The Governmentwide FAR CUI Safeguarding Rule (Emerging)
Also known as: FAR CUI rule, governmentwide CUI safeguarding rule, FAR Case 2017-016
What you do here: Track the pending FAR CUI rule that will extend standardized CUI safeguarding across all agencies
At a Glance
- Status
- Emerging β proposed under FAR Case 2017-016; not yet a final governmentwide clause (confirm the current status before relying on it)
- Who it will apply to
- Contractors across all federal agencies that handle CUI β extending beyond DoD's existing DFARS regime
- What it would obligate
- Standardized CUI identification, marking, training, and safeguarding (expected to reference NIST SP 800-171)
- Governing authority
- The FAR Council (FAR Case 2017-016), building on EO 13556 and 32 CFR Part 2002
- Why it matters
- It would bring civilian-agency CUI requirements in line with DoD's, so the safeguarding skills transfer
What It Is
The governmentwide FAR CUI safeguarding rule is the long-anticipated Federal Acquisition Regulation rule (docketed as FAR Case 2017-016) that would extend standardized Controlled Unclassified Information requirements to contracts across every federal agency, not just DoD. Today there's an asymmetry: DoD has a mature CUI-safeguarding regime (DFARS 252.204-7012, NIST SP 800-171, SPRS, and CMMC), while civilian agencies have applied CUI protection inconsistently, often through agency-specific clauses. The CUI program itself (Executive Order 13556 and 32 CFR Part 2002) is governmentwide, but the acquisition-side rules that turn it into concrete contract obligations have lagged for non-DoD work. The FAR CUI rule is intended to close that gap by creating a uniform, governmentwide baseline: consistent definitions, marking expectations, training, incident-handling, and safeguarding requirements β widely expected to lean on NIST SP 800-171 as the technical standard, mirroring DoD. For an SDVOSB, the practical significance is twofold. First, it signals that CUI safeguarding is becoming table stakes for federal work generally, so the investment a firm makes for DoD (an SSP, NIST 800-171 implementation, a CUI enclave) will increasingly transfer to civilian-agency contracts. Second, because it is still working through the rulemaking process, its exact requirements, effective date, and relationship to CMMC are not final β so this page is a forward-looking marker rather than a current obligation. Treat it as a planning signal: build your CUI program to the DoD standard now, and you'll be positioned when the governmentwide rule lands.
When It Applies
- As a planning signal β the rule is expected to standardize CUI safeguarding across civilian agencies, not just DoD.
- When evaluating whether cybersecurity investments made for DoD work will transfer to civilian-agency contracts.
- When a civilian agency applies its own interim CUI-safeguarding clause pending the governmentwide FAR rule.
- When tracking the rulemaking to anticipate the effective date and the technical standard (expected NIST SP 800-171).
Key Features
| Feature | What It Means |
|---|---|
| Extends CUI rules beyond DoD | It would create a governmentwide acquisition baseline for CUI, closing the gap between DoD's mature regime and inconsistent civilian-agency practice. |
| Expected to rely on NIST SP 800-171 | The technical safeguarding standard is widely anticipated to mirror DoD's, so the same control set would apply governmentwide. |
| Standardized marking and training | Consistent CUI identification, marking, and training expectations across agencies would replace agency-by-agency variation. |
| Still in rulemaking | As FAR Case 2017-016, the exact requirements, scope, and effective date aren't final β confirm the current status before relying on it. |
| A transferability signal | Investments made to meet DoD CUI requirements should increasingly count toward civilian-agency work under the coming rule. |
The SDVOSB Angle
For an SDVOSB that works β or wants to work β outside DoD, the emerging FAR CUI rule is a reason to stop treating cybersecurity as a DoD-only cost. The direction of travel is clear: standardized CUI safeguarding, built on NIST SP 800-171, is spreading to civilian agencies. A small firm that builds a genuine CUI program now (a scoped enclave, an honest SSP, basic NIST 800-171 implementation, and simple CUI-handling training) is making an investment that will increasingly pay off across the whole federal market, and that already differentiates it from competitors treating security as an afterthought. Because the rule isn't final, don't over-build to speculative specifics β build to the known DoD standard, which the governmentwide rule is expected to track, and watch the rulemaking (and each civilian solicitation's own CUI clauses) so you're ready when concrete requirements attach. This is a rare case where getting ahead of a regulation is cheaper than catching up to it.
How to Comply
- Treat the DoD CUI standard (NIST SP 800-171 + a scoped enclave + an SSP) as the baseline to build toward now.
- Watch FAR Case 2017-016 and confirm its current status before assuming any specific governmentwide requirement.
- Read each civilian-agency solicitation for its own interim CUI-safeguarding clause and any marking/training terms.
- Keep your CUI program documented and portable so it transfers cleanly across agencies as the rule lands.
- Fold likely CUI-safeguarding costs into your bid decisions for civilian work, not just DoD work.
Watch Out For
- Assuming CUI safeguarding is a DoD-only concern β the governmentwide direction is clearly toward all agencies.
- Over-building to a rule that isn't final β build to the known DoD standard the rule is expected to track.
- Ignoring a civilian agency's own interim CUI clause because 'the FAR rule isn't out yet.'
- Relying on this page's specifics as settled law β verify the rulemaking's current status and text.
Run the Numbers
Frequently Asked
Is there a governmentwide FAR rule for CUI safeguarding?
A governmentwide FAR rule for CUI safeguarding has been in development for years under FAR Case 2017-016. It is intended to extend standardized Controlled Unclassified Information identification, marking, training, and safeguarding β widely expected to rely on NIST SP 800-171 β to contracts across all federal agencies, not just DoD. Because it is still working through the rulemaking process, its final requirements and effective date are not settled, so you should confirm the current status of the rule before relying on any specific provision.
Will civilian-agency contractors have to meet CMMC-style requirements?
The CMMC program is specific to DoD. However, the emerging governmentwide FAR CUI rule signals that civilian agencies are moving toward standardized CUI safeguarding built on NIST SP 800-171 β the same technical standard underlying CMMC Level 2. Whether civilian agencies will adopt a formal third-party certification like CMMC is not settled, but the safeguarding controls a firm implements for DoD work are expected to transfer, so building a genuine NIST SP 800-171 program positions a contractor for both DoD and civilian CUI requirements.
Primary Sources
- FAR Case 2017-016 β Controlled Unclassified Information (rulemaking status)
- Executive Order 13556 β Controlled Unclassified Information
- 32 CFR Part 2002 β Controlled Unclassified Information
Plain-English reference, not legal advice. Cybersecurity and information-safeguarding rules are fact-specific and change often β the FAR, DFARS, NIST publications, and the CMMC program rule are amended and phased in over time. Always read the current FAR/DFARS text and the safeguarding clauses in your specific contract, check the version of NIST SP 800-171 your contract requires, confirm the SPRS and CMMC requirements with the contracting officer, and consult qualified counsel or a cybersecurity professional before relying on a compliance position or making a certification.
Change log (1)
- LaunchedPublished the federal contract cybersecurity & information safeguarding requirements reference covering the obligations an SDVOSB takes on across a federal (especially DoD) set-aside β basic safeguarding of Federal Contract Information (FAR 52.204-21), the Section 889 covered-telecom prohibition (FAR 52.204-25), the DoD safeguarding of Covered Defense Information and 72-hour cyber-incident reporting (DFARS 252.204-7012), the NIST SP 800-171 control set with its System Security Plan and POA&M, the SPRS self-assessment score (DFARS 252.204-7019 / -7020), the CMMC program and its three levels (DFARS 252.204-7021 / 32 CFR Part 170), Controlled Unclassified Information marking and handling (32 CFR Part 2002 / EO 13556), and the emerging governmentwide FAR CUI rule β each with an at-a-glance quick-facts card, a when-it-applies list, a key-features table, an SDVOSB-specific angle, a how-to-comply checklist, watch-outs, FAQPage, Article, Dataset, and BreadcrumbList structured data, primary-source FAR/DFARS/CFR/NIST citations, and cross-links into the glossary, contracting systems (SPRS, SAM.gov), clauses, forms, contract types, how-to guides, FAQ, and the price-to-win and win-probability calculators.