The FAR CUI rule creates a government-wide contract clause requiring the implementation of NIST SP 800-171 for the protection of Controlled Unclassified Information (CUI).

• The rule will apply the Controlled Unclassified Information (CUI) requirements in Federal contracts to protect CUI.
• The rule is a strategy to improve the efforts to identify, deter, protect against, detect, and respond to increasing sophisticated threat actions targeting Federal contractors.
• The rule is being issued in accordance with the National Archives and Records Administration (NARA) regulations implementing the CUI program per Executive Order 13556 issued November 4, 2010, as implemented in NARA’s implementing regulations.

You guessed it, NIST 800-171 isn’t just a requirement for Department of Defense contractors (CMMC), but for ALL federal contractors handling any category of Controlled Unclassified Information.

• Department of Agriculture
• Department of Commerce
• Department of Education
• Department of Energy
• Department of Health and Human Services
• Department of Homeland Security
• Department of Housing and Urban Development
• Department of the Interior
• Department of Justice
• Department of Labor
• Department of State
• Department of Transportation
• Department of Treasury
• Department of Veterans Affairs
• Environmental Protection Agency
• National Aeronautics and Space Administration
• Small Business Administration
• Social Security Administration
• U.S. Agency for International Development

The FAR CUI rule is the missing piece of the plan to implement Executive Order 13556 "Controlled Unclassified Information".

SUMMARY:

With this final rule, DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.

DATES:

This rule is effective December 16, 2024. The incorporation by reference of certain material listed in this rule is approved by the Director of the Federal Register as of December 16, 2024.

MORE INFORMATION:

Reach out to ATS and we will help get your started with CMMC.