FAR Council Proposes Compliance with NIST SP 800-171 for Non-Defense Contractors
What to Know About the Latest Cybersecurity Proposed Rule

Earlier this year, the FAR Council issued a proposed rule to implement the Controlled Unclassified Information (CUI) Program as it relates to federal contracts.1 The proposed rule is "just one element of a larger strategy to improve the Government's efforts to identify, deter, protect against, detect, and respond to increasingly sophisticated criminals and adversaries targeting Federal information and information systems."2
As proposed, the rule will apply to all contracts at or below the simplified acquisition threshold (currently $250,000), including contracts for commercial products and services. Only contracts that are solely for the acquisition of commercially available off-the-shelf (COTS) items are excepted. Comments are due by March 17, 2025.
Key takeaways from the proposed rule, discussed more fully below, include:
- Contractors operating nonfederal information systems that process, store or transmit CUI will be required to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Currently, compliance with all 110 security requirements in NIST SP 800-171 is required only of defense contractors under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The proposed rule would expand this requirement to non-defense contractors handling CUI in the performance of a government contract.
- Contractors will be required to notify the contracting officer within eight hours of discovering any CUI that is not marked, not properly marked, not identified on the new standard form or involved in a suspected or confirmed CUI incident.
- "Federal contract information" under FAR 52.204-21 is now referred to as "covered federal information" (CFI) and is not considered CUI. Contractors are required to safeguard CFI in accordance with FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (which mandates compliance with 17 of the 110 NIST SP 800-171 controls), whereas CUI must be safeguarded in accordance with the proposed FAR 52.204-XX, Controlled Unclassified Information (which will require compliance with all 110 NIST SP 800-171 controls).
What Is CUI, and What Is the CUI Program?
CUI is unclassified "information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls."3
The CUI Program, established via executive order (EO), codifies uniform policies and procedures for marking, safeguarding, disseminating, decontrolling and disposing of CUI for federal executive branch agencies at 32 C.F.R. part 2002. The regulations do not apply directly to "non-executive branch entities" (i.e., contractors and grant recipients) but do apply "indirectly" to non-executive branch CUI recipients, through incorporation into agreements.4
The Proposed FAR Rule
The proposed FAR rule aims to implement the CUI Program as it relates to federal contractors. To do this, the FAR Council is proposing a new standard form (SF) for contracting officers to identify and communicate the information contractors must manage and safeguard as CUI; a new solicitation provision (FAR 52.204-WW: Notice of Controlled Unclassified Information Requirements); and two new FAR clauses (FAR 52.204-XX and FAR 52.204-YY: Identifying and Reporting Information That Is Potentially Controlled Unclassified Information).
Federal Contract Information Is Now "Covered Federal Information"; Covered Federal Information Is Not Considered CUI
A key point from the proposed rule is that it removes the definition for "federal contract information" (FCI) from FAR 52.204-21 and substitutes the phrase "covered federal information" in its place.5 This was done to align with the term "covered contractor information system."
Consistent with existing regulations, the proposed regulations define "CUI" to specifically exclude classified information, covered federal information (now "CFI," formerly "FCI"); information a contractor "possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency" and certain federally funded basic and applied research.6
The proposed rule explains that CFI is "more ubiquitous" and "a much broader category than CUI[.]"7 Federal contractors that handle CFI on their information systems are required to implement 17 of the 110 security requirements in NIST SP 800-171, pursuant to FAR 52.204-21. Thus, as explained more fully below, federal contractors that handle only CFI will be required to maintain these 17 security requirements, whereas non-defense contractors that handle CUI will soon be required to implement all 110 security requirements in NIST SP 800-171.8
New Standard Form and the Proposed Solicitation Provision
The FAR Council's proposal of a new standard form (SF XXX) should be a welcome change for contractors. Under the proposed rule, procuring agencies will be required to prepare an SF that identifies what CUI is involved in the contract and specifies if and how the contractor is to mark CUI during contract performance (e.g., when the contractor is generating or developing the CUI). The SF XXX will be included in solicitations and contracts that may result in the handling of CUI during contract performance and ultimately become performance requirements that the contractor must adhere to. Additionally, the SF XXX is to specify requirements for contractor employee trainings on properly handling CUI, as well as the frequency at which the contractor must provide the training.
Though it has always been the case that anyone can create CUI (as long as the information is created for or on behalf of an executive branch agency and it falls into one of the CUI categories), contractors often lack clarity in terms of whether certain information received or developed during contract performance constitutes CUI that must be controlled. This has been the case even though the CUI regulations and published agency guidance provide that the government activity is responsible for identifying information as CUI and communicating the applicable protective measures and dissemination controls via the contract.
Using SF XXX to identify the CUI involved in contract performance and to specify the required safeguarding and dissemination controls should greatly reduce the uncertainty contractors currently may experience in identifying, marking and controlling CUI.
That said, the government is not assuming all responsibility for identifying and marking CUI. The proposed solicitation provision, FAR 52.204-WW, will require contractors to notify their contracting officer within eight hours if the contractor discovers any CUI that is not marked, not properly marked or is not identified on the SF XXX.
And though the proposed clause FAR 52.204-XX provides that the contractor "is required to safeguard only the CUI that is identified in the SF XXX[,]" the clause nonetheless requires the contractor to appropriately safeguard any information it believes to be CUI that is not identified in the SF XXX or marked or properly marked until the contracting officer makes a determination.9
Proposed FAR Clause and Associated Compliance Requirements
The proposed FAR clause, FAR 52.204-XX, will incorporate the SF XXX into the contract and require the contractor to comply with applicable CUI requirements. The clause, which is modeled after the existing DFARS 252.204-7012 clause, seeks to impose the following compliance requirements:
- Review and Distribute the SF XXX. When the contract includes an SF XXX that identifies CUI, the contract will include the FAR CUI clause. The contractor is responsible for reviewing the SF XXX to determine what information is considered CUI and subject to the compliance requirements of the CUI clause. If the contractor intends to flow down CUI to a subcontractor during performance, the contractor is responsible for preparing an SF XXX for the specific CUI that will flow down and distributing it to the subcontractor that will be handling CUI.
- Train Contractor Employees on Handling CUI. The proposed FAR clause prohibits contractors from permitting any employee "to have or retain access to, create, collect, use, process, store, maintain, disseminate, disclose, dispose of, or otherwise handle CUI unless the employee has completed training on properly handling CUI that, at a minimum, includes the elements required in the SF XXX."10 The SF XXX will also specify the frequency at which the contractor will be required to provide the training, "which is dependent on the type of CUI being handled and the criticality of the program being supported."11 Contractors must document evidence of employee trainings and be prepared to submit such documentation to the contracting officer upon request.
- Comply with NIST SP 800-171 Revision 2. For contractors operating nonfederal information systems (i.e., those that are not part of an information technology (IT) service or a system operated on behalf of the government) that process, store or transmit CUI identified in the contract, compliance with NIST SP 800-171 Revision 2 is required. Most U.S. Department of Defense (DOD) contractors will be familiar with this requirement already as compliance with the 110 security controls in NIST SP 800-171 is mandated under DFARS 252.204-7012. Non-defense contractors that handle FCI (now CFI) should be familiar with 17 of the 110 security requirements as compliance with these controls is mandated under FAR 52.204-21. Though NIST has released Revision 3 of NIST SP 800-171, this initial rulemaking (and the initial rulemaking for DOD cybersecurity programs) is utilizing Revision 2 for now. It is anticipated that there will be a transition period to allow contractors to familiarize themselves with and implement Revision 3 in the next couple of years.
- Submit Supporting Documentation to Verify Compliance and Cooperate with Validation Actions. The proposed FAR clause will require contractors to submit their organization's "system security plan" to the contracting officer upon request, as required by NIST SP 800-171 Revision 2 (i.e., a description of how the contractor's organization meets or plans to meet the security requirements), along with any associated plans of action for planned implementations or mitigations. Additionally, contractors will be required to cooperate with an agency's validation actions in accordance with NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information – and, if applicable, NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. These types of validation actions are similar to those being conducted by DOD under DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, and may require the contractor to provide the agency with access to its facilities, systems and personnel.
- Comply with Any Additional Security Requirements Identified. As proposed, the FAR clause will require contractors to comply with any additional security requirements – beyond NIST SP 800-171 and those outlined in the SF XXX – to address any unique requirements or to "provide adequate security in a dynamic environment[.]"12
- Comply with Additional Notification Requirements. In addition to the requirements in the new solicitation provision, the new FAR clause will require contractors to notify the contracting officer within eight hours of discovery of any CUI that is not marked, not properly marked, not identified in the SF XXX or is part of a suspected or confirmed "CUI incident." As defined in the proposed rule, a CUI incident means "improper access, use, disclosure, modification, or destruction of CUI, in any form or medium." The proposed regulation provides that "[u]nmarked or mismarked CUI is not considered a CUI incident unless the mismarking or lack of marking has resulted in the mishandling or improper dissemination of the information."13
- Assess and Report Suspected "CUI Incidents." In the event of a suspected or confirmed CUI incident, as noted, contractors will be required to file a report within eight hours of discovery. The initial report is to include "[a]s many of the applicable data elements" listed on the Defense Industrial Base Cybersecurity Portal as possible and be supplemented with additional applicable data as it becomes available. Additionally, the contractor will be required to 1) determine and inventory what CUI was or could have been implicated, 2) construct a timeline of user activity, 3) determine the methods and techniques used to access the CUI, and 4) cooperate and exchange information with agency officials as necessary to effectively report and manage the incident. Critically, the proposed regulation provides, "If the Contractor is determined to be at fault for a CUI incident (e.g., not safeguarding CUI in accordance with contract requirements), the Contractor may be financially liable for Government costs incurred in the course of the response and mitigation efforts in addition to any other damages at law or remedies available to the Government for noncompliance."14
- Preserve and Protect. In addition to the reporting and assessment requirements, in the event of a suspected or confirmed CUI incident, contractors will be required to "preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days from the submission of the report[.]"15
There are additional compliance requirements for a limited number of contractors that handle high-value CUI or operate federal systems.16
Conclusion
Once implemented, the new FAR rule is expected to provide much-needed clarity and direction for both industry and government navigating the complex issues surrounding management of sensitive information in the performance of federal contracts. If you have any questions about the proposed rule or cybersecurity requirements for federal contractors generally, please contact the authors.
Notes
1 Federal Acquisition Regulation: Controlled Unclassified Information, 90 Fed. Reg. 4,278 (proposed Jan. 15, 2025) (to be codified throughout 48 C.F.R.).
2 Id. at 4,279.
3 32 C.F.R. § 2002.4(h).
4 32 C.F.R. § 2002.1(f).
5 90 Fed. Reg. 4,278 at 4,296 (to be codified at FAR 52.204-21).
6 See id.; see also id. at 4,290 (to be codified at FAR 2.101).
7 Id. at 4,280.
8 This is already a requirement for most defense contractors pursuant to DFARS 252.204-7012; see also 90 Fed. Reg. 4,278 at 4,298 (to be codified at FAR 52.204-XX) (noting, "When information is not identified as CUI, it may be covered Federal information requiring information system security controls in accordance with [FAR 52.204-21].").
9 See 90 Fed. Reg. 4,278 at 4,297 (to be codified at FAR 52.204-XX).
10 Id. at 4,298 (to be codified at FAR 52.204-XX).
11 Id. at 4,287.
12 Id. at 4,298 (to be codified at FAR 52.204-XX).
13 Id. at 4,298, 4,299 (to be codified at FAR 52.204-XX).
14 Id. at 4,299 (to be codified at FAR 52.204-XX).
15 Id.
16 E.g., compliance with NIST SP 800-172 (applicable only to components of nonfederal systems that process, store or transmit CUI or provide security protection for such components when the designated CUI is associated with a critical program or high-value asset); compliance with NIST SP 800-53 (applicable to contractors operating an information system identified as a federal information system).