The history of the FAR CUI Rule

The FAR CUI Rule has been years in the making. More specifically, fifteen years in the making. 

Its origins can be traced back to Executive Order 13556, issued in 2010, which established a government-wide CUI program. The EO aimed to standardize how executive agencies handle sensitive unclassified information, addressing inconsistencies in protection and labeling. However, the EO did not actually implement the CUI program so contractors continued to be uncertain what their obligations were, particularly when working with multiple agencies that had different safeguarding and reporting standards. This left contractors vulnerable to potential liability and the entire federal supply chain vulnerable to cybersecurity risk. 

So NIST 800-171 was introduced in 2015 as a stop-gap measure. This framework provided baseline security requirements for protecting CUI in non-federal systems.

In 2016, National Archives and Records Administration (NARA) published a final rule to implement the CUI requirements of EO 13556, but it still did not incorporate those requirements into the federal acquisition process. 

This same year, the Department of Defense adopted the CUI requirements through DFARS 252.204-7012, which required defense contractors to implement NIST 800-171 Revision 2 and report cybersecurity incidents.

These CUI requirements did not extend to other federal contractors—until this year. The FAR Council published the FAR CUI Rule in January 2025. Once finalized, this rule will make CUI protection mandatory across all federal contracts.

When will the FAR CUI Rule take effect?

While the proposed FAR CUI Rule was released earlier this year, it is still advancing through the rulemaking process. The final rule is expected in late 2025 or early 2026.

Once it is finalized, federal agencies will incorporate the rule’s new FAR clauses into contracts. There is no phased implementation timeline; meaning, all contractors handling CUI will have to comply immediately. That’s why organizations should begin preparing now to avoid compliance gaps when the rule takes effect.

5 Key takeaways of the FAR CUI Rule

The FAR CUI Rule introduces several key provisions that reshape how CUI must be handled across the federal contracting ecosystem. Below are the most significant changes.

1. Introduced form for agencies to identify CUI in contracts

Federal agencies will now be required to fill out a standardized form to identify when CUI is part of a contract. This is referred t o as Standard Form XXX, Controlled Unclassified Information (CUI) Requirements or SF XXX for short. The goal of this form is to ensure both the agency and contractor clearly understand CUI obligations from the outset.

This change aims to address long-standing confusion around whether certain contracts actually involve CUI, helping contractors better scope their compliance responsibilities.

2. Eliminated the equivalency loophole for FedRAMP Moderate

Under DFARS 7012, cloud service providers (CSPs) handling CUI are required to be FedRAMP Moderate authorized or meet “equivalent” security requirements. This “equivalency” loophole allowed many CSPs to self-attest to meeting the requirements without formal validation, creating significant risk in the supply chain.

A 2023 DoD memo attempted to close this gap by placing the burden on contractors to prove their CSP’s equivalency—requiring extensive documentation, 3PAO validation, and continuous monitoring of the provider’s compliance over time.

The FAR CUI Rule formally requires a 3PAO assessment and validation whether via FedRAMP Moderate authorization or a 3PAO assessment against the FedRAMP Moderate baseline to attest to equivalence. If cloud services are used to store, process, or transmit CUI identified in the SF XXX, the CSP must be FedRAMP Moderate authorized or equivalent. FedRAMP Moderate equivalency can no longer be determined by self-assessment.

This closes a longstanding gap and ensures that cloud-based systems are held to the same rigorous security standards as on-premises environments when handling sensitive federal data.

3. Introduced two new FAR contract clauses

The rule introduces two new clauses:

• FAR 52.204-XX, Controlled Unclassified Information: Contractors must comply with CUI Requirements if the SF XX indicates that they are expected to to collect, develop, receive, transmit, use, handle, or store CUI as part of the work performed under contract.
• FAR 52.204-YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information: If a contract does not identify CUI, contractors must notify the government if there appears to be unmarked or mismarked CUI or if they had a suspected CUI incident related to work performed under contract.

These clauses will be inserted into applicable contracts and flowed down to subcontractors, creating clear contractual obligations for protecting CUI.

4. Established new incident reporting timeframe

Under the new rule, contractors must report cybersecurity incidents involving CUI within 8 hours of discovery. This is more stringent than the current DFARS 7012 requirement, which mandates reporting within 72 hours. It is intended to enable the government to respond effectively and swiftly to mitigate financial losses and other potential damages.  

The rule also outlines specific information that must be included in the report and mandates that follow-up updates be submitted as investigations progress. 

5. Provided cost estimates

The FAR Council included detailed cost projections in the proposed rule to help stakeholders understand the financial burden of compliance, especially for small businesses. 

The largest projected cost is the estimated $1.52 billion in the initial year for labor, hardware, and software to implement the NIST SP 800-171 Revision 2 requirements. This includes upgrades to information systems, policy development, technical control implementation, and documentation.

Once initial implementation is complete, organizations will still face significant recurring expenses:

• $1.07 billion in total annual recurring maintenance costs for maintaining NIST 800-171 compliance
• $334.9 million to review standardized contract forms (Standard Form XXX)
• $82.8 million to prepare and distribute those forms
• $166.5 million to train employees on proper handling of CUI
• $11.7 million in annual SSP recordkeeping costs
• $67,925 to submit a System Security Plan (SSP) upon agency request
• $275,500 for annual incident reporting costs among non-defense contractors

These are industry-wide estimates. To get a better sense of how much compliance might cost you, let’s look at these numbers for individual contractors:

• A small business may spend $148,200 (approx. 1,560 hours) in the initial year to comply with the FAR CUI Rule and $98,800 (approx. 1,040 hours) annually thereafter.
• A larger business may spend $543,400 in the initial year (approx. 5,720 hours) and $494,000 annually thereafter (approx. 5,200 hours)

While the projected compliance costs are substantial, they pale in comparison to the cost of a serious CUI incident. 

According to the Office of Cost Estimation (OCE)’s landmark report released in October 2020, the median cost of a CUI incident ranged from $0.5 million to $1.6 million, with maximum costs reported as high as $11.7 million and in some cases, even exceeding $1 billion.