Federal Acquisition Regulation: Controlled Unclassified Information

DEPARTMENT OF DEFENSE GENERAL SERVICES ADMINISTRATION NATIONAL AERONAUTICS AND SPACE ADMINISTRATION <CFR>48 CFR Parts 1, 2, 3, 4, 5, 7, 9, 11, 12, 15, 27, 33, 42, 52, and 53</CFR> <DEPDOC>[FAR Case 2017-016, Docket No. 2017-0016, Sequence No. 1]</DEPDOC> <RIN>RIN 9000-AN56</RIN> <SUBJECT>Federal Acquisition Regulation: Controlled Unclassified Information</SUBJECT> <HD SOURCE="HED">AGENCY:</HD> Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). <HD SOURCE="HED">ACTION:</HD> Proposed rule. <SUM> <HD SOURCE="HED">SUMMARY:</HD> DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to implement the National Archives and Records Administration's Controlled Unclassified Information Program enacted under an Executive Order entitled Controlled Unclassified Information. </SUM> <EFFDATE> <HD SOURCE="HED">DATES:</HD> Interested parties should submit written comments to the Regulatory Secretariat Division at the address shown below on or before March 17, 2025 to be considered in the formation of the final rule. </EFFDATE> <HD SOURCE="HED">ADDRESSES:</HD> Submit comments in response to FAR Case 2017-016 to the Federal eRulemaking portal at <E T="03">https://www.regulations.gov</E> by searching for “FAR Case 2017-016”. Select the link “Comment Now” that corresponds with “FAR Case 2017-016”. Follow the instructions provided on the “Comment Now” screen. Please include your name, company name (if any), and “FAR Case 2017-016” on your attached document. If your comment cannot be submitted using <E T="03">https://www.regulations.gov,</E> call or email the points of contact in the <E T="02">FOR FURTHER INFORMATION CONTACT</E> section of this document for alternate instructions. <E T="03">Instructions:</E> Please submit comments only and cite “FAR Case 2017-016” in all correspondence related to this case. Public comments may be submitted as an individual, as an organization, or anonymously (see frequently asked questions at <E T="03">https://www.regulations.gov/faq</E> ). Comments submitted in response to this rule will be made publicly available and are subject to disclosure under the Freedom of Information Act. For this reason, please do not include in your comments information of a confidential nature, such as sensitive personal information or proprietary information, or any information that you would not want publicly disclosed unless you follow the instructions below for confidential comments. Summary information of the public comments received, including any specific comments, will be posted on <E T="03">https://www.regulations.gov.</E> All filers using the portal should use the name of the person or entity submitting comments as the name of their files, in accordance with the instructions below. Anyone submitting business confidential/proprietary information should clearly identify any business confidential/proprietary portion at the time of submission, file a statement justifying nondisclosure and referencing the specific legal authority claimed, and provide a non-confidential/non-proprietary version of the submission. Any business confidential information should be in an uploaded file that has a file name beginning with the characters “BC.” Any page containing business confidential information must be clearly marked “BUSINESS CONFIDENTIAL/PROPRIETARY” on the top of that page. The corresponding non-confidential/non-proprietary version of those comments must be clearly marked “PUBLIC.” The file name of the non-confidential version should begin with the character “P.” The “BC” and “P” should be followed by the name of the person or entity submitting the comments or rebuttal comments. All filers should name their files using the name of the person or entity submitting the comments. Any submissions with file names that do not begin with a “BC” will be assumed to be public and will be made publicly available through <E T="03">https://www.regulations.gov.</E> To confirm receipt of your comment(s), please check <E T="03">https://www.regulations.gov,</E> approximately two-to-three days after submission to verify posting. <FURINF> <HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> For clarification of content, contact Mr. Michael O. Jackson, Procurement Analyst, at 202-821-9776 or by email at <E T="03">michaelo.jackson@gsa.gov.</E> For information pertaining to status, publication schedules, or alternate instructions for submitting comments if <E T="03">https://www.regulations.gov</E> cannot be used, contact the Regulatory Secretariat Division at 202-501-4755 or <E T="03">GSARegSec@gsa.gov.</E> Please cite FAR Case 2017-016. </FURINF> <SUPLINF> <HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD> <HD SOURCE="HD1">I. Background</HD> Today, Federal information and information systems are increasingly the targets of sophisticated attacks by criminals and our adversaries, as well as subject to risks involving non-adversarial threats ( <E T="03">e.g.,</E> accidental misuse of information). Executive Order (E.O.) 13556, <E T="03">Controlled Unclassified Information,</E> established the Controlled Unclassified Information (CUI) Program to manage information that requires safeguarding or dissemination controls and designated the National Archives and Records Administration (NARA) as the executive agent of the CUI Program. NARA published a final rule on September 14, 2016 (81 FR 63324) to implement the CUI requirements of E.O. 13556. As part of the implementation of the NARA final rule, NARA maintains a registry ( <E T="03">https://www.archives.gov/cui</E> ) of unclassified information that requires safeguarding or dissemination controls. NARA's CUI Registry identifies the organizational index grouping and related categories of information and specifies how the information should be marked and disseminated, among other actions that must be taken. NARA's rule codified uniform policies and procedures for marking, safeguarding, disseminating, decontrolling, and disposing of CUI for Federal executive branch agencies at 32 CFR part 2002. These policies also affect contractors that are expected to collect, develop, receive, transmit, use, handle, or store CUI during contract performance. To apply the policies to contractors, the CUI Program must be incorporated into the acquisition process, specifically, when agencies define their requirements, issue solicitations, and award contracts. In order to do so, Government and contractor roles and responsibilities for safeguarding, using, marking, disseminating, and decontrolling CUI residing on both Federal and non-Federal information systems must be identified. DoD has implemented the requirements of the CUI Program within the clause at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. DoD has also proposed amending the DFARS to incorporate contractual requirements associated with the Cybersecurity Maturity Model Certification program (CMMC) in order to verify contractor implementation of security controls through a proposed rule published in the <E T="04">Federal Register</E> on August 15, 2024, at 89 FR 66327. Separately, the CMMC program was established in Title 32 of the Code of Federal Regulations through a final rule published in the <E T="04">Federal Register</E> on October 15, 2024, at 89 FR 83092. DoD, GSA, and NASA are proposing to revise the FAR to implement NARA's final rule on the Federal CUI Program as it relates to performance under Federal contracts. The Privacy Act requirements at FAR part 24 are not changed by this rulemaking. DoD, GSA, and NASA propose to create a common mechanism, the Standard Form XXX, Controlled Unclassified Information (CUI) Requirements, to enable a uniform process for communicating the information contractors must manage and safeguard as well as identify where a CUI incident must be reported and when there are CUI incident reporting requirements that differ from or are in addition to those in the clause at FAR 52.204-XX(g). Currently laws, Federal regulations, and Government-wide policies already mandate these protections, but there is not a standard way these requirements are identified and shared with contractors. This proposed rule is just one element of a larger strategy to improve the Government's efforts to identify, deter, protect against, detect, and respond to increasingly sophisticated criminals and adversaries targeting Federal information and information systems. <HD SOURCE="HD1">II. Discussion and Analysis</HD> The proposed rule introduces a new standard form (SF) to support uniformity in Governmentwide implementation of these policies. It identifies roles and responsibilities for agencies and contractors when controlled unclassified information (CUI) is located on Federal information systems within a Federal facility or resides on or transits through contractor information systems or within contractor facilities, and it adds two new clauses and a provision to enable contractor reporting and compliance responsibilities in Federal solicitations and contracts. The proposed rule is intended to provide for the following: (1) SF XXX, Controlled Unclassified Information (CUI) Requirements, was developed to promote consistency, assist Federal agencies and contractors in the identification of CUI in agency requirements, and uniformly define all associated handling requirements in accordance with 32 CFR part 2002. The SF XXX will be included in solicitations and contracts that may result in the handling of CUI that will ultimately become performance requirements during contract performance. (2) FAR 2.101 definitions for “contractor-attributional information,” “controlled unclassified information (CUI),” “CUI incident ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Preview showing 10k of 172k characters. Full document text is stored and available for version comparison. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━