The following is adapted from our whitepaper, "The Expanding Mandate: An Analysis of Federal Agency Adoption of NIST SP 800-171 for the Protection of Controlled Unclassified Information."
As the proposed FAR rule gains momentum, we are starting to see a shift in the way civilian agencies approach CUI protection. They're taking it seriously.
One strong example is NASA (National Aeronautics and Space Administration), which has become an early adopter of NIST SP 800-171. Its stance not only sets a new expectation for its contractors but also reinforces a growing trend among other agencies.
The proposed FAR rule promises a future of standardized CUI protection, but the current landscape among civilian agencies is a mix of early adopters and those who have remained largely silent on the issue in their acquisition regulations. The finalization of the FAR rule will serve to codify requirements for leaders and impose entirely new obligations on laggards.
NASA's policy is articulated in its Procedural Requirements¹, which state that its contractors must also adhere to these requirements or risk ineligibility to bid on future projects.
Others, such as HHS (Department of Health and Human Services) and DOE (Department of Energy), are making similar moves, indicating that we can expect to see more agencies following suit in the coming years.
Here are a few features of the proposed rule.
The FAR will impose an 8-hour reporting requirement for any suspected or confirmed CUI incident. Of course, this is more complex than shooting off an email. Meeting it will require contractors to have the technical capability for rapid detection, the procedural maturity for immediate triage and confirmation, internal communication pathways, and pre-approved authority to report to the government within a single business day of discovering such an incident.
Contractors are prohibited from allowing any employee to handle CUI unless that employee has first completed training on the proper procedures for safeguarding it.
If a contractor uses a third-party Cloud Service Provider (CSP) to store, process, or transmit CUI, that CSP must meet security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.
Unlike CMMC, the proposed FAR rule does not, by default, require third-party certification. It operates on a self-attestation model, where contractors are responsible for ensuring and attesting to their own compliance. However, the rule gives contracting agencies the right to request evidence of compliance at their discretion, which would typically include the contractor's System Security Plan (SSP) and any associated Plans of Action and Milestones (POA&Ms).
This is why federal contractors must stay informed and up to date on the latest regulations. Failure to do so could mean lost opportunities, as well as operational, financial, and even legal repercussions.
For further information, download our whitepaper.
Notes:
¹ NASA Procedural Requirements (NPR) 2810.7, nodis3.gsfc.nasa.gov, accessed August 18, 2025, https://nodis3.gsfc.nasa.gov/npg_img/N_PR_2810_0007_/N_PR_2810_0007_.doc