Shared from our friends at BDO.
The Federal Government continues to mandate protections for CUI and other sensitive but unclassified information, along with cybersecurity best practices, down to DoD contractors. Many contractors are aware of the Defense Federal Acquisition Regulation Supplement (DFARS) CUI rule (DFARS 252.204-7012), introduced in 2017, which requires the Defense Industrial Base to implement cybersecurity standards (NIST SP 800-171) on their networks in order to safeguard Controlled Unclassified Information (CUI).
The adoption of CUI protections is becoming more widespread than just Department of Defense (DoD) contractors. A new regulation is now being implemented that stretches CUI protection requirements, initially applicable only to DoD contractors, across the federal contracting arena to include DoD, GSA, NASA and many other Federal organizations. The release of this new Federal Acquisition Regulation (FAR) Controlled Unclassified Information (CUI) Rule has been long anticipated; it was initially supposed to go to public comment on November 1st (the date for public comment is currently to be announced). This new FAR clause extends the requirement for contractors to safeguard CUI on their systems to applicable Federal contracts.
It is not yet clear what requirements the FAR CUI Rule will propose, but it is anticipated that DFARS 7012 requirements such as the FedRAMP Moderate baseline and reporting will be included in the FAR CUI Rule. We cannot yet determine whether this clause will extend the NIST SP 800-171 security controls prescribed in DFARS 252.204-7012. BDO will notify our clients as soon as this regulation drops and will determine what protections are prescribed for CUI at the Federal level. We hope the FAR CUI Rule will give guidance to those contractors who have been waiting for it.