The FAR CUI Rule: Beyond DoD
Master the FAR CUI Rule with essential compliance steps for defense contractors.
---
Most people who know about CUI (Controlled Unclassified Information) requirements learned about them through the DoD (Department of Defense) and CMMC (Cybersecurity Maturity Model Certification). Fair — DoD has been the loudest and most structured about it. But DoD isn't the only agency with CUI to protect, and for years there's been a regulatory effort to extend CUI security requirements across the entire federal government.
That's the FAR CUI rule.
What FAR Is
FAR stands for the Federal Acquisition Regulation — the government-wide rulebook that governs how federal agencies buy goods and services. It applies to virtually every civilian agency: the Department of Energy, Health and Human Services, Transportation, Agriculture, and hundreds of others. When an agency wants to include a new requirement in contracts across the government, it works through FAR.
DFARS (Defense Federal Acquisition Regulation Supplement) is DoD's supplement to FAR — it adds requirements specific to defense contracts. DFARS is how the DoD has imposed CUI and CMMC requirements on defense contractors. But non-DoD agencies have no equivalent mechanism today. The FAR CUI rule is meant to fill that gap.
FAR Case 2017-016
The proposed rule — FAR Case 2017-016, "Controlled Unclassified Information" — was originally proposed in 2017 and has moved slowly. The rule would add a new FAR clause that federal agencies could include in contracts where CUI is involved. The clause would require contractors to:
- Implement security controls from NIST SP 800-171 (National Institute of Standards and Technology Special Publication 800-171, the same standard that underlies CMMC Level 2)
- Report cyber incidents involving CUI
- Flow the requirements down to subcontractors
- Maintain a System Security Plan (SSP) documenting how controls are implemented
If the rule is finalized, a company that contracts with both DoD and civilian agencies would face similar CUI security obligations across both. The standard being applied is the same: NIST 800-171.
The rule has been in development for years, and its finalization timeline has shifted multiple times. As of this writing, it has not been finalized. But its direction is clear: the government intends to extend CUI protections beyond DoD.
How It Differs from CMMC
CMMC goes further than a FAR clause would — for now.
Verification: CMMC Level 2 requires third-party assessment by a C3PAO (Certified Third-Party Assessor Organization). The proposed FAR rule, as currently structured, relies on contractor self-assessment and attestation. There's no FAR equivalent of a C3PAO. Contractors would self-certify rather than being independently assessed.
Specificity: CMMC ties specific level requirements to specific contract types and CUI categories. The FAR rule is broader and less prescriptive about which contracts trigger which level of security.
Scope: CMMC applies to DoD contractors and their subcontractors. The FAR rule would apply to any federal contractor handling CUI, which is a much larger population — federal contractors across procurement, healthcare, environmental, scientific, and dozens of other domains.
Consequences: CMMC creates a certification barrier — you can't win DoD contracts above a threshold without the certification. The FAR rule creates contractual obligations with civil and potentially criminal liability for false attestation, but not a certification gating mechanism (at least not in current proposals).
What This Means for Non-DoD Contractors
If you only hold contracts with civilian federal agencies today, you may not currently have formal CUI security requirements in your contracts. That's changing. Several agencies have already begun including CUI-related clauses in contracts even ahead of the FAR rule being finalized, because their existing data security authorities allow them to require it.
Agencies like the Department of Energy and NASA have historically been more proactive about security requirements. Others have been less consistent. The FAR rule, when finalized, would standardize this across all agencies.
The Common Mistake
Treating CUI as a DoD problem.
If you hold non-DoD federal contracts and receive technical information, personnel data, law enforcement data, financial information, or other government-generated information, there's a reasonable chance some of it is CUI. The lack of a formal marking on those documents doesn't mean the information isn't CUI — it may mean the originating agency hasn't been consistent about marking.
The smart move is to inventory what information you receive from all your federal customers, check it against the CUI Registry (at archives.gov/cui), and identify what qualifies — now, before a contract clause formally requires you to. Companies that have already implemented NIST 800-171 for their DoD work are largely prepared. Companies that haven't face a larger gap.
What NIST 800-171 Requires at a High Level
Whether you're coming at this from a DoD contract or a potential FAR obligation, the standard is NIST SP 800-171. It has 110 requirements across 14 control families. The core themes:
- Access control: Only authorized users access systems with CUI
- Audit logging: All access and activity is logged and reviewable
- Configuration management: Systems are hardened and documented
- Identification and authentication: Users prove who they are, with multi-factor authentication (MFA) for remote access
- Incident response: You can detect, report, and respond to security events
- Media protection: CUI on physical and digital media is controlled and properly destroyed
- Risk assessment: You know what your risks are and manage them
- System protection: CUI is encrypted in transit and at rest, networks are segmented
Getting to full NIST 800-171 compliance is a significant undertaking. Small-to-mid organizations that are starting from a low security baseline typically take 12–24 months and spend $50,000–$250,000 on implementation. The time to start is before the contract clause appears in your renewals.
The Practical Takeaway
If you hold only non-DoD federal contracts: review your contracts for existing CUI clauses, inventory the information you receive from government customers, and assess your NIST 800-171 readiness. The FAR rule's direction has been consistent even if its timeline hasn't.
If you hold both DoD and non-DoD contracts: your CMMC preparation covers the technical requirements for the FAR rule too. The same NIST 800-171 controls, the same SSP, the same incident reporting disciplines. Your DoD compliance work has residual value beyond CMMC.
CUI security is a government-wide initiative. DoD just happened to build the most formal verification structure around it first.
---
Want the full picture of how the regulatory stack fits together? Our Tier 2 article on how CMMC, DFARS, NIST, and FAR relate to each other explains how all the pieces connect — and why getting one right usually advances the others.