The FAR CUI Rule is Here: 6 Key Takeaways for Government Contractors

By Carly Devlin and Serge Kikonda

The FAR CUI rule, published on January 14, 2025, is a governmentwide contract clause requiring the implementation of NIST SP 800-171 to protect Controlled Unclassified Information (CUI). It outlines the specific requirements for how contractors and subcontractors are expected to handle CUI. The FAR CUI rule intends to improve the government’s ongoing efforts to identify, detect, respond to, and protect against malicious threat actors.

1) The FAR CUI rule creates a standard form (SF) for identifying if CUI will be incorporated into the contract, what category of CUI it is, and the corresponding safeguarding requirements for the protection of said CUI.

“The SF XXX, Controlled Unclassified Information, which is incorporated into this contract identifies what controlled unclassified information (CUI) is involved in the contract. The Contractor is required to safeguard only the CUI that is identified in the SF XXX.” (1)

2) There is a clear definition of what CUI is and is not.

As defined in the proposed rule, CUI is “information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.” (2)

3) Contractors must secure any information they believe is CUI, even if that information is not identified in the SF XXX or is not marked or properly marked as required in the SF XXX. The information must be safeguarded until the Contracting Officer can make a final determination on the proper marking of the information.

4) Contractors must now report any suspected or confirmed CUI incidents to their Contracting Officer within 8 hours, compared to 72 hours.

5) If a Contractor uses cloud services to store, process, or transmit any CUI identified in SF XXX, then the cloud service provider must meet the FedRAMP Moderate baseline requirements. This is a non-negotiable requirement as FedRAMP equivalency is no longer accepted.

6) The government has released official cost estimates for implementing NIST 800-171 Rev 2 (CMMC). Below is a breakdown of the anticipated costs:

The estimates above do not consider the cost of the specific software or hardware that may need to be implemented, the number of users, the complexity of the network, and more. For those, as outlined in the proposed rule, the government estimates that “a small business, on average, may spend $27,500 on hardware and software during initial implementation and $5,000 annually thereafter to maintain compliance” while a business other than small “may spend $140,000 on hardware and software in the initial year and $80,000 annually thereafter.” (3)

Don’t let the complexities of the FAR CUI rule impact your government contracts. Our team of expert consultants can help you understand the new requirements, develop a cost-effective implementation plan, and prepare you for CMMC certification. Contact us today for a free consultation and let us simplify the process.

Footnotes [Source used throughout article below]:

1,2,3 Federal Register. (2025, January 15). Federal Acquisition Regulation: Controlled Unclassified Information.