April 01, 2025

CUI For the Rest of Us: The New Government-Wide CUI Protection Contract Clause

Written by Chris Camejo
Government Contractor Compliance

Department of Defense (DOD) contractors are likely already familiar with the protection of Controlled Unclassified Information (CUI), but contractors working exclusively with other government agencies have mostly avoided CUI related compliance requirements. A new proposed government-wide contract clause for the protection of CUI will bring detailed CUI protection requirements to all government contractors, including some requirements for contractors that don’t handle CUI.

To learn more about what government contractors, including DOD contractors, will need to do to comply with the new CUI requirements, read this blog.

What is CUI?

CUI is a designation used for information that the government itself is required to protect as per a specific law, regulation, or government-wide policy. The CUI program is intended to replace the variety of agency-specific legacy designations like Sensitive but Unclassified (SBU), For Official Use Only (FOUO), Law Enforcement Sensitive (LES), etc.

From a contractor’s perspective, CUI can be thought of as a subset of Federal Contract Information (FCI) that all government contractors are already required to protect using the 15 Basic Safeguards as per the FAR 52.204-21 contract clause. All information provided by or generated for the government under a contract is FCI unless that information is classified, intended for public release, or is purely transactional (e.g., payment details). If there is a law, regulation, or government-wide policy that requires the government itself (not the contractor) to protect a certain piece of information, then that piece of information, which would otherwise be FCI, becomes CUI.

It should be easy for contractors to tell when they are handling CUI because the government is required to mark all documents (including emails) containing CUI with a banner that says either “CUI” or “CONTROLLED” and the name of the agency that designated it as CUI (an optional cover page and additional markings may also be applied). The government should also tell the contractor which information the contractor creates needs to be designated as CUI.

Contractors that want to understand more about the CUI program in general may want to review our previous blog post and webinar that take a deep dive into this topic. We also have a webinar specific to the DOD CUI contractor compliance program: DOD Contract Compliance: DFARS 7012 and CMMC.

What About Other Markings?

The government uses lots of different document markings, but only “CUI” or “CONTROLLED” banners indicate the presence of CUI. Other markings may be legacy markings that have since been merged into the CUI program as categories of CUI. Some may be markings used internally by agencies or markings related to other laws and regulations that have no bearing on the CUI program.

When agencies implement the CUI program, they must stop using legacy markings on new documents and must apply CUI markings to all relevant legacy documents before releasing them outside their own agency.

Contractors should not assume that all documents with legacy markings are or will become CUI. Many of these markings are the result of an agency's own internal policies (as opposed to a government-wide policy necessary for a CUI designation) and cannot be CUI because there is no other law, regulation, or government-wide policy that applies to the information.

Similarly, internal markings may still be used by agencies and may appear on documents regardless of whether they are CUI. The presence of these markings does not indicate the presence or absence of CUI because they are based on internal agency policies independent of the CUI program.

What is a Contractor’s Relationship With CUI?

There are no laws or regulations that directly apply CUI protection requirements to anyone outside of the government. This means a contractor’s obligations with regard to CUI are purely contractual.

Each document containing CUI must be protected in accordance with the requirements of the contract it is received under. There is no single universal set of rules for contractors to protect CUI because:

  • Standard CUI protection clauses already in use by various agencies differ from each other.
  • Agencies revise their contract clauses from time to time.
  • Some contracts may require extra protection for certain categories of CUI.
  • The new government-wide CUI contract clause is in addition to existing agency-specific CUI contract clauses and does not replace them with a single standard.

Relationship With Other Contract Clauses

Some contractors may be handling legacy data that predates the CUI program (or a specific agency’s adoption of the CUI program), while other contractors may already have CUI protection clauses from specific agencies.

The new CUI rule does not change any existing contracts. Contractors must continue handling legacy data and CUI in accordance with the requirements of the contracts that information was received under, even if they sign a new contract with this proposed CUI protection clause sometime in the future.

This new CUI protection clause effectively sets a government-wide minimum for contractor CUI protection in new contracts that individual agencies can build on with their own agency-specific clauses. The existing agency-specific CUI protection clauses (e.g., Department of Homeland Security’s HSAR 3052.204-72 and DOD’s DFARS 252.204-7012 and upcoming DFARS 252.204-7021 / CMMC clauses) will be included in relevant contracts and remain fully applicable in addition to this new government-wide clause. There may be some overlap between the new government-wide clause and existing agency-specific clauses, but these may be resolved over time as agency-specific clauses are modified to omit overlaps.

The new government-wide clause is based on the existing DFARS 252.204-7012 clause, so not much effort should be required for DOD contractors that are already protecting CUI to align with the new clause. The proposed rule contains a list of requirements that will be new for DOD contractors that already comply with DFARS 252.204-7012 and a list of requirements that are already covered by DFARS 252.204-7012.

What if I Don’t Handle CUI?

The proposed rule introduces a new contract clause specifically for contractors that are not expected to handle CUI under a contract. This clause is temporarily referred to in the proposal as FAR 52.204-YY and will be assigned a permanent number once the Final Rule is published.

This clause requires the contractor to:

  • Notify the government within 8 hours:
    • Upon receiving information believed to be CUI (whether properly or improperly marked) and protect that information until the government makes a determination.
    • If information believed to be CUI is involved in a security incident and cooperate with government Incident Response requirements.
  • Identify information owned by the contractor before providing it to the government, e.g., contractor bid or proposal information, contractor-attributional information, or contractor proprietary business information.
  • Pass the entire FAR 52.204-YY contract clause along unaltered in any subcontracts.

The notification requirements are notable. As CUI protection obligations are purely contractual, contractors that receive CUI without a CUI protection agreement in place are currently under no legal obligation to protect or report that CUI. These parts of the clause will effectively put all federal contractors under at least a basic CUI protection agreement for the first time.

The requirement to identify contractor-owned information exists because procurement and acquisition, source selection, and proprietary business information are all categories of CUI that the government must protect as per a long list of laws and regulations. This does not mean the contractor must start treating their own proprietary information as CUI because it was provided to the government. From a contractor’s perspective, the definitions of FCI and CUI only apply to information they create if it is created specifically for the government under a contract; therefore, information created independently of a government contract cannot be FCI or CUI. Although the government must protect the contractor’s proprietary information as CUI, the contractor remains free to do whatever they want with their own information.

What if I Do Handle CUI?

The proposed rule introduces another new contract clause specifically for contractors that are expected to handle CUI under a contract. This clause is temporarily referred to in the proposal as FAR 52.204-XX and will also be assigned a permanent number once the Final Rule is published.

This clause requires the government to include a new standard form, SF XXX (also a temporary designation), with the contract. This form will identify in detail all of the CUI that a contractor is expected to receive and/or create under the contract along with agency-specific requirements. This mandatory list of CUI should help clear up confusion among contractors with CUI protection agreements that are unsure of what, if any, CUI they are handling.

The requirements of the FAR 52.204-YY non-CUI clause described above are included in the FAR 52.204-XX CUI clause with a few differences:

  • Notify the government within 8 hours upon receiving information believed to be CUI that is not listed in the SF XXX form (as opposed to all CUI in the FAR 52.204-YY clause) or is not properly marked and protect that information until the government makes a determination.
  • Follow the detailed incident response procedures in FAR 52.204-XX if information believed to be CUI is involved in a security incident (as opposed to the simple 8 hour reporting requirement in FAR 52.204-YY).
  • Identify information owned by the contractor before providing it to the government, e.g., contractor bid or proposal information, contractor-attributional information, or contractor proprietary business information (no changes from FAR 52.204-YY).
  • Pass the entire unaltered FAR 52.204-XX contract clause in any subcontracts that will involve CUI (as opposed to all subcontracts for FAR 52.204-YY) along with the SF XXX form modified to reflect the CUI a subcontractor will be handling.

In addition to the requirements shared with FAR 52.204-YY above, the FAR 52.204-XX clause requires the contractor to:

  • Notify the government within 8 hours if there is inconsistency between the contract clause and the SF XXX form.
  • Only allow access to CUI as described in the SF XXX form.
  • Provide employees that will handle CUI with initial and periodic training including general CUI training and additional agency-specific training described in the SF XXX form.
  • Maintain training documentation and provide it to the agency upon request.
  • When contractor personnel handle CUI within a Federally-controlled facility:
    • Follow agency policies identified in SF XXX form.
    • Meet training and access prerequisites listed in the SF XXX form.
  • When contractor personnel handle CUI outside a Federally-controlled facility:
    • Follow CUI policies.
    • Meet requirements listed in the SF XXX form.
  • When operating a Federal Information System on behalf of the government (as identified in the SF XXX and explained below):
    • Implement agency-specific NIST SP 800-53 requirements and any additional requirements listed in the SF XXX form.
    • Require cloud computing services to meet at least the FedRAMP Moderate baseline plus any agency-specific requirements.
    • Report CUI incidents in accordance with agency policy.
  • For non-Federal information systems (i.e., contractor owned systems):
    • Implement the security controls from NIST SP 800-171r2.
    • Implement security controls from NIST SP 800-172 identified by the agency in the SF XXX form.
    • Implement agency-specific requirements in the SF XXX form.
    • Implement additional requirements the contractor deems necessary (described in more detail below).
    • Require cloud services used to handle CUI to meet the FedRAMP Moderate baseline plus agency-specific requirements in the SF XXX form and any additional requirements the contractor deems necessary.
    • Submit the System Security Plan (SSP) and any Plans of Action and Milestones (POA&Ms), both explained below, to the government upon request.
    • Allow the agency to validate compliance with NIST SP 800-171 and NIST SP 800-172.
    • Report any suspected or confirmed CUI incident within 8 hours, including specific data elements in the initial report.
  • Submit supporting documentation to verify compliance and provide access to contractor facilities if required by the agency.
  • Document specific details of any CUI incidents; protect system images, packet captures, and other monitoring data from an incident for 90 days; and share this information as requested by the Government.
  • Follow any reporting requirements listed in the SF XXX form.

The SF XXX form

Clearly, the SF XXX document is very important as it describes both the CUI that must be protected as well as the requirements an agency is imposing regarding the CUI handled under a specific contract. A draft of this form is available in the proposal which shows the level of detail that can be expected.

The numerous references to the SF XXX form in FAR 52.204-XX also emphasize that there is no “one size fits all” approach to handling CUI. The new contract clause establishes minimum requirements for handling CUI, but there will be a variety of additional requirements depending on what CUI is being handled and which agency it is handled on behalf of.

Subcontracts

The FAR 52.204-XX clause should only be passed on to subcontractors that will handle CUI, and the clause requires contractors to review and adjust the SF XXX before sending it to subcontractors. This should make it clear to each subcontractor what CUI they are responsible for.

That said, there are concerns that lazy contractors may include the FAR 52.204-XX clause and the original unaltered SF XXX in every subcontract regardless of what CUI, if any, will be passed along, leading to confusion about subcontractor CUI responsibilities. Subcontractors should be prepared for this possibility and should push back before signing a subcontract to get an accurate SF XXX or get the FAR 52.204-XX clause removed when appropriate.

Unmarked CUI and creating CUI

Contractors subject to existing CUI protection agreements are often confused about the potential for receiving unmarked CUI and their responsibilities for marking CUI.

There is a common myth that nearly any information received from the government may be CUI, even if it does not carry CUI markings. This is not true (that information is likely FCI, not CUI). The FAR 52.204-XX and FAR 52.204-YY reporting requirements for mismarked CUI make clear that unmarked CUI should be a rare exception; otherwise the government would be flooded with reports.

Another myth is that nearly any information a contractor creates may be CUI and must be marked by the contractor. Again, this is not true (that information is likely FCI). FAR 52.204-XX makes clear that contractors are only expected to identify and mark CUI specifically listed in the SF XXX form.

Federal Information Systems operated on behalf of the government

A system operated on behalf of the government is not the same as a contractor’s own systems.

The terms “Federal Information System” and “system operated on behalf of the government” denote systems that the government treats as its own, but whose operation has been outsourced to a contractor. This is often applicable to cloud services used by government agencies. The SF XXX form will identify when contractors are operating Federal Information Systems. These systems are subject to the NIST SP 800-53 security controls that the government uses for all of its systems (FedRAMP is a cloud-specific certification program for NIST SP 800-53 compliance).

A contractor’s own systems are not Federal Information Systems and are subject to the security controls in NIST SP 800-171 (and potentially NIST SP 800-172) rather than the NIST SP 800-53 or FedRAMP security controls that are applied to Federal Information Systems. NIST SP 800-171 and NIST SP 800-172 are derivatives of NIST SP 800-53 written specifically for non-Federal information systems handling CUI.

Additional requirements deemed necessary by the contractor

The requirement to implement additional requirements deemed necessary by the contractor is a notable catch-all and aligns with a similar clause in the DOD’s current DFARS 252.204-7012 CUI protection clause. This is telling contractors that the NIST SP 800-171, NIST SP 800-53, and FedRAMP safeguarding requirements in this clause are the minimum, and adhering to the published safeguards is not an excuse to ignore other obvious security issues that are not addressed by them.

Contractors should perform a risk assessment of their environment to determine if there are additional threats that are not adequately mitigated by the requirements and address those threats. NIST SP 800-37 defines a risk management program suitable for this purpose, and NIST SP 800-30 provides a step-by-step risk assessment methodology.

SSPs and POA&Ms

SSPs and POA&Ms are foundational documents for NIST SP 800-171 and NIST SP 800-53 (including FedRAMP) and are critically important to understand and document correctly but are often misunderstood and neglected by contractors. These are not the same as a contractor’s own internal policies and procedures.

The United States Government has an ongoing suit against Georgia Tech because Georgia Tech initially failed to document an SSP, then documented an SSP with an incorrect scope, and submitted an incorrect self-assessment score to the DOD based on an SSP describing a fictitious environment that was not the environment used to handle CUI.

The SSP defines the collection of individual components such as servers, workstations, networking devices, people, locations, and security controls that work together to implement a business process that handles CUI. The SSP must document the following information in detail:

  • Physical and logical boundaries and interconnections of the system that handles CUI
  • A hardware and software inventory of the system
  • Ownership and responsibilities for the system
  • The roles and number of personnel accessing the system
  • Details of how every applicable security control from NIST SP 800-171 or NIST SP 800-53 and other applicable requirements are implemented with justification for each security control deemed not applicable.

The POA&M is used when required security controls are not currently met. In some cases, contractors may be able to handle CUI on a system that is not 100% compliant once POA&Ms have been created. The POA&M documents:

  • The security weakness (i.e., missing control)
  • Responsibility for remediation
  • Required resources
  • Scheduled completion
  • Milestones
  • Current status

SSP and POA&M templates are available on the NIST SP 800-171 and FedRAMP websites.

What is the Rollout Timeline?

The proposed rule was published on January 15, 2025, and the public comment period closed on March 17, 2025. It usually takes about a year for the government to review and reply to public comments, so we should expect a Final Rule to be published in early 2026. The Final Rule may become effective immediately when it is published or may contain a future rollout date.

Regardless of when the Final Rule becomes effective, it does not immediately change anything that contractors are doing. As explained above, a contractor’s obligations with regard to CUI are purely contractual so none of the new requirements will apply to a contractor until it enters into a new contract with the new CUI protection clause. Even then, the new requirements only apply to CUI handled under that specific contract and do not change any protection obligations for information handled under prior contracts. Contractors that are not ready to handle CUI can make the business decision to refuse contracts that contain the CUI protection clause.

It should also go without saying that the Final Rule may differ from the proposal as a result of the public comments. However, the broad principles in this clause are already well established and are not expected to change so contractors can start preparing now:

  • NIST SP 800-53 Moderate baseline controls (including FedRAMP Moderate for cloud services) must be used to protect CUI on Federal Information Systems.
  • NIST SP 800-171 controls must be used to protect CUI on Non-Federal Information Systems (i.e., contractor systems).

What Are the Penalties?

The new rule does not contain any explicit penalties of its own. Failure to comply with contract terms is instead covered under the False Claims Act (31 U.S.C. §§ 3729 – 3733). Effectively, a contractor is claiming that they will implement the CUI protection requirements when they agree to a contract containing a relevant clause and failure to implement those requirements is a false claim.

Violations of the False Claims Act result in liability for triple the government’s damages plus a penalty fine. The penalty is regularly adjusted for inflation and as of February 12, 2024, ranges from $13,946 to $27,894. The triple damages can be much more significant than the penalty.

The government regularly enforces the False Claims Act, with $2.9 billion in settlements and judgments in FY2024. This includes individual settlements of $7.6 million and $3.7 million specifically for failure to implement cybersecurity controls.

Next Steps

The first step for contractors that already handle CUI is to understand what CUI they are receiving and/or creating based on document markings and government instructions.

Contractors that are not currently receiving or creating CUI will need to think about what information they handle that may become CUI in the future, either because agencies they already work with implement the CUI program and remark legacy information, or because they sign new contracts with agencies that have already implemented the CUI program.

Contractors will also need to understand if they are operating a Federal Information System (described above), including a cloud service, or if they will only be handling CUI on their own non-federal contractor systems.

From there, contractors will need to write an SSP and any necessary POA&Ms (described above) that align with the minimum safeguard requirements that apply to the type of system(s) they operate that are or will be handling CUI:

  • Non-cloud Federal Information Systems: NIST SP 800-53 Moderate baseline
  • Cloud-based Federal Information Systems: FedRAMP Moderate baseline
  • Non-Federal Information Systems: NIST SP 800-171

Contractors need to consider how they are using any cloud services, as cloud services used to handle CUI must meet at least the FedRAMP Moderate baseline. Contractors may find that they need to switch cloud providers or stop using cloud services to handle CUI in order to achieve compliance.

It will also be important to understand additional agency-specific requirements beyond these minimums. This may include additional controls from NIST SP 800-53 and FedRAMP for Federal Information Systems, controls from NIST SP 800-172 for Non-Federal Information Systems, and/or additional agency-specific requirements for any system. Agencies may also impose additional compliance requirements for service providers that can access or affect the security of CUI, e.g., DOD’s CMMC program.

Even if agencies do not provide information on planned additional requirements yet, it will be much easier to add a few new controls to a well-defined system that meets the minimum safeguarding requirements than it would be to stand up a new system or bring an existing system into compliance from scratch to win a contract. It usually takes many months to initially implement the required controls.

Although this is a new contract clause, it relies on safeguarding standards that have long been widely used to protect CUI. TrustedSec has many years of experience helping contractors understand similar CUI protection contract clauses, reduce their compliance scope, and implement NIST SP 800-171, CMMC, NIST SP 800-53, and FedRAMP compliance programs. TrustedSec’s experience assessing government agencies’ own internal security controls against NIST SP 800-53 also helps us understand the level of detail that agencies expect from an SSP.

Organizations that are looking for help protecting CUI can reach us by filling out our contact form.