
What Every Federal Contractor Needs to Know About FAR Case 2017-016

The proposed rule FAR Case 2017-016

If GSA's January 2026 cybersecurity guide CIO-IT Security-21-112 Rev 1 put civilian contractor cybersecurity on your radar, a separate and broader development deserves your attention.

FAR Case 2017-016, published in the Federal Register on January 15, 2025 (90 FR 4278), is a proposed rule that would bring NIST SP 800-171 Rev 2 requirements to every federal contractor that handles CUI, across every executive branch agency in the United States.

The rule has been in development for eight years, the comment period closed in March 2025, and it is now working its way through the federal rulemaking process.

This article breaks down what the proposed rule means, who it affects, how it relates to CMMC and the new GSA guide, and what contractors should be doing now while the final rule is still pending.

What Is the FAR CUI Rule and Why Does It Matter?

The Federal Acquisition Regulation is the primary regulation governing federal procurement across all executive branch agencies.

When a rule amends the FAR, it applies everywhere: defense, civilian, and independent agencies alike.

That scope is what makes FAR Case 2017-016 significant. Right now, formal CUI protection requirements apply mainly to defense contractors. If your company works with the Army, Navy, or anywhere in the defense supply chain, you already know NIST SP 800-171 through DFARS 252.204-7012 and, increasingly, through CMMC.

But if you contract with HHS, DOE, DOT, NASA, or GSA, those requirements have not formally applied to you. GSA contractors are a partial exception: the January 2026 guide CIO-IT Security-21-112 Rev 1 introduced GSA-specific cybersecurity requirements, but it references NIST SP 800-171 Revision 3 and applies only within GSA.

The FAR CUI rule would sit alongside it as a separate, government-wide obligation under Revision 2. Once finalized, any federal contractor handling CUI will need to implement the 110 security requirements in NIST SP 800-171 Revision 2 and self-attest to compliance. There is no third-party certification requirement under this rule, unlike CMMC. But the compliance obligations are real and the exposure under the False Claims Act for non-compliance is equally real.

FAR Case 2017-016: Nearly 15 Years in the Making

The rule's long history is part of why the contracting community is taking it seriously despite its proposed status. Before 2010, federal agencies each handled sensitive unclassified information their own way. The result was a patchwork of requirements that created confusion and compliance gaps across the supply chain. The CUI program created by Executive Order 13556 was the government's answer for agencies; FAR Case 2017-016 is the long-delayed step that extends that answer to contractors.

FAR CUI Rule Timeline

Date: Event
Pre-2010: Federal agencies manage sensitive unclassified information inconsistently, with no government-wide standard for marking, handling, or protecting it.
November 4, 2010: Executive Order 13556 establishes the CUI program; NARA is designated executive agent.
September 14, 2016: NARA publishes its final rule (81 FR 63324) establishing CUI policies for federal agencies, effective November 14, 2016.
January 2017: The FAR Council opens FAR Case 2017-016 as a placeholder for the FAR CUI rule.
2017 to 2024: The rule remains dormant; DoD proceeds independently through DFARS 252.204-7012 and CMMC.
January 15, 2025: Proposed FAR CUI rule published in the Federal Register (90 FR 4278) by DoD, GSA, and NASA.
January 20, 2025: New administration takes office; the Executive Order "Regulatory Freeze Pending Review" is issued, creating uncertainty about rule timing, although the rule remains active and under review.
March 17, 2025: Public comment period closes; 93 submissions received.
March 19, 2025: DoD Open FAR Cases records the public comments received; FAR and DAR staff begin processing.
January 5, 2026: GSA issues CIO-IT Security-21-112 Rev 1, a parallel CMMC-style framework applying to GSA contractors.
January 9, 2026: DoD Open FAR Cases confirms FAR Case 2017-016 remains open, with comments being processed. Progress can be monitored at regulations.gov.
March 2026: Rule remains in the proposed stage; final rule timing undetermined.
TBD: Final rule published; no phase-in, with compliance required immediately for in-scope contracts.

What the FAR CUI Rule Would Actually Require

NIST SP 800-171 Rev 2 Compliance for Nonfederal Systems

The core obligation is that contractor systems processing, storing, or transmitting CUI must comply with NIST SP 800-171 Revision 2. That is 110 security requirements across 14 families, covering access control, awareness and training, audit and accountability, configuration management, incident response, risk assessment (including vulnerability scanning), system and communications protection (including encryption), and more.

A New Standard Form for Every CUI Contract

Contracting officers would be required to complete a new Standard Form, referred to as SF XXX in the proposed rule, that explicitly identifies what CUI is involved in a contract, what category it falls under, and what handling requirements apply. This form attaches to the contract and creates the contractor's specific compliance perimeter.

Three New FAR Clauses

FAR 52.204-XX would be the primary CUI clause incorporated into any contract where CUI is involved, requiring full NIST 800-171 compliance. FAR 52.204-YY would apply even to contracts where CUI is not expected, requiring contractors to notify the government if they encounter CUI during performance. FAR 52.204-WW would serve as a notice provision in solicitations.

Eight-hour Incident Reporting

Contractors would be required to report suspected or confirmed CUI incidents to the contracting officer within eight hours of discovery, even when the facts are incomplete. Forensic data must be preserved for 90 days. The rule also requires reporting of any CUI that the government failed to mark or mismarked, also within eight hours. This is a demanding operational requirement that most civilian contractors are not currently equipped to meet.

Mandatory Employee Training

Contractors must ensure any employee who handles CUI has completed training before doing so, and must be able to provide evidence of training on request.

Subcontractor Flowdown

If a prime contractor flows CUI to a subcontractor, the prime is responsible for preparing the SF XXX for the subcontractor and ensuring the same compliance obligations apply throughout the supply chain (FAR 52.204-XX(h)).

Who Is Affected by the Proposed FAR CUI Rule?

The scope is broader than most civilian contractors have recognized. Unlike DFARS 252.204-7012, which applies only to defense contractors, the proposed FAR CUI rule would apply government-wide to all executive branch contracts, regardless of dollar value, including contracts at or below the simplified acquisition threshold. The only categorical exception is contracts solely for commercially available off-the-shelf items.

According to the Federal Register notice (90 FR 4278), the rule is estimated to affect approximately 67,547 unique contractors annually based on federal procurement data from fiscal years 2021 through 2023. That includes a large population of organizations that have never engaged with NIST SP 800-171 before and have no existing compliance program to build from.

Organizations That Are Likely In Scope

The proposed rule does not list specific industries or agency types. Scope is determined by whether a contractor handles CUI during contract performance, not by which agency they work for or what sector they operate in. To illustrate, organizations likely to be in scope include GSA Schedule holders across all categories, contractors working with HHS in healthcare IT and clinical research, Department of Energy vendors in engineering and scientific services, Department of Transportation suppliers, university research institutions receiving federal contracts, professional services firms, technology companies selling software or services to any civilian agency, and staffing firms whose personnel access federal systems or information.

The clearest test is whether you receive information marked as CUI, or whether your work generates information that would qualify under the NARA CUI Registry. If either applies, you are likely in scope.

How the FAR CUI Rule Compares to CMMC and the GSA Guide

Two frameworks currently apply. CMMC has been appearing in DoD solicitations since November 2025. The GSA guide has been available for new GSA contracts since January 2026. The proposed FAR CUI rule would extend similar obligations government-wide if finalized.

All three reference NIST SP 800-171, but they diverge in important ways. GSA requires Revision 3. CMMC and the proposed FAR rule are anchored to Revision 2. DoD cannot move to Revision 3 without further rulemaking. GSA has confirmed it has no plans to align with CMMC. The assessor pools are also separate, with no reciprocity: a C3PAO assessment does not satisfy GSA, and a GSA assessment does not count toward CMMC.

For contractors working across both DoD and civilian agencies, this means two compliance programs, two NIST baselines, and two assessor engagements with no credit between them. If the FAR CUI rule finalizes on Revision 2, it reinforces the DoD baseline but leaves the GSA gap open. The fragmentation does not appear to be closing in the near term.


Framework comparison: GSA CIO-IT Security-21-112 Rev 1, Proposed FAR CUI Rule (FAR Case 2017-016), and CMMC Level 2

Status
GSA guide: In effect January 5, 2026 (internal agency guidance, not formal rulemaking).
Proposed FAR CUI rule: Proposed rule, in rulemaking (90 FR 4278, published January 15, 2025).
CMMC Level 2: 32 CFR program rule effective December 16, 2024; DFARS acquisition clause effective November 10, 2025.

Applies to
GSA guide: GSA contractors whose systems process, store, or transmit CUI.
Proposed FAR CUI rule: All federal executive branch contractors handling CUI.
CMMC Level 2: DoD contractors handling CUI.

NIST baseline
GSA guide: SP 800-171 Rev 3, with selected controls from SP 800-172 Rev 3 (draft) and SP 800-53 Rev 5.
Proposed FAR CUI rule: SP 800-171 Rev 2.
CMMC Level 2: SP 800-171 Rev 2.

Assessment model
GSA guide: Independent 3PAO or GSA-approved assessor; results reviewed by GSA OCISO; authorization via Memorandum for Record.
Proposed FAR CUI rule: Self-attestation; system security plan required; government may request supporting documentation.
CMMC Level 2: C3PAO third-party certification or self-assessment, depending on contract requirement.

Cloud requirement
GSA guide: FedRAMP authorization as an alternative path; contractor-owned cloud systems subject to a five-phase GSA assessment process.
Proposed FAR CUI rule: FedRAMP Moderate baseline required directly under proposed FAR 52.204-XX; cost analysis deferred to FAR Case 2021-019.
CMMC Level 2: FedRAMP Moderate authorized or FedRAMP Moderate equivalent.

Incident reporting
GSA guide: One hour from discovery by security operations personnel.
Proposed FAR CUI rule: Eight hours from discovery.
CMMC Level 2: 72 hours (under DFARS 252.204-7012).

Phase-in
GSA guide: None; no formal transition period announced.
Proposed FAR CUI rule: None when finalized.
CMMC Level 2: Three-year phased rollout.

Penalty for non-compliance
GSA guide: False Claims Act exposure for misrepresentation of compliance; contract eligibility at GSA OCISO discretion (no formal statutory penalty regime).
Proposed FAR CUI rule: Financial liability for government incident response costs; False Claims Act exposure for false self-attestation (DOJ Civil Cyber-Fraud Initiative).
CMMC Level 2: False Claims Act exposure for false self-assessment or certification; potential suspension or debarment; contract ineligibility if CMMC status is not current in SPRS.

What to Watch For Regarding FAR Case 2017-016

Final rule timing is uncertain

Multiple factors have stalled the proposed rule: the January 2025 regulatory freeze, the current administration's stated preference for reducing regulatory burden, and the complexity of processing 93 public comments across a rule affecting tens of thousands of contractors. The OMB Unified Regulatory Agenda had listed a target final rule date of December 2025, which passed without finalization. As of March 2026, the rule remains in the proposed stage with no confirmed timeline. Any final rule must also clear the administration's standing requirement that new rules receive approval from administration-appointed agency heads before publication, adding further uncertainty.

No phase-in when it does finalize

When the final rule takes effect, federal agencies will begin incorporating the new FAR clauses into solicitations and contracts immediately. There is no grace period for contractors to close compliance gaps after the rule is finalized. Unlike CMMC, which is rolling out over three years, the FAR rule would give contractors working outside the defense industrial base little runway.

Watch the SF XXX form development

The standard form contracting officers will use to identify CUI in contracts is still a placeholder in the proposed rule. How it is designed will significantly affect who is in scope and for what, including which subcontractors are captured throughout the supply chain.

False Claims Act exposure is real and growing

The proposed rule relies on self-attestation, which creates a specific legal risk. The DOJ's Civil Cyber-Fraud Initiative, launched in October 2021, has accelerated sharply: DOJ recovered more than $52 million across nine cybersecurity fraud settlements in fiscal year 2025 alone, with cyber settlements more than tripling in each of the past two years. DOJ has been explicit that this enforcement targets contractors who knowingly misrepresent their cybersecurity posture, not data breach victims. Attesting to NIST SP 800-171 compliance you have not actually achieved is not a low-risk strategy.

What Federal Contractors Should Do Now

The rule is not final. But the compliance work required to meet it takes months, if not years, and contractors in the strongest position when it finalizes will be those who started early.

1. Determine whether your contracts involve CUI

Review existing contracts, task orders, and agency communications. Check whether you receive information marked CUI or whether your work generates information that would qualify under the NARA CUI Registry. If you work with any federal agency outside DoD and handle sensitive government information, start here.

2. Assess your current posture against NIST SP 800-171 Rev 2

All 110 controls, assessed operationally, not on paper. Understand where your gaps are before a solicitation lands.

3. Map where CUI lives across your environment

Which systems process it, which store it, which transmit it, and which SaaS platforms it passes through. Every system in that boundary could carry compliance obligations. The smaller that boundary, the lower your compliance cost.

4. Evaluate your cloud environment

If you are using commercial cloud services that rely on equivalency claims, assess your position against actual FedRAMP Moderate requirements, consider FedRAMP-authorized alternatives, or consider approaches and tools (such as StratoKey's tokenization capabilities) that keep CUI out of those systems altogether.

5. Review subcontractor relationships

If you are a prime, identify which subcontractors receive CUI. If you are a subcontractor, assess whether your prime's contracts are likely to trigger flowdown obligations.

6. Track the rule's progress

Monitor the Federal Register and regulations.gov for developments.

How Tokenization Reduces Your Compliance Scope

A big cost driver under the proposed FAR CUI rule is the same one driving cost under CMMC and the GSA guide: scope. Every system that stores, processes, or transmits CUI falls under the compliance boundary, triggering the full weight of NIST 800-171 controls, documentation, and monitoring obligations.

Tokenization can address this at the architecture level. When CUI is tokenized before it enters a SaaS application or is transmitted through a third-party system, that system never holds actual CUI; it holds a token that carries no recoverable information about the underlying value. A system that never holds CUI is not in scope under NIST 800-171, under the GSA guide, or under the proposed FAR CUI rule. That is not a workaround: it is a direct application of how these frameworks define their own compliance boundaries. The tokenization service and the vault that maps tokens back to CUI do hold CUI, so they stay inside the boundary; the point is that the boundary shrinks to those components instead of expanding to every SaaS platform the tokens pass through.

For contractors running CUI across multiple SaaS platforms with no clear path to FedRAMP authorization for each, scope reduction through tokenization may be the most practical path to a defensible compliance posture while still being able to use the SaaS applications that are operationally vital.

The smaller the boundary going into compliance, the lower the cost, the shorter the timeline, and the more sustainable the ongoing monitoring obligation.
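As an added illustration of the architecture described above (not StratoKey's code, and not anything from the proposed rule), here is a minimal field-level tokenization layer: CUI fields in a record are swapped for random tokens before the record leaves the contractor's boundary, and resolved back only when the record returns. The record layout, the list of CUI fields, and the in-memory vault are assumptions for the example.

```python
"""Field-level tokenization in front of a SaaS application.

Illustrative design only: not StratoKey's code and not text from the
proposed rule. Assumptions: CUI arrives as JSON-style records, the fields
that carry CUI are known in advance (from the SF XXX / data-mapping work),
and the token vault runs inside the contractor's NIST SP 800-171 boundary.
The SaaS side receives tokens only.
"""
import hashlib
import hmac
import json
import secrets


class TokenVault:
    """Maps random tokens to CUI values.

    This component holds real CUI, so it stays inside the compliance
    boundary. An in-memory dict stands in for a hardened datastore here.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._value_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, value: str) -> str:
        # Keyed HMAC so the lookup index does not store plaintext CUI.
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the existing token for a value, or mint a new random one.

        Tokens are random, not format-preserving and not derived from the
        value, so a token on its own reveals nothing about the CUI.
        """
        fp = self._fingerprint(value)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)
            self._token_by_fingerprint[fp] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to CUI; only callable inside the boundary."""
        return self._value_by_token[token]


# Fields assumed to carry CUI in this example; the real list comes from
# the data-mapping exercise, not from guesswork.
CUI_FIELDS = frozenset({"ssn", "clinical_notes"})


def to_saas(record: dict, vault: TokenVault) -> dict:
    """Replace every CUI field with a token before the record leaves the boundary."""
    return {k: vault.tokenize(v) if k in CUI_FIELDS else v for k, v in record.items()}


def from_saas(record: dict, vault: TokenVault) -> dict:
    """Restore CUI when a record returns from the SaaS into the boundary."""
    return {k: vault.detokenize(v) if k in CUI_FIELDS else v for k, v in record.items()}


def leaks_cui(outbound: dict, original: dict) -> bool:
    """Wire-payload check: no original CUI value may appear anywhere in the
    serialized outbound record, including inside fields not on the list."""
    wire = json.dumps(outbound)
    return any(original[f] in wire for f in CUI_FIELDS if f in original)


def demo() -> tuple[dict, dict, bool]:
    """Round-trip a constructed sample record (not real data)."""
    record = {
        "case_id": "C-1042",
        "ssn": "123-45-6789",
        "clinical_notes": "Follow-up visit; patient reports improvement.",
        "status": "open",
    }
    vault = TokenVault(index_key=secrets.token_bytes(32))
    outbound = to_saas(record, vault)
    restored = from_saas(outbound, vault)
    return outbound, restored, leaks_cui(outbound, record)


if __name__ == "__main__":
    outbound, restored, leaked = demo()
    print("sent to SaaS:", json.dumps(outbound, indent=2))
    print("CUI leaked in payload:", leaked)
    print("round-trip intact:", restored["ssn"] == "123-45-6789")
```

Two things the code makes concrete. First, the vault and the tokenization service still hold CUI and therefore stay in scope; what shrinks is the set of SaaS systems that would otherwise join the boundary. Second, the check in leaks_cui matters because a CUI value pasted into a free-text field that is not on the list would still reach the SaaS in the clear, so field-based tokenization has to be paired with a data-mapping exercise that is actually complete.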

Cut Your CUI Compliance Scope Before the FAR CUI Rule Takes Effect   

StratoKey can assist by keeping CUI out of the systems that would otherwise trigger a compliance burden. Contact us to discuss your environment.
