CUI Requirements In Federal Contracts Aren't FAR Away


Federal rule-making to incorporate controlled unclassified information (CUI) requirements into federal contracts is set to start this December. It could have implications for how such requirements are addressed in agency agreements impacting all of higher education.


In addition to the PII breach response rule-making for federal contractors set to start in November, the Trump Administration's Spring 2018 regulatory agenda announced that a similar rule-making to amend the Federal Acquisition Regulation (FAR) for controlled unclassified information (CUI) requirements will begin in December.

As the agenda listing notes, the National Archives and Records Administration (NARA) CUI Program published a final rule establishing uniform requirements for non-defense federal agencies regarding "designating, safeguarding, disseminating, marking, decontrolling and disposing of CUI" in the fall of 2016. (The rule in essence codified the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 guidelines for the handling of CUI in "nonfederal systems and organizations" into regulatory requirements for federal agencies.) The pending rule-making will establish the FAR provision(s) and related contract clause(s) for consistently integrating NARA CUI Rule requirements into federal procurement contracts across non-defense agencies.

While FAR applies only to federal procurement contracts, changes to it that address implementation of broadly applicable standards and guidelines may influence how federal agencies frame similar requirements in agreements with outside organizations. It is therefore worthwhile to watch for what the FAR rule-making process produces. Agencies may attempt to repurpose relevant uniform contract text, for example, as standard provisions for cooperative agreements. And NARA guidance makes clear that agency "agreements and arrangements" must include provisions covering CUI requirements when relevant. With that in mind, colleges and universities can expect that agreements affecting much of higher education, such as the Federal Student Aid (FSA) Program Participation Agreement (PPA) and Student Aid Internet Gateway Agreement (SAIG), will eventually include CUI requirements based on NIST SP 800-171 and that the implementing text for those requirements may take a form similar to that of the FAR CUI clause(s).

Since all higher education institutions must sign a PPA in order to participate in federal student aid programs, as well as have an SAIG agreement in place to exchange data with FSA systems, integration of CUI Rule requirements based on 800-171 into those agreements would have far-reaching implications for EDUCAUSE members. There is no indication that the U.S. Department of Education and FSA are ready to begin that process, but EDUCAUSE will continue to follow CUI developments such as the FAR process for clues about what our members will likely face in the not-too-distant future.

© 2018 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.