Protecting Controlled Unclassified Information – What is CUI & What are the Rules?
The Federal Acquisition Regulation (FAR) Council recently announced the arrival of its long-awaited rule to enhance the safeguarding of Controlled Unclassified Information (CUI) in federal contracts (the Proposed Rule). Published in the Federal Register on January 15, 2025 (90 FR 4278), the Proposed Rule is intended to establish a government-wide standard (civilian and military) for protecting CUI across all agencies and federal contracts.
One of the key questions for government contractors, especially when working with the DoD, is whether you have CUI related to government contracts right now or will receive and/or create CUI on contracts in the future. If the answer is yes or even maybe, then cybersecurity compliance regulations may apply to you. While Deltek cannot answer this question for you, we can provide informational guidance to help you make an informed decision with your legal counsel and/or compliance teams.
What Does This Mean for Government Contractors?
This new rule will impact every government contractor that receives or creates CUI as part of its government contracts. Since 2017, the Department of Defense (DoD) has required contractors to comply with the DFARS 252.204-7012 clause. Civilian agencies, like the Department of Energy (DoE) and the Department of Homeland Security (DHS), currently have their own agency-specific approaches to protecting CUI, so this new rule aims to establish uniform standards across all government agencies, to be supplemented by agency-specific requirements and by the types of CUI specified for each contract.
In the new Proposed FAR CUI Rule, government contractors using non-federal information systems must protect CUI using the universal standard of the NIST SP 800-171 control framework. If a contractor uses a cloud service provider (CSP) to process, store or handle CUI, that cloud provider must demonstrate FedRAMP Moderate Baseline security to meet compliance requirements. This standard is very similar to the existing DFARS 252.204-7012 requirement that DoD contractors must comply with today, which will soon be verified and enforced by the Cybersecurity Maturity Model Certification (CMMC) program.
GovConU Informational Session on CUI:
Controlled Unclassified Information (CUI) & How Government Contractors will be Affected
As a result of this increased emphasis on cybersecurity compliance, government contractors need their mission-critical business applications, like their ERP, to comply with strict requirements for protecting CUI. To address this market need for our customers, Deltek has invested heavily in security and compliance with our Costpoint GovCon Cloud Moderate (GCCM) offering, which has completed its FedRAMP Moderate Equivalency assessment and is listed on the FedRAMP Marketplace. This unique distinction sets Deltek apart and will help government contractors meet cybersecurity compliance certification requirements like DFARS 7012, CMMC, and eventually, the new FAR CUI Rule, as a cloud service provider.
An Introduction to CUI
Controlled Unclassified Information (CUI) is a category of data that, while unclassified, still receives special protections under federal laws, regulations, and policies. Specifically, CUI is a labeling system that identifies sensitive information requiring protection in accordance with a law, regulation, or government-wide policy. Not every category listed in the National Archives and Records Administration (NARA) CUI Registry applies to your organization, so it’s important to be aware of what data you are actually working with.
The CUI program was established under Executive Order 13556 "Controlled Unclassified Information" and designates the National Archives and Records Administration (NARA) to implement the program and oversee agency actions to ensure compliance.
Examples of CUI include:
- Personnel and student records
- Budget
- Export-controlled data
- DoD Critical Infrastructure Information
- Details of corporate mergers and financial assets
- Contract Use
Source: National Archives CUI Markings Categories
Implementing CUI protections has been a long journey for federal agencies. The U.S. Department of Defense (DoD), which introduced the first agency-specific CUI program, has required the protection of CUI since 2017 through the DFARS 252.204-7012 contract clause. More recently, the Cybersecurity Maturity Model Certification (CMMC) program has brought greater awareness to these requirements with mandatory certifications that verify compliance through independent assessment prior to contract award.
How Do You Know if You Have CUI?
Typically, CUI is clearly marked by the person, company or agency that creates it with labels like "CUI" or "Controlled." However, CUI can also be indirectly identified through contracts or agreements specifying its handling.
For DoD contractors, there are two key guidance documents on CUI marking and a sub-category of CUI called Controlled Technical Information (CTI):
- DoD Instruction 5200.48 outlines the marking requirements for unclassified DoD documents and also establishes the definition for identifying CTI - a specific type of CUI with military or space applications created or possessed by or on behalf of DoD.
- DoD Instruction 5230.24 defines how DoD personnel are to identify and mark CTI and requires that if information is marked with distribution statements B-F, then that information is CUI, even if not explicitly labeled.
The following are common federal contracting clauses that may trigger CUI requirements:
- DFARS 252.204-7012
- DFARS 252.204-7019
- DFARS 252.204-7020
- DFARS 252.204-7021
- FAR 52.204-21
- HSAR 3052.204-72
- HUDAR 2452.237-82
Best Practices for Managing CUI
- Understand Your Obligations: In addition to compliance obligations like CMMC or other relevant regulations, your contracts may contain specific requirements for how you should mark and safeguard CUI.
- Mark Information Properly: Use the appropriate labels and follow guidelines like the CUI Marking Handbook.
- Control Access: Disseminate CUI only to individuals with a lawful government purpose.
- Seek Training: NARA and DoD offer free training courses on CUI handling. Completing these can help contractors stay compliant.
- Work with Appropriate Subject Matter Experts: Whether it is your internal compliance and legal teams or external specialists, work with these experts to validate your CUI handling practices.
- Verify Third-Party CUI Handling Requirements: Ensure your Cloud Service Provider meets FedRAMP Moderate Baseline Requirements.
Want to Learn More?
The National Archives and Records Administration (NARA) oversees the CUI program and maintains a CUI Registry listing the laws and regulations applicable to CUI. Additionally, resources like training programs and detailed guides can help contractors understand and implement CUI requirements effectively.
For the categories of CUI, visit https://www.archives.gov/cui/registry/category-list