EDUCAUSE Recommends Changes to Proposed FAR CUI Rules

A few days before the start of the second Trump administration, the Federal Acquisition Regulatory Council, which comprises the agencies that oversee federal contracting regulations, released a notice of proposed rulemaking (NPRM) on revising the Federal Acquisition Regulation (FAR) to incorporate the National Archives and Records Administration's Controlled Unclassified Information (CUI) Program requirements into federal contracting. EDUCAUSE subsequently worked with COGR, the American Council on Education (ACE), the Association of American Universities (AAU), and the Association of Public and Land-grant Universities (APLU) to submit a joint response to the Council recommending a series of changes to provisions in the NPRM.

EDUCAUSE and its sister associations noted that the definition of CUI in the proposed regulations does not match the definition in the CUI Program rule. This inconsistency is problematic because the CUI Program is intended to establish uniformity across the federal government in the marking and handling of CUI, including the cybersecurity requirements for it. The associations stated that the Council seemed to have deviated from the CUI Program definition so it could include a small set of exceptions in the FAR version of the definition. However, our organizations argued that the minor convenience of having exceptions to the definition of CUI integrated directly into the definition did not warrant the risk of creating undue confusion among federal contractors about which definition of CUI they should rely on. We argued that the Council should use the CUI Program definition of CUI in the final rule for clarity and consistency while incorporating the exceptions to the definition in a separate provision.^Footnote1

One of the exceptions to the CUI definition presented in the NPRM specifically excludes data related to fundamental research in science, technology, and engineering from the scope of the definition, citing a Reagan-era presidential memorandum that clarified the nature of fundamental research in relation to federal research funding.^Footnote2 Our associations expressed concern that this narrowly tailored exception could imply that federal agencies might consider federally funded fundamental research in fields other than science, technology, and engineering as subject to CUI requirements. By definition, though, fundamental research is intended for public release, and therefore, attempting to apply CUI restrictions might reduce the interest of researchers in pursuing such projects and make it more difficult for the federal government to meet its fundamental research needs. With that in mind, EDUCAUSE and its sister associations proposed that the Council revise the exception to clarify that the original presidential directive on fundamental research does not limit the definition of such research to solely science, technology, and engineering. Instead, we suggested it should cover basic and applied research intended for public release in general.^Footnote3

Our groups similarly took issue with the proposed definition of "covered federal information" (CFI), which is intended to replace the existing definition of "federal contract information" (FCI) as presented in the government's basic safeguarding requirements for federal contractor information systems. The FCI definition makes clear that only data "not intended for public release" falls within the scope of the basic safeguarding requirements, which excludes fundamental research. This exclusion is important for federally funded research at higher education institutions because the basic safeguarding requirements are designed to address baseline data security issues in administrative environments. While some of those requirements may be applied to fundamental research contexts without too much difficulty, others (e.g., physical access controls) may not be adaptable to such contexts. Thus, we argued that the proposed CFI definition be revised to limit its scope to data "not intended for public release." In addition, we noted that the CFI definition included the exception that might be read as exposing fundamental research in fields other than science, technology, and engineering to CUI requirements and asked that it be revised in line with our recommendation for the proposed exception to the CUI definition.^Footnote4

Another key provision with which EDUCAUSE and its sister associations took issue would establish an eight-hour deadline for institutions to report cyber incidents involving CUI or the discovery of unmarked or mismarked CUI to the relevant federal contracting officer. According to the NPRM, the changes in federal contracting regulations that it presents are modeled on an existing defense contracting regulation that provides a seventy-two-hour deadline for cyber incident reporting. Given the likelihood that many colleges and universities engaged in federal research projects may not have the operational capacity to comply with an eight-hour deadline, we urged the Council to adopt the more reasonable seventy-two-hour deadline from the relevant defense regulations in its FAR CUI contracting provisions.

Our groups also took issue with the attempt to displace responsibility for identifying and managing unmarked or mismarked CUI from federal agencies to contractors, such as our member institutions. We stressed that placing the burden for catching and dealing with agency mistakes on institutions would exacerbate the already unduly expansive CUI training requirements in the proposed regulations and drain resources from the intended research. We also highlighted how the proposed extension of CUI requirements to patent applications might conflict with higher education institutions' obligations under existing law for licensing patents generated by federally funded research. Finally, we noted that the proposed revisions to the FAR to integrate CUI Program requirements may indicate a need for the National Archives and Records Administration, the Council agencies, and other stakeholders to explore whether CUI markings should be incorporated into the names of digital files, feeds, code, algorithms, and other means of digital data exchange to facilitate compliance with CUI requirements.^Footnote5

Since the release of the NPRM, the Trump administration has instituted several executive actions intended to limit—as much as possible—the ability of federal agencies to impose new regulations. Thus, uncertainty surrounds when or if the proposed FAR CUI regulations will be finalized and whether any resulting final regulations will consider the findings and recommendations of stakeholders such as EDUCAUSE and its sister associations. Our groups will continue to monitor further developments in this space and any opportunities to minimize the negative effects of federal contracting regulations on higher education institutions.

Notes

1. American Council on Education et al., letter to William F. Clark, Director, Office of Government-wide Acquisition Policy, "Comments Regarding FAR Case 2017-016, 'Federal Acquisition Regulation: Controlled Unclassified Information' (Proposed Rule)," March 17, 2025. Jump back to footnote 1 in the text.↩
2. U.S. Department of Defense, General Services Administration, and National Aeronautics and Space Administration, "Federal Acquisition Regulation: Controlled Unclassified Information," proposed rule, Federal Register 90, no. 9 (January 15, 2025): 4297, 4300. Jump back to footnote 2 in the text.↩
3. ACE et al., letter to Clark, "Comments Regarding FAR Case 2017-016." Jump back to footnote 3 in the text.↩
4. Ibid. Jump back to footnote 4 in the text.↩
5. Ibid. Jump back to footnote 5 in the text.↩

Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.