The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
PROPOSED — NOT YET IN EFFECT

Governmentwide CUI Rule: What FAR Case 2026-001 Means Now

2026 FAR proposal status and a contractor’s action guide — from The Defense Compliance Report

By The Defense Compliance Report Editorial Team · · Federal Register status verified

If you searched governmentwide CUI rule, you probably want to know one thing first: are we already late?

Here’s the bottom line, up front. The governmentwide CUI rule — FAR Case 2026-001, published June 23, 2026 at 91 FR 37550 — is a proposed rule, not a final one. The public comment window closes July 23, 2026. If it’s finalized substantially as written, it would create a single, uniform way for federal contracts — defense and civilian alike— to spell out CUI requirements: new clauses (FAR 52.240-6 and FAR 52.240-7), a new agency-completed form (Standard Form XXX), NIST SP 800-171 Revision 3 for the parts of your systems that handle CUI, and 72-hour CUI incident reporting.

Now the distinction almost every headline blurs — and getting it wrong costs you either money or time. Two different things get called “the CUI rule,” and only one of them is new.

We read the 85-page proposed rule (91 FR 37550), cross-checked the clause text against multiple analyses, and confirmed the rule’s status directly against the Federal Register on July 16, 2026. This page is our attempt to end your search: what’s binding today, what’s only proposed, whether it reaches you, which NIST version applies, how it overlaps with DFARS and CMMC, and the moves worth making now — without treating a draft like a contract clause.

The Defense Compliance Reportis the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

A quick, honest boundary: This is educational research, not legal, contractual, or compliance advice. The Defense Compliance Report is not affiliatedwith the FAR Council, the Department of Defense (recently redesignated the Department of War), the National Archives (NARA), NIST, DCMA DIBCAC, or the Cyber AB. Your current contract, subcontract, agency requirements, and applicable law set today’s obligations — not a checklist and not this article. Confirm scope and applicability with your contracting officer, a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) where relevant, and qualified federal-contracts counsel.

Looking for the clause-by-clause deep dive?This page covers the governmentwide CUI rule and what applies now. For the full analysis of the revised June 2026 proposal — including the 2025→2026 change ledger, the 72-hour reporting mechanics, the cloud/VDI provisions, and the NIST 800-172 edition question — see our FAR CUI rule 2026 guide.


Is the governmentwide CUI rule actually in effect right now?

No. As of July 16, 2026, the governmentwide CUI rule is a proposed rule (FAR Case 2026-001), not a final one, and it does not bind any contractor on its own. The federal CUI Program already exists under Executive Order 13556 and 32 CFR Part 2002. What’s still just a proposal is the uniform way federal contracts would communicate and enforce CUI requirements — the new FAR clauses and the SF XXX form. Comments close July 23, 2026, and no final rule or effective date has been announced.

This is the single most important distinction on the page, so let’s be precise.

The CUI Program is real and old.Controlled Unclassified Information is unclassified information the government creates or possesses — or that a contractor creates or possesses for or on behalf of the government — that a law, regulation, or governmentwide policy requires or permits an agency to protect with safeguarding or dissemination controls. Plainer version: sensitive-but-unclassified government information you’re required to guard. Executive Order 13556 created the CUI Program in 2010, NARA issued the implementing rule at 32 CFR Part 2002 (effective 2016), and the CUI Registry catalogs 100-plus categories. Current law, agency policy, and contract terms can already require civilian and defense contractors alike to safeguard CUI. For background on what counts as CUI vs. general federal contract information, see our FCI vs. CUI guide.

The 2026 FAR clauses are new and proposed.What has been missing is a uniform FAR-level mechanism for identifying and communicating those requirements across agencies — the reason “governmentwide” is in the name. FAR Case 2026-001 is the FAR Council’s attempt to standardize that, and it’s part of the larger “Revolutionary FAR Overhaul,” the rewrite of the Federal Acquisition Regulation launched by Executive Order 14275 in April 2025.

So both statements below are wrong, and both are common:

Governmentwide CUI rule: the status timeline

Governmentwide CUI rule status timeline
DateEventWhat it means for you
Nov 4, 2010Executive Order 13556Created the governmentwide CUI Program.
Nov 14, 201632 CFR Part 2002 effectiveThe directive implementing the CUI Program for executive-branch agencies.
Jan 15, 2025FAR Case 2017-016 proposed (90 FR 4278)First governmentwide FAR CUI proposal. Now superseded.
Apr 15, 2025Executive Order 14275Launched the Revolutionary FAR Overhaul.
Jun 23, 2026FAR Case 2026-001 proposed (91 FR 37550)The revised, current proposal. New clause structure, materially revised requirements.
Jul 23, 2026Comment period closesYour last scheduled chance to shape the text.
Not announcedFinal rule / effective dateYou cannot assume timing.

Primary sources: Federal Register (91 FR 37550, doc 2026-12559); Executive Order 13556; NARA (32 CFR Part 2002).

The one honest catch — and why it should speed you up, not slow you down

Here’s the admission we owe you: this is a proposal.The clause numbers, the exact controls, even the timeline can still change before it’s final. Treat every specific below as “current as of the proposed rule,” not settled law. If you re-architect your whole environment tomorrow against a draft, you can waste real money.

Now the flip side, because “wait and see” is the more expensive mistake here:

The rational move isn’t to panic or to ignore it. It’s to pin down whether your contracts involve CUI, separate what already binds you from what’s merely proposed, and start the gap analysis you’ll need either way.

The fastest way to stop guessing is to see what applies to your specific contract. Answer a handful of non-sensitive questions and get a dated, plain-English read on what looks binding today, what's proposal-only, and which documents to pull next. Do not upload contracts, drawings, CUI, or system diagrams.

Check what applies to my contract

What CUI requirements bind contractors today, while FAR Case 2026-001 is still proposed?

Today, your CUI obligations come from existing law and your actual contract — not from the proposed FAR rule. In rough order of authority, that means: the CUI Program itself (Executive Order 13556 and 32 CFR Part 2002), your agency’s current CUI policy, the clauses already written into your solicitation or contract, and any flowdowns already in your subcontracts. The proposed FAR clauses and SF XXX would add a new, uniform layer if and whenthey’re finalized and inserted into a contract — but they don’t bind anyone on their own right now.

Here’s the hierarchy to check, top to bottom:

  1. Existing law, regulation, or governmentwide policy. The CUI Program is already in force. If a statute or governmentwide policy makes information CUI, protection obligations can already attach.
  2. Your agency’s current CUI policy. Civilian agencies implement the CUI Program at different speeds and in different ways. Your requiring activity’s policy may already impose handling rules.
  3. The clauses already in your contract. For DoD work, that commonly includes DFARS 252.204-7012 (safeguarding covered defense information and rapid incident reporting) and, where applicable, CMMC. For civilian work, it may be an agency-specific clause. These are what bind you today.
  4. Flowdowns already in your subcontracts. If a prime has already flowed a CUI or covered-information clause to you, that clause governs now.
  5. The proposed FAR clauses — not yet. FAR 52.240-6, FAR 52.240-7, and SF XXX are proposed. They would communicate new contract-specific CUI requirements only after finalization and incorporation.

The practical point: if someone tells you “the CUI rule now requires X,” your first question is which document is creating that obligation?A vendor alert isn’t a clause. A current contract clause is. The proposed FAR rule is a preview of what’s coming, not a live requirement.


Does the governmentwide CUI rule apply to DoD contracts, civilian contracts, or both?

Both. The proposed rule is genuinely governmentwide — it expressly addresses defense and non-defense contracts. The proposed clause even routes CUI incident reports to the Department of Defense’s DIBNet portal for DoD contracts and to CISA for non-DoD contracts, which is only possible because it applies to both. It would kick in only when the buying agency determines that CUI will be involved. Commercial products and services can be covered; contracts solely for commercially available off-the-shelf (COTS) items are excluded. And it flows down to any subcontractor, at any tier, that needs access to the identified CUI.

You are likely in scope if:

You are likely not in scope (yet) if:

One point worth clearing up: DoD-only contractors are not categorically excluded from this rule. Because the FAR is the governmentwide foundation and DFARS is the DoD supplement on top of it, a finalized FAR CUI clause could apply to a DoD contract involving CUI alongside existing DFARS clauses and CMMC. How those overlapping obligations reconcile is exactly the kind of detail the final rule and DoD would have to sort out.

Which contractor are you? The applicability matrix

Editorial guidance grounded in the proposed clause text at 91 FR 37550 — not a legal determination.

Contractor applicability matrix for FAR Case 2026-001
Your situationThe binding question todayExposure if the rule is finalized as writtenFirst move
Civilian contractor, no identified CUIDoes any current contract, agency policy, or data exchange actually impose CUI duties?The clauses wouldn’t apply where CUI isn’t involved.Confirm the source of the “CUI” claim. Don’t treat a vendor email as a clause.
Civilian contractor handling CUIWhat agency-specific clause or policy governs the data now?Likely if the resulting contract includes SF XXX and FAR 52.240-7: Revision 3, the 72-hour process, cloud and flowdown duties.Pull the contract and agency CUI policy; start a Rev. 3 gap map.
DoD contractor with DFARS 252.204-7012What does your existing DFARS clause and solicitation require now?A finalized FAR CUI clause could apply on top of your DFARS obligations, to be reconciled.Keep your current 7012 duties running; watch how the frameworks overlap.
DoD contractor under CMMCWhat level, assessment type, and affirmation are in the contract today?The FAR proposal doesn’t amend CMMC or move Level 2 to Rev. 3.Continue truthful self-assessment; track the CMMC review (below).
Mixed civilian + DoD portfolioWhich authority governs each contract and system boundary?Highest risk of blending Rev. 2, Rev. 3, DFARS, agency, and CMMC obligations.Build a contract-by-contract authority map, not one companywide “CUI” answer.
Subcontractor with a prime questionnaireIs the request tied to an actual flowdown, or a “get-ready” survey?Future FAR 52.240-7 flowdown if you’ll access identified CUI.Ask for the clause, the data type, the standard, and the timing before you commit.
Commercial SaaS / MSP / cloud providerWill your service store, process, transmit, or be able to access CUI?Commercial services can be covered; COTS is not a blanket exemption for services.Map your technical and privileged access and your incident duties.
COTS-only sellerIs the deal truly COTS-only, with no CUI handling or covered service?The CUI clause is excluded from COTS-only buys.Confirm that support, remote access, or customization doesn’t change the facts.

For DoD contractors specifically:

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Use Find My CMMC Path to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.

Quick vocabulary: a C3PAO is a Certified Third-Party Assessment Organization; an RPO/RP is a Registered Provider Organization / Registered Practitioner; an MSSP is a Managed Security Service Provider; a GRC platform is governance-risk-compliance software; and a CUI enclaveis a walled-off, hardened environment built to hold CUI. For civilian contractors: the CMMC certification path isn’t yours — the proposed FAR rule creates no CMMC-style certification body. Start with your actual contract, your agency’s CUI policy, your CUI scope, and the required standard.


What would the governmentwide CUI rule actually require?

If finalized substantially as proposed, the rule would add a solicitation provision (FAR 52.240-6) and a contract clause (FAR 52.240-7), plus the SF XXX form; require NIST SP 800-171 Revision 3 for the covered components of a nonfederal system that handle CUI; standardize a 72-hour reporting-and-notice process; set cloud, evidence, and subcontract-flowdown duties; and require offerors to disclose unmet requirements with a plan to fix them. These are proposed changes, and all of them live in a reorganized FAR Part 40, “Information Security and Supply Chain Security.”
What FAR Case 2026-001 would require if finalized
Proposed requirementWhat it means in practiceWhere it lives
SF XXX (CUI Requirements form)The agency completes it per contract to say whether CUI is involved, which categories, where it resides, marking duties, and whether enhanced controls apply. You safeguard the CUI the form identifies.FAR Part 40; SF XXX
FAR 52.240-6 (solicitation provision)“Notice of Controlled Unclassified Information Requirements” — puts offerors on notice and requires disclosure of unmet requirements plus a POA&M at proposal time.FAR 52.240-6
FAR 52.240-7 (contract clause)“Controlled Unclassified Information” — carries the safeguarding, incident-reporting, cloud, and flowdown obligations.FAR 52.240-7
NIST SP 800-171 Revision 3The security baseline for the nonfederal system components that process, store, or transmit CUI, or provide security protection for them. Not Revision 2.FAR 52.240-7(d); NIST SP 800-171 Rev. 3
NIST SP 800-172 (limited)Enhanced controls the agency may add for critical programs or high-value assets.SF XXX Part D; NIST SP 800-172
72-hour reporting & noticeDistinct 72-hour clocks for a real CUI incident, for suspected unmarked/mismarked CUI, and for a legal conflict (detailed below).FAR 52.240-7
Cloud = FedRAMP Moderate equivalentAny cloud service handling CUI must meet requirements equivalent to the FedRAMP Moderate baseline.FAR 52.240-7(d)
Subcontract flowdownFlow the substance of 52.240-7 to any tier that will access the identified CUI (COTS-only excluded).FAR 52.240-7

Primary source: FAR Case 2026-001, 91 FR 37550. A POA&Mis a Plan of Action and Milestones — a documented plan to close security gaps by set dates. Federal systems and contractor-operated federal systems follow the separate, agency-identified federal-system requirements in the proposed clause.


NIST SP 800-171 Rev. 3 vs. Rev. 2: which one applies to you?

The governmentwide CUI rule points to NIST SP 800-171 Revision 3. CMMC Level 2 — the DoD certification track — still points to Revision 2, and will until DoD changes it through separate rulemaking. Revision 2 has 110 security requirements across 14 families. Revision 3 reorganizes them into 97 requirements across 17 families, adds new areas (including Planning and Supply Chain Risk Management), and introduces organization-defined parameters (ODPs). If FAR Case 2026-001 is finalized and incorporated — or an existing non-DoD contract independently requires Revision 3 — a contractor could carry Revision 2 and Revision 3 obligations at the same time.

This is the trap. It catches good compliance teams because both statements are true at once and seem to contradict each other:

NIST published Revision 3 in May 2024. But publishing a standard doesn’t amend anyone’s contract. Revision 3 only binds you when a contract or program makes it apply — which, under an applicable contract, is what proposed FAR 52.240-7 would do if finalized and incorporated. See our full NIST SP 800-171 requirements checklist for the Revision 2 control families and evidence your contract likely requires today.

Rev. 2 vs. Rev. 3, side by side

NIST SP 800-171 Rev. 2 vs. Rev. 3 comparison
QuestionRevision 2Revision 3
Current CMMC Level 2 baseline?YesNo
Proposed FAR 52.240-7 baseline?NoYes
Security-requirement families1417
Total requirements11097
Organization-defined parameters (ODPs)Not used the same wayIntroduced for selected requirements
Relationship to NIST SP 800-53Basic requirements derive from FIPS 200; derived requirements draw from SP 800-53Restructured by tailoring the SP 800-53B Revision 5 moderate baseline
Binds you today?Only if your current contract says soOnly if your current contract says so — the June proposal alone isn’t enough

Primary sources: NIST SP 800-171 Rev. 2 and Rev. 3 (NIST CSRC); 32 CFR Part 170; DoD Class Deviation 2024-O0013, Rev. 1.

What an ODP is, in plain terms:some Revision 3 requirements leave a value to be set — a frequency, a duration, a threshold — that the organization (often the agency) defines. The proposal points contractors to a published ODP set for the applicable requirements, and agencies can specify their own for any SP 800-172 controls they add. Practical upshot: the ODP source is an external, changeable artifact, so re-check it rather than assume it’s frozen.

If you’re a Revision 2 shop today, don’t panic-rebuild.The two revisions overlap heavily, so genuine Rev. 2 work is not wasted. The smart, no-regret move is a crosswalk: map your systems first, then map Rev. 2 controls to their Rev. 3 equivalents, flag the genuinely new requirements (the new families, the ODPs), and prioritize the gaps that also strengthen your security. Just don’t represent that crosswalk as a completed Rev. 3 assessment — it isn’t one.

Our CMMC Readiness Checklist lays out the 14 NIST SP 800-171 Rev. 2 control families so you can size the gap honestly before you talk to anyone. No CUI, no login required.

Download the Rev. 2 → Rev. 3 planning worksheet

How does the governmentwide CUI rule overlap with DFARS 252.204-7012 and CMMC?

They’re separate but potentially overlapping authorities. FAR Case 2026-001 is governmentwide and expressly covers both DoD and non-DoD contracts, using Revision 3 for covered nonfederal systems; DFARS 252.204-7012 and CMMC apply to covered DoD acquisitions and currently use Revision 2. And there’s a timing wrinkle: on July 13, 2026, the Department suspended the transition to CMMC’s third-party assessment phase, while the FAR Council kept its separate governmentwide rulemaking moving.

Think of it as layers, not lanes — DFARS sits on top of the FAR for DoD buys, so a DoD contract can carry both.

How the current and proposed authorities overlap

DoD authorities vs. governmentwide FAR CUI rule comparison
DoD authorities (current)Governmentwide FAR CUI rule (proposed)
InstrumentsDFARS 252.204-7012 / -7019 / -7020 / -7021; CMMC Program Rule (32 CFR Part 170)FAR Case 2026-001 (91 FR 37550): FAR 52.240-6, 52.240-7, SF XXX
Status (July 2026)In force — but the transition to CMMC’s third-party (C3PAO) assessment phase was suspended July 13, 2026 pending reviewProposed; comments close July 23, 2026
Who it coversDoD contractors/subs handling FCI or CUIDoD and non-DoD contractors/subs when the clauses are prescribed and performance involves identified CUI (commercial included; COTS-only excluded)
NIST baseline800-171 Rev. 2 (110 reqs / 14 families)800-171 Rev. 3 (97 reqs / 17 families) for covered nonfederal systems
VerificationSelf-assessment or a C3PAO (varies by level/contract); third-party transition currently pausedOffer-stage disclosure of unmet requirements plus a POA&M, and ordinary contract administration; no CMMC-style certification body in the proposal
Incident reporting72-hour “rapid report” under DFARS 252.204-7012 when that clause appliesUnder proposed 52.240-7: DIBNet for DoD contracts, CISA for non-DoD, plus contracting-officer and higher-tier notices
How obligations are setContract clause + required CMMC levelContract clause (FAR 52.240-7) + the SF XXX form

Primary sources: DFARS 252.204-7012 and -7019/-7020/-7021; 32 CFR Part 170; 91 FR 37550; U.S. Department of War release (July 13, 2026). FCIis Federal Contract Information — information not for public release, generated for or provided by the government under a contract. DIBNet is DoD’s incident-reporting portal; CISA is the Cybersecurity and Infrastructure Security Agency.

Why Revision 3 does not automatically move CMMC to Revision 3: NIST publishing Rev. 3 didn’t touch 32 CFR Part 170, and neither does this FAR proposal. CMMC Level 2 still incorporates Revision 2 (110 controls, 14 families, per 32 CFR § 170.14). The proposal says harmonization is intendedto happen through separate DoD rulemaking — but it doesn’t set when, whether, or exactly how. So keep separate authority maps, and don’t rebuild your CMMC program around Revision 3 on the strength of this proposal.

What changed for CMMC on July 13, 2026 — and what didn’t

On July 13, 2026, the Department suspended the transition to CMMC Phase II— the phase that would have started requiring third-party (C3PAO) assessments in DoD contracts on November 10, 2026 — and held pending and future implementation milestones in abeyance while it conducts a review.

Here’s the part people miss: the pause did not erase anything you already owe. During the suspension, contracting officers may still require CMMC Level 1 (Self) or Level 2 (Self) self-assessments. DFARS 252.204-7012 is unchanged. NIST SP 800-171 Revision 2 remains the enforced defense standard. Your SPRS obligations continue — that includes maintaining a current NIST SP 800-171 DoD Assessment score under DFARS 252.204-7019/-7020, and, where CMMC applies, your CMMC self-assessment result and annual affirmation under DFARS 252.204-7021. Knowingly false cybersecurity representations can carry False Claims Act risk — ordinary noncompliance or an honest inaccuracy doesn’t automatically create liability, but the government’s Civil Cyber-Fraud Initiative targets knowing misrepresentations.

The takeaway for this page:the Department paused the transition to CMMC’s assessment phase while the FAR Council kept a separate governmentwide rulemaking moving. It’s a study in contrasts, not a contradiction — the FAR rule is neither DoD-only nor civilian-only, and none of this changes CMMC’s current Revision 2 baseline.

If your exposure is on the DoD side and you need help choosing a path, map it to a category before you request quotes. Find My CMMC Path routes you to a provider category — readiness, managed security, GRC, enclave, or assessment — never a specific vendor, and never a certification promise. Do not submit CUI, drawings, or sensitive contract details.

Map my DoD CMMC path

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.


What is Standard Form XXX, and how would it identify your CUI?

SF XXX, “Controlled Unclassified Information Requirements,” is the proposal’s contract-level CUI map. The buying agency completes it to tell you whether CUI is involved, whether it sits in a government-controlled or contractor facility, your marking responsibilities, and whether enhanced NIST SP 800-172 controls apply. Once completed, it’s incorporated into the solicitation and the resulting contract — and you’re responsible for safeguarding the CUI it identifies.

We read the form’s proposed structure so you know what to expect on it:

What the agency owns vs. what you own:

Agency responsibilities

  • Identifying the CUI categories
  • Completing and validating the SF XXX
  • Correcting the form when needed
  • Modifying the contract if it later discovers CUI is involved

Your responsibilities

  • Safeguarding the identified CUI
  • Following the marking duties on the form
  • Escalating anything that looks like unmarked, mismarked, or omitted CUI (72-hour notice clock applies)
  • Flagging your own bid/proposal and business-proprietary information

If the SF XXX is missing, incomplete, or contradicts the clauses: don’t ignore it. Preserve and limit access to the information, document the exact inconsistency, notify the contracting officer, and get written clarification or a contract modification.


What would you have to report within 72 hours?

The proposal contains three distinct 72-hour clocks, and they are not interchangeable: one for an actual CUI incident, one for information you suspect is unmarked or mismarked CUI, and one for a legal conflict that prevents compliance. Critically, a marking mistake by itself is nota CUI incident — it only becomes one if it leads to unauthorized disclosure, improper modification or destruction, or unauthorized access.

The three 72-hour clocks

Three distinct 72-hour reporting clocks under proposed FAR 52.240-7
What starts the clockReport toFirst actionThe distinction that matters
A CUI incident in a contractor facilityCISA (non-DoD contracts) or DIBNet (DoD contracts); also notify the contracting officer, and the next higher-tier contractor when applicableSubmit the available data elements; supplement later if the investigation finds gapsThis is a real security event, not a paperwork error
Suspected unmarked / mismarked / omitted CUI, or an SF XXX inconsistencyThe contracting officerNotify, and safeguard the information as if it were CUI until the CO decidesA notice-and-hold duty, not an incident report
A legal conflict preventing compliance with the clauseThe contracting officerNotify within 72 hours of determining you can’t comply because of another law or regulationOpens the door to agency-approved “alternative controls”

Primary source: FAR 52.240-7, at 91 FR 37550.

What counts as a “CUI incident.”The proposal defines it as unauthorized disclosure, improper modification, or improper destruction of CUI — in any form — or unauthorized access to the information system where CUI resides. Two things the June 2026 version fixed from the 2025 draft: it dropped “suspected” incidents from the definition, and it expressly says improper handling (like unmarked or mismarked CUI) is notan incident unless it results in one of those outcomes. That’s a meaningful narrowing, and it’s why the marking-notice path is separate from the incident path.

The first report can be incomplete.You submit the data elements you have; if the investigation later turns up material gaps, you supplement. The FAR Council chose 72 hours specifically to align with DFARS 252.204-7012, to give you time to confirm whether an event even qualifies, and to make initial reports more accurate. Use that time — but build the internal triage path now so security, legal, contracts, and leadership can move fast when the clock starts.

After an incident, the proposal also expects you to inventory what CUI was or could have been accessed, reconstruct a timeline of user activity, determine how the access happened, cooperate with the agency, and preserve available images of the affected systems and relevant monitoring or packet-capture data until the government declines interest, or until 90 days pass after the report without a government request — whichever comes first. If your logging and imaging can’t support that today, that’s a gap worth closing regardless of this rule.


What would the rule require for the cloud and FedRAMP Moderate?

Any cloud service that stores, processes, or transmits CUI identified on the SF XXX would have to meet security requirements equivalent to the FedRAMP Moderate baseline. The proposal says “equivalent” for the baseline — it does not flatly require a current FedRAMP authorization for every provider. It refers to a “FedRAMP-authorized” provider separately, in a narrow incident-reporting exception. That distinction is easy to miss and expensive to get wrong.
FedRAMP terminology distinction under the proposed rule
TermWhat it means here
Equivalent to FedRAMP ModerateA security threshold your cloud provider must meet. Depending on the contract, you may need evidence of equivalence — which is not automatically the same as holding a current authorization.
FedRAMP-authorized CSPA provider that actually holds a FedRAMP authorization. The proposal’s incident exception applies specifically to these providers when they report through FedRAMP Incident Communication Procedures.

Worth knowing: the January 2025 draft required cloud providers to be FedRAMP Moderate authorized, with no room for an equivalency determination — a stricter posture than even DoD’s. The June 2026 version added the equivalency path. So on cloud, the current proposal is actually more flexible than its predecessor.

Map every relationship that could touch CUI— SaaS, IaaS, PaaS, managed security tooling, backup, SIEM/log collection, help desk, identity providers, file transfer, and email — and, for each, get the architecture, the authorization-or-equivalence evidence, the incident-responsibility matrix, and the subprocessor list. A platform marketed as “CUI-ready” can shrink your scope and your burden, but buying it does not decide your contract obligation, your system boundary, or your compliance status. That’s still on you.

One proposed scoping relief worth knowing:the rule would treat certain endpoints as out of scope — specifically, a virtual desktop infrastructure (VDI) endpoint configured so that nothing but keyboard, video, and mouse signals move to the client, with no processing, storage, or transmission of CUI on the device itself. If you rely on that, document the configuration that proves it. The word “VDI” alone won’t carry it.


What would flow down to your subcontractors?

The proposed clause would flow down to any subcontractor, at any tier, that needs access to — or the ability to access — the CUI identified on the SF XXX, including commercial-product and commercial-service subcontracts, but excluding COTS-only buys. Subcontractors would report incidents directly to the government and notify both the contracting officer and the next higher-tier contractor. The trigger is not “you’re a subcontractor” — it’s whether the work requires access to the identified CUI.

If you’re the prime, the mechanics are specific: you include the substanceof FAR 52.240-7 in the subcontract without alteration (except party names) and share the relevant SF XXX information so the sub knows exactly which CUI applies. The sensible move is data minimization — flow only what the work actually requires, strip unnecessary CUI from the package, and don’t paper every purchase order with a full CUI flowdown it doesn’t need.

If you’re the sub who just got a prime’s questionnaire,slow down and ask the questions that separate a real obligation from a “get-ready” survey:

  1. Which prime contract or solicitation drives this?
  2. What CUI will I actually receive or create?
  3. Where is it identified — is there an SF XXX?
  4. Which systems are expected to touch it?
  5. Which NIST revision and ODP set are being required?
  6. Is this a current clause, prime policy, or future-readiness request?
  7. Where must incidents be reported?
  8. Can I structure the work to avoid receiving the data at all?

A prime can make CUI your problem quickly. Knowing which of those eight answers applies is the difference between an informed yes and an expensive one.


What changed between the January 2025 and June 2026 FAR CUI proposals?

A lot — this is not a cosmetic republication. The June 2026 version moves the baseline from Revision 2 to Revision 3, extends the main reporting clock from 8 hours to 72, relocates the requirements from FAR Part 4 to FAR Part 40, renumbers the clauses to 52.240-6 and 52.240-7, deletes the separate “potential CUI” clause and the contractor-liability language, adds a FedRAMP equivalency path, and swaps a one-size-fits-all training mandate for a flexible one. Some changes are more demanding and some are less — so if you’re reading an article that still says “8 hours” or “Revision 2,” it’s describing the old draft.
Changes between January 2025 and June 2026 FAR CUI proposals
ElementJanuary 2025 (90 FR 4278, FAR Case 2017-016)June 2026 (91 FR 37550, FAR Case 2026-001)
Home in the FARPart 4 (Administrative and Information Matters)Part 40 (Information Security and Supply Chain Security)
NIST baselineRevision 2Revision 3
Main reporting clock8 hours72 hours
Core clauses52.204-WW / XX / YY52.240-6 and 52.240-7
Separate “no-CUI / potential-CUI” clauseYes (52.204-YY)Deleted; the notice duty folds into 52.240-6/-7
“Suspected” incidentsIncludedRemoved from the incident definition
CloudFedRAMP Moderate authorized, no equivalencyFedRAMP Moderate equivalent allowed
Contractor financial-liability languagePresentDeleted
TrainingPrescriptive, one-size-fits-allFlexible, tailored
VehicleStandalone CUI ruleFolded into the Revolutionary FAR Overhaul

Primary sources: 90 FR 4278 (Jan. 2025); 91 FR 37550 (June 2026).

A real example of why the comment window matters

The January 2025 draft demanded incident reports within eight hours. Commenters told the FAR Council that eight hours wasn’t enough time to investigate, triage, and accurately characterize an event. In the June 2026 rule, the Council changed it to 72 hours, and said so — citing those industry comments, alignment with DFARS 252.204-7012, and the goal of more accurate first reports. That’s documented evidence, in the rule’s own preamble, that this proposal is still movable — and that the comment period closing July 23 is a real lever, not a formality. (Some current summaries still describe the January 2025 draft; check the date before you trust a “CUI rule” explainer.)


What would complying with the governmentwide CUI rule cost?

The only official numbers so far come from the January 2025 version and are keyed to Revision 2 — so treat them as a directional baseline, not a current Revision 3 estimate. In that analysis, the FAR Council split the cost into labor and hardware/software. For a small business, that was about $175,700 in the first year and $103,800 a year after. For a larger firm, about $683,400 in the first year and $574,000 a year after — and the labor figures explicitly exclude the time to maintain a system security plan.
FAR Council compliance cost estimates (January 2025 baseline)
Contractor sizeLabor (yr 1 / recurring)Hardware & software (yr 1 / recurring)Estimated total (yr 1 / recurring)
Small business$148,200 / $98,800$27,500 / $5,000≈ $175,700 / $103,800
Other than small$543,400 / $494,000$140,000 / $80,000≈ $683,400 / $574,000

Source: FAR Council regulatory-impact analysis in the January 2025 proposed rule (90 FR 4278), Revision 2 baseline, at a $95/hour labor rate; excludes system-security-plan maintenance time. The June 2026 version keys to Revision 3, so the current figures could differ. Confirm in 91 FR 37550 before budgeting. For comparison, see also our analysis of CMMC Level 2 certification costs (a separate, DoD-specific program).

Two honest notes on these numbers. First, they’re the reason “before you spend six figures” isn’t hyperbole — the government’s own estimate puts total first-year costs into six figures for both small and larger firms. Second, your actual number depends entirely on where you’re starting: a firm with mature DFARS 7012 practices has a real head start, while a contractor without an existing NIST SP 800-171 program may face a materially larger implementation gap. That’s precisely why the first dollar you spend should confirm scope, not buy tools.

Before you price anything, get your starting point on paper. The CMMC & NIST 800-171 Readiness Checklist maps the control families so you can size the gap honestly before you talk to anyone. Free, no CUI.

Download the readiness checklist

What should you do now — without overreacting to a draft?

Don’t certify to proposal-only requirements, and don’t ignore changes that could affect your future contracts if the rule is finalized and incorporated. The no-regret path: identify the authority behind each current contract, map your CUI and system boundaries, crosswalk Revision 2 to Revision 3, test a 72-hour response, review your cloud and subcontract dependencies, and document every assumption that needs a contracting officer, prime, RP/RPO, or attorney to resolve. Every one of those steps improves your security and your compliance posture whether the rule is finalized soon or later.

A prioritized starting sequence:

  1. Inventory the paper. Pull your active solicitations, contracts, subcontracts, modifications, and any prime questionnaires. For each asserted “CUI” duty, write down the exact clause or authority behind it. Half the anxiety on this topic evaporates once you separate a vendor email from a contract clause.
  2. Confirm CUI scope. Identify the CUI categories you actually handle and the open classification questions. Confirm with your contracting officer or counsel — CUI status comes from law and policy, and the agency identifies it, not a checklist.
  3. Map the environment. Systems, cloud services, external providers, and subcontractors that touch the information. You can't scope controls before you scope data flows.
  4. Fix the record. If any internal or public statement claims Revision 3 is already the CMMC Level 2 baseline, correct it. It isn't.
  5. Crosswalk Rev. 2 → Rev. 3. Build the gap map. Prioritize the changes that also strengthen your security today.
  6. Rehearse the 72 hours. Test whether a suspected-CUI or incident event reaches contracts, legal, and security fast enough — and whether you can preserve system images under the proposed retention condition.
  7. Decide whether to comment. If the proposal would burden you unfairly, file a comment before July 23, 2026, referencing FAR Case 2026-001 at regulations.gov (docket FAR-2026-0001).

Who should answer which question?

One reason this rule feels overwhelming is that it mixes questions that belong to very different people. It helps to route each one to the right place.

Question routing guide for governmentwide CUI rule compliance
The questionWho owns the answer
What does this solicitation or contract legally require?Contracting officer, prime contracts contact, or federal-contracts counsel
Is this information actually CUI?The agency / requiring activity, using the governing CUI authority
How do I map my level, scope, and provider category (DoD)?An RP/RPO or qualified CMMC advisor
How do I implement and operate the controls?A readiness provider, MSSP, or your security engineering team
Am I ready for a formal CMMC assessment?Readiness first; a C3PAO only when you're assessment-ready — and kept separate from remediation
What evidence should my cloud provider supply?Security, contracts, and cloud-compliance specialists
Does another law conflict with the clause?Qualified counsel plus the contracting officer

Notice we did nottell you to call a C3PAO to fix your gaps. Readiness and formal assessment must stay separate: under the CMMC rules, a firm that served as your consultant preparing for a CMMC assessment in the prior three years generally can’t perform your Level 2 certification assessment (32 CFR Part 170), and C3PAOs must identify and mitigate conflicts of interest under the CMMC Assessment Process. Keep those lanes clean. See our CMMC provider categories guide for how to choose the right kind of help.

You've done the diagnosis. If you now know you have a real gap and want to move, the fastest next step is to match your situation to the right category of help — readiness (RPO/MSSP), evidence and workflow (GRC platform), a hardened environment (CUI enclave), or, when you're truly assessment-ready, a C3PAO. Do not submit CUI, drawings, or sensitive contract details.

Get matched with source-checked provider categories

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.


What could still change — and what the headlines get wrong

The final clause text, the SF XXX design, the effective date, any transition period, the ODP source, and the rule’s relationship to the DFARS can all still change. Plan around durable security and evidence improvements, and don’t repeat the common myths that the proposal has already amended your contracts, CMMC, or every agency’s process. Uncertainty is real here; vagueness is not an excuse.

Still unsettled as of : the final publication and effective dates, any grandfathering, the final form and clause wording, how the ODP set will be maintained, whether agencies will layer on deviations, how enforcement will work, and what the CMMC review concludes.

Eight things we keep seeing stated as fact that are not:

  1. “The proposal is already effective.” It’s proposed.
  2. “Every federal contractor will get the CUI clause.” Only when the agency identifies CUI in the work.
  3. “Everyone must move to Revision 3 now.” Only where a current contract requires it.
  4. “Revision 3 has replaced Revision 2 for CMMC.” It hasn’t — CMMC Level 2 is still Rev. 2.
  5. “Every marking error is a reportable incident.” It isn’t, unless it causes disclosure, alteration, destruction, or unauthorized access.
  6. “Every cloud provider must hold a FedRAMP authorization.” The baseline is equivalent to FedRAMP Moderate; “authorized” appears only in the narrow incident exception.
  7. “COTS and commercial mean the same thing.” They don’t — commercial services can be covered; COTS-only is excluded.
  8. “The July 13 CMMC pause wiped out my current duties.” It didn’t — DFARS 7012, Revision 2, SPRS obligations, and knowing-misrepresentation risk all remain.

How The Defense Compliance Report verified this analysis

We built this page from primary sources and dated the verification.Our editorial team read the June 23, 2026 proposed rule and its draft clause text, NARA’s CUI Program guidance, NIST’s Revision 3 publication, the current DFARS clauses, the CMMC Program Rule at 32 CFR Part 170, and the Department’s July 13, 2026 CMMC suspension release. We used law-firm and vendor summaries only to spot issues and cross-check ourselves — never as the authority for a requirement.

What we actually verified —

  • Federal Register legal status, docket, comment deadline, applicability (DoD and non-DoD), the SF XXX, and the draft clauses (91 FR 37550, doc 2026-12559).
  • NARA’s description of the existing CUI Program and Registry (32 CFR Part 2002).
  • NIST SP 800-171 Revision 3’s structure; Revision 2’s 110 requirements across 14 families.
  • That CMMC Level 2 still maps to Revision 2 under 32 CFR Part 170, held for covered DoD contracts by Class Deviation 2024-O0013, Rev. 1.
  • The current DFARS 252.204-7012 72-hour “rapid report” and cloud language.
  • The July 13, 2026 suspension of the transition to CMMC Phase II and what remains in force.
  • The specific changes between the January 2025 and June 2026 proposals.

What we did not state as settled:the proposed clause numbers (52.240-6/-7) are verified in the rule but aren’t final until final rulemaking; the cost figures are the January 2025 / Revision 2 estimates, clearly labeled — we did not identify a current June 2026 Revision 3 per-company cost estimate. We’ll update this page as the rulemaking moves.

Why this page exists:contractors are being asked to reconcile an existing CUI Program, a revised proposed FAR rule, current DFARS clauses, two NIST revisions, prime-contractor questionnaires, and a freshly suspended CMMC schedule — all at once. This page exists to keep you from mistaking a proposal for a contract requirement, and from dismissing the current duties you already owe just because the new FAR rule isn’t final.


Governmentwide CUI rule FAQ

These answers cover the edge cases most likely to send you back to search. Each is written to stand on its own and points to the governing authority.

Is the governmentwide CUI rule final?
No. FAR Case 2026-001 is a proposed rule, published June 23, 2026 (91 FR 37550). The comment period closes July 23, 2026, and no final effective date has been announced.
When will the governmentwide CUI rule take effect?
No effective date has been set. It would take effect only after the FAR Council finalizes the rule and the clauses are inserted into contracts. Unlike CMMC, the proposal doesn’t lay out a phased, multi-year rollout.
Does it apply to DoD contracts, civilian contracts, or both?
Both. The rule is governmentwide; the proposed clause routes incident reports to DIBNet for DoD contracts and to CISA for non-DoD contracts, and it would apply whenever a covered acquisition involves CUI.
Does every federal contractor have to comply with FAR 52.240-7?
No. The clause would apply only when the buying agency determines CUI is involved and completes an SF XXX identifying it.
Are COTS-only contracts excluded?
Yes. Acquisitions solely for commercially available off-the-shelf items are excluded, though a COTS product bundled with services or CUI handling may not qualify as COTS-only.
Does NIST SP 800-171 Revision 3 apply to contractors today?
Only when a current contract or program makes it apply. The June 2026 proposal alone does not bind anyone.
Has CMMC Level 2 moved to Revision 3?
No. CMMC Level 2 still incorporates NIST SP 800-171 Revision 2 (110 requirements, 14 families) under 32 CFR Part 170.
Did the Department cancel CMMC?
No. On July 13, 2026, it suspended the transition to Phase II (third-party assessments) and pending and future milestones pending a review. CMMC Level 1 and Level 2 self-assessments, DFARS 252.204-7012, and SPRS obligations remain in force.
Is unmarked or mismarked CUI automatically a CUI incident?
No. Under the proposed definition, improper handling alone is not an incident unless it results in unauthorized disclosure, improper modification or destruction, or unauthorized access. It triggers a separate 72-hour notice to the contracting officer and an interim duty to safeguard the information.
Where would CUI incident reports go?
Under the proposal, to CISA for non-DoD contracts and to DoD’s DIBNet portal for DoD contracts, within 72 hours, with notice to the contracting officer (and the next higher-tier contractor when applicable).
Does a FedRAMP provider’s report eliminate my duties?
Not entirely. A FedRAMP-authorized cloud provider reporting through FedRAMP procedures wouldn’t require a duplicate report, but you still need to confirm what information reaches you and which notices you still owe.
Would POA&Ms be allowed?
The proposal requires offerors that can’t meet all requirements at proposal time to disclose the gaps and submit a Plan of Action and Milestones. A POA&M is not the same as being compliant, and don’t assume CMMC’s specific POA&M rules carry over to the FAR proposal.
Are VDI endpoints out of scope?
Only the narrowly described configuration is — a VDI endpoint set up so that nothing but keyboard, video, and mouse signals reach the client, with no CUI processed, stored, or transmitted on the device. Keep the configuration evidence.
How can I comment on the proposal?
Before July 23, 2026, submit comments at regulations.gov under docket FAR-2026-0001, referencing FAR Case 2026-001.

The next step, depending on where you are

If you’re still figuring out whether this even applies to you, use the path tool before you request implementation quotes — no CUI, no login.

If you’re a DoD contractor who needs to choose a compliance path, the Find My CMMC Path tool routes you to the right provider category before you spend.

Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options. Do not submit CUI, drawings, contract documents, system diagrams, credentials, or sensitive program details.

Get matched with source-checked CMMC provider options →

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This matching step may generate referral or qualified-introduction compensation. It does not determine your legal obligation, CMMC status, assessment result, or certification outcome.


Primary sources referenced on this page

The Defense Compliance Report — the independent CMMC decision layer for defense contractors. Choose the right CMMC path before you hire.

By The Defense Compliance Report Editorial Team · · Federal Register status verified

The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense / Department of War, DCMA DIBCAC, NIST, NARA, the FAR Council, or any U.S. government agency. Found something out of date? Contact us through our corrections process and we’ll verify and fix it.