Federal Register document 2024-30437

Federal Acquisition Regulation: Controlled Unclassified Information

Published Date: 1/15/2025

Proposed Rule

Summary

The Department of Defense, GSA, and NASA propose amending the Federal Acquisition Regulation (FAR) to protect Controlled Unclassified Information (CUI) in government contracts. Contractors that handle information which is sensitive but not classified would have to follow new, standardized safeguarding, training, and incident-reporting requirements. Comments are due by March 17, 2025. The changes would affect how contracts involving CUI are solicited and managed and are expected to add compliance costs for contractors.

Analyzed Economic Effects

6 provisions identified: 0 benefits, 5 costs, 1 mixed.

New SF XXX and CUI Contract Clauses

The rule creates a new Standard Form (SF XXX) called Controlled Unclassified Information (CUI) Requirements and adds new solicitation/contract clauses (FAR 52.204-XX, 52.204-YY, and provision 52.204-WW). If the SF XXX indicates CUI, contractors must follow 32 CFR part 2002 handling rules and the contract clause, and must flow down CUI requirements to subcontractors.

Applies to SAT and Commercial Contracts

The proposed FAR changes apply to contracts at or below the Simplified Acquisition Threshold (SAT) and to commercial products and commercial services, but do not apply to contracts solely for commercially available off-the-shelf (COTS) items.

NIST SP 800‑171 Compliance Costs

Non‑defense contractors may be required to implement NIST SP 800-171 Revision 2; the RIA estimates an average initial labor cost for a small business of about $148,200 and recurring annual labor cost of about $98,800, plus estimated initial hardware/software costs of about $27,500 and $5,000 annually.

Enhanced NIST SP 800‑172 for ~160 Contractors

A limited set of contractors (about 160) may need to implement enhanced security in NIST SP 800-172; the RIA estimates total initial implementation costs of about $132,850,000 for those contractors, with individual estimates such as $202,500 initial cost for 100 small businesses (25–50 endpoints), $1,000,000 for 20 medium businesses, and $2,315,000 for 40 large businesses. Annual recurring costs are estimated at 20% of initial implementation.

8‑Hour Reporting and 90‑Day Image Preservation

If a contractor discovers or suspects a CUI incident, the contractor must notify the Government within 8 hours of discovery or suspicion (unless the contract specifies a different timeframe) and must preserve system images and relevant monitoring and packet-capture data for 90 days, during which the Government may request them. Note that the clock starts at suspicion, not at confirmation, so contractors need an intake and evidence-preservation process that can run before an investigation concludes.
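The following is an added example, not code from the Federal Register document or from any agency. It shows what a minimal preservation step for the 8-hour and 90-day requirements above can look like in practice: both clocks are computed from a timezone-aware discovery timestamp, and every preserved artifact (system image, packet capture, log export) is pinned in a JSON manifest with a streamed SHA-256 hash so that a later Government request can be answered with evidence that is demonstrably unaltered. The incident identifier, file names, byte contents and timestamps are constructed for the example, and measuring both periods from the moment of discovery is an assumption to confirm against the final clause text.

```python
"""Evidence-preservation manifest for a suspected CUI incident.

Added example; not part of the Federal Register document or the FAR text.
Assumption: the 8-hour notification period and the 90-day preservation
period are both counted from the moment the incident is discovered or
suspected. Incident IDs, file names and timestamps are constructed.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

NOTIFY_WITHIN = timedelta(hours=8)   # "within 8 hours" in the proposed clause
PRESERVE_FOR = timedelta(days=90)    # "preserve ... for 90 days"


@dataclass(frozen=True)
class Deadlines:
    discovered_at: str
    notify_by: str
    preserve_until: str


def compute_deadlines(discovered_at: datetime) -> Deadlines:
    """Both clocks start at discovery or suspicion, not confirmation.
    Naive timestamps are rejected so a local-time mistake cannot silently
    shift an 8-hour deadline."""
    if discovered_at.tzinfo is None:
        raise ValueError("discovery time must be timezone-aware; use UTC")
    return Deadlines(
        discovered_at=discovered_at.isoformat(),
        notify_by=(discovered_at + NOTIFY_WITHIN).isoformat(),
        preserve_until=(discovered_at + PRESERVE_FOR).isoformat(),
    )


def sha256_file(path: Path) -> str:
    """Stream the file so a multi-gigabyte disk image never has to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(incident_id: str, discovered_at: datetime,
                   artifacts: list[Path]) -> dict:
    """Hash every preserved artifact and bind the hashes to the incident
    and its deadlines in one JSON-serialisable record."""
    return {
        "incident_id": incident_id,
        "deadlines": asdict(compute_deadlines(discovered_at)),
        "artifacts": [
            {"name": p.name, "bytes": p.stat().st_size, "sha256": sha256_file(p)}
            for p in sorted(artifacts)
        ],
    }


def verify_manifest(manifest: dict, evidence_dir: Path) -> list[str]:
    """Return names of artifacts that are missing or whose content no longer
    matches the recorded hash; an empty list means the evidence is intact."""
    problems = []
    for entry in manifest["artifacts"]:
        path = evidence_dir / entry["name"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            problems.append(entry["name"])
    return problems


def demo() -> tuple[dict, list[str], list[str]]:
    """Constructed scenario: two small stand-ins for a disk image and a packet
    capture are preserved and verified, then one is altered and re-verified."""
    discovered = datetime(2025, 1, 15, 9, 30, tzinfo=timezone.utc)  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        image = evidence / "host-42.img"
        pcap = evidence / "edge-fw.pcap"
        image.write_bytes(b"\x00" * 4096)                       # stand-in image
        pcap.write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)    # pcap magic + header
        manifest = build_manifest("CUI-2025-0001", discovered, [image, pcap])
        stored = json.dumps(manifest, indent=2, sort_keys=True)  # what you would sign/archive
        clean = verify_manifest(json.loads(stored), evidence)
        image.write_bytes(b"\x00" * 4095 + b"\x01")             # simulate later tampering
        tampered = verify_manifest(json.loads(stored), evidence)
    return manifest, clean, tampered


if __name__ == "__main__":
    m, ok, bad = demo()
    print(json.dumps(m["deadlines"], indent=2))
    print("intact before tampering:", ok == [], "| altered artifacts:", bad)
```

In a real deployment the manifest JSON would be written to write-once storage and signed (or at least hashed and logged) at creation time, since the manifest is only as trustworthy as the place it is kept; the 90-day retention date in it is what a retention policy or legal-hold system should key on, rather than a default log-rotation schedule that may purge packet captures far sooner.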

Mandatory CUI Training for Employees

Any contractor or subcontractor employee who handles CUI must complete training on safeguarding CUI as specified on the SF XXX; the rule estimates this training will take about one hour per employee and contractors must keep training records and provide evidence upon request.
