On January 15, 2025, the Federal Acquisition Regulatory Council (FAR Council) proposed two significant rule changes that could reshape compliance obligations for government contractors: one establishing standardized safeguards for Controlled Unclassified Information (CUI) and another updating the framework for addressing organizational conflicts of interest (OCI). These proposed rules aim to bring long-needed clarity and consistency to federal procurement, with public comments due by March 17, 2025.
FAR Council Seeks Consistent Approach to Controlled Information
On January 15, 2025, the FAR Council published a proposed FAR CUI Rule to integrate the Controlled Unclassified Information (CUI) Program into federal acquisitions, aiming to standardize CUI protections and clarify contractor responsibilities across industries, while also aligning them with broader cybersecurity and compliance initiatives. The proposed rule would create uniform cybersecurity, training, and incident reporting requirements for contractors and subcontractors managing CUI. The FAR CUI Rule is advancing through the rulemaking process, with the public comment period ending on March 17, 2025.
CUI In Procurement
For years, contractors have struggled with the inconsistent and often conflicting requirements for handling CUI across different federal agencies. While the CUI designation was introduced under Executive Order 13556 in 2010 to replace the patchwork of agency-specific markings and protections, a uniform compliance framework has remained elusive. As a result, contractors have faced uncertainty in determining their obligations, particularly when working with multiple agencies that apply different safeguarding and reporting standards. This lack of consistency has increased compliance burdens, heightened cybersecurity risks, and exposed contractors to potential liability. The FAR CUI Rule aims to resolve these long-standing challenges by establishing a single, government-wide standard for identifying, safeguarding, and reporting CUI in federal procurements.
The federal government defines CUI as “information that the Government creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” However, despite this definition, the absence of a uniform regulatory approach has led to varied interpretations and implementation challenges across the various federal agencies. Contractors working on projects involving CUI have been required to navigate a complex web of agency-specific controls, each with its own safeguarding expectations, incident reporting timelines, and compliance mechanisms. The proposed FAR CUI Rule seeks to eliminate these inconsistencies by standardizing protections for CUI across agencies, bringing long-needed clarity and uniformity for contractors navigating disparate compliance requirements. Given that CUI includes over 100 different categories, the FAR CUI Rule is expected to affect a substantial portion of the federal contracting community. Whether this Rule will clear things up remains to be seen.
The FAR CUI Rule would achieve these aims through two key mechanisms: (1) a standardized form to be used in all CUI procurements, and (2) standardized safeguards.
Standard Form (SF) XXX
The FAR CUI Rule introduces Standard Form (SF) XXX, Controlled Unclassified Information Requirements (the CUI Standard Form), as a new compliance mechanism to standardize the management and safeguarding of CUI. This form will assist contractors and subcontractors in:
- Identifying the categories of CUI they may handle during federal contract performance;
- Understanding agency-specific requirements for handling, safeguarding, disseminating, decontrolling, and marking CUI; and
- Complying with standardized reporting procedures for CUI incidents.
While existing laws and policies already mandate protections for CUI, this new standard form will unify and streamline how those requirements are communicated and implemented across government contracts, reducing inconsistencies and confusion for contractors. The SF XXX will be included in solicitations and contracts involving CUI, establishing clear performance requirements from the outset.
Standardized Safeguards
The FAR CUI Rule also aims to harmonize CUI safeguards across all federal agencies, including the U.S. Department of Defense (DoD). While applicable to all federal contracts, this rule is particularly significant for defense contractors already navigating the Cybersecurity Maturity Model Certification (CMMC) program. Unlike the CMMC program, which includes a tiered certification framework for handling CUI, the FAR CUI Rule does not mandate certification. Instead, it requires contractors to self-attest to compliance with NIST SP 800-171 Rev. 2.
Adopting basic cybersecurity requirements can prevent significant financial losses from cyber incidents. The Cybersecurity and Infrastructure Security Agency (CISA) estimates that the median cost of a cybersecurity incident ranges from $0.5 million to $1.6 million, with maximum costs exceeding $1 billion. By standardizing cybersecurity requirements across all federal contracts, the FAR CUI Rule will not only enhance compliance but also reduce cybersecurity risks and financial exposure for contractors.
Included in the Rule is a requirement that contractors must report suspected or confirmed CUI incidents within eight (8) hours of discovery, allowing the federal government to respond swiftly and mitigate potential damages. This stringent reporting requirement underscores the government’s emphasis on timely incident response in order to ensure data protection.
Intersection with CMMC Compliance
For defense contractors, the FAR CUI Rule serves as another critical puzzle piece in the evolving landscape of cybersecurity compliance. While CMMC imposes certification-based security measures on contractors handling CUI within the defense supply chain, the FAR CUI Rule complements these efforts by introducing uniform requirements for all federal contractors. Defense contractors already investing in CMMC compliance will likely find alignment between these frameworks beneficial, as the FAR CUI Rule provides a clearer roadmap for safeguarding CUI across government and defense contracts.
Updates to Organizational Conflict of Interest Provisions
Proposed Changes to OCI Treatment
FAR 2.101 currently defines Organizational Conflict of Interest broadly as:
- a situation in which because of other activities or relationships with other persons, a person is unable or potentially unable to render impartial assistance or advice to the Government, or the person’s objectivity in performing the contract work is or might be otherwise impaired, or a person has an unfair competitive advantage.
While these categories are not expressly identified in FAR 2.101, case law, GAO decisions, and agency-level OCI guidance have interpreted FAR 2.101 to encompass three categories of OCI:
- Impaired Objectivity: A company or affiliate has financial or other interests that may compromise its impartial advice to the government.
- Unequal Access to Information: A company gains a competitive advantage from non-public information obtained through government access.
- Biased Ground Rules: A company materially influences the development of government contract requirements, evaluation criteria, or source selection procedures.
The Proposed OCI Rule aims to provide clarity to agencies through “tailorable” provisions that agencies can use in solicitations and contracts. In addition to these new definitions, the proposed rule includes new guidance and examples of relationships between a contractor and a private or foreign entity that may create an OCI under FAR 3.1204.
When an OCI arises, the proposed rule outlines specific methods that contractors can use to address such conflicts, including mitigation strategies, avoidance measures, and—where appropriate—government acceptance of the risk when it is in the government's best interest (FAR 3.1205). By formalizing these options, the rule seeks to reduce uncertainty for contractors navigating OCI concerns while providing agencies with greater flexibility in managing potential conflicts in federal procurements.
Recommended Steps for Compliance with the FAR CUI Rule
To ensure compliance with the Proposed CUI Rule, organizations should take several important steps. First, familiarize yourself with the specific obligations and requirements imposed by the rule, particularly the new 8-hour incident reporting period outlined in the FAR clause. Next, update your incident response plan to incorporate this brief reporting timeframe. Conduct a gap analysis to compare your existing cybersecurity measures with the standards and protocols in NIST SP 800-171 Rev. 2, identifying and addressing any discrepancies. Develop protocols for the proper handling and identification of CUI, ensuring that your policies align with the requirements of the FAR CUI Rule. Additionally, establish procedures to manage subcontractor compliance, including updates to contractual language to reflect these new obligations.
Recommended Steps for Compliance with the FAR OCI Rule
For guidance on complying with the FAR OCI Rule, companies can first look to the proposed provisions themselves. For instance, the proposed rule contains language on methods to address OCIs when they are known to a company (see FAR 3.1205). The rule also provides a list of responsibilities companies have in order to identify, analyze, and address OCIs whenever they arise. These provisions are located in FAR 3.1207. To ensure proper compliance, companies can engage in due diligence at each stage of Government contracting: before entering the contract, at the start of the contract, and throughout its performance.
Before entering a Government contract, companies can ensure that OCI provisions are placed within the standard agreements and contracts the company intends to use when pursuing Government work. Companies can adopt the model provisions and definitions in the proposed rule as standard contract clauses. Such due diligence should continue during the beginning stages of Government contracting. Companies should conduct thorough investigations to confirm that no conflicts exist between the contracting parties or their affiliates. This is an ongoing responsibility. If a conflict does arise, companies should promptly notify the contracting parties of the nature and details of the conflict, disclosing pertinent information while adhering to confidentiality requirements. The parties can then decide to rely on the mitigation measures described in the FAR to proceed with the contract, or to discontinue the contract if the conflict is substantial.
As noted, the parties should continue to monitor and conduct due diligence to ensure that no conflicts of interest arise during the performance of the contract, and, should a conflict arise, they should take the proper steps to address it promptly.
Conclusion
The proposed FAR CUI and OCI Rules represent significant steps toward standardizing federal procurement compliance. The FAR CUI Rule seeks to eliminate inconsistencies in safeguarding controlled information, while the FAR OCI Rule aims to clarify and streamline conflict-of-interest requirements across agencies. Together, these rules reflect the government’s increasing focus on cybersecurity, data protection, and ethical contracting with an emphasis on aligning these goals across all the agencies.
If finalized as proposed, the FAR CUI Rule will establish uniform safeguards, training, and reporting obligations and, perhaps most importantly, reduce uncertainty for contractors handling sensitive information. Likewise, the FAR OCI Rule will provide clearer guidelines for identifying, mitigating, and disclosing conflicts of interest, helping contractors navigate these risks proactively. Given that noncompliance—whether with CUI requirements or OCI disclosures—can lead to contractual disputes, enforcement actions, or even False Claims Act liability, contractors should take steps now to assess their internal controls, update policies, and strengthen compliance programs.
With public comments on both rules due by March 17, 2025, contractors should evaluate how these changes could impact their operations and consider submitting feedback to help shape the final regulations. Preparing now will not only ensure compliance but also position companies for success in an increasingly regulated procurement environment.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2025 White & Case LLP