FAR CUI Rule Proposed!

The Federal Acquisitions Regulation (FAR) rule regarding the protection of Controlled Unclassified Information (CUI) has officially been proposed as FAR 2024-30437 and released for public inspection. Its adoption would mandate minimum information security practices for all federal contractors, expanding beyond the Cybersecurity Maturity Model Certification (CMMC) program for Department of Defense (DoD) contractors.

The FAR CUI Rule Has Been Proposed

As of January 14, 2025, the U.S. General Services Administration (GSA), which oversees all federal contracting activity, has proposed FAR 2024-30437 and released a draft for public inspection. The FAR CUI Rule would require all federal contractors to protect CUI by aligning with rules for DoD contractors. Most significantly, this includes defining minimum information security standards aligned with the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171).

Be on the lookout for more updates on the FAR CUI Rule soon! In the days and weeks to come, we will dig into the details of the rule, provide further insights, and assist organizations with meeting these requirements. In the meantime, you can view the proposed rule below.

About Us

Triumvirate Cybersecurity is a consulting firm specializing in helping organizations achieve certification under the U.S. DoD Cybersecurity Maturity Model Certification (CMMC) program. However, we are eager to assist any organization meet the information security requirements associated with NIST SP 800-171, including federal contractors impacted by the upcoming FAR CUI Rule.