements.