On January 15, 2025, the Federal Acquisition Regulatory (FAR) Council issued a proposed rule that, if adopted, would uniformly define and protect Controlled Unclassified Information (CUI) across the government. The proposed rule would revise the FAR to impose federal-government wide requirements relating to the handling of CUI by federal government contractors and subcontractors. These requirements, which are modeled on requirements currently applicable to Department of Defense (DoD) contracts, would apply to all federal contracts except those that are for purely commercially available off-the-shelf items. The new rule would require:

• federal agencies to use a prescribed form to notify contractors of any CUI expected to be handled during contract performance, along with any agency-specific CUI handling and training requirements relating to CUI;
• contractors that will handle or generate CUI to implement NIST Special Publication 800-171, Revision 2 to safeguard CUI on contractor information systems;
• contractors to report incidents impacting CUI within eight hours of discovery, and to comply with any additional requirements identified by the contracting agency; and
• contractors that are informed they will not handle or generate CUI to report to agencies—within eight hours—if they receive unanticipated CUI (or potential CUI).

DoD contractors will be familiar with many of these requirements. However, for federal contractors who have not historically implemented DoD requirements, this rule will pose new compliance requirements. Contractors should take time to familiarize themselves with the proposed requirements and new FAR clauses ahead of the rule going into effect—and should evaluate current practices to identify any compliance gaps. Please reach out to a member of Wilson Sonsini’s government contracts practice or data, privacy, and cybersecurity practice with any questions regarding the requirements of, or compliance with, the proposed rule.