The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
REVISED PROPOSED RULE — NOT FINAL

FAR CUI Rule 2026: What the Revised Proposed Rule Would Require

2026 FAR proposal analysis and contractor action guide — from The Defense Compliance Report

By The Defense Compliance Report Editorial Team · · Last verified

The FAR CUI rule 2026 is not a final rule, and it is not binding. FAR Case 2026-001, published June 23, 2026 at 91 FR 37550, is a revised proposal open for comment through July 23, 2026. If finalized close to how it reads today, it would add clauses FAR 52.240-6 and FAR 52.240-7, a new Standard Form (SF XXX), NIST SP 800-171 Revision 3, 72-hour incident reporting, and subcontract flow-down for federal contracts involving Controlled Unclassified Information (CUI) — reaching civilian-agency contractors, not just DoD.

Here’s the part most pages bury: nothing in this proposal changes your contract the moment it was published. What binds you today is the clause set actually written into your solicitation or contract. That single distinction — proposed versus binding — is the reason this page exists. We read the 85-page Federal Register document, checked the docket, and cross-checked every requirement against the current FAR, DFARS, and 32 CFR Part 170 as of July 16, 2026.

This is a proposed rule, not legal advice.The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not a law firm and we are not your contracting officer. Use this as research, then confirm contractual applicability with your contracting officer and, where needed, qualified federal-contracts counsel.


What applies now vs. what is only proposed

Before anything else, orient yourself. This is the whole board on July 16, 2026:

FAR CUI rule 2026 status on July 16, 2026
ItemStatus on July 16, 2026
FAR Case 2026-001 (the FAR CUI rule)Proposed rule — not final (91 FR 37550)
July 23, 2026Comment deadlinenot an effective date
FAR 52.240-6 and FAR 52.240-7Proposed clauses
SF XXXProposed standard form (placeholder number)
NIST SP 800-171 Rev. 3 under this FAR ruleProposed for covered nonfederal systems
Your current contract clausesBinding according to their terms
DoD RFO class deviation (2026-O0025, effective Feb. 1, 2026)In effect now. New DoD solicitations use FAR 52.240-93 and DFARS 252.240-7997; legacy contracts may still carry FAR 52.204-21 and DFARS 252.204-7019/-7020
DFARS 252.204-7012Still in force where it’s in your contract
CMMC Phase 1 — Level 1 (Self) and Level 2 (Self)Remain available and enforceable where solicitation, contract, modification, or flow-down includes them
CMMC Phase 2 — Level 2 (C3PAO) and Level 3 (DIBCAC)Suspended July 13, 2026, pending review
Final FAR CUI rule / effective dateNot announced

Who this page is for:federal prime contractors and subcontractors who handle — or might be asked to handle — CUI; civilian-agency contractors trying to figure out if this reaches them; and dual defense-and-civilian contractors reconciling a FAR that points to Revision 3 with a CMMC program that still points to Revision 2. CISOs, IT directors, compliance managers, facility security officers, contracts officers, and program managers.

Who it isn’t for:anyone who wants to be told the proposal is already binding (it isn’t), anyone in the middle of a live security incident (call your incident-response plan and counsel), and anyone shopping for a “best CMMC vendor” ranking (we don’t publish those).

The one honest caveat — and why it should make you trust the rest of this page

Because the FAR CUI rule 2026 is still proposed, no one can hand you the final, guaranteed requirements— not us, not the big law firms, not the software vendors. But don’t overcorrect into ignoring it. If this finalizes close to the current draft, it reshapes future bids, your NIST 800-171 Revision 3 planning, your cloud evidence, your incident-response clock, and your subcontract terms. The rational move is reversible preparation— work that helps you no matter how the final rule lands.

The Defense Compliance Reportis the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.


What is the FAR CUI rule 2026 — and is it final?

The FAR CUI rule 2026 is a revised proposedgovernmentwide framework — FAR Case 2026-001 — for identifying, safeguarding, and reporting incidents involving Controlled Unclassified Information in federal contracts.It was published June 23, 2026 at 91 FR 37550, and it is not a final rule; publication alone does not make FAR 52.240-6 or FAR 52.240-7 binding contract requirements. Comments close July 23, 2026.

Since Executive Order 13556 created the governmentwide CUI Program in 2010, federal law, regulation, and governmentwide policy have required CUI protections — but agencies have lacked one standard FAR mechanism for identifying and communicating those requirements to contractors. DoD built the most mature defense-specific contract framework, through DFARS clause 252.204-7012 and later the CMMC program. Civilian agencies used varying agency-specific clauses and procedures. FAR Case 2026-001 proposes a uniform mechanism for the entire federal government. For background on what counts as CUI vs. Federal Contract Information, see our FCI vs. CUI guide.

What “proposed rule” means for you

A proposed rule is the government showing its hand and asking for comment before it commits. It tells you where the FAR Council intends to go. It does not amend your contract. A final rule could keep this framework, revise it, renumber the clauses, delay it, or drop pieces of it. Treat the proposal as high-quality planning intelligence— not as a clause you have to comply with tomorrow.

The dates that matter

Key dates in the FAR CUI rule 2026 timeline
DateEventWhat it means
Nov. 4, 2010Executive Order 13556Created the governmentwide CUI Program
Sept. 14, 201632 CFR Part 2002 (81 FR 63324)NARA’s implementing rule for the CUI Program
Jan. 15, 2025First FAR CUI proposal (FAR Case 2017-016, 90 FR 4278)The old version — 8-hour clock, Revision 2
Nov. 10, 2025CMMC Phase 1 began (32 CFR 170.3(e))Start of the original four-phase CMMC rollout
Feb. 1, 2026DoD Class Deviation 2026-O0025 took effectRenumbered DoD cyber clauses (see crosswalk below)
June 23, 2026Revised FAR CUI proposal (FAR Case 2026-001, 91 FR 37550)The current proposal analyzed on this page
June 25, 2026Paperwork Reduction Act notice (91 FR 38438)Burden estimate; separate Aug. 24 comment deadline
July 13, 2026CMMC Phase 2 suspendedA separate DoD/DIB development
July 23, 2026FAR CUI comment deadlinePublic input closes — not an effective date
UnknownFinal FAR CUI ruleWe won’t guess a date
UnknownEffective date / clause insertion into contractsWe won’t guess a date

Primary sources: Federal Register (91 FR 37550, doc 2026-12559); 32 CFR 170.3(e); DoD Class Deviation 2026-O0025.

What still applies today


When would the FAR CUI rule take effect?

No final publication date, effective date, or phased rollout schedule appears in the June 2026 proposal. July 23, 2026 is the deadline to comment on the proposed rule — not the date the proposed clauses become contract requirements. Anyone telling you the rule “takes effect after July 23” is reading a comment deadline as an effective date.

There are four milestones people routinely blur. Keep them straight:

  1. Proposal published — done (June 23, 2026).
  2. Comment deadline — July 23, 2026.
  3. Final rule published — not scheduled.
  4. Effective date + insertion into a solicitation or contract — not scheduled.

Right now, the marker sits between steps 1 and 2. What to watch after July 23: docket activity, the final rule, any clause renumbering, the permanent SF number, and any phased implementation schedule. We won’t pretend to know the timing.


What changed between the 2025 and 2026 FAR CUI proposals?

The June 2026 proposal is a material rewrite of the January 2025 version, not a reprint.It moves the framework into FAR Part 40, changes the proposed incident-reporting clock from 8 hours to 72 hours, adopts NIST SP 800-171 Revision 3 instead of Revision 2, deletes the standalone “potential CUI” clause, narrows the definition of a reportable incident, and revises the training, cloud, and flow-down mechanics.

Plenty of pages still describe the January 2025 draft — Revision 2, an eight-hour reporting window, the old clause numbers — as if it were current. It isn’t. Below is our 2025 → 2026 Change-and-Action Ledger, verified July 16, 2026 against both Federal Register proposals.

FAR CUI rule 2025 to 2026 change ledger
TopicJan. 2025 draft (90 FR 4278)June 2026 revised proposal (91 FR 37550)Binding July 16, 2026?What to do now
Rule identityFAR Case 2017-016FAR Case 2026-001No — unless a current contract independently imposes a dutyPut “proposed” in every internal memo, slide, and snippet about it
Clause structureProposed 52.204-WW / -XX / -YY (FAR Part 4)Proposed 52.240-6 and 52.240-7 (FAR Part 40)NoSearch current contracts for actual clauses; don’t cite proposed numbers as present duties
CUI identificationSF XXX introducedSF XXX kept and expanded (CUI, location, marking, ODPs, contract-specific requirements)No new FAR form duty todayStart an internal CUI-by-contract register that can later ingest SF XXX fields
Incident clock8 hours from discovery72 hours from discoveryOnly if a current clause independently uses 72 hours (DFARS 7012 does)Confirm your process can meet every current contract clock
Unmarked/mismarked CUISeparate 52.204-YY mechanismDuty moved into 52.240-7(c) — contractor must notify CO; safeguard pending a decisionNot under the proposed clause todayBuild an internal “route it to contracts/legal” workflow
Incident definitionBroader; included “suspected” eventsNarrowed to actual unauthorized disclosure, modification, destruction, or access to the system where CUI residesNoSeparate “marking/handling discrepancy” from “reportable cyber incident” in draft procedures
Technical baselineNIST SP 800-171 Revision 2NIST SP 800-171 Revision 3 + specified ODPsNot because of this proposalRun a Rev. 2 → Rev. 3 delta inventory; don’t relabel a CMMC Rev. 2 environment as “Rev. 3-compliant”
Enhanced requirementsApplied NIST SP 800-172 more broadlyAgency-selected 800-172 requirements only for a critical program or high-value assetNoNote which programs might plausibly qualify; wait for the contract-specific selection
POA&M at offerGap concepts includedProposed 52.240-6(d): noncompliant offeror must identify each gap and submit a POA&M with its offerNo new FAR-wide duty todayImprove gap ownership and POA&M quality; don’t volunteer sensitive architecture outside required channels
Cloud servicesFedRAMP treatment framed differentlyCloud handling identified CUI on a nonfederal system must meet security equivalent to FedRAMP Moderate (52.240-7(d)(3)(ii)(E))Only current contract requirements applyInventory every cloud/external service that can touch CUI and record its evidence basis
VDI/telecom scopeNo equivalent exclusion emphasizedKVM-only VDI endpoints and certain shared commercial communications networks are out-of-scope assets (52.240-7(d)(3)(ii)(A))No new FAR-wide exclusion todayDocument the architecture before treating any endpoint or network as out of scope
Subcontract flow-downFlow-down + separate reporting clauseSubstance of 52.240-7 + applicable SF info flow to any tier with access or ability to access CUI; sole-COTS excludedOnly existing clauses flow todayMap actual access, not vendor names, before designing flow-down
TrainingOne-size-fits-all training before handling CUIOne-size-fits-all requirement removed; contractor tailoring allowedCurrent clauses + internal policy governKeep role-based CUI training; don’t claim the proposal “eliminated” training as a practical need
Contractor liability languageExpress liability language in the draftExpress liability language removedNo effect on other contractual or legal exposureState the deletion accurately; don’t claim liability “disappeared”
CMMC relationshipCMMC on its own DoD trackProposed FAR uses Rev. 3 while current CMMC Level 2 stays Rev. 2; CMMC Phase 2 now suspendedCurrent DFARS + Phase 1 still matterKeep separate columns for FAR, DFARS, CMMC, and agency-specific duties

Source: Verified July 16, 2026 against 91 FR 37550 (June 23, 2026) and 90 FR 4278 (Jan. 15, 2025).

What was removed vs. what merely moved

  • ▸ Deleting proposed FAR 52.240-YY did not erase the unmarked-CUI notice duty — it moved into FAR 52.240-7(c).
  • ▸ Removing express liability language didn’t erase other contractual or legal exposure.
  • ▸ Removing the prescriptive training requirement didn’t remove the practical need for role-appropriate CUI training.
  • ▸ The prime not having to attach the actual SF didn’t remove the duty to flow down applicable SF information.

The proof that this rule is still moving: The January 2025 draft required contractors to report a suspected CUI incident within 8 hours. Commenters pushed back hard. The FAR Council listened and moved that to 72 hoursin the June 2026 proposal — evidence that a thoughtful comment filed before July 23 can still shape the final clause.

Every material revision, its current binding status, and the primary source behind each row \u2014 in one printable sheet you can hand to contracts, IT, and leadership.

Download the 2025 \u2192 2026 Change Ledger

Who would the FAR CUI rule apply to?

If finalized close to the current draft, the framework would apply when a federal solicitation or contract is expected to involve CUI and the agency marks “Yes” on the new SF XXX.It would not apply where performance involves no CUI. Proposed FAR 52.240-7 excludes acquisitions solely for commercially available off-the-shelf (COTS) items — but other commercial products and commercial services can be covered, and flow-down reaches any subcontract tier that needs access to the identified CUI.

The key shift in mindset: applicability is driven by contract performance, not by who you are.

Which profile are you?

Applicability profiles for the proposed FAR CUI rule 2026
Your situationLikely proposed treatmentThe question you need to resolve
Civilian-agency prime expected to handle CUIFAR 52.240-6 / -7 and SF XXX could be includedWhat CUI, and where will it live?
DoD prime already under DFARS 252.204-7012Current DFARS still applies; future FAR interaction to be reconciledWhich clauses and which NIST revision govern this contract?
Subcontractor with access (or ability to access) identified CUIClause substance + applicable SF info could flow downDo you actually need that access?
Contractor with no CUI in performanceProposed CUI clauses shouldn’t applyCan the requiring activity confirm “No” on SF XXX?
Sole-COTS sellerProposed 52.240-7 exceptionIs the buy truly solely COTS, with no CUI-handling services attached?
Other commercial product/serviceCan be coveredWill you or your systems handle CUI?
Nonfederal contractor systemProposed NIST 800-171 Rev. 3 routeWhich components access, use, process, store, maintain, or transmit CUI?
Cloud service providerFedRAMP Moderate-equivalent proposed requirementWhat evidence supports the service boundary?

The contract-first test

When someone asks whether the FAR CUI rule “applies to us,” run these five questions before you answer:

  1. Is CUI expected in performance?
  2. What does the SF XXX say (or, today, what does the contract/agency policy say)?
  3. Where will the CUI reside or transit?
  4. Which systems and providers can access it?
  5. Which clause — and which NIST revision — is actually incorporated?

For DoD contractors, the right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, your assessment type, your cloud and IT environment, and your contract timeline. Use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.

Our FAR CUI Rule 2026 Impact Checker asks a few non-sensitive questions and gives you a dated read on what's binding now, what the June proposal would add, and which issues belong with your contracting officer or counsel. Do not submit CUI, contract documents, drawings, source-selection information, credentials, or sensitive system details.

Check My FAR CUI Impact

What FAR 52.240-6, FAR 52.240-7, and SF XXX would actually require

The proposed framework has three moving parts: SF XXX would tell the parties what CUI and contract-specific requirements are in play; FAR 52.240-6 would notify offerors and require them to disclose known compliance gaps; and FAR 52.240-7 would set the contractor’s safeguarding, incident-reporting, conflict-notification, and flow-down duties. None is a final, binding FAR-wide requirement today.

SF XXX — the contract-level CUI map

Under the proposal, the requiring activity (the government) — not the contractor — decides whether a contract involves CUI and completes a new Standard Form, SF XXX (Controlled Unclassified Information Requirements). It’s expected to identify the CUI categories involved, whether the information is CUI Basic or CUI Specified, where it resides (federal or nonfederal systems), who’s responsible for marking, any Organization-Defined Parameters (ODPs), any selected enhanced (NIST SP 800-172) requirements, incident-reporting instructions, and additional contract-specific requirements.

This is the proposed answer to the loudest complaint from the DIB for years: “the government won’t tell me what’s actually CUI.” The SF XXX is a uniform form that’s supposed to say so, up front.

FAR 52.240-6 — Notice of CUI Requirements (the solicitation side)

This is the pre-award provision. It would appear in solicitations that carry FAR 52.240-7 and put offerors on notice of the CUI requirements. Two duties to flag for your capture and proposal teams:

Those two modalities — should for the discrepancy notice, mustfor the POA&M — are not the same thing. Don’t let anyone collapse them.

The POA&M-at-offer wrinkle

Read proposed 52.240-6(d) closely with your proposal manager. It contemplates disclosing gaps in the offer itself. The practical risk isn’t only technical readiness; it’s that an inaccurate, incomplete, or overbroad disclosure can create avoidable procurement risk. A POA&M is not the same thing as compliance. Do not paste full System Security Plans (SSPs), network diagrams, or vulnerability details into an ordinary proposal volume without checking the solicitation’s handling instructions first.

FAR 52.240-7 — Controlled Unclassified Information (the contract side)

This is the operational clause that would live in the awarded contract. It covers CUI identification and discrepancy reporting; the split between federal and nonfederal environments; the NIST SP 800-171 Revision 3 baseline and its ODPs; any CUI Specified or selected NIST SP 800-172 requirements; the cloud baseline; SSP and external-service-provider identification; POA&Ms available to the government on request; incident reporting and evidence preservation; conflict-of-law notification; and subcontract flow-down.

The proposed verification approach, in one line:offer-stage gap disclosure and POA&M; SSP and associated POA&Ms available to the government on request; and agency validation under applicable agency procedures. The proposal does not establish one universal third-party certification mechanism — a real difference from CMMC.


Would the FAR CUI rule require NIST SP 800-171 Revision 3?

Yes — for covered nonfederal systems, proposed FAR 52.240-7 would require NIST SP 800-171 Revision 3 plus specified Organization-Defined Parameters. But that proposed baseline does not automatically change a current contract, and it does not automatically replace the Revision 2 baseline written into today’s CMMC Level 2.

This is the single most important technical distinction on this page, and the one most likely to trip up a contractor who already knows CMMC. NIST published Revision 3 on May 14, 2024, superseding Revision 2 — but a NIST publication does not, by itself, rewrite every federal contract. For a full breakdown of the NIST 800-171 requirements and how they map to CMMC, see our requirements checklist.

Revision 3 (proposed FAR) vs. Revision 2 (current CMMC Level 2)

Comparison of NIST 800-171 Revision 3 under proposed FAR vs. Revision 2 under current CMMC Level 2
IssueProposed governmentwide FAR CUI ruleCurrent CMMC Level 2
StatusProposedProgram rule in effect; new Level 2 (C3PAO) designations suspended July 13, 2026
BaselineNIST SP 800-171 Revision 3NIST SP 800-171 Revision 2 (110 requirements across 14 families)
Contract mechanismProposed FAR 52.240-7DFARS 252.204-7021 where implemented
VerificationSelf-disclosure in the offer + POA&M + documentation on request + agency validation (no universal third-party certification)Level 2 (Self) or Level 2 (C3PAO), as specified by the solicitation or contract
Scope triggerCUI identified via SF XXX and contractContractor systems that process, store, or transmit CUI, plus assets that provide security protection, under 32 CFR Part 170 scoping
What to do nowDelta analysis — not automatic migrationKeep meeting your current contractual obligations

Source: 32 CFR Part 170 (CMMC Program Rule, effective Dec. 16, 2024); 91 FR 37550; NIST SP 800-171 Rev. 3 (May 14, 2024).

Don’t let anyone tell you Revision 3 has “replaced” Revision 2 for CMMC. It hasn’t. The current CMMC program rule makes CMMC Level 2 identical to NIST SP 800-171 Revision 2— 110 requirements across 14 families. The proposed FAR CUI rule points to Revision 3. A contractor that serves both civilian and defense customers could be asked to satisfy both at the same time.

What the ODP reference means

Revision 3 introduced Organization-Defined Parameters— specific values for certain controls (password lengths, session-timeout windows, review frequencies) that an organization sets rather than treating one number as universal. The proposed FAR rule addresses this by pointing contractors to a government-provided set of ODP values for the applicable requirements — so where the clause specifies government values, you wouldn’t freely pick your own.

The prudent preparation path

If you already run to Revision 2 for DoD work, the reversible move is a crosswalk, not a rebuild:

  1. Download NIST’s official Rev. 2 → Rev. 3 change analysis from NIST’s Computer Security Resource Center (CSRC).
  2. Map your current controls, policies, evidence, and architecture first — then requirements.
  3. Separate genuinely new requirements from reorganized ones.
  4. Record ODP dependencies and cost/architecture implications.
  5. Don’t change any contractual representation or baseline without authority.
  6. Treat high-cost architectural changes as contingent until the rule and your contract are final.

Which NIST SP 800-172 edition would apply?

The proposal lets agencies select enhanced requirements from “NIST SP 800-172” for a critical program or high-value asset — but the edition question is worth pinning down. NIST published SP 800-172 Revision 3 in May 2026 and withdrew the original February 2, 2021 edition on May 13, 2026(NIST CSRC). Meanwhile, the current CMMC rule (32 CFR Part 170) still cites the February 2021 edition for Level 3. That’s a live version question a bidder should resolve in writing, not assume.

NIST SP 800-172 version status as of July 16, 2026
SourceVersion status (verified July 16, 2026)
Proposed FAR 52.240-7Refers to NIST SP 800-172 for agency-selected enhanced requirements
NIST publication statusFebruary 2021 edition withdrawn May 13, 2026; Revision 3 is current (expands the objective to the confidentiality-integrity-availability triad; adds ODPs)
Current 32 CFR Part 170 (CMMC)Still cites NIST SP 800-172, February 2021, for CMMC Level 3

What we won’t tell you: that the clause “definitely” means Revision 3, or “definitely” means the 2021 edition, or that every contractor must implement all of 800-172. The proposal limits these enhanced requirements to a critical program or high-value asset, selected by the agency — not to ordinary CUI contracts.

The question to send your contracting officer if 800-172 shows up on your SF XXX:

“Please identify the exact edition, the selected requirements, the applicable Organization-Defined Parameters, the assessment expectations, and the precedence for each NIST SP 800-172 requirement incorporated through the SF.”


How would the 72-hour incident-reporting rule work?

For CUI in a nonfederal environment, proposed FAR 52.240-7 would generally require a report within 72 hours of discovery — to DIBNet for DoD contracts and to CISA for non-DoD contracts — plus notice to the contracting officer, and to the next higher-tier contractor where applicable. It allows a tiered approach: report the facts you have, then supplement. A marking problem, by itself, is not a reportable incident unless it results in unauthorized disclosure, modification, destruction, or system access.

The reporting triggers — read the modalities

72-hour reporting triggers under proposed FAR 52.240-7
TriggerWho actsModality and first step
Offeror discrepancy notice (apparent unmarked/mismarked CUI, pre-award)OfferorShould notify the CO and safeguard pending determination
Contractor discrepancy notice (apparent unmarked/mismarked CUI, post-award)ContractorMust notify the CO and safeguard pending determination
A CUI incident in a nonfederal environmentContractorMust report through the specified government channel and provide the required notices
A conflict with another law or regulationContractorMust notify the CO within 72 hours after determining it can’t comply

What counts as a CUI incident

Use the proposal’s four branches, and nothing broader:

Improper handling or a marking discrepancy doesn’t automatically become a “CUI incident” unless it produces one of those outcomes. Keep the separate unmarked-CUI notice duty (in 52.240-7(c)) in its own lane.

Where a report would go

Under the proposal’s nonfederal route: DoD contracts report to DIBNet; non-DoD contracts report to CISA’s incident-reporting portal. The contractor also notifies the contracting officer that a report was submitted, and notifies the next higher-tier contractor where applicable. For a CUI incident involving a FedRAMP-authorizedcloud service provider that has already reported through FedRAMP Incident Communication Procedures, the contractor isn’t required to file an additional report beyond following those procedures — but you still need to know who reported, what information reached you, and what notices remain owed to your CO or higher tier.

Initial report vs. supplemental report

The proposal doesn’t demand a complete forensic picture in the first 72 hours. You report the required data elements you have, notify the CO and any higher tier, then submit supplemental information as the investigation develops.

How long would incident evidence have to be preserved?

The contractor would preserve and protect available images of all known affected systems and relevant monitoring and packet-capture data until the government declines interest, or until 90 daysafter the report passes without a government request — whichever comes first. Build that retention step into your incident plan now; it’s easy to overlook and hard to reconstruct after the fact.

Don’t let the proposed clock overwrite your current clocks.You may already carry a 72-hour DFARS 252.204-7012 duty, FedRAMP reporting duties, agency-specific clauses, state breach-notification laws, cyber-insurance notice terms, and customer or subcontract notice requirements. The operational answer is a clause-and-law matrix — not the assumption that one 72-hour clock resolves everything.


What happens if CUI is identified after award?

If the agency determines that newly encountered information is CUI and wants the contractor to handle it, the proposed procedures call for the SF XXX to be updated, the contract to be modified, and the contracting officer to consider an appropriate contractor request for equitable adjustment.In plain terms: if the government moves the goalposts mid-performance, there’s a proposed mechanism to reflect that in the contract — but nothing here promises that an adjustment will be granted or fixes an amount.

This is why your internal escalation path matters. When someone on your team believes they’ve received or created information that looks like CUI but isn’t on the SF, the proposal would have you safeguard it and notify the contracting officer — not ignore it and not unilaterally treat everything as CUI. Get that routing — employee to contracts/legal/security — working now, because it’s the same muscle you’ll use whether the final rule looks like this draft or not.


What would the rule require for cloud services, VDI, and telecom?

A cloud service that stores, processes, or transmits CUI identified on the SF XXX would have to meet security requirements equivalent to the FedRAMP Moderate baseline. The proposal also carves out narrow out-of-scope treatment for properly restricted keyboard/video/mouse-only VDI (virtual desktop infrastructure) endpoints and for certain shared commercial communications networks — but neither is a blanket exemption for remote devices, SaaS products, email, or “all telecom.” We pulled the exclusions straight from the clause text at FAR 52.240-7(d)(3)(ii)(A).

Federal vs. nonfederal systems are treated differently

Read the branches, because they’re easy to merge. For a federal information system, proposed FAR 52.240-7(d)(3)(i) would apply agency-identified requirements, with cloud security at no less than the FedRAMP Moderate baseline. For a nonfederal (contractor) system, paragraph (d)(3)(ii)(E) would require a cloud provider handling identified CUI to meet security requirements equivalent to FedRAMP Moderate, along with any selected paragraph (D) NIST SP 800-172 requirements. The VDI and commercial-communications exclusions live in paragraph (d)(3)(ii)(A).

Evidence to inventory for every provider that can touch CUI

Cloud provider evidence checklist for the proposed FAR CUI rule
QuestionWhy it matters
Is the exact service and boundary authorized or claimed equivalent?A brand-level authorization may not cover every product or region
Which data locations and support services are in scope?CUI can reach logs, backups, help desk, and integrations
Who reports incidents, and how?The proposal has a FedRAMP-authorized exception — know if it applies
Which external providers appear in your SSP?The clause expressly requires identification
Can the provider support preservation and investigation?Incident duties run past the initial notice
Which subcontractors or fourth parties can access the environment?Flow-down and supply-chain exposure
What contract language supports “equivalent”?A vendor’s assertion isn’t automatically sufficient evidence

The VDI exception — with its limits

Proposed FAR 52.240-7(d)(3)(ii)(A) treats an endpoint hosting a VDI client as an out-of-scope assetwhen it’s configured to prevent any processing, storage, or transmission of CUI beyond the keyboard/video/mouse traffic sent to the VDI client. The paths worth checking before you rely on the exclusion include local file transfer, clipboard use, printing, and caching. Scope conclusions require architecture evidence, not the word “VDI” on a diagram.

The commercial-communications exception — narrow

The same paragraph treats as out of scope commercial communications networks that carry government and non-government information using the same equipment, protocols, and methods, without regard to source or recipient — the common-carrier concept. Don’t stretch that into “anything sent over a network is out of scope.” It isn’t.

Use our FAR CUI cloud-and-provider evidence worksheet to record each service boundary, its authorization or equivalence evidence, the incident path, subcontractors, and the questions you still owe your CO.

Build My Provider Evidence Register

How would the FAR CUI rule flow down to subcontractors?

Proposed FAR 52.240-7 would flow down at every tier when a subcontract requires access — or the ability to access — CUI identified on the SF XXX.The flow-down would include the substance of the clause and the applicable SF information, reach commercial products and services other than sole-COTS, and require the subcontractor to report incidents through the government channel and notify the next higher tier where applicable. It’s access-based, not “every subcontractor gets the clause.”

The lazy version — “flow it to everyone” — creates cost and risk you don’t need. The decision sequence is narrower:

  1. Will the subcontractor access, or have the ability to access, identified CUI?
  2. Which CUI and handling activities are actually necessary?
  3. Which contract-specific requirements apply?
  4. Which clause information must flow?
  5. Which systems and providers support the subcontract?
  6. Where would incidents be reported?
  7. Can you reduce the scope or the access instead?

Actual SF vs. applicable SF information

The preamble says the prime does nothave to attach the actual SF XXX or a modified copy — but proposed paragraph (g) still requires the applicable informationfrom the SF to flow down. Build the data sheet; don’t forward the whole contract. Removing unnecessary CUI access is a legitimate business lever — but an enclave or access restriction is a scoping decision, not a compliance guarantee.


Which DoD clause numbers should you look for in 2026?

If you do DoD work, the clause numbers on your 2026 solicitations may not match your old compliance mappings — and that’s not the FAR CUI proposal, it’s a separate Defense class deviation that’s already in effect.On February 1, 2026, DoD Class Deviation 2026-O0025 (“Revolutionary FAR Overhaul Part 40, DFARS Part 240”) renumbered several cyber clauses without new rulemaking. The underlying obligations largely didn’t change — the citations did.

DoD cyber clause crosswalk: legacy citations vs. 2026 deviation-path citations
FunctionLegacy citation (older contracts)2026 DoD deviation-path citationWhat changed
Basic safeguarding of FCI (15 controls)FAR 52.204-21FAR 52.240-93Renumbered; the 15 basic safeguarding requirements are unchanged
NIST SP 800-171 DoD assessmentDFARS 252.204-7020DFARS 252.240-7997Renumbered; the standalone “Basic” self-assessment concept was removed from the clause
Notice of NIST SP 800-171 DoD assessmentDFARS 252.204-7019EliminatedThe standalone provision no longer exists on the deviation path
Safeguarding CUI / cyber-incident reportingDFARS 252.204-7012DFARS 252.204-7012Unchanged
CMMC requirementsDFARS 252.204-7021DFARS 252.204-7021Unchanged

Source: DoD Class Deviation 2026-O0025 (effective Feb. 1, 2026); DFARS 252.240-7997 and FAR 52.240-93 deviation text (Defense Acquisition Regulations System). For a full explanation of DFARS 252.204-7012 requirements, see our dedicated explainer.

Self-assessment and SPRS didn’t disappear.For contractors handling CUI, that obligation now sits under the CMMC clause, DFARS 252.204-7021. Because this was done by class deviation rather than rulemaking, older contracts can still carry the legacy clause numbers. Check the actual clause set and the contract’s vintage before you assume which numbering governs.


Is the FAR CUI rule replacing CMMC or DFARS 252.204-7012?

No. The proposed FAR framework is governmentwide, while CMMC and DFARS 252.204-7012 are DoD-specific mechanisms with their own scopes and current contract effects.Proposed FAR 52.240-7 points to Revision 3; current CMMC Level 2 still points to Revision 2; and the July 13, 2026 suspension of CMMC Phase 2 did not remove existing DFARS 252.204-7012 obligations. These are parallel regimes, not one replacing another.

Comparison of FAR CUI rule, DFARS 252.204-7012, and CMMC
DimensionFAR Case 2026-001 (proposed)DFARS 252.204-7012CMMC
ReachGovernmentwide (civilian + defense)DoD contracts containing the clauseDoD program + contract mechanism
StatusProposedIn force where includedPhase 1 (Self) remains; Phase 2 designations suspended July 13, 2026
InformationCUI identified via SF XXXCovered defense information / CUI under the clauseFCI (Level 1) or CUI (Level 2+)
BaselineProposed NIST SP 800-171 Rev. 3NIST SP 800-171 version in effect when the solicitation is issued, or another version authorized by the COLevel 2 = Rev. 2 (110 requirements, 14 families)
Incident reportingProposed 72-hour route (DIBNet / CISA)Current 72-hour “rapidly report” to DIBNetNot itself a replacement for 7012 reporting
Immediate decisionMonitor and prepare reversiblyFollow the clause in your contractMeet current Phase 1 + contract requirements

Current update — July 16, 2026: CMMC Phase 2 suspension

On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase 2, including the third-party-assessment transition that had been scheduled to begin November 10, 2026, pending a review. This is a pause of the rollout — not a repeal. During the suspension, requiring activities may newly designate only Level 1 (Self) or Level 2 (Self); they may notnewly designate Level 2 (C3PAO) or Level 3 (DIBCAC). Active solicitations containing the suspended requirements are to be amended, and affected existing contracts are to be modified before the next option exercise or scheduled administrative modification.

What did notchange: Phase 1 self-assessment requirements remain, DFARS 252.204-7012 obligations remain where the clause is in the contract, and the False Claims Act still applies. If you still see “CMMC Phase 2 enforcement begins November 10, 2026” anywhere — including older pages on this topic — that date has been overtaken by the July 13 suspension. This is a fast-moving policy development; we re-verify it on a short cycle.

The CMMC Path Framework routes to a provider category, not a named provider. It is not a compliance score, a certification decision, or a substitute for contract advice.

Separate your FAR question from your CMMC provider question. If your actual contract requires CMMC or DFARS work, map your required level, assessment type, CUI scope, environment, and timeline to the provider category that fits \u2014 before you request quotes.

Use Find My CMMC Path

What would the FAR CUI rule’s paperwork burden be?

The Paperwork Reduction Act (PRA) notice tied to this rulemaking (91 FR 38438, published June 25, 2026; comments due August 24, 2026) revises two federal information collections and reports the consolidated “FAR Part 40 Requirements” collection at 19,894 respondents, 73,519 annual responses, and 213,987 annual burden hours. Read the fine print: these are paperworkhours for government information collections — not a cybersecurity implementation budget, not a CUI-only figure, and not what any single company will spend.

FAR Part 40 paperwork burden metrics, from the PRA notice (91 FR 38438)
MetricValueCalculation
Respondents19,894(published)
Total annual responses73,519(published)
Total annual burden hours213,987(published)
Responses per respondent, per year3.7073,519 ÷ 19,894
Burden hours per respondent, per year10.76213,987 ÷ 19,894
Burden hours per response2.91213,987 ÷ 73,519

Source: 91 FR 38438 (June 25, 2026), OMB Control Nos. 9000-0189 and 9000-0199. These are information-collection paperwork figures, not cybersecurity implementation costs.

If you want a real implementation budget, it has to come from your own scoped gap analysis — not from a PRA line item. For a realistic sense of what CMMC-related compliance runs, see our CMMC Level 2 cost guide. Older vendor pages that cite the January 2025 draft’s Revision 2 cost assumptions as if they were the 2026 proposal’s costs aren’t a reliable current answer.


How do I comment on FAR Case 2026-001?

You can comment on the proposed rule through the federal docket until July 23, 2026 — cite “FAR Case 2026-001” (Federal Register document 2026-12559, 91 FR 37550, RIN 9000-AO86).This is the formal notice-and-comment step, which makes it the clearest chance to shape the clause language before it lands in solicitations. The separate Paperwork Reduction Act information-collection comment period runs until August 24, 2026.

Safety point: Comments and attachments submitted to the public docket may be posted publicly. Do not include CUI, proprietary information, export-controlled information, source-selection information, credentials, incident evidence, personal information, or sensitive system details in a public comment. Make your regulatory point; leave the sensitive specifics out.

Open the official FAR docket to file a comment on FAR Case 2026-001 before July 23, 2026. Do not submit CUI, proprietary information, export-controlled information, or sensitive system details in a public comment.

Open the Official FAR Docket

What should contractors do before the FAR CUI rule is final?

Keep meeting the clauses in your current contracts, and prepare for the proposal through reversible work: inventory your clauses and CUI, map your systems and providers, crosswalk Revision 2 to Revision 3, test your incident escalation, review subcontract access, and write down the questions you need a contracting officer to answer.Don’t represent the proposed clauses as binding, don’t promise a final effective date, and don’t buy an expensive environment solely because a draft exists.

Act now vs. wait

Act now vs. wait: reversible preparation guidance for the FAR CUI rule 2026
Act now — reversible and usefulWait for final text or contract direction
Build a current-clause inventory (including the 2026 DoD clause renumbering)Don’t state that FAR 52.240-6 / -7 already applies
Identify contracts expected to involve CUIDon’t issue mandatory flow-down based only on the proposal
Map CUI creation, receipt, storage, transmission, disposalDon’t tell customers July 23 is an effective date
Inventory cloud and external providersDon’t buy a six-figure environment on a draft assumption
Compare Rev. 2 controls/evidence with Rev. 3Don’t replace your CMMC Rev. 2 baseline in current representations
Test 72-hour escalationDon’t discard shorter clocks already in your contracts or law
Map subcontractors with CUI accessDon’t flow unrelated prime-contract information downstream
Improve POA&M ownership and evidenceDon’t submit sensitive SSP material unless required and properly handled
Draft questions for the CODon’t invent answers to ambiguous clause language
Consider filing a comment before July 23Don’t treat an advocacy position as settled law

A 30-day reversible-prep sequence

The questions to send your contracting officer

  1. Is CUI expected to be involved in this acquisition?
  2. Which CUI categories and source authorities apply?
  3. Who is responsible for creating and marking the information?
  4. Where will the CUI reside or transit?
  5. Which edition of each NIST publication applies?
  6. Which ODP values apply?
  7. Are any NIST SP 800-172 requirements selected — and which edition?
  8. Which incident-reporting instructions take precedence?
  9. Which subcontractors need applicable SF information?
  10. How will disclosed gaps and POA&Ms be evaluated?
  11. Are there agency-specific requirements beyond the standard clause?
  12. What happens if CUI is identified after award?

Turn the proposal into an action register. Download the FAR CUI Impact Worksheet that separates current clauses, proposed requirements, CUI locations, external providers, flow-down triggers, unresolved questions, and the decisions that should wait.

Download the FAR CUI Impact Worksheet

What we verified — and what’s still unsettled

We checked the June 23 proposal against the January 2025 proposal, the current FAR and DFARS, the February 2026 DoD class deviation, current 32 CFR Part 170, NIST’s publication-status pages, the July 13 CMMC suspension, and the associated PRA notice.Several things remain genuinely unsettled — the final effective date, the permanent SF number, the final clause language, and the exact NIST SP 800-172 edition the clause intends. We’d rather tell you that than paper over it with a guess.

What we actually verified (July 16, 2026)

How we produced this

We read the primary sources first — the Federal Register text, the current FAR and DFARS on Acquisition.gov, the DoD class-deviation memo, 32 CFR Part 170 on eCFR, and NIST’s CSRC pages. We used law-firm and industry analysis to spot common interpretations and errors, not as authority for the requirements themselves. Every “must,” “would,” and “should” on this page was checked against the operative source and its status, and each editorial conclusion is labeled as ours.

What’s still unsettled

Open questions in the FAR CUI rule 2026 as of July 16, 2026
Open questionWhat’s verifiedWhat we won’t invent
When will a final rule issue?Comments close July 23, 2026A publication month or effective date
When would clauses appear in contracts?No schedule stated“Immediately after July 23”
Which NIST SP 800-172 edition does the clause mean?2021 withdrawn; Rev. 3 current; CMMC still cites 2021That it “definitely” means one edition
How will FAR Rev. 3 interact with CMMC Rev. 2?FAR says Rev. 3; CMMC L2 says Rev. 2That one automatically replaces the other
What will the final SF number be?Proposal still uses “SF XXX”A permanent form number
How will the CMMC review affect the FAR rule?The two events overlap in timeA causal or policy outcome not announced

Corrections: If you spot a superseded source, a clause change, a broken primary-source link, or a factual error, tell us through our corrections policy. We date and summarize substantive corrections, and we don’t silently rewrite a material regulatory conclusion.


FAR CUI rule 2026: frequently asked questions

These answers cover the follow-ups most likely to send a contractor back to search — status, timing, applicability, Revision 3, reporting, cloud, subcontractors, and CMMC. Each is short by design; the deeper explanation lives in the sections above.

Is the FAR CUI rule final?
No. FAR Case 2026-001 is a proposed rule published June 23, 2026 (91 FR 37550). It is not binding merely because it was published.
Is July 23, 2026 the effective date?
No. July 23 is the deadline to comment on the proposed rule. No final effective date has been announced.
What is FAR Case 2026-001?
It's the broader Revolutionary FAR Overhaul proposal covering several FAR parts, including the revised governmentwide CUI framework in FAR Parts 40 and 52.
What happened to FAR Case 2017-016?
That was the January 2025 CUI proposal (90 FR 4278). The June 2026 proposal materially revises it after the earlier version drew significant public comment.
Would the FAR CUI rule apply to civilian-agency contractors?
Yes, if finalized as proposed and the contract is expected to involve CUI. A governmentwide framework is the whole point.
Would it apply to every federal contractor?
No. The proposed clauses and SF XXX attach to acquisitions that involve CUI.
Is there a COTS exception?
Yes — the proposed prescription excludes acquisitions solely for commercially available off-the-shelf (COTS) items.
Could commercial products and services still be covered?
Yes. The exception is only for sole-COTS buys; other commercial products and services can be covered when CUI is involved.
What is SF XXX?
It's the placeholder name for the proposed standard form agencies would use to identify the CUI and the contract-specific safeguarding, marking, system, ODP, enhanced-control, and reporting requirements.
Would the rule use NIST SP 800-171 Revision 3?
Yes, for covered nonfederal systems under the proposal — but the proposal itself doesn't change your current contract.
Does Revision 3 currently replace Revision 2 for CMMC Level 2?
No. Current 32 CFR Part 170 still makes CMMC Level 2 identical to NIST SP 800-171 Revision 2 — 110 requirements across 14 families.
Which NIST SP 800-172 edition would apply?
The 2021 edition was withdrawn May 13, 2026 and superseded by Revision 3, while CMMC still cites the 2021 edition — treat the applicable edition as something to confirm with your contracting officer.
Is incident reporting 8 hours or 72 hours?
The June 2026 proposal uses 72 hours. The 8-hour figure belongs to the January 2025 draft. Check your current contract clauses independently.
Where would incidents be reported?
Under the proposed nonfederal route, DIBNet for DoD contracts and CISA for non-DoD contracts, plus notice to the contracting officer, with a FedRAMP-authorized-cloud exception in the clause.
How long would I have to preserve incident evidence?
The proposal would have you preserve affected-system images and relevant monitoring/packet-capture data until the government declines interest or 90 days pass after the report without a government request, whichever comes first.
Does deleting former FAR 52.240-YY eliminate unmarked-CUI reporting?
No. Proposed FAR 52.240-7(c) keeps a contractor duty to flag apparent unmarked or mismarked CUI to the contracting officer. The duty moved; it didn't disappear.
Would a POA&M have to be submitted with an offer?
Under proposed FAR 52.240-6(d), yes — when the offeror isn't compliant with an applicable requirement. A POA&M is not the same as compliance.
Would cloud providers need FedRAMP Moderate authorization?
The proposal says cloud providers handling identified CUI on a nonfederal system must meet security requirements equivalent to the FedRAMP Moderate baseline. Verify the evidence for your specific service.
Are VDI endpoints automatically out of scope?
No. The exception is limited to endpoints configured so CUI doesn't process, store, or transmit beyond the keyboard/video/mouse traffic to the VDI client.
Would the rule flow down to every subcontractor?
No. Proposed flow-down is tied to access — or the ability to access — CUI identified on the SF XXX.
Why does my 2026 DoD solicitation cite DFARS 252.240-7997 instead of 252.204-7020?
Because of DoD Class Deviation 2026-O0025 (effective February 1, 2026), which renumbered several cyber clauses. FAR 52.204-21 became FAR 52.240-93 and DFARS 252.204-7020 became DFARS 252.240-7997; DFARS 252.204-7019 was eliminated. Older contracts may still carry the legacy numbers.
Does the FAR proposal replace CMMC?
No. They're separate frameworks with different reach, baselines, and contract mechanisms.
Is CMMC Phase 2 still beginning November 10, 2026?
No. The Department of War suspended Phase 2 on July 13, 2026, including that scheduled transition.
Did the CMMC suspension remove DFARS 252.204-7012?
No. That clause remains a current obligation where it's in your contract, and Phase 1 self-assessment remains.
Should contractors implement the full proposal now?
Not automatically. Meet your current obligations and do reversible preparation while you wait for final text and contract direction.
Where should I get a definitive answer for my contract?
Confirm contractual applicability with your contracting officer and, where needed, qualified federal-contracts counsel; use a current Registered Practitioner or Registered Provider Organization for readiness, scoping, and implementation support.

Need help deciding what type of CMMC provider you need?

If your work actually involves CMMC or DFARS obligations and you’re trying to figure out the right kindof help, we can point you in the right direction. Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Do not submit CUI, drawings, source-selection information, contract documents, credentials, or sensitive system details in the form.

Find My CMMC Path

Disclosure:The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense or Department of War, DCMA DIBCAC, NIST, NARA, GSA, the FAR Council, or any U.S. government agency. This page is educational research, not legal, contractual, cybersecurity, or compliance advice. Confirm contractual applicability with your contracting officer and, where needed, qualified federal-contracts counsel; use a Registered Practitioner or Registered Provider Organization for readiness, scoping, and implementation support. The contract clause and CUI handling set your requirements — not a checklist.


Primary sources