2026年7月15日

FAR Council Proposes Revised CUI Safeguarding and Incident-Reporting Framework, While DoW Pauses CMMC Implementation

Share

On June 23, 2026, the Federal Acquisition Regulatory Council (FAR Council) published a Proposed Rule that would establish a government-wide framework for safeguarding Controlled Unclassified Information (CUI) and reporting CUI incidents. These obligations traditionally have applied to defense contractors, but would now impact civilian-agency contractors as well. The proposal is one of a series of rules the FAR Council is issuing to implement Executive Order 14275, Restoring Common Sense to Federal Procurement, and the broader “Revolutionary FAR Overhaul.” Comments are due July 23, 2026.

Meanwhile, as discussed at the end of this Legal Update, on July 13, 2026, the Department of War (DoW) announced a suspension of the implementation of the Cybersecurity Maturity Model Certification (CMMC) program. Although defense contractors remain obligated to handle CUI and report incidents under DFARS clause 252.204-7012, the requirement to obtain a third-party assessment of their compliance with the controls of NIST SP 800-171 is being held in abeyance pending a “top-to-bottom” review of the CMMC program.

Background

CUI is a category of unclassified information created by statute, regulation, or government-wide policy that requires safeguarding or dissemination controls but does not qualify for classification under Executive Order 13556. Common examples include personally identifiable information (PII), export-controlled technical data, law enforcement sensitive information, and certain financial records.

In broad strokes, the Proposed Rule would expand the universe of contractors subject to standardized CUI requirements, which have applied to defense contractors for nearly a decade. Although DoW has imposed NIST SP 800-171-based requirements through the DFARS since 2017, many civilian agency contractors have operated without comparable mandates. The new framework would bring civilian contractors handling CUI under contracts for commercial products and services within the CUI safeguarding regime for the first time, potentially affecting thousands of vendors across the federal supply base.

The Proposed Rule would require covered contractors to: (i) ensure that contractor information systems handling CUI meet the security requirements of NIST SP 800-171 Revision 3 (Rev. 3); (ii) report CUI incidents within 72 hours of discovery; and (iii) flow down the safeguarding and reporting obligations to subcontractors that will receive CUI. Notably, the proposed clauses could apply to contracts for commercial products and services, excepting only commercially available, off-the-shelf (COTS) items.

The FAR Council first unveiled a government-wide CUI rule in January 2025, following another proposal for standardizing cybersecurity requirements for federal information systems in 2023 that we discussed in a prior Legal Update. The current proposal revises that January 2025 approach and folds the CUI requirements into an expanded FAR Part 40, Information Security and Supply Chain Security. The CUI provisions would be implemented through a new solicitation provision (FAR 52.240-6, Notice of Controlled Unclassified Information Requirements), a new contract clause (FAR 52.240-7, Controlled Unclassified Information), and a new Standard Form (SF XXX) that the procuring agency must complete to identify the CUI involved in a given contract.

The proposal continues a broader push toward standardizing federal cyber and supply-chain requirements that we have tracked across the current Administration’s procurement agenda, including the shifting compliance landscape we outlined in our overview of what US federal contractors can expect in 2026 and beyond and highlighted in our analysis of the Cyber Strategy for America.

Using a Standard Form to Identify CUI

Under the Proposed Rule’s framework, the contracting agency would complete an SF XXX for each procurement expected to involve CUI, and that form would be incorporated into the solicitation and resulting contract. This approach could be welcome news for contractors, who have long struggled to identify what information constitutes CUI and triggers cybersecurity compliance obligations. Instead of navigating ambiguous marking practices and inconsistent agency guidance, contractors would receive clearer direction up front: the form would identify the CUI the contractor is expected to handle, indicate whether the CUI will reside in a federally controlled or non-federally controlled facility, specify the contractor’s marking responsibilities, and note whether enhanced NIST SP 800-172 requirements apply. “Handling” is defined broadly to include any use of CUI, such as accessing, processing, transmitting, safeguarding, re-using, and disposing of it.

Contractors would have to safeguard the CUI identified on the SF XXX, and would be required to inform the agency within 72 hours of discovering information they believe is unmarked or mismarked CUI, or any inconsistency between the SF XXX and the contract clauses. Pending a contracting officer’s determination, contractors would treat apparently unmarked or improperly marked information as if it were CUI. Contractors would remain responsible for their own bid, proposal, and business-proprietary information submitted to the Government, including any applicable identification and marking obligations.

NIST SP 800-171 Rev. 3 for Contractor Systems

The new clause at FAR 52.240-7(d) would require contractor information systems that handle CUI to meet the security requirements of NIST SP 800-171 Rev. 3, plus any additional requirements identified in the contract. For contracts involving critical programs or high-value assets, agencies could layer on selected controls from NIST SP 800-172. The applicable requirements would depend in part on where the CUI resides and the nature of the system handling it. Offerors unable to meet all requirements at proposal submission would have to disclose the gaps and provide a plan of action and milestones (POA&M) for achieving compliance.

The proposed rule would clarify that certain assets are out of scope. For example, endpoints hosting virtual desktop infrastructure (VDI) configured so that no CUI is processed, stored, or transmitted beyond the keyboard, mouse, and video sent to the VDI client would fall outside the rule’s coverage. Separately, any cloud services used to handle CUI would need to meet requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.

Contractors currently subject to the DFARS cyber clause at 252.204-7012 should note that the proposed FAR rule largely tracks the DFARS requirements, but incorporates several updates. Both regimes require NIST SP 800-171 compliance and 72-hour incident reporting, though the DFARS clause currently references Rev. 2 while this proposal mandates Rev. 3. The third revision, published in May 2024, reorganizes the security requirements into 17 control families (up from 14) and introduces new requirements addressing topics such as software inventory, system use restrictions, and enhanced access control. Contractors already maintaining a Rev. 2-compliant environment should expect some implementation effort to meet the more recent Rev. 3 baseline.

Reporting CUI Incidents

A “CUI incident” would be defined as the unauthorized disclosure, improper modification, or improper destruction of CUI, or unauthorized access to the information system on which CUI resides. Importantly, the definition would carve out improper handling of CUI (such as unmarked or mismarked CUI) that does not result in unauthorized disclosure, improper modification, improper destruction, or unauthorized access. The definition also drops the January 2025 proposal’s reference to “suspected” incidents.

Contractors would report CUI incidents within 72 hours of discovery, an increase from the eight-hour window in the January 2025 proposal. The FAR Council explains that this timeline was chosen to align with the reporting requirements under DFARS 252.204-7012 for defense contracts and to allow more accurate initial reports. Reports on civilian contracts would go to a CISA web portal, while defense-contract reports would continue to go to the DoW’s DIBnet portal. Contractors would provide the available data elements in the initial report and supplement later if the investigation identifies material gaps, and would notify the contracting officer when a report is submitted. Incidents involving FedRAMP-authorized cloud providers that follow the FedRAMP Incident Communication Procedures would not require additional reporting.

Contractors that experience a CUI incident would face additional response obligations: determining and inventorying the CUI that was or could have been accessed; constructing a timeline of user activity; identifying the methods used to access the CUI; cooperating with agency officials; and preserving images of affected systems for at least 90 days from the report (or until the Government declines interest).

Subcontract Flowdowns and Conflicting Laws

Where a subcontractor will handle CUI, the contractor would be required to include the substance of FAR 52.240-7 in the subcontract without alteration, except as to party names and relevant SF XXX information. Subcontractors would report CUI incidents directly to the Government and notify both the contracting officer and the next higher-tier contractor. If a requirement conflicts with another law or regulation—including foreign law—contractors must notify the contracting officer that they are unable to comply with the requirements of this clause within 72 hours of such a determination, allowing agencies to work with them on alternative controls.

Contractors should also consider interactions with state data breach notification laws. Most states require notification to affected individuals and state regulators within specified timeframes—often 30 to 60 days—following a breach involving personal information. Where a CUI incident also constitutes a breach under state law, contractors may face parallel reporting obligations with different timelines, content requirements, and recipient agencies. Coordination between cybersecurity, legal, and compliance teams will be essential to ensure timely and consistent responses.

Notable Changes from the January 2025 Proposal

There are several notable changes from the January 2025 proposal, some of which appear to have been prompted by industry feedback:

  • Incident-reporting window: Extended from eight hours to 72 hours of discovery.
  • “CUI incident” definition: Narrowed to exclude “suspected” incidents and improper handling that does not result in actual disclosure, modification, destruction, or unauthorized access.
  • Subcontractor reporting: Subcontractors will now report directly to the Government, in addition to the contracting officer and the next higher-tier subcontractor, instead of reporting only to the prime contractor or next higher-tier subcontractor.
  • Contractor liability: Language specifying contractor liability for CUI incidents has been removed.
  • Training: The mandated “one-size-fits-all” training approach is replaced with a flexible framework letting contractors tailor training to their workforce.
  • Eight-hour mismarking reports: The proposal drops the prior requirement to identify and report inaccurate or unidentified potential CUI within eight hours.
  • FedRAMP carve-out: No additional reporting of incidents is required if FedRAMP procedures are followed.

CMMC Suspension and Enforcement Considerations

Meanwhile, defense contractors face fresh uncertainty after DoW announced a suspension of the next phase of the CMMC program. Less than a year ago, DoW published a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements to implement the CMMC program. In yet another twist in the evolution of the CMMC program, on July 13, 2026, DoW announced a suspension Phase 2 of the CMMC requirements, which would have required third-party cybersecurity certifications across all contracts involving sensitive but unclassified information starting November 10, 2026. In its place, DoW launched a 60-day “top-to-bottom” review of the CMMC program. In a memo signed by DoW Chief Information Officer Kirsten Davies, the Pentagon characterized the current CMMC program as “structurally incompatible” with the Department’s need to rapidly expand the defense industrial base, citing prohibitive compliance costs and severe shortages in third-party assessment capacity that are “actively forcing innovative new entrants and small businesses to opt out of DoW contracts.”

The Phase 1 self-assessment requirements, which went into effect in November 2025, remain in force. In addition, the memorandum notes that, “[t]he cybersecurity requirements outlined in DFARS clause 252.204-7012 [Safeguarding Covered Defense Information and Cyber Incident Reporting] are still in effect,” meaning that contractors remain obligated to truthfully report whether they are meeting the 110 controls of NIST SP 800-171 Rev. 2 and to meet their CUI handling and reporting obligations under the clause. The memorandum also warns that DoW “will continue enforcing baseline compliance with through DIB self-assessments and select government-led assessments,” and, as we have noted in prior Legal Updates, false certifications of compliance with those NIST controls have been a frequent basis for False Claims Act investigations and settlements with the Department of Justice.

Takeaways

Federal contractors should continue to monitor developments under the Proposed Rule and CMMC, as the CMMC review could result in changes to the third-party assessment framework and/or inform the evolution of the Proposed Rule for civilian contractors.

The Proposed Rule for civilian contractors does not specify penalties for non-compliance, though civilian contractors should be aware that CUI incidents and compliance failures could expose them to contract termination, suspension or debarment proceedings, or False Claims Act liability if they misrepresent their security posture, as multiple defense contractors have seen.

Although the DoW suspension of Phase 2 of the CMMC program eliminates—for now, at least—the requirement to obtain a third-party (or “C3PAO”) assessment of compliance with NIST SP 800-171, the DFARS’s CUI handling and reporting obligations remain in place. In fact, the proposed expansion of those requirements in the Proposed Rule would extend NIST SP 800-171-based cybersecurity obligations to a broader set of contractors, including many commercial-item contractors, and would add meaningful validation and POA&M compliance mechanics. The introduction of an agency-completed SF XXX responds to industry’s longstanding request for clearer articulation of CUI expectations, which many defense contractors would likewise welcome.

The Proposed Rule does not forecast a timeline for implementation, so contractors should watch for compliance timelines when the Final Rule is released. Given the accelerated 30-day comment period closing July 23, 2026, contractors interested in shaping the Proposed Rule should prepare comments promptly. Contractors that handle CUI under existing or anticipated contracts should also assess whether the proposed requirements would affect their incident response procedures, system security controls, and subcontract flow-down management, and whether the move to NIST SP 800-171 Rev. 3 warrants changes to their current cybersecurity posture.

Mayer Brown will continue to monitor this rulemaking, the broader Revolutionary FAR Overhaul, and the CMMC program review.

最新のInsightsをお届けします

クライアントの皆様の様々なご要望にお応えするための、当事務所の多分野にまたがる統合的なアプローチをご紹介します。
購読する