
What the FAR CUI Rule Means for All Federal Contractors: 5 Key Takeaways
Anna Fitzgerald
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
Government is the third most targeted sector by nation-states and cybercriminals worldwide, according to a recent report by Microsoft.
Given that cyber attacks are increasing in frequency and sophistication, particularly against governments, US federal agencies have a duty to safeguard not only classified data but also sensitive unclassified information known as Controlled Unclassified Information (CUI).
Previously, requirements for protecting CUI were largely limited to the Department of Defense (DoD) via DFARS 7012. However, these requirements will soon apply to virtually all federal contractors and subcontractors with the new Federal Acquisition Regulation (FAR) CUI Rule.
This rule marks a significant step in standardizing how CUI is handled across the entire federal supply chain. Given this rule’s far-reaching impact, it’s important that you understand its requirements, history, and timeline, all covered below.
The FAR CUI Rule, explained
The FAR CUI Rule is a proposed regulation that establishes uniform requirements for the protection of CUI across all federal executive branch contracts.
Namely, it would require that federal contractors implement the standards in NIST Special Publication 800-171 for the protection of CUI. Previously, the Department of Defense had mandated this for defense contractors via DFARS 252.204-7012, but no similar uniform requirement existed across other federal agencies.
That’s because the FAR does not presently cover CUI. Only federal contract information (FCI) is protected under FAR 52.204-21, which requires contractors to apply 15 basic safeguarding requirements and procedures to protect covered contractor information systems.
In the absence of a government-wide rule, federal agencies have employed different policies to manage CUI on an ad hoc basis, resulting in agencies marking and handling information inconsistently and inefficiently, and in contractors not realizing that they are handling confidential information that requires safeguarding.
In response to increasingly sophisticated and frequent cyber attacks targeting the federal government and larger supply chain for this sensitive information, the Federal Acquisition Regulatory (FAR) Council has led the development of the proposed FAR CUI rule.
What are the requirements of the FAR CUI Rule?
The FAR CUI Rule mandates that federal contractors and subcontractors implement NIST 800-171 controls when handling CUI. This rule does not mandate certification. Instead, federal contractors must self-attest to compliance with NIST 800-171 Revision 2 and, if the government asks, provide supporting documentation to verify compliance with their system security plan (SSP).
Contractors are also required to train employees on handling CUI before allowing them to collect, develop, receive, transmit, use, handle, or store CUI.
Finally, contractors must flow these requirements down to subcontractors that handle CUI to create a consistent baseline of protection throughout the supply chain.
Since the FAR CUI Rule is largely modeled after DFARS 7012, these requirements might sound familiar. However, there are some key differences between the FAR CUI Rule and DFARS 7012. The FAR CUI rule introduces some new definitions for terms like CUI incident and uses the term “covered federal information” instead of “federal contract information.” Aside from these new definitions and terms, the most notable difference is the 8-hour reporting requirement for a CUI incident in FAR versus the 72-hour reporting requirement for a cyber incident in DFARS.
The history of the FAR CUI Rule
The FAR CUI Rule has been years in the making. More specifically, fifteen years in the making.
Its origins can be traced back to Executive Order 13556, issued in 2010, which established a government-wide CUI program. The EO aimed to standardize how executive agencies handle sensitive unclassified information, addressing inconsistencies in protection and labeling. However, the EO did not actually implement the CUI program, so contractors continued to be uncertain what their obligations were, particularly when working with multiple agencies that had different safeguarding and reporting standards. This left contractors vulnerable to potential liability and the entire federal supply chain vulnerable to cybersecurity risk.
So NIST 800-171 was introduced in 2015 as a stop-gap measure. This framework provided baseline security requirements for protecting CUI in non-federal systems.
In 2016, National Archives and Records Administration (NARA) published a final rule to implement the CUI requirements of EO 13556, but it still did not incorporate those requirements into the federal acquisition process.
This same year, the Department of Defense adopted the CUI requirements through DFARS 252.204-7012, which required defense contractors to implement NIST 800-171 Revision 2 and report cybersecurity incidents.
These CUI requirements did not extend to other federal contractors—until this year. The FAR Council published the FAR CUI Rule in January 2025. Once finalized, this rule will make CUI protection mandatory across all federal contracts.
When will the FAR CUI Rule take effect?
While the proposed FAR CUI Rule was released earlier this year, it is still advancing through the rulemaking process. The final rule is expected in late 2025 or early 2026.
Once it is finalized, federal agencies will incorporate the rule’s new FAR clauses into contracts. There is no phased implementation timeline, meaning all contractors handling CUI will have to comply immediately. That’s why organizations should begin preparing now to avoid compliance gaps when the rule takes effect.

5 Key takeaways of the FAR CUI Rule
The FAR CUI Rule introduces several key provisions that reshape how CUI must be handled across the federal contracting ecosystem. Below are the most significant changes.
1. Introduced form for agencies to identify CUI in contracts
Federal agencies will now be required to fill out a standardized form to identify when CUI is part of a contract. This is referred to as Standard Form XXX, Controlled Unclassified Information (CUI) Requirements, or SF XXX for short. The goal of this form is to ensure both the agency and contractor clearly understand CUI obligations from the outset.
This change aims to address long-standing confusion around whether certain contracts actually involve CUI, helping contractors better scope their compliance responsibilities.
2. Eliminated the equivalency loophole for FedRAMP Moderate
Under DFARS 7012, cloud service providers (CSPs) handling CUI are required to be FedRAMP Moderate authorized or meet “equivalent” security requirements. This “equivalency” loophole allowed many CSPs to self-attest to meeting the requirements without formal validation, creating significant risk in the supply chain.
A 2023 DoD memo attempted to close this gap by placing the burden on contractors to prove their CSP’s equivalency—requiring extensive documentation, 3PAO validation, and continuous monitoring of the provider’s compliance over time.
The FAR CUI Rule formally requires 3PAO assessment and validation, either through FedRAMP Moderate authorization or through a 3PAO assessment against the FedRAMP Moderate baseline to attest to equivalence. If cloud services are used to store, process, or transmit CUI identified in the SF XXX, the CSP must be FedRAMP Moderate authorized or equivalent. FedRAMP Moderate equivalency can no longer be determined by self-assessment.
This closes a longstanding gap and ensures that cloud-based systems are held to the same rigorous security standards as on-premises environments when handling sensitive federal data.
3. Introduced two new FAR contract clauses
The rule introduces two new clauses:
- FAR 52.204-XX, Controlled Unclassified Information: Contractors must comply with CUI requirements if the SF XXX indicates that they are expected to collect, develop, receive, transmit, use, handle, or store CUI as part of the work performed under the contract.
- FAR 52.204-YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information: If a contract does not identify CUI, contractors must notify the government if there appears to be unmarked or mismarked CUI, or if they have had a suspected CUI incident related to work performed under the contract.
These clauses will be inserted into applicable contracts and flowed down to subcontractors, creating clear contractual obligations for protecting CUI.
4. Established new incident reporting timeframe
Under the new rule, contractors must report cybersecurity incidents involving CUI within 8 hours of discovery. This is more stringent than the current DFARS 7012 requirement, which mandates reporting within 72 hours. It is intended to enable the government to respond effectively and swiftly to mitigate financial losses and other potential damages.
The rule also outlines specific information that must be included in the report and mandates that follow-up updates be submitted as investigations progress.
5. Provided cost estimates
The FAR Council included detailed cost projections in the proposed rule to help stakeholders understand the financial burden of compliance, especially for small businesses.
The largest projected cost is the estimated $1.52 billion in the initial year for labor, hardware, and software to implement the NIST SP 800-171 Revision 2 requirements. This includes upgrades to information systems, policy development, technical control implementation, and documentation.
Once initial implementation is complete, organizations will still face significant recurring expenses:
- $1.07 billion in total annual recurring maintenance costs for maintaining NIST 800-171 compliance
- $334.9 million to review standardized contract forms (Standard Form XXX)
- $82.8 million to prepare and distribute those forms
- $166.5 million to train employees on proper handling of CUI
- $11.7 million in annual SSP recordkeeping costs
- $67,925 to submit a System Security Plan (SSP) upon agency request
- $275,500 for annual incident reporting costs among non-defense contractors
These are industry-wide estimates. To get a better sense of how much compliance might cost you, let’s look at these numbers for individual contractors:
- A small business may spend $148,200 (approx. 1,560 hours) in the initial year to comply with the FAR CUI Rule and $98,800 (approx. 1,040 hours) annually thereafter.
- A larger business may spend $543,400 (approx. 5,720 hours) in the initial year and $494,000 (approx. 5,200 hours) annually thereafter.
While the projected compliance costs are substantial, they pale in comparison to the cost of a serious CUI incident.
According to the Office of Cost Estimation (OCE)’s landmark report released in October 2020, the median cost of a CUI incident ranged from $0.5 million to $1.6 million, with maximum costs reported as high as $11.7 million and in some cases, even exceeding $1 billion.
Preparing for the future of the FAR CUI Rule
The FAR CUI Rule represents a major expansion in how federal data is protected. Rather than treating CUI protection as a concern limited to the defense industry, it makes CUI protection a government-wide mandate.
As the final rule approaches, organizations should take proactive steps to assess their current cybersecurity posture, review their information systems, and begin aligning with NIST 800-171.
Secureframe can accelerate time-to-compliance by:
- Integrating with the tools and environments federal contractors rely on, including AWS GovCloud, Azure Government, Microsoft GCC High, and Intune GCC High
- Mapping your existing controls, policies, and procedures to CMMC & the 110 NIST 800-171 requirements to identify gaps
- Generating remediation guidance to close those gaps
- Automatically calculating your SPRS score based on control implementation and keeping it up to date with system changes
- Providing step-by-step guidance for completing each required section of the SSP, and version control and easy updates as your controls or architecture evolve
- Automatically linking POA&M items directly to framework requirements in your SSP and offering structured workflows to assign owners, track deadlines, and update progress
- Automatically collecting evidence and continuously monitoring control implementation across your tech stack to maintain continuous compliance
- Providing expert guidance from former federal auditors who understand the technical complexities of NIST 800-171 requirements
Request a demo to see how we can help federal contractors reduce the cost and complexity of FAR CUI Rule compliance.
FAQs
What is the purpose of the FAR CUI Rule?
The FAR CUI Rule aims to standardize the protection of CUI across all federal executive branch agencies by requiring contractors to implement NIST 800-171 Revision 2 controls. This aligns with the government’s larger strategy to protect against increasingly sophisticated cyber attacks targeting the federal government and its contractors.
What information is the FAR CUI Rule designed to protect?
The FAR CUI Rule is designed to protect Controlled Unclassified Information (CUI). CUI refers to sensitive but unclassified federal information that requires safeguarding or dissemination controls according to federal law, regulation, or government-wide policy. Examples of CUI include:
- Social Security numbers
- Information related to national security
- Sensitive defense or warfare related information that contractors handle
Who needs to comply with the FAR CUI Rule?
Any contractor or subcontractor that handles CUI in the course of fulfilling a federal contract with an executive branch agency (civilian or defense) will need to comply. This includes commercial entities, cloud service providers, managed service providers, and IT consultants.
Is FedRAMP Moderate still enough for cloud providers under the proposed FAR CUI Rule?
Yes, but the proposed FAR CUI Rule eliminates the longstanding “equivalency” loophole. Previously, under DFARS 7012, cloud service providers (CSPs) could claim they met FedRAMP Moderate-equivalent security requirements without formal validation. The new rule closes this gap by requiring third-party assessment organization (3PAO) validation, either through FedRAMP Moderate authorization or a separate 3PAO assessment against the same baseline. This is one of the most significant changes in the FAR CUI Rule.
How can organizations prepare for the FAR CUI Rule?
Organizations should assess whether they handle CUI, familiarize themselves with requirements related to the FAR, conduct a NIST 800-171 gap analysis, and begin implementing required security controls. Compliance automation tools like Secureframe can help manage documentation, control tracking, remediation, and audit readiness efficiently and at scale.
What is the FAR Council?
With representatives from the Department of Defense, General Services Administration (GSA), and National Aeronautics and Space Administration (NASA), the FAR Council is responsible for preparing, issuing, and maintaining the Federal Acquisition Regulation (FAR) for use by executive agencies in acquiring goods and services.