Alert

FAR Council Proposes Revised CUI Framework as Part of Revolutionary FAR Overhaul With Important Guidance and Clarifications

July 2, 2026

WHAT: On June 23, 2026, the Federal Acquisition Regulatory Council (FAR Council) published a proposed rule that would establish provisions in the FAR spelling out contractor obligations to safeguard Controlled Unclassified Information (CUI), providing needed clarity and guidance regarding expectations and obligations. The rule is one of several proposed rules (previously covered in our alert here) the FAR Council is issuing to implement Executive Order 14275, “Restoring Common Sense to Federal Procurement,” and the broader “Revolutionary FAR Overhaul.”

Under the proposed rule, contractors would be required to:

  • Report any CUI incidents within 72 hours of discovery;
  • Ensure contractor information systems that handle CUI meet the security requirements of NIST SP 800-171 Revision 3 (Rev. 3); and
  • Flow down security and incident notification requirements to subcontractors that will receive CUI.

The CUI provisions would be implemented through a new solicitation provision (FAR 52.240-6, Notice of Controlled Unclassified Information Requirements), a new contract clause (FAR 52.240-7, Controlled Unclassified Information), and a new Standard Form (SF XXX, Controlled Unclassified Information Requirements) that the procuring agency must complete to identify the CUI involved in a given contract. These clauses would impose obligations under acquisitions for which a contractor is expected to handle CUI, including contracts for commercial products and services (except those for commercially available off-the-shelf (COTS) items).  

WHEN: Comments on the proposed rule are due by July 23, 2026.

WHAT IT MEANS FOR INDUSTRY: The proposed rule would require the procuring activity to identify on a Standard Form XXX what CUI is expected to be involved in a contract and communicate any handling requirements. That Standard Form would then be incorporated into the solicitation and resulting contract. Industry has long been asking for additional guidance regarding CUI, and the use of the Standard Form may provide more clarity regarding CUI expectations. 

The proposed rule would also impose cybersecurity obligations under NIST SP 800-171 on a broader group of contractors than ever before. While last year’s proposed rule signaled this was coming, contractors should evaluate those security requirements and related compliance obligations now and prepare to implement and validate them.

The FAR Council has also removed several obligations that were proposed in its January 2025 proposed rule on CUI (which we covered here). These include a requirement mandating a one-size-fits-all CUI training approach, and a clause that would have required contractors, within eight hours of discovery, to identify and report information about CUI that is inaccurate, or information that is potentially CUI but had not been identified on the Standard Form.

Summary of the Proposed CUI Framework

The proposed rule’s provisions and clauses would reside in the expanded FAR Part 40, Information Security and Supply Chain Security (we cover other proposed updates to Part 40 here). It would consolidate into that Part the requirements for contractors to handle and safeguard CUI and report CUI incidents.

Use of a Standard Form to Identify CUI. Under the framework, the procuring activity would complete a Standard Form XXX for each procurement that would involve CUI. The form will indicate:

  • whether the contractor is expected to handle CUI under the contract (Part A);
  • whether CUI will be located within a “Federally-controlled” or non-Federally-controlled facility (Parts B and C);
  • contractor CUI marking responsibilities; and
  • whether the enhanced safeguarding requirements of NIST SP 800-172 will apply (Part D).

“Handling” CUI is defined in the proposed rule as any use of CUI, including accessing, processing, transmitting, safeguarding, re-using, and disposing of the CUI.

Contractors will be required to safeguard the CUI identified on the SF XXX. Contractors also would be required to inform the agency within 72 hours of discovery about information the contractor has reason to believe is unmarked or mismarked CUI, or of any inconsistencies between the SF XXX and any contract clauses. The contractor would have to safeguard information that appears to be unmarked or improperly marked as if it were CUI until the contracting officer determines whether that information is CUI.

Contractors would remain responsible for identifying information that they assert is contractor bid or proposal information or other contractor business proprietary information to the Government.

Leveraging NIST SP 800-171 Rev. 3 for Contractor Systems. The new clause 52.240-7(d) would require contractors to ensure that any contractor information systems that handle CUI meet certain security requirements, adding not only heightened cybersecurity requirements for many contractors but also related compliance obligations. The applicable safeguarding requirements will also depend on where the CUI resides and the nature of the information system on which it is handled. A contractor information system will be required to meet the requirements of NIST SP 800-171 Revision 3 and any other requirements identified in the contract. For contracts involving critical programs or high-value assets, agencies may add requirements to meet certain controls from NIST SP 800-172. Offerors that cannot meet all the requirements at the time they submit a proposal must include with the proposal a disclosure identifying any requirements they currently do not meet and a plan of action and milestones (POA&M) for achieving compliance.

The proposed rule also clarifies that certain assets are out of scope, such as endpoints hosting a virtual desktop infrastructure (VDI) client that is configured to prevent any processing, storage, or transmission of CUI beyond the keyboard/mouse/video sent to the VDI client.

Cloud Service Providers (CSPs). The proposed rule would require that any cloud services used to handle CUI must meet requirements equivalent to the FedRAMP Moderate baseline.

Reporting “CUI Incidents.” A CUI incident is defined as “unauthorized disclosure, improper modification, or improper destruction of CUI, in any form or medium, or unauthorized access to the information system on which the CUI resides.” The definition also states that “improper handling of CUI (e.g., unmarked or mismarked CUI)” would not constitute a CUI incident unless it results in one of those outcomes. This is likely a welcome change from the January 2025 proposed rule in several ways: for one, the definition of a CUI incident no longer includes “suspected” incidents; secondly, the proposed rule would carve out mishandling without other negative outcomes from the definition of a “CUI incident.”

Under the current proposed rule, contractors would be required to report CUI incidents within 72 hours of discovery of the incident; this is also an improvement from the January 2025 proposed rule, which would have required contractors to make incident reports within eight hours of discovery. Reports for civilian contracts would be made to a CISA web portal, while reports involving defense contracts would be submitted to the U.S. Department of Defense’s (DoD) DIBnet web portal. Contractors would be required to include “as many of the applicable data elements as identified in the applicable website that are available at the time” in their first report. If the requested information is not available at the time of the initial report, contractors must provide all available information in the initial report and, if the investigation later identifies material gaps, supplement that information through a subsequent report. The FAR Council notes in the proposed rule that the decision to adopt a 72-hour reporting requirement was based on industry comments on the January 2025 proposed rule, to standardize the FAR requirement with the timeline to report incidents under DFARS 252.204-7012 for defense contracts, to allow contractors sufficient time to determine whether an event qualifies as a CUI incident, and to help ensure that initial reports are more accurate and complete.

Contractors would also be required to notify the contracting officer when an incident report is submitted.

CUI incidents involving FedRAMP-authorized cloud computing service providers that follow the FedRAMP Incident Communication Procedures would not require additional reporting.

Additional incident response requirements. The proposed rule identifies additional requirements for contractors that have experienced a CUI incident. Contractors must determine and inventory what CUI was or could have been improperly accessed, construct a timeline of user activity, determine the methods used to access CUI, and cooperate with agency officials and provide information the agency determines is necessary to manage the CUI incident. Contractors must also preserve images of the affected information system for at least 90 days from the date of the incident report, or until the Government declines interest in obtaining the images.

Subcontract flowdowns. If a subcontractor will be handling CUI, the contractor must include in the subcontract the substance of FAR 52.240-7, without alteration except as to the party names, along with the relevant information from the SF XXX so that the subcontractor knows what CUI applies to the subcontract. Subcontractors would thereby be required to report CUI incidents directly to the Government and to notify both the contracting officer and the next higher-tier contractor of any CUI incident reports.

Interactions with other regulations. If there is any inconsistency with other regulations, contractors should “notify the contracting officer within 72 hours of determining that they are not able to comply with any of the requirements in this clause due to conflict with another law or regulation.” This required disclosure is intended to allow agencies to work with contractors on “alternative controls,” permitting flexibility when domestic or foreign law prevents compliance with CUI provisions.

Other changes from the January 2025 Proposed Rule.

Contractor Liability. Language specifying contractor liability for CUI incidents has been deleted.

Employee Trainings. The proposed rule would replace the mandated “one-size-fits-all” training approach with a more flexible framework, allowing contractors to tailor training programs to ensure their employees have the knowledge, skills, and abilities needed to handle CUI appropriately.

*                         *                         *

Given the accelerated 30-day comment period, contractors interested in shaping the final rule should begin preparing comments promptly. Contractors that handle CUI under existing or anticipated federal contracts should evaluate whether the proposed requirements would impact their incident response procedures, security controls for contractor information systems, and subcontract flow-downs and management. In proposing to incorporate NIST SP 800-171 Rev. 3 for security requirements, the proposed rule foreshadows that DoD would also make the shift in a separate rulemaking, and so contractors should continue to evaluate whether that shift necessitates any changes to their cybersecurity posture and practices.

Wiley's Government Contracts and Cybersecurity Practices will continue to monitor this rulemaking and related developments under the Revolutionary FAR Overhaul.

Tessa Jones, a Summer Associate at Wiley Rein LLP, contributed to this alert.
