RFO Rulemaking Gives Contractors a Second Opportunity to Comment on FAR CUI Rule

Go-To Guide:
  • The recently issued Revolutionary Federal Acquisition Regulation (FAR) Overhaul (RFO) for Parts 1, 2, 4, 22, 39, 40, and 53 includes a revised proposed FAR Controlled Unclassified Information (CUI) rule.
  • The revised proposed rule would extend CUI incident reporting to 72 hours, permit supplemental incident reports, and delete a clause requiring contractors to identify and report potential CUI received under a contract.
  • The FAR Council continues to seek industry feedback on incident reporting requirements, subcontractor flow downs, identification of CUI, and application of the rule to cloud services and telecommunications.
  • With another chance to comment before the rule is finalized, contractors that handle CUI should consider evaluating the revised rule and submitting comments by July 23, 2026.

On June 23, 2026, the Federal Acquisition Regulation (FAR) Council initiated formal notice-and-comment rulemaking for the Revolutionary FAR Overhaul (RFO) and issued the first four proposed rules. As part of the anticipated changes to FAR Part 40, the FAR Council has included a revised FAR CUI Rule (proposed rule), first issued in January 2025. The proposed rule received public comments then, but the RFO proposed rules reopen the public comment period and give contractors and other interested parties another opportunity to weigh in on requirements that might impact how controlled unclassified information (CUI) is handled. Comments are due July 23, 2026.

As previously covered in our January 2025 and March 2025 GT Alerts discussing the FAR CUI rule, the proposed rule would standardize cybersecurity requirements for identifying, safeguarding, and reporting incidents involving CUI for all federal contractors and subcontractors. The proposed rule would also introduce new procedures and define responsibilities for both contractors and the government personnel who handle CUI. The proposed rule includes a standard form that would accompany solicitations to identify CUI involved in the contract, safeguarding obligations, and marking requirements.

Proposed Rule Revisions

While the revised proposed rule includes much of the same structure and content as the initial version, several changes reflect feedback from industry stakeholders. 

  • CUI Incident Reporting Timeline. The proposed rule would require contractors to report a suspected or confirmed CUI incident. The initial proposed rule would have imposed an eight-hour reporting requirement. The revised proposed rule would increase the timeline to 72 hours from discovery, which aligns with related incident reporting requirements such as DFARS 252.204-7012 and the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The proposed rule would require that parties complete incident reporting through a portal hosted by the Cybersecurity and Infrastructure Security Agency, except for incidents under DoD contracts, which would instead be reported through the DoD portal. The proposed rule would carve out an exception to the 72-hour reporting requirement for FedRAMP incidents, which are reported using FedRAMP procedures. The proposed rule would also remove key provisions relating to financial liability, protection of contractor information, and government use of third parties.
  • Initial and Follow-up Reporting Content. The proposed rule would update the incident reporting procedures, requiring the contractor to submit with the first report as many of the applicable data elements as are available at the time. If the first report does not contain all the applicable data elements, or some of the information changes after the investigation is substantially complete, the contractor would be required to submit a subsequent report containing the updated or new information. The proposed rule would require preservation of information related to a CUI incident for at least 90 days.
  • Deletes Identification and Reporting Clause. The clause at FAR 52.240-YY, Identifying and Reporting Information That Is Potentially Controlled Unclassified Information, has been deleted. This clause would have applied to contracts where no CUI is involved in contract performance. The removal of this clause would relieve contractors and subcontractors of the obligation to notify the government if there appears to be unmarked or mismarked CUI or a suspected CUI incident related to information handled by the contractor in performance of the contract.
  • Would Impose National Institute of Standards and Technology (NIST) SP 800-171 rev. 3. The proposed rule would require contractors to protect CUI on non-federal systems using the security requirements of NIST SP 800-171 rev. 3. This is a key change from the original rule and deviates from DoD’s standard, which requires security controls consistent with NIST SP 800-171 rev. 2 pursuant to a class deviation. If the proposed rule takes effect, DoD’s regulations may be revised to reflect the latest version of NIST SP 800-171. However, it is possible there may be a period where the requirements do not align. On the other hand, the proposed rule clarifies that the organizationally defined parameters (ODPs) provided by DoD would apply, which would harmonize ODPs across federal agencies.
  • Would Allow Contractors to Identify Conflicting Obligations. Perhaps in recognition of the potential disconnect between the FAR CUI rule and other regimes governing the protection of classified information, the proposed rule would allow contractors to notify the Contracting Officer within 72 hours if “they are not able to comply with any of the requirements in this clause due to conflict with another law or regulation.”

Requested Industry Feedback

The FAR Council seeks industry feedback on several areas that may impact how the final rule would operate in practice. These areas focus not only on the substance of a contractor’s CUI obligations, but also on how those obligations should be administered and correlate with other regulatory requirements. The FAR Council invites industry comments in the following areas:

  • CUI incident reporting. How contractors should identify and report CUI incidents, including issues involving subcontractors, unmarked or mismarked CUI, and location of CUI in a non-federally controlled facility.
  • Contractor obligations and risk. How the proposed requirements may impact training, liability, identification of proprietary information and its status as CUI, patents, and subcontract flow down obligations.
  • Technical and security controls. How the final rule should address enhanced controls using NIST SP 800-172, cloud services, virtual desktop infrastructure, and telecommunications providers transmitting CUI.
  • Government oversight and implementation. How agencies should implement and oversee compliance, including the use of Standard Form XXX, government access to contractor facilities and systems, government validation actions, the definition and interpretation of CUI, and consistency with other regulations.

Takeaways

If finalized, the proposed rule may have a notable impact on contractors who use and handle CUI. Some of the changes to the proposed rule appear to respond to industry feedback on the initially proposed FAR CUI rule. Contractors may wish to review the revised requirements and submit comments, citing “FAR Case 2026-001,” before the July 23, 2026, deadline so their feedback may be considered as the final version of the rule is developed.


*Special thanks to Government Contracts Project Assistant Kaitlyn Brooks for contributing to this GT Alert.