

By: Nicholas Williamson on March 14th, 2025


New FAR Rule for Controlled Unclassified Information (CUI) On the Horizon

Government | Technology | 3 Min Read

Contractors need to keep a lookout for new cybersecurity regulations or requirements when completing work for federally funded contracts. The newly proposed CUI rule, submitted by the Federal Acquisition Regulation (FAR) Council earlier this year, is aimed at standardizing the handling of Controlled Unclassified Information (CUI). This proposed rule was created to enhance the integrity and security of federal contracting processes by establishing uniform requirements across agencies for safeguarding CUI.

The FAR Council also plans to address challenges in federal acquisitions related to the handling and protection of CUI within this rule. The absence of standardized guidelines has led to different regulations among agencies, creating compliance issues for contractors. This new rule will consolidate these requirements, providing a plan for identifying, marking, and handling CUI in federal contracts. Let’s dive into this rule and what it means for contractors.

What is Controlled Unclassified Information (CUI)?

The federal government defines CUI as “information that the Government creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” CUI refers to information that, while unclassified, requires safeguarding or dissemination control due to federal laws, regulations, or government-wide policies.

Currently, the rules and regulations vary from federal agency to federal agency, which could lead to confusion and compliance issues for contractors. The new CUI rule would establish a clear, consistent plan for managing a contractor’s CUI throughout federal contracting.

Key Aspects of the Proposed CUI Rule

  1. Standardization of Definitions: The proposed rule would introduce uniform definitions for CUI, ensuring consistency across all federal agencies.
  2. Standard Form: The rule would also introduce Standard Form (SF) XXX, CUI Requirements, as a new compliance mechanism to standardize the management and safeguarding of CUI.
  3. Safeguarding Requirements: Contractors must implement specific security measures to protect CUI, aligning with the National Institute of Standards and Technology (NIST) guidelines.
  4. Incident Reporting: Contractors must report suspected or confirmed CUI incidents within eight (8) hours of discovery, allowing the federal government to respond swiftly and mitigate potential damages.
  5. Required Training: The proposed rule will also standardize a training requirement for all contractor employees who might handle CUI, although the rule does defer to the agency for specific aspects.
  6. Flow-Down Clauses for Subcontractors: Prime contractors are required to include CUI safeguarding clauses in their subcontracts, ensuring that subcontractors adhere to the same security standards.

Similarities with CMMC Compliance

Defense contractors will also need to keep an eye on the new proposed rule. While the Cybersecurity Maturity Model Certification (CMMC) imposes certification-based security measures on contractors handling CUI for defense contracting, the FAR CUI rule will add to CMMC compliance by standardizing and consolidating the language across all agencies. Contractors that are able to meet CMMC requirements should have no issue meeting and maintaining compliance with the proposed rule.

Next Steps for Federal Contractors

The proposed rule is a significant change for contractors who regularly handle CUI or plan to expand their services in ways that may include the use of CUI. However, the rule should strengthen the security of sensitive but unclassified information within federal procurement. For contractors, this means that you may need to adapt to new compliance obligations and implement stricter security measures.

If you are a contractor that handles CUI, there are a few steps that you should consider. First, you should familiarize yourself with the specific requirements imposed by the rule, especially the new 8-hour incident reporting window. Additionally, it’s recommended to update your incident response plan to include this brief reporting timeframe.

You will also likely need to compare your existing cybersecurity measures against the new proposed rule to ensure compliance and identify any potential problem areas. Lastly, contractors will want to establish procedures to ensure subcontractor compliance, including updates to contractual obligations to reflect these new changes.

Staying Ahead of Future Regulations

The FAR Council’s proposed rule on CUI is a significant step forward in consolidating the many differing rules and regulations between federal agencies. It will standardize the requirements to ensure contractor compliance and ensure data security for the federal government. By being proactive and identifying any potential compliance issues, contractors can stay on top of the changing regulations. If you’re unsure of what your next steps are or of the potential implications of the new proposed rule for your contract, reach out to your Winvale consultant today.


About Nicholas Williamson

Nicholas Williamson is a Lead Consultant for Winvale. Nicholas is a native of Roanoke, Virginia and a recent graduate of James Madison University with a Bachelor of Arts degree in Political Science.