Start Spreading the News: The FAR Council is Moving to Revised FAR CUI Framework 

July 15, 2026

Big picture: what is it?

The federal government published a proposed rule on June 23, 2026 that could significantly reshape cybersecurity and compliance obligations for federal contractors handling Controlled Unclassified Information (CUI). CUI refers to governmental information that is not formally classified; however, it still requires safeguarding and dissemination controls. The rule aims to create a standardized guideline for how civilian-agency contractors and subcontractors should identify, safeguard, and report CUI incidents. The requirements are much more burdensome than the existing CUI regime, for example, DOD’s CMMC rules.

History

The idea of standardizing cybersecurity requirements across the federal government is not new, but it certainly has been a long and arduous process. Back in 2010, Executive Order 13556, establishing the Controlled Unclassified Information (CUI) Program, was issued, which initially established a requirement of the program and directed the National Archives and Records Administration (NARA) to implement the order and oversee compliance. The current FAR changes are proposed to implement NARA's final CUI rule on the Federal CUI Program as it relates to performance under Federal contracts. Before the regulations become final, they will need to be implemented through the FAR. Currently, there is a FAR case number 2017-016 that seeks to implement the requirements of the Executive Order. The proposed rule was first introduced in January 2025 and went through the public comments component of the rulemaking.1 The June 23, 2026, rule that the FAR Council published significantly revises the January 2025 proposed rule as part of the Administration’s larger Revolutionary FAR Overhaul effort.2 This update includes important structural changes that differ from the January 2025 initial rule. The June 23, 2026, proposed rule is now reopened for further public comment, which provides for another opportunity to shape the finalized version of the rule only through July 23, 2026, so immediate attention is warranted.

Brief overview of the CUI Framework

The proposed June 23, 2026, CUI rule identifies a structure that will consist of a provision, a contract clause, and a new Standard Form.

  • FAR 52.240-6, Notice of Controlled Unclassified Information Requirements solicitation provision will notify offerors before award that the contract will involve CUI and that the contractor will be subject to the CUI safeguarding requirements.
  • FAR 52.240-7, Controlled Unclassified Information is a new contract clause. Where CUI will be involved in performance, contracting officers must include FAR 52.240-7 in the contract, which incorporates the substantive safeguarding and incident-reporting requirements. 
  • Finally, Standard Form (SF) XXX, Controlled Unclassified Information Requirements, is completed by the procuring agency to identify the CUI involved in a particular contract, including where it will reside and applicable safeguards.

As a reminder, the proposed rule, as currently drafted, includes an exception for contracts involving commercially available off-the-shelf (COTS) items,3 but will apply to other commercial-type contracts. Contractors will be expected to safeguard the CUI identified on SF XXX.

June 23, 2026 Revisions

The rule can be broken down into the following three components: reporting timelines, incident reporting procedure, and implementing security controls.

Timeline of Reporting

The timeline for reporting incidents of CUI has been changed from the originally proposed eight hours to a more reasonable 72 hours, after discovery of an incident. The new extended timeline is a welcomed change that should allow contractors enough time to provide accurate information and determine whether the event qualifies as CUI. The updated timeline reflects a decision to align reporting requirements to a related requirement outlined in DFARS 252.204–7012, Cyber Incident Reporting for Critical Infrastructure Act of 2022. Similarly, the reporting of unmarked or mismarked CUI was also extended to 72 hours from discovery, giving more time to contractors to gather information and ensure accuracy.

Incident Reporting Procedures

First, the rule updated incident reporting procedures and subsequent reporting. The contractor’s initial report must include all applicable data elements available at the time. If the initial report is incomplete, or if information changes after the investigation is substantially complete, the contractor must submit a follow-up report with the updated or additional information under FAR 52.240–7(e)(2). The proposed rule also requires contractors to preserve CUI incident-related information for at least 90 days.

Second, locations for reporting CUI incidents have been updated depending on the type of contracts and the governing program. Specifically, the rule provides reporting locations for Department of Defense (DoD) contracts,4 non-DoD contracts,5 and FedRAMP incident reporting.6

Third, the rule includes CUI incident reporting requirements for subcontractors. The rule regarding subcontractor reporting has been updated to require subcontractors to report directly to the government as well as to notify the contractor officer and higher-tier contractor in accordance with FAR 52.240–7(e)(2).

Fourth, the rule revises CUI incident reporting scope by updating the definition of a CUI incident, clarifying when an incident qualifies as CUI-related, and adding exceptions for certain incidents. The rule revises the definition of a CUI incident to focus on events involving the unauthorized disclosure, improper modification, or improper destruction of CUI, as well as unauthorized access to the information system on which CUI resides. The rule additionally clarified that improper handling of CUI does not, by itself, constitute a CUI incident unless it results in an unauthorized disclosure, modification, or destruction of CUI. The rule also creates an exception for incidents involving FedRAMP-authorized cloud service providers when the incident is reported in accordance with applicable FedRAMP requirements.

Finally, the proposed clause FAR 52.240– YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information, has been deleted. The removal of this clause will relieve parties who would have been subject to it from the obligation to notify the government of unmarked or mismarked CUI.

Security Controls Changes

NIST SP 800-171 Revision 3

The proposed rule specifies NIST SP 800-171 Revision 3 as the applicable technical standard.7 This gives contractors a fixed version of the standard to follow, rather than requiring them to track future NIST updates unless the regulation is later revised.

Enhanced Controls Under NIST SP 800-172

The proposed rule clarifies that NIST SP 800-172 requirements apply only when an agency identifies them for a critical program or high-value asset.

Cloud Service Controls-FedRAMP Moderate

The proposed rule would require any cloud service provider that stores, processes, or transmits CUI to meet security requirements equivalent to the FedRAMP Moderate baseline.

Additional updates

Some other notable updates were incorporated in the newest edition of the rule:

Notification of Conflicting Obligations

The proposed rule would give contractors permission to notify Contracting Officers if contractors cannot comply with the requirements of the clause due to a conflict with another law or regulation.

Reduced Prescriptive Compliance Requirements

The proposed rule removes several contractor compliance obligations identified in the January 2025 proposed rule, including:

  1. government access to contractor facilities and systems;
  2. government validation requirements;
  3. contractor liability language for CUI incidents;
  4. prescriptive requirements to identify contractor proprietary information, because other parts of the FAR already detail requirements for handling such information.

The clause also revised flowdown obligations and now gives contractors more flexibility on how to best flow down the requirements.

Standard Form XXX Updates

The proposed rule would revise SF XXX to provide clearer information about the types of CUI involved and the applicable safeguarding requirements, making it easier for contractors to identify and protect CUI.

Training

The rule revision updates training requirements in favor of a more flexible, contractor-determined training approach.

Contractor Proprietary Information as CUI

The proposed rule would clarify that contractor-created or contractor-held information is not CUI unless a law, regulation, or governmentwide policy specifically requires safeguarding or dissemination controls.

Next Steps

First, the comment period for the proposed rule closes very soon on July 23, 2026, and the contracting community should consider providing comments on the proposed rule, including suggesting additional changes related to this rule, where appropriate.

As for practical implementations, contractors who handle CUI should consider beginning to engage in the following diligence process:

  • Identify current contracts and systems that handle CUI, in addition to any future opportunities that might involve CUI, to determine how to best prepare for the rule and identify systems that would need implementation of rule-identified security controls;
  • Review FAR 52.240-7 and the SF XXX and determine whether to submit comments in response to the proposed rule updates;
  • If using FedRAMP cloud solutions, consider reviewing whether these vendors or subcontractors are at least FedRAMP Moderate compliant;
  • Compare the current existing CUI requirements to the ones outlined in the new proposed rule. Once gaps are identified, consider how to ensure any differing requirements can be systematically implemented throughout the organization;
  • Review internal system controls and see whether meeting NIST 800-171 Rev. 3 security requirements would necessitate any additional cyber obligations and how to best prepare for those changes.

Should you have any questions and concerns regarding this proposed rule or need help with drafting a response, please reach out to Cozen O’Connor Government Contracts Team for support.

 


You can review previous Cozen alert on this matter by following this link, as it outlines some of the important contours and initial requirements of the rule. A previous version of the rule by following this link.

2The FAR Council consists of four members: the Administrator for Federal Procurement Policy (who chairs the council), the Secretary of Defense, the Administrator of National Aeronautics and Space (NASA), and the Administrator of General Services.

FAR 2.101 defines “COTS” as:

Commercially available off-the-shelf (COTS) item

  1. Means any item of supply (including construction material) that is–
    1. A commercial product (as defined in paragraph (1) of the definition of “commercial product” in this section)
    2. Sold in substantial quantities in the commercial marketplace; and
    3. Offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace; and
  2. Does not include bulk cargo, as defined in 46 U.S.C. 40102(4), such as agricultural products and petroleum products.

4 The Department of Defense reporting location identified in the proposed rule is https://dibnet.dod.mil

5 Reporting for non-DOD contracts is to Cybersecurity and Infrastructure Security Agency at https://www.cisa.gov/ reporting-cyber-incident. The contractor must also provide a notification to the contracting officer that a CUI incident report has been submitted.

6 CUI incidents involving FedRAMP should be reported in accordance with FedRAMP Incident Communication Procedures.

7 For now, CMMC certification remains tied to NIST SP 800-171 Rev. 2, and contractors seeking certification will be assessed against Rev. 2 requirements despite the publication of Rev. 3. However, the DoD recently indicated that it is beginning the same transition to Rev. 3 for CMMC Level 2.

 

Share on LinkedIn

Authors

Eric Leonard

Co-Chair, Government Contracts

eleonard@cozen.com

(202) 280-6536

Lawrence M. Prosen

Co-Chair, Government Contracts

lprosen@cozen.com

(202) 304-1449

Kristina Zaslavskaya

Associate

kzaslavskaya@cozen.com

(202) 280-6460

Related Practices