Governmentwide CUI Rule: What FAR Case 2026-001 Means Now
If you searched governmentwide CUI rule, you probably want to know one thing first: are we already late?
Here’s the bottom line, up front. The governmentwide CUI rule — FAR Case 2026-001, published June 23, 2026 at 91 FR 37550 — is a proposed rule, not a final one. The public comment window closes July 23, 2026. If it’s finalized substantially as written, it would create a single, uniform way for federal contracts — defense and civilian alike— to spell out CUI requirements: new clauses (FAR 52.240-6 and FAR 52.240-7), a new agency-completed form (Standard Form XXX), NIST SP 800-171 Revision 3 for the parts of your systems that handle CUI, and 72-hour CUI incident reporting.
Now the distinction almost every headline blurs — and getting it wrong costs you either money or time. Two different things get called “the CUI rule,” and only one of them is new.
We read the 85-page proposed rule (91 FR 37550), cross-checked the clause text against multiple analyses, and confirmed the rule’s status directly against the Federal Register on July 16, 2026. This page is our attempt to end your search: what’s binding today, what’s only proposed, whether it reaches you, which NIST version applies, how it overlaps with DFARS and CMMC, and the moves worth making now — without treating a draft like a contract clause.
The Defense Compliance Reportis the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
A quick, honest boundary: This is educational research, not legal, contractual, or compliance advice. The Defense Compliance Report is not affiliatedwith the FAR Council, the Department of Defense (recently redesignated the Department of War), the National Archives (NARA), NIST, DCMA DIBCAC, or the Cyber AB. Your current contract, subcontract, agency requirements, and applicable law set today’s obligations — not a checklist and not this article. Confirm scope and applicability with your contracting officer, a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) where relevant, and qualified federal-contracts counsel.
Looking for the clause-by-clause deep dive?This page covers the governmentwide CUI rule and what applies now. For the full analysis of the revised June 2026 proposal — including the 2025→2026 change ledger, the 72-hour reporting mechanics, the cloud/VDI provisions, and the NIST 800-172 edition question — see our FAR CUI rule 2026 guide.
Is the governmentwide CUI rule actually in effect right now?
This is the single most important distinction on the page, so let’s be precise.
The CUI Program is real and old.Controlled Unclassified Information is unclassified information the government creates or possesses — or that a contractor creates or possesses for or on behalf of the government — that a law, regulation, or governmentwide policy requires or permits an agency to protect with safeguarding or dissemination controls. Plainer version: sensitive-but-unclassified government information you’re required to guard. Executive Order 13556 created the CUI Program in 2010, NARA issued the implementing rule at 32 CFR Part 2002 (effective 2016), and the CUI Registry catalogs 100-plus categories. Current law, agency policy, and contract terms can already require civilian and defense contractors alike to safeguard CUI. For background on what counts as CUI vs. general federal contract information, see our FCI vs. CUI guide.
The 2026 FAR clauses are new and proposed.What has been missing is a uniform FAR-level mechanism for identifying and communicating those requirements across agencies — the reason “governmentwide” is in the name. FAR Case 2026-001 is the FAR Council’s attempt to standardize that, and it’s part of the larger “Revolutionary FAR Overhaul,” the rewrite of the Federal Acquisition Regulation launched by Executive Order 14275 in April 2025.
So both statements below are wrong, and both are common:
- “The CUI rule doesn’t exist yet.”Incorrect — the CUI Program has governed federal information for over a decade.
- “The new governmentwide CUI rule is already in effect.”Also incorrect — the June 2026 FAR clauses are proposed.
Governmentwide CUI rule: the status timeline
| Date | Event | What it means for you |
|---|---|---|
| Nov 4, 2010 | Executive Order 13556 | Created the governmentwide CUI Program. |
| Nov 14, 2016 | 32 CFR Part 2002 effective | The directive implementing the CUI Program for executive-branch agencies. |
| Jan 15, 2025 | FAR Case 2017-016 proposed (90 FR 4278) | First governmentwide FAR CUI proposal. Now superseded. |
| Apr 15, 2025 | Executive Order 14275 | Launched the Revolutionary FAR Overhaul. |
| Jun 23, 2026 | FAR Case 2026-001 proposed (91 FR 37550) | The revised, current proposal. New clause structure, materially revised requirements. |
| Jul 23, 2026 | Comment period closes | Your last scheduled chance to shape the text. |
| Not announced | Final rule / effective date | You cannot assume timing. |
The one honest catch — and why it should speed you up, not slow you down
Here’s the admission we owe you: this is a proposal.The clause numbers, the exact controls, even the timeline can still change before it’s final. Treat every specific below as “current as of the proposed rule,” not settled law. If you re-architect your whole environment tomorrow against a draft, you can waste real money.
Now the flip side, because “wait and see” is the more expensive mistake here:
- ▸Many of you already have current duties. Because the CUI Program already exists, existing law, agency policy, or contract clauses may already require you to protect CUI — regardless of what happens with this proposal. Waiting on the FAR rule doesn't pause obligations you already carry.
- ▸The direction is clear. The proposal adopts NIST SP 800-171 Revision 3 and even anticipates that the Department of Defense will move its own contractors to Revision 3 through a separate rulemaking. “Anticipates” isn’t “has done” — but it tells you where this is heading.
- ▸There’s no multi-year phase-in. Unlike CMMC, the proposal doesn’t lay out a phased, multi-year rollout. No effective date has been announced — but when a FAR rule is finalized, its clauses begin flowing into new solicitations, so the practical planning window is now, not “someday.”
- ▸The comment window is a real, closing opportunity. Until July 23, 2026, you can formally push back on anything that would burden you unfairly. After that, you're reacting to whatever survives.
The rational move isn’t to panic or to ignore it. It’s to pin down whether your contracts involve CUI, separate what already binds you from what’s merely proposed, and start the gap analysis you’ll need either way.
The fastest way to stop guessing is to see what applies to your specific contract. Answer a handful of non-sensitive questions and get a dated, plain-English read on what looks binding today, what's proposal-only, and which documents to pull next. Do not upload contracts, drawings, CUI, or system diagrams.
Check what applies to my contractWhat CUI requirements bind contractors today, while FAR Case 2026-001 is still proposed?
Here’s the hierarchy to check, top to bottom:
- Existing law, regulation, or governmentwide policy. The CUI Program is already in force. If a statute or governmentwide policy makes information CUI, protection obligations can already attach.
- Your agency’s current CUI policy. Civilian agencies implement the CUI Program at different speeds and in different ways. Your requiring activity’s policy may already impose handling rules.
- The clauses already in your contract. For DoD work, that commonly includes DFARS 252.204-7012 (safeguarding covered defense information and rapid incident reporting) and, where applicable, CMMC. For civilian work, it may be an agency-specific clause. These are what bind you today.
- Flowdowns already in your subcontracts. If a prime has already flowed a CUI or covered-information clause to you, that clause governs now.
- The proposed FAR clauses — not yet. FAR 52.240-6, FAR 52.240-7, and SF XXX are proposed. They would communicate new contract-specific CUI requirements only after finalization and incorporation.
The practical point: if someone tells you “the CUI rule now requires X,” your first question is which document is creating that obligation?A vendor alert isn’t a clause. A current contract clause is. The proposed FAR rule is a preview of what’s coming, not a live requirement.
Does the governmentwide CUI rule apply to DoD contracts, civilian contracts, or both?
You are likely in scope if:
- You hold or bid federal contracts — civilian or defense — that involve CUI.
- You’re a subcontractor who will receive CUI under a covered prime.
- You provide commercial products or services that nonetheless involve CUI handling or access.
You are likely not in scope (yet) if:
- Your contracts involve no CUI — only public or otherwise non-covered information.
- You sell only COTS items, with no associated CUI-handling services.
One point worth clearing up: DoD-only contractors are not categorically excluded from this rule. Because the FAR is the governmentwide foundation and DFARS is the DoD supplement on top of it, a finalized FAR CUI clause could apply to a DoD contract involving CUI alongside existing DFARS clauses and CMMC. How those overlapping obligations reconcile is exactly the kind of detail the final rule and DoD would have to sort out.
Which contractor are you? The applicability matrix
| Your situation | The binding question today | Exposure if the rule is finalized as written | First move |
|---|---|---|---|
| Civilian contractor, no identified CUI | Does any current contract, agency policy, or data exchange actually impose CUI duties? | The clauses wouldn’t apply where CUI isn’t involved. | Confirm the source of the “CUI” claim. Don’t treat a vendor email as a clause. |
| Civilian contractor handling CUI | What agency-specific clause or policy governs the data now? | Likely if the resulting contract includes SF XXX and FAR 52.240-7: Revision 3, the 72-hour process, cloud and flowdown duties. | Pull the contract and agency CUI policy; start a Rev. 3 gap map. |
| DoD contractor with DFARS 252.204-7012 | What does your existing DFARS clause and solicitation require now? | A finalized FAR CUI clause could apply on top of your DFARS obligations, to be reconciled. | Keep your current 7012 duties running; watch how the frameworks overlap. |
| DoD contractor under CMMC | What level, assessment type, and affirmation are in the contract today? | The FAR proposal doesn’t amend CMMC or move Level 2 to Rev. 3. | Continue truthful self-assessment; track the CMMC review (below). |
| Mixed civilian + DoD portfolio | Which authority governs each contract and system boundary? | Highest risk of blending Rev. 2, Rev. 3, DFARS, agency, and CMMC obligations. | Build a contract-by-contract authority map, not one companywide “CUI” answer. |
| Subcontractor with a prime questionnaire | Is the request tied to an actual flowdown, or a “get-ready” survey? | Future FAR 52.240-7 flowdown if you’ll access identified CUI. | Ask for the clause, the data type, the standard, and the timing before you commit. |
| Commercial SaaS / MSP / cloud provider | Will your service store, process, transmit, or be able to access CUI? | Commercial services can be covered; COTS is not a blanket exemption for services. | Map your technical and privileged access and your incident duties. |
| COTS-only seller | Is the deal truly COTS-only, with no CUI handling or covered service? | The CUI clause is excluded from COTS-only buys. | Confirm that support, remote access, or customization doesn’t change the facts. |
For DoD contractors specifically:
The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Use Find My CMMC Path to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.
Quick vocabulary: a C3PAO is a Certified Third-Party Assessment Organization; an RPO/RP is a Registered Provider Organization / Registered Practitioner; an MSSP is a Managed Security Service Provider; a GRC platform is governance-risk-compliance software; and a CUI enclaveis a walled-off, hardened environment built to hold CUI. For civilian contractors: the CMMC certification path isn’t yours — the proposed FAR rule creates no CMMC-style certification body. Start with your actual contract, your agency’s CUI policy, your CUI scope, and the required standard.
What would the governmentwide CUI rule actually require?
| Proposed requirement | What it means in practice | Where it lives |
|---|---|---|
| SF XXX (CUI Requirements form) | The agency completes it per contract to say whether CUI is involved, which categories, where it resides, marking duties, and whether enhanced controls apply. You safeguard the CUI the form identifies. | FAR Part 40; SF XXX |
| FAR 52.240-6 (solicitation provision) | “Notice of Controlled Unclassified Information Requirements” — puts offerors on notice and requires disclosure of unmet requirements plus a POA&M at proposal time. | FAR 52.240-6 |
| FAR 52.240-7 (contract clause) | “Controlled Unclassified Information” — carries the safeguarding, incident-reporting, cloud, and flowdown obligations. | FAR 52.240-7 |
| NIST SP 800-171 Revision 3 | The security baseline for the nonfederal system components that process, store, or transmit CUI, or provide security protection for them. Not Revision 2. | FAR 52.240-7(d); NIST SP 800-171 Rev. 3 |
| NIST SP 800-172 (limited) | Enhanced controls the agency may add for critical programs or high-value assets. | SF XXX Part D; NIST SP 800-172 |
| 72-hour reporting & notice | Distinct 72-hour clocks for a real CUI incident, for suspected unmarked/mismarked CUI, and for a legal conflict (detailed below). | FAR 52.240-7 |
| Cloud = FedRAMP Moderate equivalent | Any cloud service handling CUI must meet requirements equivalent to the FedRAMP Moderate baseline. | FAR 52.240-7(d) |
| Subcontract flowdown | Flow the substance of 52.240-7 to any tier that will access the identified CUI (COTS-only excluded). | FAR 52.240-7 |
NIST SP 800-171 Rev. 3 vs. Rev. 2: which one applies to you?
This is the trap. It catches good compliance teams because both statements are true at once and seem to contradict each other:
- Proposed FAR 52.240-7, for covered nonfederal systems, → Revision 3.
- CMMC Level 2 → Revision 2(written into 32 CFR Part 170, and held there for covered DoD contracts by DoD’s class deviation — Class Deviation 2024-O0013, Revision 1).
NIST published Revision 3 in May 2024. But publishing a standard doesn’t amend anyone’s contract. Revision 3 only binds you when a contract or program makes it apply — which, under an applicable contract, is what proposed FAR 52.240-7 would do if finalized and incorporated. See our full NIST SP 800-171 requirements checklist for the Revision 2 control families and evidence your contract likely requires today.
Rev. 2 vs. Rev. 3, side by side
| Question | Revision 2 | Revision 3 |
|---|---|---|
| Current CMMC Level 2 baseline? | Yes | No |
| Proposed FAR 52.240-7 baseline? | No | Yes |
| Security-requirement families | 14 | 17 |
| Total requirements | 110 | 97 |
| Organization-defined parameters (ODPs) | Not used the same way | Introduced for selected requirements |
| Relationship to NIST SP 800-53 | Basic requirements derive from FIPS 200; derived requirements draw from SP 800-53 | Restructured by tailoring the SP 800-53B Revision 5 moderate baseline |
| Binds you today? | Only if your current contract says so | Only if your current contract says so — the June proposal alone isn’t enough |
What an ODP is, in plain terms:some Revision 3 requirements leave a value to be set — a frequency, a duration, a threshold — that the organization (often the agency) defines. The proposal points contractors to a published ODP set for the applicable requirements, and agencies can specify their own for any SP 800-172 controls they add. Practical upshot: the ODP source is an external, changeable artifact, so re-check it rather than assume it’s frozen.
If you’re a Revision 2 shop today, don’t panic-rebuild.The two revisions overlap heavily, so genuine Rev. 2 work is not wasted. The smart, no-regret move is a crosswalk: map your systems first, then map Rev. 2 controls to their Rev. 3 equivalents, flag the genuinely new requirements (the new families, the ODPs), and prioritize the gaps that also strengthen your security. Just don’t represent that crosswalk as a completed Rev. 3 assessment — it isn’t one.
Our CMMC Readiness Checklist lays out the 14 NIST SP 800-171 Rev. 2 control families so you can size the gap honestly before you talk to anyone. No CUI, no login required.
Download the Rev. 2 → Rev. 3 planning worksheetHow does the governmentwide CUI rule overlap with DFARS 252.204-7012 and CMMC?
Think of it as layers, not lanes — DFARS sits on top of the FAR for DoD buys, so a DoD contract can carry both.
How the current and proposed authorities overlap
| DoD authorities (current) | Governmentwide FAR CUI rule (proposed) | |
|---|---|---|
| Instruments | DFARS 252.204-7012 / -7019 / -7020 / -7021; CMMC Program Rule (32 CFR Part 170) | FAR Case 2026-001 (91 FR 37550): FAR 52.240-6, 52.240-7, SF XXX |
| Status (July 2026) | In force — but the transition to CMMC’s third-party (C3PAO) assessment phase was suspended July 13, 2026 pending review | Proposed; comments close July 23, 2026 |
| Who it covers | DoD contractors/subs handling FCI or CUI | DoD and non-DoD contractors/subs when the clauses are prescribed and performance involves identified CUI (commercial included; COTS-only excluded) |
| NIST baseline | 800-171 Rev. 2 (110 reqs / 14 families) | 800-171 Rev. 3 (97 reqs / 17 families) for covered nonfederal systems |
| Verification | Self-assessment or a C3PAO (varies by level/contract); third-party transition currently paused | Offer-stage disclosure of unmet requirements plus a POA&M, and ordinary contract administration; no CMMC-style certification body in the proposal |
| Incident reporting | 72-hour “rapid report” under DFARS 252.204-7012 when that clause applies | Under proposed 52.240-7: DIBNet for DoD contracts, CISA for non-DoD, plus contracting-officer and higher-tier notices |
| How obligations are set | Contract clause + required CMMC level | Contract clause (FAR 52.240-7) + the SF XXX form |
Why Revision 3 does not automatically move CMMC to Revision 3: NIST publishing Rev. 3 didn’t touch 32 CFR Part 170, and neither does this FAR proposal. CMMC Level 2 still incorporates Revision 2 (110 controls, 14 families, per 32 CFR § 170.14). The proposal says harmonization is intendedto happen through separate DoD rulemaking — but it doesn’t set when, whether, or exactly how. So keep separate authority maps, and don’t rebuild your CMMC program around Revision 3 on the strength of this proposal.
What changed for CMMC on July 13, 2026 — and what didn’t
On July 13, 2026, the Department suspended the transition to CMMC Phase II— the phase that would have started requiring third-party (C3PAO) assessments in DoD contracts on November 10, 2026 — and held pending and future implementation milestones in abeyance while it conducts a review.
Here’s the part people miss: the pause did not erase anything you already owe. During the suspension, contracting officers may still require CMMC Level 1 (Self) or Level 2 (Self) self-assessments. DFARS 252.204-7012 is unchanged. NIST SP 800-171 Revision 2 remains the enforced defense standard. Your SPRS obligations continue — that includes maintaining a current NIST SP 800-171 DoD Assessment score under DFARS 252.204-7019/-7020, and, where CMMC applies, your CMMC self-assessment result and annual affirmation under DFARS 252.204-7021. Knowingly false cybersecurity representations can carry False Claims Act risk — ordinary noncompliance or an honest inaccuracy doesn’t automatically create liability, but the government’s Civil Cyber-Fraud Initiative targets knowing misrepresentations.
The takeaway for this page:the Department paused the transition to CMMC’s assessment phase while the FAR Council kept a separate governmentwide rulemaking moving. It’s a study in contrasts, not a contradiction — the FAR rule is neither DoD-only nor civilian-only, and none of this changes CMMC’s current Revision 2 baseline.
If your exposure is on the DoD side and you need help choosing a path, map it to a category before you request quotes. Find My CMMC Path routes you to a provider category — readiness, managed security, GRC, enclave, or assessment — never a specific vendor, and never a certification promise. Do not submit CUI, drawings, or sensitive contract details.
Map my DoD CMMC pathWhat is Standard Form XXX, and how would it identify your CUI?
We read the form’s proposed structure so you know what to expect on it:
- Part A — whether you’re expected to handle CUI under the contract. (“Handling” is defined broadly: accessing, processing, transmitting, safeguarding, re-using, or disposing of CUI.)
- Parts B and C — whether the CUI will reside in a federally controlled facility or a non-federally controlled (your) facility.
- Marking responsibilities — what you must mark and how.
- Part D — whether the enhanced requirements of NIST SP 800-172 apply.
What the agency owns vs. what you own:
- Identifying the CUI categories
- Completing and validating the SF XXX
- Correcting the form when needed
- Modifying the contract if it later discovers CUI is involved
- Safeguarding the identified CUI
- Following the marking duties on the form
- Escalating anything that looks like unmarked, mismarked, or omitted CUI (72-hour notice clock applies)
- Flagging your own bid/proposal and business-proprietary information
If the SF XXX is missing, incomplete, or contradicts the clauses: don’t ignore it. Preserve and limit access to the information, document the exact inconsistency, notify the contracting officer, and get written clarification or a contract modification.
What would you have to report within 72 hours?
The three 72-hour clocks
| What starts the clock | Report to | First action | The distinction that matters |
|---|---|---|---|
| A CUI incident in a contractor facility | CISA (non-DoD contracts) or DIBNet (DoD contracts); also notify the contracting officer, and the next higher-tier contractor when applicable | Submit the available data elements; supplement later if the investigation finds gaps | This is a real security event, not a paperwork error |
| Suspected unmarked / mismarked / omitted CUI, or an SF XXX inconsistency | The contracting officer | Notify, and safeguard the information as if it were CUI until the CO decides | A notice-and-hold duty, not an incident report |
| A legal conflict preventing compliance with the clause | The contracting officer | Notify within 72 hours of determining you can’t comply because of another law or regulation | Opens the door to agency-approved “alternative controls” |
What counts as a “CUI incident.”The proposal defines it as unauthorized disclosure, improper modification, or improper destruction of CUI — in any form — or unauthorized access to the information system where CUI resides. Two things the June 2026 version fixed from the 2025 draft: it dropped “suspected” incidents from the definition, and it expressly says improper handling (like unmarked or mismarked CUI) is notan incident unless it results in one of those outcomes. That’s a meaningful narrowing, and it’s why the marking-notice path is separate from the incident path.
The first report can be incomplete.You submit the data elements you have; if the investigation later turns up material gaps, you supplement. The FAR Council chose 72 hours specifically to align with DFARS 252.204-7012, to give you time to confirm whether an event even qualifies, and to make initial reports more accurate. Use that time — but build the internal triage path now so security, legal, contracts, and leadership can move fast when the clock starts.
After an incident, the proposal also expects you to inventory what CUI was or could have been accessed, reconstruct a timeline of user activity, determine how the access happened, cooperate with the agency, and preserve available images of the affected systems and relevant monitoring or packet-capture data until the government declines interest, or until 90 days pass after the report without a government request — whichever comes first. If your logging and imaging can’t support that today, that’s a gap worth closing regardless of this rule.
What would the rule require for the cloud and FedRAMP Moderate?
| Term | What it means here |
|---|---|
| Equivalent to FedRAMP Moderate | A security threshold your cloud provider must meet. Depending on the contract, you may need evidence of equivalence — which is not automatically the same as holding a current authorization. |
| FedRAMP-authorized CSP | A provider that actually holds a FedRAMP authorization. The proposal’s incident exception applies specifically to these providers when they report through FedRAMP Incident Communication Procedures. |
Worth knowing: the January 2025 draft required cloud providers to be FedRAMP Moderate authorized, with no room for an equivalency determination — a stricter posture than even DoD’s. The June 2026 version added the equivalency path. So on cloud, the current proposal is actually more flexible than its predecessor.
Map every relationship that could touch CUI— SaaS, IaaS, PaaS, managed security tooling, backup, SIEM/log collection, help desk, identity providers, file transfer, and email — and, for each, get the architecture, the authorization-or-equivalence evidence, the incident-responsibility matrix, and the subprocessor list. A platform marketed as “CUI-ready” can shrink your scope and your burden, but buying it does not decide your contract obligation, your system boundary, or your compliance status. That’s still on you.
One proposed scoping relief worth knowing:the rule would treat certain endpoints as out of scope — specifically, a virtual desktop infrastructure (VDI) endpoint configured so that nothing but keyboard, video, and mouse signals move to the client, with no processing, storage, or transmission of CUI on the device itself. If you rely on that, document the configuration that proves it. The word “VDI” alone won’t carry it.
What would flow down to your subcontractors?
If you’re the prime, the mechanics are specific: you include the substanceof FAR 52.240-7 in the subcontract without alteration (except party names) and share the relevant SF XXX information so the sub knows exactly which CUI applies. The sensible move is data minimization — flow only what the work actually requires, strip unnecessary CUI from the package, and don’t paper every purchase order with a full CUI flowdown it doesn’t need.
If you’re the sub who just got a prime’s questionnaire,slow down and ask the questions that separate a real obligation from a “get-ready” survey:
- Which prime contract or solicitation drives this?
- What CUI will I actually receive or create?
- Where is it identified — is there an SF XXX?
- Which systems are expected to touch it?
- Which NIST revision and ODP set are being required?
- Is this a current clause, prime policy, or future-readiness request?
- Where must incidents be reported?
- Can I structure the work to avoid receiving the data at all?
A prime can make CUI your problem quickly. Knowing which of those eight answers applies is the difference between an informed yes and an expensive one.
What changed between the January 2025 and June 2026 FAR CUI proposals?
| Element | January 2025 (90 FR 4278, FAR Case 2017-016) | June 2026 (91 FR 37550, FAR Case 2026-001) |
|---|---|---|
| Home in the FAR | Part 4 (Administrative and Information Matters) | Part 40 (Information Security and Supply Chain Security) |
| NIST baseline | Revision 2 | Revision 3 |
| Main reporting clock | 8 hours | 72 hours |
| Core clauses | 52.204-WW / XX / YY | 52.240-6 and 52.240-7 |
| Separate “no-CUI / potential-CUI” clause | Yes (52.204-YY) | Deleted; the notice duty folds into 52.240-6/-7 |
| “Suspected” incidents | Included | Removed from the incident definition |
| Cloud | FedRAMP Moderate authorized, no equivalency | FedRAMP Moderate equivalent allowed |
| Contractor financial-liability language | Present | Deleted |
| Training | Prescriptive, one-size-fits-all | Flexible, tailored |
| Vehicle | Standalone CUI rule | Folded into the Revolutionary FAR Overhaul |
A real example of why the comment window matters
The January 2025 draft demanded incident reports within eight hours. Commenters told the FAR Council that eight hours wasn’t enough time to investigate, triage, and accurately characterize an event. In the June 2026 rule, the Council changed it to 72 hours, and said so — citing those industry comments, alignment with DFARS 252.204-7012, and the goal of more accurate first reports. That’s documented evidence, in the rule’s own preamble, that this proposal is still movable — and that the comment period closing July 23 is a real lever, not a formality. (Some current summaries still describe the January 2025 draft; check the date before you trust a “CUI rule” explainer.)
What would complying with the governmentwide CUI rule cost?
| Contractor size | Labor (yr 1 / recurring) | Hardware & software (yr 1 / recurring) | Estimated total (yr 1 / recurring) |
|---|---|---|---|
| Small business | $148,200 / $98,800 | $27,500 / $5,000 | ≈ $175,700 / $103,800 |
| Other than small | $543,400 / $494,000 | $140,000 / $80,000 | ≈ $683,400 / $574,000 |
Two honest notes on these numbers. First, they’re the reason “before you spend six figures” isn’t hyperbole — the government’s own estimate puts total first-year costs into six figures for both small and larger firms. Second, your actual number depends entirely on where you’re starting: a firm with mature DFARS 7012 practices has a real head start, while a contractor without an existing NIST SP 800-171 program may face a materially larger implementation gap. That’s precisely why the first dollar you spend should confirm scope, not buy tools.
Before you price anything, get your starting point on paper. The CMMC & NIST 800-171 Readiness Checklist maps the control families so you can size the gap honestly before you talk to anyone. Free, no CUI.
Download the readiness checklistWhat should you do now — without overreacting to a draft?
A prioritized starting sequence:
- Inventory the paper. Pull your active solicitations, contracts, subcontracts, modifications, and any prime questionnaires. For each asserted “CUI” duty, write down the exact clause or authority behind it. Half the anxiety on this topic evaporates once you separate a vendor email from a contract clause.
- Confirm CUI scope. Identify the CUI categories you actually handle and the open classification questions. Confirm with your contracting officer or counsel — CUI status comes from law and policy, and the agency identifies it, not a checklist.
- Map the environment. Systems, cloud services, external providers, and subcontractors that touch the information. You can't scope controls before you scope data flows.
- Fix the record. If any internal or public statement claims Revision 3 is already the CMMC Level 2 baseline, correct it. It isn't.
- Crosswalk Rev. 2 → Rev. 3. Build the gap map. Prioritize the changes that also strengthen your security today.
- Rehearse the 72 hours. Test whether a suspected-CUI or incident event reaches contracts, legal, and security fast enough — and whether you can preserve system images under the proposed retention condition.
- Decide whether to comment. If the proposal would burden you unfairly, file a comment before July 23, 2026, referencing FAR Case 2026-001 at regulations.gov (docket FAR-2026-0001).
Who should answer which question?
One reason this rule feels overwhelming is that it mixes questions that belong to very different people. It helps to route each one to the right place.
| The question | Who owns the answer |
|---|---|
| What does this solicitation or contract legally require? | Contracting officer, prime contracts contact, or federal-contracts counsel |
| Is this information actually CUI? | The agency / requiring activity, using the governing CUI authority |
| How do I map my level, scope, and provider category (DoD)? | An RP/RPO or qualified CMMC advisor |
| How do I implement and operate the controls? | A readiness provider, MSSP, or your security engineering team |
| Am I ready for a formal CMMC assessment? | Readiness first; a C3PAO only when you're assessment-ready — and kept separate from remediation |
| What evidence should my cloud provider supply? | Security, contracts, and cloud-compliance specialists |
| Does another law conflict with the clause? | Qualified counsel plus the contracting officer |
Notice we did nottell you to call a C3PAO to fix your gaps. Readiness and formal assessment must stay separate: under the CMMC rules, a firm that served as your consultant preparing for a CMMC assessment in the prior three years generally can’t perform your Level 2 certification assessment (32 CFR Part 170), and C3PAOs must identify and mitigate conflicts of interest under the CMMC Assessment Process. Keep those lanes clean. See our CMMC provider categories guide for how to choose the right kind of help.
You've done the diagnosis. If you now know you have a real gap and want to move, the fastest next step is to match your situation to the right category of help — readiness (RPO/MSSP), evidence and workflow (GRC platform), a hardened environment (CUI enclave), or, when you're truly assessment-ready, a C3PAO. Do not submit CUI, drawings, or sensitive contract details.
Get matched with source-checked provider categoriesWhat could still change — and what the headlines get wrong
Still unsettled as of : the final publication and effective dates, any grandfathering, the final form and clause wording, how the ODP set will be maintained, whether agencies will layer on deviations, how enforcement will work, and what the CMMC review concludes.
Eight things we keep seeing stated as fact that are not:
- “The proposal is already effective.” It’s proposed.
- “Every federal contractor will get the CUI clause.” Only when the agency identifies CUI in the work.
- “Everyone must move to Revision 3 now.” Only where a current contract requires it.
- “Revision 3 has replaced Revision 2 for CMMC.” It hasn’t — CMMC Level 2 is still Rev. 2.
- “Every marking error is a reportable incident.” It isn’t, unless it causes disclosure, alteration, destruction, or unauthorized access.
- “Every cloud provider must hold a FedRAMP authorization.” The baseline is equivalent to FedRAMP Moderate; “authorized” appears only in the narrow incident exception.
- “COTS and commercial mean the same thing.” They don’t — commercial services can be covered; COTS-only is excluded.
- “The July 13 CMMC pause wiped out my current duties.” It didn’t — DFARS 7012, Revision 2, SPRS obligations, and knowing-misrepresentation risk all remain.
How The Defense Compliance Report verified this analysis
We built this page from primary sources and dated the verification.Our editorial team read the June 23, 2026 proposed rule and its draft clause text, NARA’s CUI Program guidance, NIST’s Revision 3 publication, the current DFARS clauses, the CMMC Program Rule at 32 CFR Part 170, and the Department’s July 13, 2026 CMMC suspension release. We used law-firm and vendor summaries only to spot issues and cross-check ourselves — never as the authority for a requirement.
What we actually verified —
- Federal Register legal status, docket, comment deadline, applicability (DoD and non-DoD), the SF XXX, and the draft clauses (91 FR 37550, doc 2026-12559).
- NARA’s description of the existing CUI Program and Registry (32 CFR Part 2002).
- NIST SP 800-171 Revision 3’s structure; Revision 2’s 110 requirements across 14 families.
- That CMMC Level 2 still maps to Revision 2 under 32 CFR Part 170, held for covered DoD contracts by Class Deviation 2024-O0013, Rev. 1.
- The current DFARS 252.204-7012 72-hour “rapid report” and cloud language.
- The July 13, 2026 suspension of the transition to CMMC Phase II and what remains in force.
- The specific changes between the January 2025 and June 2026 proposals.
Why this page exists:contractors are being asked to reconcile an existing CUI Program, a revised proposed FAR rule, current DFARS clauses, two NIST revisions, prime-contractor questionnaires, and a freshly suspended CMMC schedule — all at once. This page exists to keep you from mistaking a proposal for a contract requirement, and from dismissing the current duties you already owe just because the new FAR rule isn’t final.
Governmentwide CUI rule FAQ
- Is the governmentwide CUI rule final?
- No. FAR Case 2026-001 is a proposed rule, published June 23, 2026 (91 FR 37550). The comment period closes July 23, 2026, and no final effective date has been announced.
- When will the governmentwide CUI rule take effect?
- No effective date has been set. It would take effect only after the FAR Council finalizes the rule and the clauses are inserted into contracts. Unlike CMMC, the proposal doesn’t lay out a phased, multi-year rollout.
- Does it apply to DoD contracts, civilian contracts, or both?
- Both. The rule is governmentwide; the proposed clause routes incident reports to DIBNet for DoD contracts and to CISA for non-DoD contracts, and it would apply whenever a covered acquisition involves CUI.
- Does every federal contractor have to comply with FAR 52.240-7?
- No. The clause would apply only when the buying agency determines CUI is involved and completes an SF XXX identifying it.
- Are COTS-only contracts excluded?
- Yes. Acquisitions solely for commercially available off-the-shelf items are excluded, though a COTS product bundled with services or CUI handling may not qualify as COTS-only.
- Does NIST SP 800-171 Revision 3 apply to contractors today?
- Only when a current contract or program makes it apply. The June 2026 proposal alone does not bind anyone.
- Has CMMC Level 2 moved to Revision 3?
- No. CMMC Level 2 still incorporates NIST SP 800-171 Revision 2 (110 requirements, 14 families) under 32 CFR Part 170.
- Did the Department cancel CMMC?
- No. On July 13, 2026, it suspended the transition to Phase II (third-party assessments) and pending and future milestones pending a review. CMMC Level 1 and Level 2 self-assessments, DFARS 252.204-7012, and SPRS obligations remain in force.
- Is unmarked or mismarked CUI automatically a CUI incident?
- No. Under the proposed definition, improper handling alone is not an incident unless it results in unauthorized disclosure, improper modification or destruction, or unauthorized access. It triggers a separate 72-hour notice to the contracting officer and an interim duty to safeguard the information.
- Where would CUI incident reports go?
- Under the proposal, to CISA for non-DoD contracts and to DoD’s DIBNet portal for DoD contracts, within 72 hours, with notice to the contracting officer (and the next higher-tier contractor when applicable).
- Does a FedRAMP provider’s report eliminate my duties?
- Not entirely. A FedRAMP-authorized cloud provider reporting through FedRAMP procedures wouldn’t require a duplicate report, but you still need to confirm what information reaches you and which notices you still owe.
- Would POA&Ms be allowed?
- The proposal requires offerors that can’t meet all requirements at proposal time to disclose the gaps and submit a Plan of Action and Milestones. A POA&M is not the same as being compliant, and don’t assume CMMC’s specific POA&M rules carry over to the FAR proposal.
- Are VDI endpoints out of scope?
- Only the narrowly described configuration is — a VDI endpoint set up so that nothing but keyboard, video, and mouse signals reach the client, with no CUI processed, stored, or transmitted on the device. Keep the configuration evidence.
- How can I comment on the proposal?
- Before July 23, 2026, submit comments at regulations.gov under docket FAR-2026-0001, referencing FAR Case 2026-001.
The next step, depending on where you are
If you’re still figuring out whether this even applies to you, use the path tool before you request implementation quotes — no CUI, no login.
If you’re a DoD contractor who needs to choose a compliance path, the Find My CMMC Path tool routes you to the right provider category before you spend.
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options. Do not submit CUI, drawings, contract documents, system diagrams, credentials, or sensitive program details.
Get matched with source-checked CMMC provider options →Primary sources referenced on this page
- Federal Register — FAR Case 2026-001, 91 FR 37550 (June 23, 2026) — the governing proposed rule
- Official rule PDF (govinfo)
- Comment docket (regulations.gov) — FAR-2026-0001
- Federal Register — January 2025 CUI proposed rule (superseded), FAR Case 2017-016, 90 FR 4278
- NARA — Controlled Unclassified Information Program (32 CFR Part 2002; CUI Registry)
- NIST SP 800-171 Rev. 3 (CSRC)
- NIST SP 800-171 Rev. 2 (CSRC)
- NIST SP 800-172 (CSRC)
- DFARS 252.204-7012 (Acquisition.gov)
- DFARS 252.204-7019 / -7020 / -7021 (Acquisition.gov)
- DoD Class Deviation 2024-O0013, Rev. 1 (NIST SP 800-171 Rev. 2)
- CMMC Program Rule, 32 CFR Part 170 (eCFR)
- U.S. Department of War — CMMC Phase II suspension release (July 13, 2026)