FAR CUI Rule 2026: What the Revised Proposed Rule Would Require
The FAR CUI rule 2026 is not a final rule, and it is not binding. FAR Case 2026-001, published June 23, 2026 at 91 FR 37550, is a revised proposal open for comment through July 23, 2026. If finalized close to how it reads today, it would add clauses FAR 52.240-6 and FAR 52.240-7, a new Standard Form (SF XXX), NIST SP 800-171 Revision 3, 72-hour incident reporting, and subcontract flow-down for federal contracts involving Controlled Unclassified Information (CUI) — reaching civilian-agency contractors, not just DoD.
Here’s the part most pages bury: nothing in this proposal changes your contract the moment it was published. What binds you today is the clause set actually written into your solicitation or contract. That single distinction — proposed versus binding — is the reason this page exists. We read the 85-page Federal Register document, checked the docket, and cross-checked every requirement against the current FAR, DFARS, and 32 CFR Part 170 as of July 16, 2026.
This is a proposed rule, not legal advice.The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not a law firm and we are not your contracting officer. Use this as research, then confirm contractual applicability with your contracting officer and, where needed, qualified federal-contracts counsel.
What applies now vs. what is only proposed
Before anything else, orient yourself. This is the whole board on July 16, 2026:
| Item | Status on July 16, 2026 |
|---|---|
| FAR Case 2026-001 (the FAR CUI rule) | Proposed rule — not final (91 FR 37550) |
| July 23, 2026 | Comment deadline — not an effective date |
| FAR 52.240-6 and FAR 52.240-7 | Proposed clauses |
| SF XXX | Proposed standard form (placeholder number) |
| NIST SP 800-171 Rev. 3 under this FAR rule | Proposed for covered nonfederal systems |
| Your current contract clauses | Binding according to their terms |
| DoD RFO class deviation (2026-O0025, effective Feb. 1, 2026) | In effect now. New DoD solicitations use FAR 52.240-93 and DFARS 252.240-7997; legacy contracts may still carry FAR 52.204-21 and DFARS 252.204-7019/-7020 |
| DFARS 252.204-7012 | Still in force where it’s in your contract |
| CMMC Phase 1 — Level 1 (Self) and Level 2 (Self) | Remain available and enforceable where solicitation, contract, modification, or flow-down includes them |
| CMMC Phase 2 — Level 2 (C3PAO) and Level 3 (DIBCAC) | Suspended July 13, 2026, pending review |
| Final FAR CUI rule / effective date | Not announced |
Who this page is for:federal prime contractors and subcontractors who handle — or might be asked to handle — CUI; civilian-agency contractors trying to figure out if this reaches them; and dual defense-and-civilian contractors reconciling a FAR that points to Revision 3 with a CMMC program that still points to Revision 2. CISOs, IT directors, compliance managers, facility security officers, contracts officers, and program managers.
Who it isn’t for:anyone who wants to be told the proposal is already binding (it isn’t), anyone in the middle of a live security incident (call your incident-response plan and counsel), and anyone shopping for a “best CMMC vendor” ranking (we don’t publish those).
The one honest caveat — and why it should make you trust the rest of this page
Because the FAR CUI rule 2026 is still proposed, no one can hand you the final, guaranteed requirements— not us, not the big law firms, not the software vendors. But don’t overcorrect into ignoring it. If this finalizes close to the current draft, it reshapes future bids, your NIST 800-171 Revision 3 planning, your cloud evidence, your incident-response clock, and your subcontract terms. The rational move is reversible preparation— work that helps you no matter how the final rule lands.
The Defense Compliance Reportis the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
What is the FAR CUI rule 2026 — and is it final?
The FAR CUI rule 2026 is a revised proposedgovernmentwide framework — FAR Case 2026-001 — for identifying, safeguarding, and reporting incidents involving Controlled Unclassified Information in federal contracts.It was published June 23, 2026 at 91 FR 37550, and it is not a final rule; publication alone does not make FAR 52.240-6 or FAR 52.240-7 binding contract requirements. Comments close July 23, 2026.
Since Executive Order 13556 created the governmentwide CUI Program in 2010, federal law, regulation, and governmentwide policy have required CUI protections — but agencies have lacked one standard FAR mechanism for identifying and communicating those requirements to contractors. DoD built the most mature defense-specific contract framework, through DFARS clause 252.204-7012 and later the CMMC program. Civilian agencies used varying agency-specific clauses and procedures. FAR Case 2026-001 proposes a uniform mechanism for the entire federal government. For background on what counts as CUI vs. Federal Contract Information, see our FCI vs. CUI guide.
What “proposed rule” means for you
A proposed rule is the government showing its hand and asking for comment before it commits. It tells you where the FAR Council intends to go. It does not amend your contract. A final rule could keep this framework, revise it, renumber the clauses, delay it, or drop pieces of it. Treat the proposal as high-quality planning intelligence— not as a clause you have to comply with tomorrow.
The dates that matter
| Date | Event | What it means |
|---|---|---|
| Nov. 4, 2010 | Executive Order 13556 | Created the governmentwide CUI Program |
| Sept. 14, 2016 | 32 CFR Part 2002 (81 FR 63324) | NARA’s implementing rule for the CUI Program |
| Jan. 15, 2025 | First FAR CUI proposal (FAR Case 2017-016, 90 FR 4278) | The old version — 8-hour clock, Revision 2 |
| Nov. 10, 2025 | CMMC Phase 1 began (32 CFR 170.3(e)) | Start of the original four-phase CMMC rollout |
| Feb. 1, 2026 | DoD Class Deviation 2026-O0025 took effect | Renumbered DoD cyber clauses (see crosswalk below) |
| June 23, 2026 | Revised FAR CUI proposal (FAR Case 2026-001, 91 FR 37550) | The current proposal analyzed on this page |
| June 25, 2026 | Paperwork Reduction Act notice (91 FR 38438) | Burden estimate; separate Aug. 24 comment deadline |
| July 13, 2026 | CMMC Phase 2 suspended | A separate DoD/DIB development |
| July 23, 2026 | FAR CUI comment deadline | Public input closes — not an effective date |
| Unknown | Final FAR CUI rule | We won’t guess a date |
| Unknown | Effective date / clause insertion into contracts | We won’t guess a date |
What still applies today
- ▸The FAR and agency clauses actually written into your solicitation or contract.
- ▸DFARS 252.204-7012(Safeguarding Covered Defense Information and Cyber Incident Reporting) where it’s included — including its existing 72-hour “rapidly report” requirement.
- ▸The current DoD assessment clause.For legacy contracts, DFARS 252.204-7019 and 252.204-7020 may still govern. For solicitations on the DoD Class Deviation 2026-O0025 path (effective February 1, 2026), the deviation uses DFARS 252.240-7997, NIST SP 800-171 DoD Assessment Requirements, and FAR 52.240-93. Verify the actual clause set and contract vintage.
- ▸Current CMMC Phase 1self-assessment requirements — Level 1 (Self) and Level 2 (Self) — where an applicable solicitation, contract, modification, or flow-down includes them.
- ▸Any agency-specific CUI clauses or instructions already in force on your work.
When would the FAR CUI rule take effect?
There are four milestones people routinely blur. Keep them straight:
- Proposal published — done (June 23, 2026).
- Comment deadline — July 23, 2026.
- Final rule published — not scheduled.
- Effective date + insertion into a solicitation or contract — not scheduled.
Right now, the marker sits between steps 1 and 2. What to watch after July 23: docket activity, the final rule, any clause renumbering, the permanent SF number, and any phased implementation schedule. We won’t pretend to know the timing.
What changed between the 2025 and 2026 FAR CUI proposals?
The June 2026 proposal is a material rewrite of the January 2025 version, not a reprint.It moves the framework into FAR Part 40, changes the proposed incident-reporting clock from 8 hours to 72 hours, adopts NIST SP 800-171 Revision 3 instead of Revision 2, deletes the standalone “potential CUI” clause, narrows the definition of a reportable incident, and revises the training, cloud, and flow-down mechanics.
Plenty of pages still describe the January 2025 draft — Revision 2, an eight-hour reporting window, the old clause numbers — as if it were current. It isn’t. Below is our 2025 → 2026 Change-and-Action Ledger, verified July 16, 2026 against both Federal Register proposals.
| Topic | Jan. 2025 draft (90 FR 4278) | June 2026 revised proposal (91 FR 37550) | Binding July 16, 2026? | What to do now |
|---|---|---|---|---|
| Rule identity | FAR Case 2017-016 | FAR Case 2026-001 | No — unless a current contract independently imposes a duty | Put “proposed” in every internal memo, slide, and snippet about it |
| Clause structure | Proposed 52.204-WW / -XX / -YY (FAR Part 4) | Proposed 52.240-6 and 52.240-7 (FAR Part 40) | No | Search current contracts for actual clauses; don’t cite proposed numbers as present duties |
| CUI identification | SF XXX introduced | SF XXX kept and expanded (CUI, location, marking, ODPs, contract-specific requirements) | No new FAR form duty today | Start an internal CUI-by-contract register that can later ingest SF XXX fields |
| Incident clock | 8 hours from discovery | 72 hours from discovery | Only if a current clause independently uses 72 hours (DFARS 7012 does) | Confirm your process can meet every current contract clock |
| Unmarked/mismarked CUI | Separate 52.204-YY mechanism | Duty moved into 52.240-7(c) — contractor must notify CO; safeguard pending a decision | Not under the proposed clause today | Build an internal “route it to contracts/legal” workflow |
| Incident definition | Broader; included “suspected” events | Narrowed to actual unauthorized disclosure, modification, destruction, or access to the system where CUI resides | No | Separate “marking/handling discrepancy” from “reportable cyber incident” in draft procedures |
| Technical baseline | NIST SP 800-171 Revision 2 | NIST SP 800-171 Revision 3 + specified ODPs | Not because of this proposal | Run a Rev. 2 → Rev. 3 delta inventory; don’t relabel a CMMC Rev. 2 environment as “Rev. 3-compliant” |
| Enhanced requirements | Applied NIST SP 800-172 more broadly | Agency-selected 800-172 requirements only for a critical program or high-value asset | No | Note which programs might plausibly qualify; wait for the contract-specific selection |
| POA&M at offer | Gap concepts included | Proposed 52.240-6(d): noncompliant offeror must identify each gap and submit a POA&M with its offer | No new FAR-wide duty today | Improve gap ownership and POA&M quality; don’t volunteer sensitive architecture outside required channels |
| Cloud services | FedRAMP treatment framed differently | Cloud handling identified CUI on a nonfederal system must meet security equivalent to FedRAMP Moderate (52.240-7(d)(3)(ii)(E)) | Only current contract requirements apply | Inventory every cloud/external service that can touch CUI and record its evidence basis |
| VDI/telecom scope | No equivalent exclusion emphasized | KVM-only VDI endpoints and certain shared commercial communications networks are out-of-scope assets (52.240-7(d)(3)(ii)(A)) | No new FAR-wide exclusion today | Document the architecture before treating any endpoint or network as out of scope |
| Subcontract flow-down | Flow-down + separate reporting clause | Substance of 52.240-7 + applicable SF info flow to any tier with access or ability to access CUI; sole-COTS excluded | Only existing clauses flow today | Map actual access, not vendor names, before designing flow-down |
| Training | One-size-fits-all training before handling CUI | One-size-fits-all requirement removed; contractor tailoring allowed | Current clauses + internal policy govern | Keep role-based CUI training; don’t claim the proposal “eliminated” training as a practical need |
| Contractor liability language | Express liability language in the draft | Express liability language removed | No effect on other contractual or legal exposure | State the deletion accurately; don’t claim liability “disappeared” |
| CMMC relationship | CMMC on its own DoD track | Proposed FAR uses Rev. 3 while current CMMC Level 2 stays Rev. 2; CMMC Phase 2 now suspended | Current DFARS + Phase 1 still matter | Keep separate columns for FAR, DFARS, CMMC, and agency-specific duties |
What was removed vs. what merely moved
- ▸ Deleting proposed FAR 52.240-YY did not erase the unmarked-CUI notice duty — it moved into FAR 52.240-7(c).
- ▸ Removing express liability language didn’t erase other contractual or legal exposure.
- ▸ Removing the prescriptive training requirement didn’t remove the practical need for role-appropriate CUI training.
- ▸ The prime not having to attach the actual SF didn’t remove the duty to flow down applicable SF information.
The proof that this rule is still moving: The January 2025 draft required contractors to report a suspected CUI incident within 8 hours. Commenters pushed back hard. The FAR Council listened and moved that to 72 hoursin the June 2026 proposal — evidence that a thoughtful comment filed before July 23 can still shape the final clause.
Every material revision, its current binding status, and the primary source behind each row \u2014 in one printable sheet you can hand to contracts, IT, and leadership.
Download the 2025 \u2192 2026 Change LedgerWho would the FAR CUI rule apply to?
If finalized close to the current draft, the framework would apply when a federal solicitation or contract is expected to involve CUI and the agency marks “Yes” on the new SF XXX.It would not apply where performance involves no CUI. Proposed FAR 52.240-7 excludes acquisitions solely for commercially available off-the-shelf (COTS) items — but other commercial products and commercial services can be covered, and flow-down reaches any subcontract tier that needs access to the identified CUI.
The key shift in mindset: applicability is driven by contract performance, not by who you are.
- Being a federal contractor doesn’t automatically put every system under proposed FAR 52.240-7.
- Being a civilian-agency contractor doesn’t exempt you — that’s the entire point of a “governmentwide” rule.
- The trigger is expected CUI involvement plus incorporation into the contract. Then your actual systems, facilities, cloud services, and subcontracts determine the operational scope.
Which profile are you?
| Your situation | Likely proposed treatment | The question you need to resolve |
|---|---|---|
| Civilian-agency prime expected to handle CUI | FAR 52.240-6 / -7 and SF XXX could be included | What CUI, and where will it live? |
| DoD prime already under DFARS 252.204-7012 | Current DFARS still applies; future FAR interaction to be reconciled | Which clauses and which NIST revision govern this contract? |
| Subcontractor with access (or ability to access) identified CUI | Clause substance + applicable SF info could flow down | Do you actually need that access? |
| Contractor with no CUI in performance | Proposed CUI clauses shouldn’t apply | Can the requiring activity confirm “No” on SF XXX? |
| Sole-COTS seller | Proposed 52.240-7 exception | Is the buy truly solely COTS, with no CUI-handling services attached? |
| Other commercial product/service | Can be covered | Will you or your systems handle CUI? |
| Nonfederal contractor system | Proposed NIST 800-171 Rev. 3 route | Which components access, use, process, store, maintain, or transmit CUI? |
| Cloud service provider | FedRAMP Moderate-equivalent proposed requirement | What evidence supports the service boundary? |
The contract-first test
When someone asks whether the FAR CUI rule “applies to us,” run these five questions before you answer:
- Is CUI expected in performance?
- What does the SF XXX say (or, today, what does the contract/agency policy say)?
- Where will the CUI reside or transit?
- Which systems and providers can access it?
- Which clause — and which NIST revision — is actually incorporated?
For DoD contractors, the right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, your assessment type, your cloud and IT environment, and your contract timeline. Use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.
Our FAR CUI Rule 2026 Impact Checker asks a few non-sensitive questions and gives you a dated read on what's binding now, what the June proposal would add, and which issues belong with your contracting officer or counsel. Do not submit CUI, contract documents, drawings, source-selection information, credentials, or sensitive system details.
Check My FAR CUI ImpactWhat FAR 52.240-6, FAR 52.240-7, and SF XXX would actually require
The proposed framework has three moving parts: SF XXX would tell the parties what CUI and contract-specific requirements are in play; FAR 52.240-6 would notify offerors and require them to disclose known compliance gaps; and FAR 52.240-7 would set the contractor’s safeguarding, incident-reporting, conflict-notification, and flow-down duties. None is a final, binding FAR-wide requirement today.
SF XXX — the contract-level CUI map
Under the proposal, the requiring activity (the government) — not the contractor — decides whether a contract involves CUI and completes a new Standard Form, SF XXX (Controlled Unclassified Information Requirements). It’s expected to identify the CUI categories involved, whether the information is CUI Basic or CUI Specified, where it resides (federal or nonfederal systems), who’s responsible for marking, any Organization-Defined Parameters (ODPs), any selected enhanced (NIST SP 800-172) requirements, incident-reporting instructions, and additional contract-specific requirements.
This is the proposed answer to the loudest complaint from the DIB for years: “the government won’t tell me what’s actually CUI.” The SF XXX is a uniform form that’s supposed to say so, up front.
FAR 52.240-6 — Notice of CUI Requirements (the solicitation side)
This is the pre-award provision. It would appear in solicitations that carry FAR 52.240-7 and put offerors on notice of the CUI requirements. Two duties to flag for your capture and proposal teams:
- The proposal says an offeror should notify the contracting officer, generally within 72 hours, of apparent unmarked, mismarked, missing-from-SF, or incident-involved CUI, and should safeguard it pending a determination.
- An offeror that cannot meet an applicable requirement mustidentify each gap and submit a POA&M with its offer (proposed 52.240-6(d)).
Those two modalities — should for the discrepancy notice, mustfor the POA&M — are not the same thing. Don’t let anyone collapse them.
The POA&M-at-offer wrinkle
Read proposed 52.240-6(d) closely with your proposal manager. It contemplates disclosing gaps in the offer itself. The practical risk isn’t only technical readiness; it’s that an inaccurate, incomplete, or overbroad disclosure can create avoidable procurement risk. A POA&M is not the same thing as compliance. Do not paste full System Security Plans (SSPs), network diagrams, or vulnerability details into an ordinary proposal volume without checking the solicitation’s handling instructions first.
FAR 52.240-7 — Controlled Unclassified Information (the contract side)
This is the operational clause that would live in the awarded contract. It covers CUI identification and discrepancy reporting; the split between federal and nonfederal environments; the NIST SP 800-171 Revision 3 baseline and its ODPs; any CUI Specified or selected NIST SP 800-172 requirements; the cloud baseline; SSP and external-service-provider identification; POA&Ms available to the government on request; incident reporting and evidence preservation; conflict-of-law notification; and subcontract flow-down.
The proposed verification approach, in one line:offer-stage gap disclosure and POA&M; SSP and associated POA&Ms available to the government on request; and agency validation under applicable agency procedures. The proposal does not establish one universal third-party certification mechanism — a real difference from CMMC.
Would the FAR CUI rule require NIST SP 800-171 Revision 3?
Yes — for covered nonfederal systems, proposed FAR 52.240-7 would require NIST SP 800-171 Revision 3 plus specified Organization-Defined Parameters. But that proposed baseline does not automatically change a current contract, and it does not automatically replace the Revision 2 baseline written into today’s CMMC Level 2.
This is the single most important technical distinction on this page, and the one most likely to trip up a contractor who already knows CMMC. NIST published Revision 3 on May 14, 2024, superseding Revision 2 — but a NIST publication does not, by itself, rewrite every federal contract. For a full breakdown of the NIST 800-171 requirements and how they map to CMMC, see our requirements checklist.
Revision 3 (proposed FAR) vs. Revision 2 (current CMMC Level 2)
| Issue | Proposed governmentwide FAR CUI rule | Current CMMC Level 2 |
|---|---|---|
| Status | Proposed | Program rule in effect; new Level 2 (C3PAO) designations suspended July 13, 2026 |
| Baseline | NIST SP 800-171 Revision 3 | NIST SP 800-171 Revision 2 (110 requirements across 14 families) |
| Contract mechanism | Proposed FAR 52.240-7 | DFARS 252.204-7021 where implemented |
| Verification | Self-disclosure in the offer + POA&M + documentation on request + agency validation (no universal third-party certification) | Level 2 (Self) or Level 2 (C3PAO), as specified by the solicitation or contract |
| Scope trigger | CUI identified via SF XXX and contract | Contractor systems that process, store, or transmit CUI, plus assets that provide security protection, under 32 CFR Part 170 scoping |
| What to do now | Delta analysis — not automatic migration | Keep meeting your current contractual obligations |
Don’t let anyone tell you Revision 3 has “replaced” Revision 2 for CMMC. It hasn’t. The current CMMC program rule makes CMMC Level 2 identical to NIST SP 800-171 Revision 2— 110 requirements across 14 families. The proposed FAR CUI rule points to Revision 3. A contractor that serves both civilian and defense customers could be asked to satisfy both at the same time.
What the ODP reference means
Revision 3 introduced Organization-Defined Parameters— specific values for certain controls (password lengths, session-timeout windows, review frequencies) that an organization sets rather than treating one number as universal. The proposed FAR rule addresses this by pointing contractors to a government-provided set of ODP values for the applicable requirements — so where the clause specifies government values, you wouldn’t freely pick your own.
The prudent preparation path
If you already run to Revision 2 for DoD work, the reversible move is a crosswalk, not a rebuild:
- Download NIST’s official Rev. 2 → Rev. 3 change analysis from NIST’s Computer Security Resource Center (CSRC).
- Map your current controls, policies, evidence, and architecture first — then requirements.
- Separate genuinely new requirements from reorganized ones.
- Record ODP dependencies and cost/architecture implications.
- Don’t change any contractual representation or baseline without authority.
- Treat high-cost architectural changes as contingent until the rule and your contract are final.
Which NIST SP 800-172 edition would apply?
The proposal lets agencies select enhanced requirements from “NIST SP 800-172” for a critical program or high-value asset — but the edition question is worth pinning down. NIST published SP 800-172 Revision 3 in May 2026 and withdrew the original February 2, 2021 edition on May 13, 2026(NIST CSRC). Meanwhile, the current CMMC rule (32 CFR Part 170) still cites the February 2021 edition for Level 3. That’s a live version question a bidder should resolve in writing, not assume.
| Source | Version status (verified July 16, 2026) |
|---|---|
| Proposed FAR 52.240-7 | Refers to NIST SP 800-172 for agency-selected enhanced requirements |
| NIST publication status | February 2021 edition withdrawn May 13, 2026; Revision 3 is current (expands the objective to the confidentiality-integrity-availability triad; adds ODPs) |
| Current 32 CFR Part 170 (CMMC) | Still cites NIST SP 800-172, February 2021, for CMMC Level 3 |
What we won’t tell you: that the clause “definitely” means Revision 3, or “definitely” means the 2021 edition, or that every contractor must implement all of 800-172. The proposal limits these enhanced requirements to a critical program or high-value asset, selected by the agency — not to ordinary CUI contracts.
The question to send your contracting officer if 800-172 shows up on your SF XXX:
“Please identify the exact edition, the selected requirements, the applicable Organization-Defined Parameters, the assessment expectations, and the precedence for each NIST SP 800-172 requirement incorporated through the SF.”
How would the 72-hour incident-reporting rule work?
For CUI in a nonfederal environment, proposed FAR 52.240-7 would generally require a report within 72 hours of discovery — to DIBNet for DoD contracts and to CISA for non-DoD contracts — plus notice to the contracting officer, and to the next higher-tier contractor where applicable. It allows a tiered approach: report the facts you have, then supplement. A marking problem, by itself, is not a reportable incident unless it results in unauthorized disclosure, modification, destruction, or system access.
The reporting triggers — read the modalities
| Trigger | Who acts | Modality and first step |
|---|---|---|
| Offeror discrepancy notice (apparent unmarked/mismarked CUI, pre-award) | Offeror | Should notify the CO and safeguard pending determination |
| Contractor discrepancy notice (apparent unmarked/mismarked CUI, post-award) | Contractor | Must notify the CO and safeguard pending determination |
| A CUI incident in a nonfederal environment | Contractor | Must report through the specified government channel and provide the required notices |
| A conflict with another law or regulation | Contractor | Must notify the CO within 72 hours after determining it can’t comply |
What counts as a CUI incident
Use the proposal’s four branches, and nothing broader:
- Unauthorized disclosure of CUI,
- Improper modification of CUI,
- Improper destruction of CUI, or
- Unauthorized access to the information system on which CUI resides.
Improper handling or a marking discrepancy doesn’t automatically become a “CUI incident” unless it produces one of those outcomes. Keep the separate unmarked-CUI notice duty (in 52.240-7(c)) in its own lane.
Where a report would go
Under the proposal’s nonfederal route: DoD contracts report to DIBNet; non-DoD contracts report to CISA’s incident-reporting portal. The contractor also notifies the contracting officer that a report was submitted, and notifies the next higher-tier contractor where applicable. For a CUI incident involving a FedRAMP-authorizedcloud service provider that has already reported through FedRAMP Incident Communication Procedures, the contractor isn’t required to file an additional report beyond following those procedures — but you still need to know who reported, what information reached you, and what notices remain owed to your CO or higher tier.
Initial report vs. supplemental report
The proposal doesn’t demand a complete forensic picture in the first 72 hours. You report the required data elements you have, notify the CO and any higher tier, then submit supplemental information as the investigation develops.
How long would incident evidence have to be preserved?
The contractor would preserve and protect available images of all known affected systems and relevant monitoring and packet-capture data until the government declines interest, or until 90 daysafter the report passes without a government request — whichever comes first. Build that retention step into your incident plan now; it’s easy to overlook and hard to reconstruct after the fact.
Don’t let the proposed clock overwrite your current clocks.You may already carry a 72-hour DFARS 252.204-7012 duty, FedRAMP reporting duties, agency-specific clauses, state breach-notification laws, cyber-insurance notice terms, and customer or subcontract notice requirements. The operational answer is a clause-and-law matrix — not the assumption that one 72-hour clock resolves everything.
What happens if CUI is identified after award?
If the agency determines that newly encountered information is CUI and wants the contractor to handle it, the proposed procedures call for the SF XXX to be updated, the contract to be modified, and the contracting officer to consider an appropriate contractor request for equitable adjustment.In plain terms: if the government moves the goalposts mid-performance, there’s a proposed mechanism to reflect that in the contract — but nothing here promises that an adjustment will be granted or fixes an amount.
This is why your internal escalation path matters. When someone on your team believes they’ve received or created information that looks like CUI but isn’t on the SF, the proposal would have you safeguard it and notify the contracting officer — not ignore it and not unilaterally treat everything as CUI. Get that routing — employee to contracts/legal/security — working now, because it’s the same muscle you’ll use whether the final rule looks like this draft or not.
What would the rule require for cloud services, VDI, and telecom?
A cloud service that stores, processes, or transmits CUI identified on the SF XXX would have to meet security requirements equivalent to the FedRAMP Moderate baseline. The proposal also carves out narrow out-of-scope treatment for properly restricted keyboard/video/mouse-only VDI (virtual desktop infrastructure) endpoints and for certain shared commercial communications networks — but neither is a blanket exemption for remote devices, SaaS products, email, or “all telecom.” We pulled the exclusions straight from the clause text at FAR 52.240-7(d)(3)(ii)(A).
Federal vs. nonfederal systems are treated differently
Read the branches, because they’re easy to merge. For a federal information system, proposed FAR 52.240-7(d)(3)(i) would apply agency-identified requirements, with cloud security at no less than the FedRAMP Moderate baseline. For a nonfederal (contractor) system, paragraph (d)(3)(ii)(E) would require a cloud provider handling identified CUI to meet security requirements equivalent to FedRAMP Moderate, along with any selected paragraph (D) NIST SP 800-172 requirements. The VDI and commercial-communications exclusions live in paragraph (d)(3)(ii)(A).
Evidence to inventory for every provider that can touch CUI
| Question | Why it matters |
|---|---|
| Is the exact service and boundary authorized or claimed equivalent? | A brand-level authorization may not cover every product or region |
| Which data locations and support services are in scope? | CUI can reach logs, backups, help desk, and integrations |
| Who reports incidents, and how? | The proposal has a FedRAMP-authorized exception — know if it applies |
| Which external providers appear in your SSP? | The clause expressly requires identification |
| Can the provider support preservation and investigation? | Incident duties run past the initial notice |
| Which subcontractors or fourth parties can access the environment? | Flow-down and supply-chain exposure |
| What contract language supports “equivalent”? | A vendor’s assertion isn’t automatically sufficient evidence |
The VDI exception — with its limits
Proposed FAR 52.240-7(d)(3)(ii)(A) treats an endpoint hosting a VDI client as an out-of-scope assetwhen it’s configured to prevent any processing, storage, or transmission of CUI beyond the keyboard/video/mouse traffic sent to the VDI client. The paths worth checking before you rely on the exclusion include local file transfer, clipboard use, printing, and caching. Scope conclusions require architecture evidence, not the word “VDI” on a diagram.
The commercial-communications exception — narrow
The same paragraph treats as out of scope commercial communications networks that carry government and non-government information using the same equipment, protocols, and methods, without regard to source or recipient — the common-carrier concept. Don’t stretch that into “anything sent over a network is out of scope.” It isn’t.
Use our FAR CUI cloud-and-provider evidence worksheet to record each service boundary, its authorization or equivalence evidence, the incident path, subcontractors, and the questions you still owe your CO.
Build My Provider Evidence RegisterHow would the FAR CUI rule flow down to subcontractors?
Proposed FAR 52.240-7 would flow down at every tier when a subcontract requires access — or the ability to access — CUI identified on the SF XXX.The flow-down would include the substance of the clause and the applicable SF information, reach commercial products and services other than sole-COTS, and require the subcontractor to report incidents through the government channel and notify the next higher tier where applicable. It’s access-based, not “every subcontractor gets the clause.”
The lazy version — “flow it to everyone” — creates cost and risk you don’t need. The decision sequence is narrower:
- Will the subcontractor access, or have the ability to access, identified CUI?
- Which CUI and handling activities are actually necessary?
- Which contract-specific requirements apply?
- Which clause information must flow?
- Which systems and providers support the subcontract?
- Where would incidents be reported?
- Can you reduce the scope or the access instead?
Actual SF vs. applicable SF information
The preamble says the prime does nothave to attach the actual SF XXX or a modified copy — but proposed paragraph (g) still requires the applicable informationfrom the SF to flow down. Build the data sheet; don’t forward the whole contract. Removing unnecessary CUI access is a legitimate business lever — but an enclave or access restriction is a scoping decision, not a compliance guarantee.
Which DoD clause numbers should you look for in 2026?
If you do DoD work, the clause numbers on your 2026 solicitations may not match your old compliance mappings — and that’s not the FAR CUI proposal, it’s a separate Defense class deviation that’s already in effect.On February 1, 2026, DoD Class Deviation 2026-O0025 (“Revolutionary FAR Overhaul Part 40, DFARS Part 240”) renumbered several cyber clauses without new rulemaking. The underlying obligations largely didn’t change — the citations did.
| Function | Legacy citation (older contracts) | 2026 DoD deviation-path citation | What changed |
|---|---|---|---|
| Basic safeguarding of FCI (15 controls) | FAR 52.204-21 | FAR 52.240-93 | Renumbered; the 15 basic safeguarding requirements are unchanged |
| NIST SP 800-171 DoD assessment | DFARS 252.204-7020 | DFARS 252.240-7997 | Renumbered; the standalone “Basic” self-assessment concept was removed from the clause |
| Notice of NIST SP 800-171 DoD assessment | DFARS 252.204-7019 | Eliminated | The standalone provision no longer exists on the deviation path |
| Safeguarding CUI / cyber-incident reporting | DFARS 252.204-7012 | DFARS 252.204-7012 | Unchanged |
| CMMC requirements | DFARS 252.204-7021 | DFARS 252.204-7021 | Unchanged |
Self-assessment and SPRS didn’t disappear.For contractors handling CUI, that obligation now sits under the CMMC clause, DFARS 252.204-7021. Because this was done by class deviation rather than rulemaking, older contracts can still carry the legacy clause numbers. Check the actual clause set and the contract’s vintage before you assume which numbering governs.
Is the FAR CUI rule replacing CMMC or DFARS 252.204-7012?
No. The proposed FAR framework is governmentwide, while CMMC and DFARS 252.204-7012 are DoD-specific mechanisms with their own scopes and current contract effects.Proposed FAR 52.240-7 points to Revision 3; current CMMC Level 2 still points to Revision 2; and the July 13, 2026 suspension of CMMC Phase 2 did not remove existing DFARS 252.204-7012 obligations. These are parallel regimes, not one replacing another.
| Dimension | FAR Case 2026-001 (proposed) | DFARS 252.204-7012 | CMMC |
|---|---|---|---|
| Reach | Governmentwide (civilian + defense) | DoD contracts containing the clause | DoD program + contract mechanism |
| Status | Proposed | In force where included | Phase 1 (Self) remains; Phase 2 designations suspended July 13, 2026 |
| Information | CUI identified via SF XXX | Covered defense information / CUI under the clause | FCI (Level 1) or CUI (Level 2+) |
| Baseline | Proposed NIST SP 800-171 Rev. 3 | NIST SP 800-171 version in effect when the solicitation is issued, or another version authorized by the CO | Level 2 = Rev. 2 (110 requirements, 14 families) |
| Incident reporting | Proposed 72-hour route (DIBNet / CISA) | Current 72-hour “rapidly report” to DIBNet | Not itself a replacement for 7012 reporting |
| Immediate decision | Monitor and prepare reversibly | Follow the clause in your contract | Meet current Phase 1 + contract requirements |
Current update — July 16, 2026: CMMC Phase 2 suspension
On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase 2, including the third-party-assessment transition that had been scheduled to begin November 10, 2026, pending a review. This is a pause of the rollout — not a repeal. During the suspension, requiring activities may newly designate only Level 1 (Self) or Level 2 (Self); they may notnewly designate Level 2 (C3PAO) or Level 3 (DIBCAC). Active solicitations containing the suspended requirements are to be amended, and affected existing contracts are to be modified before the next option exercise or scheduled administrative modification.
What did notchange: Phase 1 self-assessment requirements remain, DFARS 252.204-7012 obligations remain where the clause is in the contract, and the False Claims Act still applies. If you still see “CMMC Phase 2 enforcement begins November 10, 2026” anywhere — including older pages on this topic — that date has been overtaken by the July 13 suspension. This is a fast-moving policy development; we re-verify it on a short cycle.
The CMMC Path Framework routes to a provider category, not a named provider. It is not a compliance score, a certification decision, or a substitute for contract advice.
Separate your FAR question from your CMMC provider question. If your actual contract requires CMMC or DFARS work, map your required level, assessment type, CUI scope, environment, and timeline to the provider category that fits \u2014 before you request quotes.
Use Find My CMMC PathWhat would the FAR CUI rule’s paperwork burden be?
The Paperwork Reduction Act (PRA) notice tied to this rulemaking (91 FR 38438, published June 25, 2026; comments due August 24, 2026) revises two federal information collections and reports the consolidated “FAR Part 40 Requirements” collection at 19,894 respondents, 73,519 annual responses, and 213,987 annual burden hours. Read the fine print: these are paperworkhours for government information collections — not a cybersecurity implementation budget, not a CUI-only figure, and not what any single company will spend.
| Metric | Value | Calculation |
|---|---|---|
| Respondents | 19,894 | (published) |
| Total annual responses | 73,519 | (published) |
| Total annual burden hours | 213,987 | (published) |
| Responses per respondent, per year | 3.70 | 73,519 ÷ 19,894 |
| Burden hours per respondent, per year | 10.76 | 213,987 ÷ 19,894 |
| Burden hours per response | 2.91 | 213,987 ÷ 73,519 |
If you want a real implementation budget, it has to come from your own scoped gap analysis — not from a PRA line item. For a realistic sense of what CMMC-related compliance runs, see our CMMC Level 2 cost guide. Older vendor pages that cite the January 2025 draft’s Revision 2 cost assumptions as if they were the 2026 proposal’s costs aren’t a reliable current answer.
How do I comment on FAR Case 2026-001?
You can comment on the proposed rule through the federal docket until July 23, 2026 — cite “FAR Case 2026-001” (Federal Register document 2026-12559, 91 FR 37550, RIN 9000-AO86).This is the formal notice-and-comment step, which makes it the clearest chance to shape the clause language before it lands in solicitations. The separate Paperwork Reduction Act information-collection comment period runs until August 24, 2026.
Safety point: Comments and attachments submitted to the public docket may be posted publicly. Do not include CUI, proprietary information, export-controlled information, source-selection information, credentials, incident evidence, personal information, or sensitive system details in a public comment. Make your regulatory point; leave the sensitive specifics out.
Open the official FAR docket to file a comment on FAR Case 2026-001 before July 23, 2026. Do not submit CUI, proprietary information, export-controlled information, or sensitive system details in a public comment.
Open the Official FAR DocketWhat should contractors do before the FAR CUI rule is final?
Keep meeting the clauses in your current contracts, and prepare for the proposal through reversible work: inventory your clauses and CUI, map your systems and providers, crosswalk Revision 2 to Revision 3, test your incident escalation, review subcontract access, and write down the questions you need a contracting officer to answer.Don’t represent the proposed clauses as binding, don’t promise a final effective date, and don’t buy an expensive environment solely because a draft exists.
Act now vs. wait
| Act now — reversible and useful | Wait for final text or contract direction |
|---|---|
| Build a current-clause inventory (including the 2026 DoD clause renumbering) | Don’t state that FAR 52.240-6 / -7 already applies |
| Identify contracts expected to involve CUI | Don’t issue mandatory flow-down based only on the proposal |
| Map CUI creation, receipt, storage, transmission, disposal | Don’t tell customers July 23 is an effective date |
| Inventory cloud and external providers | Don’t buy a six-figure environment on a draft assumption |
| Compare Rev. 2 controls/evidence with Rev. 3 | Don’t replace your CMMC Rev. 2 baseline in current representations |
| Test 72-hour escalation | Don’t discard shorter clocks already in your contracts or law |
| Map subcontractors with CUI access | Don’t flow unrelated prime-contract information downstream |
| Improve POA&M ownership and evidence | Don’t submit sensitive SSP material unless required and properly handled |
| Draft questions for the CO | Don’t invent answers to ambiguous clause language |
| Consider filing a comment before July 23 | Don’t treat an advocacy position as settled law |
A 30-day reversible-prep sequence
- Days 1–5Contract inventory. Agency; prime/sub status; the current FAR/DFARS/agency clauses (note legacy vs. 2026 deviation numbers); expected CUI; current incident route; current technical baseline; SPRS/CMMC status. Record contract numbers in your secure internal system, not in any web tool.
- Days 6–10CUI and system map. CUI categories and source; systems, facilities, users, cloud services, external providers, data flows, lower tiers.
- Days 11–15Version delta. Rev. 2 requirement/evidence vs. Rev. 3; new, reorganized, inherited, or not applicable; ODP dependency; effort estimate; which decisions can wait.
- Days 16–20Incident + marking workflow. Discovery timestamp; legal/contracts escalation; DIBNet vs. CISA decision; CO and higher-tier notice; supplemental report; the 90-day image/log preservation step; the unmarked-CUI route; the conflict-of-law route.
- Days 21–25Supplier + cloud register. Access vs. ability to access; flow-down basis; CSP evidence; incident cooperation; fourth parties; data location; termination/data-return controls.
- Days 26–30Executive decision. Current obligations; proposed exposure; high-confidence prep; deferred decisions; questions for CO/counsel; a comment position if you have one; budget scenarios, not one false number.
The questions to send your contracting officer
- Is CUI expected to be involved in this acquisition?
- Which CUI categories and source authorities apply?
- Who is responsible for creating and marking the information?
- Where will the CUI reside or transit?
- Which edition of each NIST publication applies?
- Which ODP values apply?
- Are any NIST SP 800-172 requirements selected — and which edition?
- Which incident-reporting instructions take precedence?
- Which subcontractors need applicable SF information?
- How will disclosed gaps and POA&Ms be evaluated?
- Are there agency-specific requirements beyond the standard clause?
- What happens if CUI is identified after award?
Turn the proposal into an action register. Download the FAR CUI Impact Worksheet that separates current clauses, proposed requirements, CUI locations, external providers, flow-down triggers, unresolved questions, and the decisions that should wait.
Download the FAR CUI Impact WorksheetWhat we verified — and what’s still unsettled
We checked the June 23 proposal against the January 2025 proposal, the current FAR and DFARS, the February 2026 DoD class deviation, current 32 CFR Part 170, NIST’s publication-status pages, the July 13 CMMC suspension, and the associated PRA notice.Several things remain genuinely unsettled — the final effective date, the permanent SF number, the final clause language, and the exact NIST SP 800-172 edition the clause intends. We’d rather tell you that than paper over it with a guess.
What we actually verified (July 16, 2026)
- ✓Proposal type, docket (FAR-2026-0001), publication date, and comment deadline, at 91 FR 37550.
- ✓Proposed FAR 52.240-6 and FAR 52.240-7 text, including the VDI/telecom out-of-scope language at 52.240-7(d)(3)(ii)(A) and the reporting locations (DIBNet for DoD, CISA for non-DoD).
- ✓SF XXX's role and the proposed applicability trigger, including the sole-COTS exclusion.
- ✓The NIST SP 800-171 Revision 3 baseline and ODP language.
- ✓The NIST SP 800-172 reference — that the February 2021 edition was withdrawn May 13, 2026 and superseded by Revision 3, while current 32 CFR Part 170 still cites the February 2021 edition for CMMC Level 3.
- ✓The 72-hour reporting route, tiered reporting, the 90-day preservation window, and the FedRAMP-authorized-CSP exception.
- ✓The POA&M-at-offer, cloud, and flow-down provisions.
- ✓That current CMMC Level 2 remains Revision 2 (110 requirements, 14 families) under 32 CFR Part 170.
- ✓DoD Class Deviation 2026-O0025 (effective February 1, 2026) and the FAR 52.240-93 / DFARS 252.240-7997 renumbering.
- ✓The July 13, 2026 CMMC Phase 2 suspension — and that DFARS 252.204-7012 and Phase 1 self-assessment remain in force.
- ✓The PRA figures (19,894 / 73,519 / 213,987) and the August 24, 2026 PRA comment deadline, at 91 FR 38438.
How we produced this
We read the primary sources first — the Federal Register text, the current FAR and DFARS on Acquisition.gov, the DoD class-deviation memo, 32 CFR Part 170 on eCFR, and NIST’s CSRC pages. We used law-firm and industry analysis to spot common interpretations and errors, not as authority for the requirements themselves. Every “must,” “would,” and “should” on this page was checked against the operative source and its status, and each editorial conclusion is labeled as ours.
What’s still unsettled
| Open question | What’s verified | What we won’t invent |
|---|---|---|
| When will a final rule issue? | Comments close July 23, 2026 | A publication month or effective date |
| When would clauses appear in contracts? | No schedule stated | “Immediately after July 23” |
| Which NIST SP 800-172 edition does the clause mean? | 2021 withdrawn; Rev. 3 current; CMMC still cites 2021 | That it “definitely” means one edition |
| How will FAR Rev. 3 interact with CMMC Rev. 2? | FAR says Rev. 3; CMMC L2 says Rev. 2 | That one automatically replaces the other |
| What will the final SF number be? | Proposal still uses “SF XXX” | A permanent form number |
| How will the CMMC review affect the FAR rule? | The two events overlap in time | A causal or policy outcome not announced |
Corrections: If you spot a superseded source, a clause change, a broken primary-source link, or a factual error, tell us through our corrections policy. We date and summarize substantive corrections, and we don’t silently rewrite a material regulatory conclusion.
FAR CUI rule 2026: frequently asked questions
These answers cover the follow-ups most likely to send a contractor back to search — status, timing, applicability, Revision 3, reporting, cloud, subcontractors, and CMMC. Each is short by design; the deeper explanation lives in the sections above.
- Is the FAR CUI rule final?
- No. FAR Case 2026-001 is a proposed rule published June 23, 2026 (91 FR 37550). It is not binding merely because it was published.
- Is July 23, 2026 the effective date?
- No. July 23 is the deadline to comment on the proposed rule. No final effective date has been announced.
- What is FAR Case 2026-001?
- It's the broader Revolutionary FAR Overhaul proposal covering several FAR parts, including the revised governmentwide CUI framework in FAR Parts 40 and 52.
- What happened to FAR Case 2017-016?
- That was the January 2025 CUI proposal (90 FR 4278). The June 2026 proposal materially revises it after the earlier version drew significant public comment.
- Would the FAR CUI rule apply to civilian-agency contractors?
- Yes, if finalized as proposed and the contract is expected to involve CUI. A governmentwide framework is the whole point.
- Would it apply to every federal contractor?
- No. The proposed clauses and SF XXX attach to acquisitions that involve CUI.
- Is there a COTS exception?
- Yes — the proposed prescription excludes acquisitions solely for commercially available off-the-shelf (COTS) items.
- Could commercial products and services still be covered?
- Yes. The exception is only for sole-COTS buys; other commercial products and services can be covered when CUI is involved.
- What is SF XXX?
- It's the placeholder name for the proposed standard form agencies would use to identify the CUI and the contract-specific safeguarding, marking, system, ODP, enhanced-control, and reporting requirements.
- Would the rule use NIST SP 800-171 Revision 3?
- Yes, for covered nonfederal systems under the proposal — but the proposal itself doesn't change your current contract.
- Does Revision 3 currently replace Revision 2 for CMMC Level 2?
- No. Current 32 CFR Part 170 still makes CMMC Level 2 identical to NIST SP 800-171 Revision 2 — 110 requirements across 14 families.
- Which NIST SP 800-172 edition would apply?
- The 2021 edition was withdrawn May 13, 2026 and superseded by Revision 3, while CMMC still cites the 2021 edition — treat the applicable edition as something to confirm with your contracting officer.
- Is incident reporting 8 hours or 72 hours?
- The June 2026 proposal uses 72 hours. The 8-hour figure belongs to the January 2025 draft. Check your current contract clauses independently.
- Where would incidents be reported?
- Under the proposed nonfederal route, DIBNet for DoD contracts and CISA for non-DoD contracts, plus notice to the contracting officer, with a FedRAMP-authorized-cloud exception in the clause.
- How long would I have to preserve incident evidence?
- The proposal would have you preserve affected-system images and relevant monitoring/packet-capture data until the government declines interest or 90 days pass after the report without a government request, whichever comes first.
- Does deleting former FAR 52.240-YY eliminate unmarked-CUI reporting?
- No. Proposed FAR 52.240-7(c) keeps a contractor duty to flag apparent unmarked or mismarked CUI to the contracting officer. The duty moved; it didn't disappear.
- Would a POA&M have to be submitted with an offer?
- Under proposed FAR 52.240-6(d), yes — when the offeror isn't compliant with an applicable requirement. A POA&M is not the same as compliance.
- Would cloud providers need FedRAMP Moderate authorization?
- The proposal says cloud providers handling identified CUI on a nonfederal system must meet security requirements equivalent to the FedRAMP Moderate baseline. Verify the evidence for your specific service.
- Are VDI endpoints automatically out of scope?
- No. The exception is limited to endpoints configured so CUI doesn't process, store, or transmit beyond the keyboard/video/mouse traffic to the VDI client.
- Would the rule flow down to every subcontractor?
- No. Proposed flow-down is tied to access — or the ability to access — CUI identified on the SF XXX.
- Why does my 2026 DoD solicitation cite DFARS 252.240-7997 instead of 252.204-7020?
- Because of DoD Class Deviation 2026-O0025 (effective February 1, 2026), which renumbered several cyber clauses. FAR 52.204-21 became FAR 52.240-93 and DFARS 252.204-7020 became DFARS 252.240-7997; DFARS 252.204-7019 was eliminated. Older contracts may still carry the legacy numbers.
- Does the FAR proposal replace CMMC?
- No. They're separate frameworks with different reach, baselines, and contract mechanisms.
- Is CMMC Phase 2 still beginning November 10, 2026?
- No. The Department of War suspended Phase 2 on July 13, 2026, including that scheduled transition.
- Did the CMMC suspension remove DFARS 252.204-7012?
- No. That clause remains a current obligation where it's in your contract, and Phase 1 self-assessment remains.
- Should contractors implement the full proposal now?
- Not automatically. Meet your current obligations and do reversible preparation while you wait for final text and contract direction.
- Where should I get a definitive answer for my contract?
- Confirm contractual applicability with your contracting officer and, where needed, qualified federal-contracts counsel; use a current Registered Practitioner or Registered Provider Organization for readiness, scoping, and implementation support.
Need help deciding what type of CMMC provider you need?
If your work actually involves CMMC or DFARS obligations and you’re trying to figure out the right kindof help, we can point you in the right direction. Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Do not submit CUI, drawings, source-selection information, contract documents, credentials, or sensitive system details in the form.
Find My CMMC PathDisclosure:The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.
The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense or Department of War, DCMA DIBCAC, NIST, NARA, GSA, the FAR Council, or any U.S. government agency. This page is educational research, not legal, contractual, cybersecurity, or compliance advice. Confirm contractual applicability with your contracting officer and, where needed, qualified federal-contracts counsel; use a Registered Practitioner or Registered Provider Organization for readiness, scoping, and implementation support. The contract clause and CUI handling set your requirements — not a checklist.
Primary sources
- •Proposed rule — FAR Case 2026-001, Revolutionary Federal Acquisition Regulation Overhaul, Parts 1, 2, 4, 33, 39, 40, and 53, 91 FR 37550 (June 23, 2026), FR Doc. 2026-12559; Docket FAR-2026-0001; RIN 9000-AO86.
- •Prior proposal — FAR Case 2017-016, Controlled Unclassified Information, 90 FR 4278 (Jan. 15, 2025), FR Doc. 2024-30437.
- •Paperwork Reduction Act notice — FAR Case 2026-001, 91 FR 38438 (June 25, 2026), FR Doc. 2026-12806 (OMB Control Nos. 9000-0189 and 9000-0199).
- •Executive Order 13556, Controlled Unclassified Information (2010); NARA implementing rule, 32 CFR Part 2002, 81 FR 63324 (Sept. 14, 2016).
- •Executive Order 14275, Restoring Common Sense to Federal Procurement (2025).
- •DoD Class Deviation 2026-O0025, Revolutionary FAR Overhaul Part 40, DFARS Part 240 (effective Feb. 1, 2026); DFARS 252.240-7997 and FAR 52.240-93 deviation text (Defense Acquisition Regulations System).
- •NIST SP 800-171 Rev. 3 (May 14, 2024), superseding Rev. 2 (Feb. 2020, updated Jan. 2021).
- •NIST SP 800-172 Rev. 3 (May 2026), superseding the Feb. 2, 2021 edition (withdrawn May 13, 2026).
- •DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting); DFARS 252.204-7021 (CMMC Requirements) (Acquisition.gov).
- •CMMC Program Rule — 32 CFR Part 170, 89 FR 83092 (published Oct. 15, 2024; effective Dec. 16, 2024); phase schedule at 32 CFR 170.3(e).
- •Department of War, suspension of CMMC Phase II (July 13, 2026), and implementing guidance.
- •CUI incident reporting portals: DoD — DIBNet (dibnet.dod.mil); non-DoD — CISA (cisa.gov/reporting-cyber-incident).