FAR Council Releases Updated CUI Proposed Rule as Part of the Revolutionary FAR Overhaul
Time 8 Minute Read
Categories: Regulatory

As we noted last week, the FAR Council released proposed rules remaking 19 separate FAR parts. Included in the first tranche of proposed rules under the Revolutionary FAR Overhaul (RFO), the Federal Acquisition Regulatory (FAR) Council has released a significantly revised proposed rule governing the protection of Controlled Unclassified Information (CUI) by civilian contractors. Published on June 23, 2026, at 91 FR 37550, this version updates and supersedes the standalone proposed rule that the FAR Council issued in January 2025 (90 FR 4278, FAR Case 2017-016). The comment deadline for the new proposed rule is July 23, 2026.

The CUI proposed rule has been long in coming. Its origins trace back to Executive Order 13556 (2010), which established a governmentwide CUI program to standardize how executive agencies handle sensitive but unclassified information. While NIST SP 800-171 and the DFARS clause at 252.204-7012 imposed CUI-related obligations on defense contractors, civilian contractors faced a patchwork of inconsistent, agency-specific requirements with no uniform FAR-level framework. The January 2025 proposed rule was the first serious attempt to close that gap. This new revision addresses public comments on that earlier version and integrates the CUI requirements into the streamlined architecture of the RFO.

New Home: FAR Part 40

One of the most structurally significant changes from the January 2025 version is where the CUI requirements now live. The earlier proposed rule placed the CUI provisions within FAR Part 4 (Administrative and Information Matters). The June 2026 version relocates them to an expanded and reorganized FAR Part 40, Information Security and Supply Chain Security, which now contains three subparts: (1) Processing Supply Chain Risk Information, (2) Security Prohibitions and Exclusions, and (3) Safeguarding Information.

This consolidation is consistent with the RFO’s broader goal of creating logical, lifecycle-based organization within the FAR. By housing CUI requirements in Part 40 alongside the Section 889 telecommunications ban, the Federal Acquisition Supply Chain Security Act (FASCSA) rules, and drone prohibitions, the FAR Council has created a single authoritative location for national security-oriented contracting controls. Contractors and contracting officers will no longer need to cross-reference multiple FAR parts to understand their full suite of information security obligations.

The SF XXX Standard Form and Core Clause Framework

Both the January 2025 and June 2026 versions retain the SF XXX, Controlled Unclassified Information Requirements, as the cornerstone mechanism for communicating CUI obligations to contractors. The SF XXX is a standardized form that contracting officers must complete for every solicitation and contract, identifying whether CUI will be involved in contract performance, which CUI categories are at issue, where the CUI will reside, and the applicable safeguarding and reporting requirements. The consistency of this mechanism across both versions reflects the FAR Council’s view that a uniform disclosure vehicle is essential to replacing the ad hoc, agency-specific approaches that have long plagued civilian CUI administration.

The June 2026 version pairs the SF XXX with updated contract clauses now designated as FAR 52.240-6 and FAR 52.240-7. Where CUI will be involved in performance, contracting officers must include FAR 52.240-7 in the contract, which incorporates the substantive safeguarding and incident-reporting requirements. The June 2026 version eliminates proposed clause FAR 52.204-YY (Identifying and Reporting Information That Is Potentially Controlled Unclassified Information) that appeared in the January 2025 version. That clause would have imposed obligations on contractors in contracts where no CUI was identified but CUI might nonetheless be encountered. Its removal simplifies the framework and responds to contractor concerns about open-ended obligations. That being said, there are still obligations for contractors to notify the contracting officer when CUI is not properly marked.

Key Changes from the January 2025 Proposed Rule

The FAR Council incorporated public comments from the 93 respondents to the January 2025 rule, resulting in several notable revisions:

  • Incident Reporting Timeline: 72 Hours, Not 8. The January 2025 proposed rule required contractors to report suspected CUI incidents within 8 hours of discovery—a timeline that drew significant pushback from commenters as insufficient to investigate, triage, and accurately characterize a potential incident. The June 2026 rule revises this to 72 hours, aligning with the reporting framework under DFARS 252.204-7012 and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The rule also clarifies that contractors must submit whatever applicable data elements are available at the time of the initial report, with supplemental reports required if additional information becomes available after the investigation is substantially complete. This tiered approach is a meaningful improvement that balances speed of disclosure with the practicalities of incident response.
  • Consolidation and Standardization of Security Timelines. By moving CUI requirements into Part 40 alongside the other security prohibitions, the June 2026 rule creates a uniform 72-hour reporting timeline that now applies consistently across both security-prohibition-related reports (e.g., the Section 889 telecommunications ban) and CUI incident reports. This cross-program harmonization reduces compliance complexity for contractors that are subject to multiple security requirements simultaneously.
  • NIST SP 800-171 Rev. 3 as the Baseline. Both versions require contractors whose SF XXX identifies CUI to implement NIST SP 800-171, but this revised rule requires compliance with the newer Rev. 3. And a limited number of contractors handling CUI associated with critical programs or high-value assets may also be subject to the enhanced requirements of NIST SP 800-172. If the rule is finalized as is, contractors already compliant with Rev. 2 will have to explore the delta between the two versions of NIST SP 800-171 to ensure compliance with both control regimes.
  • Subcontract Flow-Down Obligations. Both versions require prime contractors to flow down CUI requirements through all subcontract tiers where subcontractors will handle CUI. Prime contractors must prepare and distribute an SF XXX to downstream subcontractors identifying the CUI involved. This mirrors the flow-down model under DFARS 7012 and creates a supply-chain-wide compliance obligation. The FAR Council estimates that approximately 7,560 subcontractors will be subject to these requirements each year.
  • Contractor Liability for CUI Incidents. The previous version specified that contractors determined to be at fault for a CUI incident may be held financially liable for costs incurred by the government in responding and mitigating damages. While this updated version removes that language, it does not mean that contractors could not be held responsible for cybersecurity incidents—especially if they are rooted in a failure to institute required cybersecurity controls. This is especially true given the broader cybersecurity enforcement posture and should prompt contractors to assess the adequacy of their indemnification and cyber insurance arrangements.
  • Broad Applicability, Including Commercial Acquisitions. Both versions apply the CUI clauses to contracts for commercial products and services, with a narrow exception for contracts solely for commercially available off-the-shelf (COTS) items. This means the vast majority of federal contractors—civilian and defense, commercial and non-commercial—will be subject to these requirements if their contracts involve CUI.

When the previous version of the proposed CUI rule was released, the FAR Council estimated the cost of implementing NIST SP 800-171 Rev 2. For small businesses, the initial year would require a $148,200 investment and $543,400 for other than small businesses. The annual recurring costs were estimated to be $98,800 for small businesses and $494,000 for other than small businesses. This is obviously a significant investment to continue doing business with the federal government when handling CUI.

What’s Next?

Comments on the June 2026 CUI proposed rule are due by July 23, 2026, along with comments on the other RFO proposed rules released as part of the same package. Given the breadth of changes from the January 2025 version and the compressed 30-day comment window, contractors should prioritize reviewing the updated SF XXX mechanism, the revised incident reporting requirements, and the cloud services provisions. Contractors that submitted comments in response to the January 2025 rule should assess whether the June 2026 version adequately addresses those earlier concerns or whether renewed engagement is warranted.

The FAR Council expects to finalize the RFO rules, including the CUI requirements, before the end of 2026. Once finalized and adopted by agencies in new contracts, there will be no phase-in period: contractors handling CUI under covered contracts will need to comply as soon as the new versions of the FAR are inserted into contracts. Contractors that are not already implementing NIST SP 800-171 across their federal practice and that have not yet assessed their cloud service providers’ FedRAMP compliance should begin those efforts now. Given that the DFARS framework has long imposed similar requirements on defense contractors, companies with mature DFARS 7012 compliance programs will have a meaningful head start, though civilian-specific nuances in the SF XXX and Part 40 structure will still require attention.

Hunton Andrews Kurth will continue to monitor the RFO rulemaking process and will provide further analysis of other components of the June 2026 proposed rules in upcoming posts. Please contact our government contracts team with any questions.

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Authors

Archives

Jump to Page