FAR CUI Proposed Rule: An 8-Hour Clock and a Government-Wide Standard

The January 15, 2025 FAR CUI rule extends NIST SP 800-171 to every federal contractor and adds an 8-hour incident reporting clock for non-federal facilities.

Shadab Khan
Security Engineer

The Federal Acquisition Regulation (FAR) Council published the long-anticipated Controlled Unclassified Information proposed rule on January 15, 2025 (90 FR 4283). The CUI framework it implements dates to 2010, when Executive Order 13556 created the CUI program and placed its executive agent in the National Archives and Records Administration. Its arrival closes the gap between DoD contractors (who have been subject to DFARS 252.204-7012 since 2016) and the rest of the federal contracting base (who have not been subject to comparable controls). The 60-day comment period closed March 17, 2025. The final rule has not been published as of late 2025, but the structure is unlikely to shift materially. For contractors selling to any federal agency, this is the regulation that finally federalizes CUI handling.

What does the proposed rule actually require?

Three new FAR clauses. FAR 52.204-WW informs offerors of restricted-use requirements on Government-provided information and procedures for notifying the Government of unmarked or mismarked CUI. FAR 52.204-XX is the substantive clause inserted where the government expects the contractor will handle CUI; it requires compliance with NIST SP 800-171 Rev. 2 and additional security requirements specified on a Standard Form, an 8-hour incident reporting timeline, and flow-down to subcontractors at any tier. FAR 52.204-YY is inserted where the agency has determined CUI is not involved, and requires contractors to notify the government within 8 hours if they discover CUI during performance. The structure deliberately mirrors DFARS 252.204-7012, but expanded government-wide and with a tighter incident clock.

Why the 8-hour incident clock?

DFARS 252.204-7012 requires reporting cyber incidents affecting Covered Defense Information within 72 hours to DIBNet. The FAR CUI proposed rule imposes 8 hours for incidents involving CUI at non-federally controlled facilities — eight, not 72. The preamble explains the choice: civilian agencies do not have DIBNet-equivalent infrastructure, the broader contractor population includes entities new to formal cyber reporting, and the shorter window forces tighter incident response capabilities at the contractor. Industry comments contested the 8-hour clock as operationally impractical, particularly for small and medium businesses. The final rule may extend the window or stratify it by contractor size; both options were discussed in the preamble. Even the most aggressive industry counter-proposal accepts a 24-hour clock as a worst-case outcome.

What does the new Standard Form do?

The proposed rule introduces a new Standard Form (SF XXX in the NPRM, number TBD) that the agency completes during solicitation drafting. The form indicates whether CUI is involved in the contract, identifies the specific CUI categories (controlled technical information, export controlled, financial records, source selection information, and so on), and lists any additional security requirements above NIST SP 800-171 Rev. 2 that the agency requires. The form becomes part of the contract documentation. The structure shifts CUI handling from a contractor inference exercise (which has produced inconsistent practice for 15 years) to an explicit agency designation. It also creates a stable audit trail: a contractor's CUI handling obligations are now contained in a single attached form rather than scattered across contract clauses and statements of work.

FAR CUI Proposed Rule: Clause matrix (90 FR 4283)
+----------------+-----------------------------------------+
| Clause         | Applies When                            |
+----------------+-----------------------------------------+
| 52.204-WW      | Government-provided information present |
|                | (informational; restricted use)         |
| 52.204-XX      | CUI is involved in the contract         |
|                | (substantive; 800-171, 8h reporting)    |
| 52.204-YY      | Agency determined CUI not involved      |
|                | (notification if CUI discovered)        |
+----------------+-----------------------------------------+

Subcontractor flow-down: Required at any tier
Standard Form: Attached to solicitation, completed by agency
NIST SP 800-171: Revision 2 (as cited in the NPRM; consistent with DoD's current class deviation for DFARS 252.204-7012)

How does this interact with CMMC?

CMMC applies only to DoD contracts. The FAR CUI rule applies government-wide. Where the two overlap — a DoD contract handling CUI — the contractor will be subject to both. The proposed rule explicitly states that CMMC continues to govern DoD contracts, and that the FAR CUI rule does not create duplicative assessment requirements. In practice, a contractor with CMMC Level 2 certification will satisfy the NIST SP 800-171 compliance element of FAR 52.204-XX. The 8-hour incident reporting requirement, however, is additive: a DoD contractor reporting under DFARS 252.204-7012 within 72 hours will need to also report within 8 hours under the FAR clause if a civilian-agency CUI element is in scope. The dual-report scenario is real for contractors with mixed portfolios.

What is the assessment expectation?

Unlike CMMC, the FAR CUI proposed rule does not require third-party assessment. The contractor self-attests to compliance with NIST SP 800-171, similar to the DFARS 252.204-7019/7020 Basic self-assessment regime that DoD introduced in 2020 ahead of CMMC enforcement. The assessment artifacts (System Security Plan, Plan of Action and Milestones, SPRS-equivalent score) are expected to follow the existing structure. The civilian-agency equivalent of SPRS has not been specified; the preamble references "an electronic repository" that the FAR Council will identify in the final rule. Without third-party assessment, enforcement will likely depend on False Claims Act exposure and contracting officer due diligence, which is a softer regime than CMMC's C3PAO model.

Who is affected?

Approximately 195,000 federal contractors hold one or more federal awards. Of these, the FAR Council estimates that roughly 80,000 will handle CUI in some form. The civilian portion of that population — contractors selling to GSA, HHS, DOI, Treasury, and so on — has not historically been subject to the 800-171 requirements that defense contractors have lived with. For these entities, the proposed rule is a significant new compliance obligation. For contractors already subject to DFARS 252.204-7012, the marginal cost is lower: the 800-171 SSP is already in place, and the additional cost is primarily in tightening incident response to the 8-hour clock and managing the dual-report scenario.

What should contractors do now?

Build the SSP if you do not have one. The NIST SP 800-171 Rev. 2 control set is the floor. If you already have a CMMC-aligned SSP, the FAR rule will not require a new artifact. If you do not, the 110 controls are the place to start. Pre-stage your incident response runbook to the 8-hour clock; the documentation, contact lists, and notification templates need to exist before an incident, not be assembled during one. For contractors with both DoD and civilian portfolios, build the dual-report capability — a single detection should produce both a DFARS 7012-compatible report (72 hours, DIBNet, more detailed) and a FAR CUI-compatible report (8 hours, civilian agency, summary). And start mapping which of your subcontractors will need flow-down clauses, because the rule extends responsibility down any tier.
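The dual-report scenario above is easy to get wrong under pressure, usually on the clock arithmetic (a local, DST-affected detection time) or on forgetting that one detection touches several awards with different clauses. The following is an added illustration, not code from the article or from any product it mentions: given a timezone-aware detection time and the awards an incident touches, it lists every report due, in deadline order, with the channel and level of detail the article describes. The 8-hour and 72-hour figures are the ones the article quotes; the award identifiers, the `Contract`/`Obligation` shapes and the channel labels are assumptions for the example.

```python
"""Added example (not from the article): enumerate incident-reporting obligations
and absolute deadlines for a mixed DoD / civilian CUI portfolio."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reporting regimes. Hours are those the article cites (72h DFARS 7012, 8h proposed
# FAR 52.204-XX); channel/detail labels are assumed for illustration.
REGIMES = {
    "DFARS 252.204-7012": {"hours": 72, "channel": "DIBNet", "detail": "full narrative"},
    "FAR 52.204-XX": {"hours": 8, "channel": "contracting agency", "detail": "summary"},
}


@dataclass(frozen=True)
class Contract:
    award_id: str
    agency: str
    clauses: frozenset  # clause names present in the award


@dataclass(frozen=True)
class Obligation:
    award_id: str
    clause: str
    channel: str
    detail: str
    due: datetime  # absolute UTC deadline


def reporting_obligations(detected_at, affected_awards, contracts):
    """One Obligation per (affected award, reporting clause), earliest deadline first.

    The clocks run from discovery, so the detection time must be timezone-aware;
    a naive local time is rejected rather than silently shifted by a DST offset.
    Awards carrying only 52.204-YY produce no incident report here (that clause
    only requires notice when CUI is discovered)."""
    if detected_at.tzinfo is None:
        raise ValueError("detection time must be timezone-aware")
    detected_utc = detected_at.astimezone(timezone.utc)
    obligations = []
    for award_id in affected_awards:
        contract = contracts[award_id]
        for clause in sorted(contract.clauses):
            regime = REGIMES.get(clause)
            if regime is None:
                continue
            obligations.append(Obligation(
                award_id=award_id,
                clause=clause,
                channel=regime["channel"],
                detail=regime["detail"],
                due=detected_utc + timedelta(hours=regime["hours"]),
            ))
    return sorted(obligations, key=lambda o: (o.due, o.award_id))


def hours_remaining(obligation, now):
    """Hours left on an obligation; negative means the window has already closed."""
    if now.tzinfo is None:
        raise ValueError("clock time must be timezone-aware")
    return (obligation.due - now.astimezone(timezone.utc)).total_seconds() / 3600


def is_dual_report(obligations):
    """True when one detection must be reported under more than one regime."""
    return len({o.clause for o in obligations}) > 1


# Constructed sample portfolio: award numbers and agencies are made up.
SAMPLE_CONTRACTS = {
    "DOD-0001": Contract("DOD-0001", "DoD", frozenset({"DFARS 252.204-7012"})),
    "HHS-0002": Contract("HHS-0002", "HHS", frozenset({"FAR 52.204-XX"})),
    "GSA-0003": Contract("GSA-0003", "GSA", frozenset({"FAR 52.204-YY"})),
}
# Constructed detection time: 14:30 US Eastern Daylight Time (UTC-4).
SAMPLE_DETECTION = datetime(2025, 6, 1, 14, 30, tzinfo=timezone(timedelta(hours=-4)))

if __name__ == "__main__":
    affected = ["DOD-0001", "HHS-0002", "GSA-0003"]
    for o in reporting_obligations(SAMPLE_DETECTION, affected, SAMPLE_CONTRACTS):
        print(f"{o.award_id} {o.clause}: {o.detail} report via {o.channel} "
              f"by {o.due.isoformat()} ({hours_remaining(o, SAMPLE_DETECTION):.0f}h)")
```

Run as a script it prints the civilian 8-hour report first and the DIBNet 72-hour report second, both as UTC deadlines, and nothing for the 52.204-YY award. The point of keeping deadlines absolute and UTC-only is that the runbook, the ticketing system and the on-call engineer then all agree on the same instant, which is what an 8-hour window leaves no room to argue about.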

How Safeguard Helps

Safeguard maintains a single source of truth for NIST SP 800-171 control implementation that produces both the DFARS 252.204-7012 SSP and the FAR 52.204-XX self-attestation artifact, eliminating the dual-maintenance burden. The platform's incident workflow includes a configurable 8-hour clock with pre-staged notification templates for civilian-agency CUI events, alongside the 72-hour DIBNet workflow for DoD events. Griffin AI tracks the CUI Standard Form attached to each contract and binds it to the relevant security boundary, so contractors know which controls apply per award. For flow-down management, TPRM continuously scores subcontractors against the FAR CUI clause requirements and alerts the prime when a subcontractor's posture drifts, before the agency's review.
