
The FAR CUI: What It Means for Contractors and How to Stay Compliant

Learn about the FAR CUI, its security requirements, and how it impacts federal contractors. Understand the key compliance measures and steps to align with Federal Acquisition Regulation (FAR) guidelines.

8 min read
Published on Aug 22, 2025
What is FAR CUI and How Does It Affect Contractors?

The federal government handles a significant amount of data that it would prefer to keep out of public view. Some of that data falls into a category known as CUI, Controlled Unclassified Information. Although that information has not been given the label of classified, it is vital that it remains secure. CUI is an umbrella term that covers sensitive information that is NOT classified but is still legally or regulatorily protected. This includes data such as personally identifiable information (healthcare) or pre-award pricing and technical information (contracts). Such information is often handled by contractors, and they must abide by the FAR CUI rule, among other regulations, to help keep that information as safe and secure as possible.

What is FAR CUI?

Born from Executive Order 13556 established in 2010, NIST Special Publication 800-171 titled, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, was initially released in 2015 and provided 110 recommended requirements to ensure the protection of government CUI handled by contractors and subcontractors. Instead of that mouthful, we affectionately call it the FAR CUI rule.

But wait…Isn’t FAR CUI the same as CMMC? NO! Quick story: The US Government decides that it needs cybersecurity protection across all executive agencies and creates NIST Special Publication 800-171 in 2015. The Department of Defense agrees, but the pace of turning that into law is slow. At this point, the FAR CUI rule does not automatically enforce compliance. The DoD, however, had already established DFARS clause 252.204-7012 in 2017, which mandates compliance. To expedite and improve assurance, the DoD created the CMMC program to assess and certify contractors’ implementation of NIST SP 800-171 (Level 2) and FAR 52.204-21 (Level 1). The CMMC program has two parts, the why and the how: 32 CFR Part 170 (finalized) is the why and 48 CFR Part 204 is the how. Once 48 CFR Part 204 is final, expected sometime in Q4 2025, and the how is legally finalized, CMMC becomes an official enforceable compliance program. It is important to note that enforcement is already occurring via contract clauses.

Cybersecurity is A LOT! Here is a simple breakdown for you.

| Reg | Description | NIST 800-171 Involvement |
|---|---|---|
| FAR 52.204-21 | Requires basic safeguarding of Federal Contract Information (FCI) | Based on a subset of NIST SP 800-171 (15 basic controls); does not require full implementation |
| FAR CUI Rule (Proposed) | Would require protection of Controlled Unclassified Information (CUI) across all federal agencies | Would mandate full implementation of NIST SP 800-171 for contractors handling CUI |
| DFARS 252.204-7012 | Requires DoD contractors to protect CUI | Requires full implementation of NIST SP 800-171; includes cyber incident reporting |
| CMMC | DoD’s certification program to verify implementation of cybersecurity practices | Level 1 aligns with FAR 52.204-21 (15 controls); Level 2 requires full NIST SP 800-171 compliance with third-party or self-assessment, depending on contract |

Now that that is out of the way, let’s talk more about what the FAR CUI rule really means. It is coming faster than you think!

Key Compliance Requirements Under the FAR CUI Rule

There are certain requirements that have emerged under the FAR CUI rule that are particularly important to take note of before the rule becomes official. Once that happens, possibly in Q4 2025, those requirements will likely include the following:

  • Alignment with NIST 800-171 Standards – First and foremost, it is important to note that all contractors that handle CUI are expected to meet the previously established NIST SP 800-171 Rev. 2 standards, and, in some cases, select NIST SP 800-172 controls where the contract specifies them.

  • Data Protection and Handling of CUI – Certain measures must be taken by contractors to guarantee the integrity of the CUI that they manage. This includes requiring CSPs touching CUI to be FedRAMP Moderate.

  • Incident Reporting Obligations – Any government contractor that handles CUI must report any security incident involving that data. They should do so immediately to help contain any additional damage. Currently, the proposed rule requires reporting within 8 hours of discovery.

  • Supply Chain Security Considerations – Most contractors also work with a supply chain of other individuals and companies that provide them with some of the resources they require to fulfill the contract. This means that they must ensure the flow down of their particular security requirements to applicable subcontractors.

These are the types of things that the FAR CUI rule is all about. Maintaining the highest levels of security from start to finish helps keep more information safe and away from those who have no business seeing it.

How the FAR CUI Rule Impacts Contractors

The new Federal Acquisition Regulation rule for Controlled Unclassified Information isn’t just more red tape — it’s a fundamental shift in how government contractors are expected to secure sensitive data. And the stakes are high. Contractors who fail to comply risk more than just warnings or corrective action — they may lose their contracts entirely.

At Agile IT, we help contractors cut through the complexity. Here’s a look at some of the most immediate and critical impacts of the FAR CUI rule:

  • Increased Compliance Obligations – Contractors must bring their security up to the new standards laid out in this rule. This is a higher bar to get over than what they once faced, and it is important to act immediately to make that happen. “Good enough” is no longer enough.

  • Financial Impacts – Contractors should expect upfront financial impacts as they work to align with these new standards, especially if they haven’t already started. Implementing NIST SP 800-171 often requires upgrading or replacing legacy systems, investing in secure cloud infrastructure, and training staff on the new systems, processes, and responsibilities. All of those things cost money to get done properly.

  • Legal Risks – There are legal penalties that one may face for non-compliance with the new standards. It is also possible that current and/or future contracts can be terminated for failing to meet the new standards.

It is fair to say that contractors are under a lot of pressure to get things right. This makes sense given the fact that they are handling extremely important and sensitive data that are at the core of America’s infrastructure.

Steps Contractors Should Take to Reach Compliance Standards

Although these standards are strict and can seem difficult to reach, there are common sense steps that contractors can take to reach their objectives. Here are some things that contractors should do immediately:

  • Conduct a NIST SP 800-171 compliance gap analysis

  • Implement any missing safeguards discovered in the gap analysis

  • Begin to train employees on the standards for handling CUI data and explain the importance of keeping data secure

  • Develop an incident response plan to address and remediate any issues

  • Perform routine audits to maintain compliance, prove due diligence, and continuously improve security.

These things can put any contractor in a better position to handle CUI data and keep things safe and secure.

Challenges in Adopting the FAR CUI Standards

It is certainly not the case that FAR CUI standards are easy to adopt. The reality is that there are some stumbling blocks that contractors have run into before. Here are some things to think about as far as potential challenges to adopting these standards:

  • Legacy Systems are Not Easy to Update – People get used to using certain pieces of technology, and it can become a challenge to get those individuals to update to newer systems. This takes time, training, and patience to do it correctly.

  • Maintaining Compliance Standards Across Multiple Subcontractors – Compliance doesn’t stop at your firewall. As a contractor, you are responsible for ensuring that all your subcontractors handling CUI meet the same standards you do. They need to understand the vital nature of getting this done correctly, and only you can make sure it is understood. If one subcontractor fails, your entire contract is at risk.

These are just a couple of things to keep in the back of your mind as you work towards complying with the FAR CUI standards that will soon be a required part of every government contract.

Take on the Standards of the FAR CUI Rule Starting Today

There is no getting around the fact that you will need to implement the FAR CUI rule standards if you work with federal contracts. With the DoD’s CMMC program taking effect imminently, the FAR CUI rule will surely follow as the government moves to standardize safeguarding requirements for CUI across all federal contractors.

At Agile IT, we specialize in helping defense contractors and federal partners navigate the complexities of DFARS, NIST SP 800-171, and CMMC 2.0—including readiness for the upcoming FAR CUI rule. From building secure enclaves and deploying GCC High to conducting gap analyses and ongoing compliance monitoring, our team ensures you’re not just prepared but positioned for success.

Get ahead of the curve. Contact Agile IT today to safeguard your CUI environment and achieve lasting compliance.
