
Chapter 7 of 10

Module 7: Contract Clauses – FAR, DFARS, and CUI Obligations

Translate data classification concepts into concrete contractual obligations for IT service providers under FAR, DFARS, and related rules.

15 min read

Module Overview – From CUI Concepts to Contract Clauses

In Modules 5 and 6, you learned what must be protected (CUI, high‑value CUI) and how (NIST SP 800‑171 Rev. 3 and 800‑172).

This module shows where those obligations actually appear for IT service providers: in FAR and DFARS contract clauses.

By the end of this 15‑minute module, you should be able to:

  • Recognize key FAR and DFARS clauses that impose data protection duties on contractors and cloud/IT service providers.
  • Connect CUI categories to specific contract language and reporting deadlines.
  • Read a contract and quickly spot: “What security standard applies?” and “How fast do we have to report incidents?”

We will focus on the most important clauses as of late 2025:

  • FAR 52.204‑21 – Basic safeguarding of covered contractor information systems.
  • Proposed FAR CUI clause (FAR Case 2017‑016) – Extending NIST SP 800‑171 requirements beyond DoD.
  • DFARS 252.204‑7012 – Safeguarding Covered Defense Information (CDI) and cyber incident reporting.
  • How incident reporting and notification for CUI works in practice.

> Context note (as of December 2025):

> - FAR 52.204‑21 is final and in force.

> - The FAR CUI rule is still proposed but advanced; many agencies are already drafting contracts to align with it.

> - DFARS 252.204‑7012 is in force and still references NIST SP 800‑171 (with DoD moving toward CMMC, covered in other modules).

Step 1 – Mapping Information Types to Clauses

Before looking at specific clauses, connect each data classification to the clause that applies to it.

For non‑federal IT systems used by contractors, you will commonly see three buckets:

  1. Federal Contract Information (FCI)
     • Information provided by or generated for the government under a contract, not intended for public release.
     • Example: internal project schedules, non‑public requirements documents.
     • Typical clause: FAR 52.204‑21.
  2. Controlled Unclassified Information (CUI)
     • Information that requires safeguarding or dissemination controls under federal law, regulation, or government‑wide policy, but is not classified.
     • Example: export‑controlled technical data, law enforcement sensitive data, some health or financial data.
     • Typical clauses:
       • DoD: DFARS 252.204‑7012 (Covered Defense Information = CUI in the DoD context).
       • Civilian agencies (increasingly): Proposed FAR CUI clause (will require NIST SP 800‑171 Rev. 3 once finalized).
  3. High‑value CUI / Critical Programs
     • A subset of CUI tied to national security or critical missions.
     • Example: critical weapons systems, critical infrastructure control systems.
     • Typical clauses:
       • May reference NIST SP 800‑172 or DoD‑specific program protection clauses.

Key idea:

The classification label (FCI, CUI, high‑value CUI/CDI) tells you which clause to look for and which NIST publication applies.

In the next steps, we will zoom into each major clause and see how it shows up in real contracts.

Step 2 – FAR 52.204‑21: Basic Safeguarding of FCI

FAR 52.204‑21, Basic Safeguarding of Covered Contractor Information Systems, is a baseline clause that appears in most federal contracts where contractors handle FCI.

When it applies (high level):

  • Non‑cloud and cloud IT systems owned or operated by the contractor that process, store, or transmit FCI.
  • It is not limited to DoD; it is government‑wide.

What it requires (conceptually):

FAR 52.204‑21 lists 15 basic safeguarding requirements (mirroring a subset of older NIST SP 800‑171 controls). Examples include:

  • Limit system access to authorized users.
  • Verify and control/limit connections to external systems.
  • Control information posted or processed on publicly accessible systems.
  • Identify and authenticate users.
  • Sanitize or destroy media before disposal.
  • Update malicious code protection mechanisms.

You do not see the full NIST SP 800‑171 catalog here; instead, you see a minimum floor of security practices.

Why it matters for IT service providers:

  • Many small IT services or SaaS providers assume, “We only have low‑risk info; no CUI, so no heavy requirements.”
  • But FAR 52.204‑21 still legally obligates you to implement specific safeguards if you handle any FCI.
  • It often appears along with more demanding clauses (like DFARS 252.204‑7012) in DoD contracts.

Step 3 – Example: Spotting FAR 52.204‑21 in a Contract

Imagine you work for a small managed service provider (MSP). A civilian agency wants you to host an internal project management tool.

The Statement of Work (SOW) says:

> The contractor shall provide a secure web‑based project management platform for internal government use. The platform will contain non‑public schedules, budget estimates, and internal communications.

The contract’s clause section includes:

> 52.204‑21 Basic Safeguarding of Covered Contractor Information Systems (NOV 2021)

As an IT provider, you should:

  1. Recognize the signal:
     • Non‑public internal project data = FCI.
     • FAR 52.204‑21 = you must implement 15 basic safeguards on the systems hosting that data.
  2. Translate into actions:
     • Implement access control and authentication (e.g., unique accounts, strong passwords, MFA where possible).
     • Configure anti‑malware, patching, and secure configurations.
     • Ensure secure disposal of logs, backups, and decommissioned disks.
  3. Document compliance:
     • Keep policy documents, screenshots, or configuration exports showing how you meet each of the 15 requirements.
     • Be prepared to explain these controls in a security questionnaire or audit.

> Visual tip: Picture a pyramid of obligations:

> - Base layer: FAR 52.204‑21 (for FCI).

> - Middle layer: NIST SP 800‑171 via CUI clauses.

> - Top layer: NIST SP 800‑172 for high‑value CUI.

> Each higher layer includes and builds on the lower ones.

Step 4 – The Emerging FAR CUI Clause (Beyond DoD)

Historically, DoD led the way in requiring NIST SP 800‑171 via DFARS 252.204‑7012.

For civilian agencies, requirements were fragmented.

To fix this, the FAR Council drafted a government‑wide CUI rule (FAR Case 2017‑016). As of late 2025, this rule is not yet fully finalized, but it is far along and agencies are planning around it.

Key features of the emerging FAR CUI framework:

  1. Standardization across agencies
     • Creates a FAR CUI clause that most agencies will insert when contractors handle CUI, not just FCI.
  2. Reference to NIST SP 800‑171 (Rev. 3)
     • Instead of custom agency checklists, contracts will point to NIST SP 800‑171 Rev. 3 as the baseline for CUI.
  3. Flow‑down to subcontractors
     • If your subcontractor processes, stores, or transmits CUI, you must flow down the clause.
  4. Incident reporting
     • The FAR CUI clause is expected to include incident reporting obligations, though details may differ by agency and will need to be checked in the final rule and contract language.

Practical implication for IT providers (today):

  • Even before finalization, many agencies already draft CUI‑related clauses that mirror NIST SP 800‑171 and DFARS‑style reporting.
  • When you see language like “The contractor shall implement NIST SP 800‑171 Rev. 3 for all systems that process CUI”, treat it as functionally similar to the coming FAR CUI clause.

> Exam tip: Be able to explain the difference between:

> - FAR 52.204‑21 (FCI, basic safeguarding) and

> - The FAR CUI clause (CUI, NIST SP 800‑171 Rev. 3 baseline) even though the latter is still in the rulemaking pipeline.

Step 5 – DFARS 252.204‑7012: CUI in the DoD World

DFARS 252.204‑7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the core DoD clause for CUI.

Key concepts:

  1. Covered Defense Information (CDI)
     • CDI is essentially CUI in the DoD context. It includes:
       • CUI provided by DoD to the contractor.
       • CUI developed by the contractor in performance of the contract that requires safeguarding.
  2. Required safeguards
     • Contractors must implement NIST SP 800‑171 (now generally interpreted with reference to Rev. 3 as it matures, though contract text may still reference earlier revisions until updated).
     • For some critical programs, DoD may also require NIST SP 800‑172 (enhanced protections).
  3. Cloud service specifics
     • If using cloud services to store/process CDI, they must meet FedRAMP Moderate (or higher) equivalency and additional DoD conditions.
  4. Cyber incident reporting
     • Contractors must rapidly report cyber incidents that affect CDI or the contractor’s ability to perform on operationally critical support contracts.
  5. Flow‑down
     • You must include DFARS 252.204‑7012 in subcontracts where the subcontractor will handle CDI.

Why this clause is central for IT providers:

  • If you host, manage, or secure systems for a DoD prime contractor, you may be directly subject to 252.204‑7012 through flow‑down.
  • Even if your contract is not with DoD, a prime might require you to follow 252.204‑7012 to keep its own compliance intact.

Step 6 – Thought Exercise: Classify the Obligations

Read the three short contract snippets below. For each, decide:

  1. Which information category is involved (FCI vs. CUI/CDI)?
  2. Which clause is most likely to apply (FAR 52.204‑21 vs. DFARS 252.204‑7012 vs. a FAR‑style CUI clause)?

---

Snippet A

> The contractor shall host a secure document repository for internal budget drafts, non‑public meeting minutes, and internal planning documents of the Department of Education. The system shall comply with FAR 52.204‑21.

  • Q1: Information category?
  • Q2: Clause?

---

Snippet B

> The contractor shall process export‑controlled technical data related to a weapons system. The contractor shall implement NIST SP 800‑171 for all nonfederal systems that process this information and report cyber incidents in accordance with DFARS 252.204‑7012.

  • Q1: Information category?
  • Q2: Clause?

---

Snippet C

> The contractor shall maintain a case management system containing law enforcement sensitive CUI for a civilian agency. The contractor shall implement the security requirements of NIST SP 800‑171 Rev. 3 for all systems processing CUI and shall report cyber incidents to the agency within 72 hours of discovery, as specified in this contract.

  • Q1: Information category?
  • Q2: Clause or clause type?

---

Reflect (mentally or in notes):

  • How did you decide whether something was FCI or CUI/CDI?
  • What wording tipped you off to DFARS 252.204‑7012 vs. a FAR‑style CUI clause?

Suggested answers (self‑check):

  • A: FCI → FAR 52.204‑21 only.
  • B: CUI/CDI (DoD context) → DFARS 252.204‑7012.
  • C: CUI (civilian context) → FAR‑style CUI clause referencing NIST SP 800‑171 Rev. 3 plus a custom incident reporting timeline.

Step 7 – Incident Reporting and Notification for CUI

Incident reporting is where contract language becomes very concrete: specific timelines, destinations, and data to provide.

DFARS 252.204‑7012 (DoD)

As of late 2025, DFARS 252.204‑7012 requires contractors to:

  1. Report cyber incidents to DoD within 72 hours of discovery via the DoD reporting portal (DIBNet).
  2. Preserve and protect images and logs of affected systems for at least 90 days.
  3. Provide malware samples to DoD when requested.
  4. Support DoD damage assessment activities (e.g., additional forensic data).

An incident is reportable if it:

  • Affects a covered contractor information system that processes, stores, or transmits CDI, or
  • Affects the contractor’s ability to provide operationally critical support.

FAR‑style CUI clauses (civilian agencies)

For civilian agencies, incident reporting is less standardized but trending toward:

  • Short reporting windows (often within 72 hours, sometimes shorter).
  • Reporting to an agency‑specific portal or security office.
  • Requirements to cooperate with investigations, similar to DoD.

Practical steps for IT providers

When you see CUI/CDI clauses:

  1. Find the timeline
     • Highlight phrases like “within 72 hours of discovery” or “immediately”.
  2. Identify the reporting channel
     • DoD portal? Agency SOC email? Prime contractor’s incident form?
  3. Clarify scope
     • Does the requirement apply to all systems you manage for that client, or only those tagged as handling CUI/CDI?
  4. Integrate into your IR plan
     • Update your incident response (IR) playbook to include:
       • Who notifies the government/prime.
       • What information must be collected.
       • How you will meet log and evidence preservation requirements.

> Connection to earlier modules:

> Your ability to detect, analyze, and contain incidents (NIST SP 800‑171/172 requirements) is what makes it possible to meet these contract reporting obligations on time.

Step 8 – Quick Check: Incident Reporting

Answer this question about incident reporting under DFARS 252.204‑7012.

Under DFARS 252.204‑7012, which of the following is TRUE about cyber incident reporting for Covered Defense Information (CDI)?

  A. Incidents must be reported to DoD within 72 hours of discovery, and affected system logs must be preserved for at least 90 days.
  B. Incidents must be reported to DoD within 24 hours of discovery, but there is no requirement to preserve logs.
  C. Incidents only need to be reported if they affect classified information, not CDI.

Answer: A) Incidents must be reported to DoD within 72 hours of discovery, and affected system logs must be preserved for at least 90 days.

DFARS 252.204‑7012 requires contractors to report cyber incidents affecting CDI or operationally critical support within 72 hours of discovery and to preserve and protect images and logs of affected systems for at least 90 days. The other options either shorten the timeline incorrectly or ignore CDI.

Step 9 – Reading a Contract for CUI Obligations (Template)

Use this pseudo‑template to systematically extract CUI‑related obligations from any federal contract or subcontract.

```text
1. Identify information types
   - Search for: "CUI", "Covered Defense Information", "FCI", "sensitive", "export-controlled".
   - Note which systems or services you provide that will touch these data.
2. Locate data protection clauses
   - Search for clauses like:
     - "52.204-21" (FAR basic safeguarding)
     - "252.204-7012" (DFARS CDI and incident reporting)
     - Any clause referencing "NIST SP 800-171" or "NIST SP 800-172"
     - Agency-specific CUI clauses
3. Map clauses to controls
   - If 52.204-21:
     - Implement the 15 basic safeguards.
   - If 252.204-7012 or CUI clause:
     - Implement NIST SP 800-171 (and 800-172 if specified).
     - Verify FedRAMP / cloud requirements if you are a cloud provider.
4. Extract incident reporting requirements
   - Timeline: "within X hours/days of discovery".
   - Reporting destination: portal URL, email, or point of contact.
   - Evidence: logs, images, malware samples, forensic data.
5. Check flow-down obligations
   - Look for language like: "The Contractor shall include the substance of this clause in all subcontracts...".
   - Make a list of subcontractors that handle FCI/CUI/CDI and ensure they accept these obligations.
6. Document your interpretation
   - Create a short summary like:
     - Data types handled: FCI, CUI (export-controlled), etc.
     - Applicable clauses: 52.204-21, 252.204-7012.
     - Key timelines: 72-hour incident reporting, 90-day log retention.
   - Use this summary to update your security plan and incident response playbook.
```
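The search-and-map steps of this template can be run as a script. The following Python example is added here for illustration (it is not part of the course material): it applies the Step 9 keyword and clause searches to the three Step 6 snippets, retyped as constructed input, and produces the Step 9 summary (data types, applicable clause, reporting window, log preservation, flow-down wording). The keyword lists, regular expressions, and the classification order are assumptions that a real contract review would need to extend.

```python
import re

# Constructed sample input: the three contract snippets from Step 6 of this module,
# retyped as plain strings (illustrative text, not real contract language).
SNIPPETS = {
    "A": "The contractor shall host a secure document repository for internal budget drafts, non-public "
         "meeting minutes, and internal planning documents of the Department of Education. The system "
         "shall comply with FAR 52.204-21.",
    "B": "The contractor shall process export-controlled technical data related to a weapons system. The "
         "contractor shall implement NIST SP 800-171 for all nonfederal systems that process this "
         "information and report cyber incidents in accordance with DFARS 252.204-7012.",
    "C": "The contractor shall maintain a case management system containing law enforcement sensitive CUI "
         "for a civilian agency. The contractor shall implement the security requirements of NIST SP "
         "800-171 Rev. 3 for all systems processing CUI and shall report cyber incidents to the agency "
         "within 72 hours of discovery, as specified in this contract.",
}
# Clause references to search for (Step 9, item 2); the key is the label reported in the summary.
CLAUSE_PATTERNS = {
    "FAR 52.204-21": r"52\.204-21",
    "DFARS 252.204-7012": r"252\.204-7012",
    "NIST SP 800-171": r"NIST SP 800-171(?:\s*Rev\.?\s*\d)?",
    "NIST SP 800-172": r"NIST SP 800-172",
}
# Information-type signals (Step 9, item 1); "non-public" is the FCI tell used in Step 3.
INFO_PATTERNS = {
    "CUI": r"\bCUI\b|Covered Defense Information",
    "export-controlled": r"export-controlled",
    "sensitive": r"\bsensitive\b",
    "FCI": r"\bFCI\b|non-public|not intended for public release",
}
# Step 9, item 4: "within X hours/days of discovery" or "immediately"; item 5: flow-down wording.
TIMELINE_RE = re.compile(r"within\s+(\d+)\s+(hour|day)s?\s+of\s+discovery|\bimmediately\b", re.I)
FLOWDOWN_RE = re.compile(r"include the substance of this clause in all subcontracts", re.I)

def normalize(text):
    # Contract PDFs often render clause numbers with non-breaking hyphens or dashes; fold them to "-".
    return text.replace("\u2011", "-").replace("\u2010", "-").replace("\u2013", "-")

def extract_obligations(text):
    # Returns the Step 9, item 6 summary for one contract passage (assumed structure, not a standard format).
    t = normalize(text)
    clauses = [name for name, pat in CLAUSE_PATTERNS.items() if re.search(pat, t)]
    data_types = [name for name, pat in INFO_PATTERNS.items() if re.search(pat, t)]
    m = TIMELINE_RE.search(t)
    window = "not stated" if not m else ("immediately" if m.group(1) is None else f"{m.group(1)} {m.group(2).lower()}s")
    preservation = "not stated"
    # Decision order follows the pyramid in Step 3: the most demanding clause present wins.
    if "DFARS 252.204-7012" in clauses:
        category, applicable = "CUI/CDI (DoD)", "DFARS 252.204-7012"
        # Assumption: the clause itself fixes these values (Step 7), even when the passage omits them.
        window, preservation = "72 hours", "90 days"
    elif "NIST SP 800-171" in clauses or "CUI" in data_types:
        category, applicable = "CUI (civilian)", "FAR-style CUI clause (NIST SP 800-171)"
    elif "FAR 52.204-21" in clauses or "FCI" in data_types:
        category, applicable = "FCI", "FAR 52.204-21"
    else:
        category, applicable = "unknown", "review manually"
    return {"data_types": data_types, "clauses": clauses, "category": category, "applicable": applicable,
            "reporting_window": window, "log_preservation": preservation, "flow_down": bool(FLOWDOWN_RE.search(t))}
```

Running `extract_obligations` over `SNIPPETS["A"]`, `["B"]` and `["C"]` reproduces the suggested answers in Step 6; the unicode fold in `normalize` is what keeps a "52.204‑21" copied from a PDF from being missed.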

Step 10 – Flashcard Review: Key Terms and Clauses

Flip these cards (mentally or with a partner) to reinforce the core concepts from this module.

Federal Contract Information (FCI)
Information provided by or generated for the government under a contract that is not intended for public release. Typically triggers FAR 52.204‑21 basic safeguarding requirements.
Controlled Unclassified Information (CUI)
Unclassified information that requires safeguarding or dissemination controls under federal law, regulation, or government‑wide policy. Often protected under NIST SP 800‑171 via DFARS or FAR CUI clauses.
Covered Defense Information (CDI)
DoD term for certain CUI provided by DoD to the contractor or developed in performance of the contract that requires safeguarding. Central to DFARS 252.204‑7012.
FAR 52.204‑21
The Basic Safeguarding of Covered Contractor Information Systems clause. Imposes 15 baseline security requirements for systems that process, store, or transmit FCI.
DFARS 252.204‑7012
Safeguarding Covered Defense Information and Cyber Incident Reporting. Requires implementation of NIST SP 800‑171 for CDI and sets 72‑hour incident reporting and 90‑day log preservation requirements.
FAR CUI Clause (emerging)
A government‑wide FAR clause (under rulemaking as of late 2025) intended to require NIST SP 800‑171 Rev. 3 and standardized incident reporting for CUI across civilian agencies.
Flow‑down
The requirement that a prime contractor include the substance of certain clauses (e.g., DFARS 252.204‑7012) in subcontracts where the subcontractor will handle FCI/CUI/CDI.
Incident Reporting Timeline (DoD CUI/CDI)
Under DFARS 252.204‑7012, contractors must report cyber incidents affecting CDI or operationally critical support to DoD within 72 hours of discovery.

Key Terms

Flow‑down
The contractual process of passing certain prime contract clauses and obligations down to subcontractors who will handle the same types of information or perform similar work.
FAR 52.204‑21
Federal Acquisition Regulation clause titled 'Basic Safeguarding of Covered Contractor Information Systems', imposing 15 baseline security requirements for systems handling FCI.
NIST SP 800‑171
National Institute of Standards and Technology Special Publication 800‑171, specifying security requirements for protecting CUI in nonfederal systems and organizations.
NIST SP 800‑172
NIST Special Publication providing enhanced security requirements for protecting CUI in critical programs and high‑value assets.
Incident Reporting
The contractual obligation to notify the government (or prime contractor) of cyber incidents within a specified time and provide supporting technical data such as logs and system images.
DFARS 252.204‑7012
Defense Federal Acquisition Regulation Supplement clause titled 'Safeguarding Covered Defense Information and Cyber Incident Reporting', requiring NIST SP 800‑171 for CDI and setting incident reporting obligations.
Covered Defense Information (CDI)
A DoD category of information that includes certain CUI provided by DoD to the contractor or developed in performance of the contract that requires safeguarding.
Federal Contract Information (FCI)
Information provided by or generated for the government under a contract that is not intended for public release; triggers basic safeguarding under FAR 52.204‑21.
Controlled Unclassified Information (CUI)
Unclassified information that requires safeguarding or dissemination controls under federal law, regulation, or government‑wide policy.