
Understanding the Requirements for FAR CUI Compliance

Learn the key requirements for FAR CUI compliance, including security controls, NIST 800-171 guidelines, and who needs to comply with the Federal Acquisition Regulation (FAR).

Published on Aug 20, 2025
What Are the Requirements for FAR CUI Compliance?

The United States classifies certain types of information as “Controlled Unclassified Information” (CUI). While it isn’t considered classified, it still requires safeguards to prevent unauthorized access. Think of it as sensitive data like technical details, business records, or legal documents that wouldn’t put national security at risk if exposed, but could still cause harm if it ended up in the wrong hands.

In early 2025, the Federal Acquisition Regulatory Council introduced a proposed rule, commonly referred to as the “FAR CUI Rule,” to expand cybersecurity requirements across all federal contractors handling CUI. This rule proposes mandating full compliance with NIST SP 800-171 Revision 2 for such contractors, similar to requirements aligned with the Department of Defense (DoD). Therefore, it is important to keep up with the latest FAR CUI rules if you operate as a contractor with the federal government.

What is FAR CUI?

Simply put, FAR CUI refers to rules set out by the government in relation to controlled unclassified information that needs to remain out of the public view. At the same time, this information does not rise to the level of being so sensitive that it can be considered a threat to national security. As such, it lies somewhere in between being top secret material and being public information.

A few examples of FAR CUI material include the following:

  • Financial data
  • Trade secrets
  • Sensitive acquisition documents
  • Personally Identifiable Information (PII)
  • Export-controlled information (ITAR/EAR)
  • Critical infrastructure information
  • Law enforcement sensitive data

These are just some examples of the types of data that could fall under the umbrella of FAR CUI information. Such information must be protected from becoming public knowledge. The government will not consider contracting long term with anyone who is unable to stay in compliance with the Proposed FAR CUI rule.

Key Compliance Requirements Under the Proposed FAR CUI Rule

There are some key compliance standards under the Proposed FAR CUI rule that all contractors and prospective contractors should be familiar with. The more they know about these requirements, the better they can position themselves to win the government contracts they want. Let’s take a look at some of the key requirements under these rules:

  • Align with NIST SP 800-171 Standards – First and foremost, all contractors must align with the previously established NIST SP 800-171 standards set up by the government. These standards existed before the Proposed FAR CUI rule, and the rule is designed to extend compliance beyond the Department of Defense (DoD).

  • Data Protection and Handling of CUI – Certain data protection standards, such as data encryption parameters, must be maintained for CUI. That data must be kept safe and protected from public view.

  • Incident Reporting Obligations – Government contractors also have incident reporting obligations. They are required to let the proper authorities know that there has been an incident of some kind.

  • Supply Chain Security Considerations – It is not only the individual contractors who have to think about how they are handling CUI, but also the suppliers and partners they work with. Every link in the supply chain has a responsibility to keep sensitive material safe. While it is necessary to a certain extent to share details with your partners, it is equally important to be intentional about how much of that information is passed along and to ensure it is protected along the way.

How the Proposed FAR CUI Rule Impacts Contractors

The importance of the Proposed FAR CUI rule and its impact on contractors is difficult to overstate. Contractors must think carefully about the new requirements and understand how those requirements affect them. Here are some of the most important ways that contractors could be impacted:

  • Increased Compliance Obligations – Contractors will face increased layers of compliance to maintain their contracts. They must show that they are serious about staying within the good graces of the government agencies that they work with, and the best way to do so is to follow the Proposed FAR CUI rule that is laid out for them.

  • Financial and Operational Impacts – Along with the additional layers of compliance come additional financial costs. As such, it is important to think about how much of an impact these new rules might have on contractors’ wallets.

  • Legal and Contractual Risks – Don’t forget that these new rules might also increase the risk of having your government contracts terminated if you don’t keep up with the new compliance rules. Even if you don’t face outright termination of your contract, it is still possible that you might end up facing fines or other penalties for not following the rules. Check out how the Department of Justice is keeping the DoD supply chain accountable with the False Claims Act.

Steps Contractors Should Take to Remain Compliant

There are certain steps that you can take as a contractor which can help you to remain compliant with FAR CUI. Here are some helpful suggestions:

  • Conduct a NIST SP 800-171 Gap Assessment – You might have gaps in your compliance with the NIST SP 800-171 rules that exist now, and you need to close those gaps. Conduct an assessment of the potential gap that you have between where you are now and where you should be to figure out your next steps to close that gap.

  • Train Employees on CUI Handling – Take the time necessary to train employees on how best to handle CUI material. They might need a refresher on what they should do to keep that information or assets safe and secure.

  • Have an Incident Response Plan in Place – Reacting and responding to an incident as rapidly as possible is the best way to handle any situation that might arise. As such, you should do your best to have an incident response plan in place to document and remediate any situation that arises.

These are just some of the steps that you can take to put yourself in a better position to remain compliant with the Proposed FAR CUI rule.

Challenges When Adopting Proposed FAR CUI Rule

Compliance with the proposed FAR CUI rule is not as simple as checking a box. There are going to be some challenges along the way, including possibly updating legacy systems, getting buy-in from leadership, and managing compliance along your entire supply chain. These challenges are very real and should be addressed as quickly as possible to ensure you are compliant when the rule becomes effective. Waiting can cost you time and money.

Struggling With FAR CUI Compliance?

Compliance with the proposed FAR CUI rule can feel overwhelming—especially when it involves legacy systems, shifting regulations, and limited internal bandwidth. But you don’t have to figure it out alone. Contact us to get expert help from a team that specializes in helping government contractors navigate CUI compliance. Let’s simplify your path to compliance and get your organization on solid ground—before the rule takes effect.
