What is the FAR CUI Rule?
On October 24, a significant milestone was reached that could have far-reaching implications for various sectors, marking a pivotal moment in regulatory evolution. However, many within the Defense Industrial Base remain blissfully unaware of this development, as the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program has dominated attention for years, often overshadowing other important regulations that could equally affect operational compliance and security practices. This lack of awareness is not limited to the defense sector; it extends to other critical infrastructure sectors, such as energy, transportation, and healthcare, as well as federal contractors who may not fully grasp the importance of the new regulations now on the horizon.
Notably, the FAR CUI (Controlled Unclassified Information) rule has completed its comprehensive review process with the Office of Information and Regulatory Affairs (OIRA) as of yesterday, signaling an important step forward in the regulatory process. This rule is set to be published in the Federal Register within the next month, paving the way for an official comment period lasting 60 days, during which stakeholders—including industry leaders, legal experts, and compliance officers—will have the opportunity to provide valuable input. This upcoming publication underscores the urgent need for greater awareness and understanding of compliance requirements across all sectors, as these new regulations will significantly influence how organizations manage controlled unclassified information in the future and safeguard sensitive data from unauthorized access or breaches.
Executive Order 13556
While many believe that the Department of Defense (DoD) is solely responsible for safeguarding Controlled Unclassified Information (CUI), the DoD is just the tip of the spear in a much broader effort involving multiple agencies and sectors. The CUI program was established on November 4, 2010, through Executive Order 13556, which aimed to standardize the way the federal government handles unclassified information that requires protection. This Executive Order outlines the specific categories of information considered to be CUI, including but not limited to critical infrastructure information, legal documents, and sensitive personal data.
It also mandates the implementation of uniform policies and procedures across various agencies to ensure the integrity and security of this information. The overarching goal is to enhance the protection of sensitive information while simultaneously promoting information sharing among federal, state, and local entities, thereby fostering a more secure and collaborative environment for handling unclassified information across the board. As we move forward, it is crucial for all stakeholders to stay informed and engaged with these developments to ensure compliance and protect vital information assets.
Future Contracting
For businesses in the Defense Industrial Base (DIB) that are contemplating the important question, “Do I want to continue in defense contracting?”, it is crucial to take a comprehensive look at their work portfolio. This evaluation should determine what other federal contracting they do that will need to meet the NIST SP 800-171 requirements. By doing so, they can gain deeper insights into their strengths and weaknesses, enabling them to better define their long-term strategy. This thoughtful assessment allows businesses to explore opportunities that may align more closely with their strategic goals. Ultimately, a thorough evaluation can empower businesses to make informed decisions about their future in the defense sector and in federal contracting more broadly.