The FAR overhaul's proposed Controlled Unclassified Information (CUI) rule creates a single, government-wide framework for how contractors identify, safeguard, and report CUI — replacing today's agency-by-agency patchwork. Public comments close July 23, 2026. If you hold or pursue any federal contract that touches sensitive government data, this rule will reshape your compliance obligations.
I spent eighteen years in federal acquisition as a Contracting Specialist and Contracting Officer at GSA, IRS, DoD, and DOI, and CUI was one of the most inconsistently handled requirements I saw on both sides of the desk. Agencies marked documents differently, flowed down different clauses, and expected different safeguards. This rule is the government's attempt to end that. Here is what it actually changes and what to do before the comment window closes.
What is the proposed FAR CUI rule and where did it come from?
The rule implements the CUI Program — established by Executive Order 13556 and codified at 32 CFR Part 2002 — directly into the Federal Acquisition Regulation. It standardizes CUI identification, marking, safeguarding, incident reporting, and flowdown across all civilian and defense contracts, closing the gap that left non-DoD contractors without uniform requirements.
Until now, only the Department of Defense had a mature contractual CUI regime through DFARS 252.204-7012 and the Cybersecurity Maturity Model Certification (CMMC) program. Civilian agencies improvised. The proposed rule ends the improvisation:
- A standard CUI identification form. Agencies must tell you, in the solicitation, exactly what CUI the contract involves — you are no longer expected to guess.
- NIST SP 800-171 as the safeguarding baseline. The same security-control framework DoD contractors already know becomes the government-wide standard for CUI on contractor systems.
- A uniform incident-reporting clock. Suspected or confirmed CUI incidents must be reported on a standardized timeline instead of each agency's homegrown rule.
- Mandatory flowdown. Primes must flow CUI requirements to every subcontractor whose performance touches CUI.
Who does the proposed CUI rule affect?
Every contractor whose contract performance involves CUI — regardless of agency, contract type, or business size. GSA Schedule holders, civilian-agency service providers, and commercial-item sellers who never dealt with DFARS cyber clauses are the biggest group of newly affected firms.
| Contractor profile | Today | Under the proposed rule |
|---|---|---|
| DoD contractor with DFARS 252.204-7012 | NIST SP 800-171, 72-hour incident reporting, CMMC path | Largely aligned already — expect harmonized definitions and forms |
| Civilian-agency contractor (GSA, HHS, DHS, etc.) | Inconsistent agency-specific clauses, often silent on CUI | New: standard identification form, NIST SP 800-171 safeguarding, uniform reporting |
| Commercial products / COTS seller | Minimal exposure | Limited — but check whether order-level data (e.g., delivery schedules to secure sites) is designated CUI |
| Subcontractor at any tier | Flowdown varies by prime | Mandatory flowdown whenever performance touches CUI |
From the Contracting Officer seat, the firms that struggled most with new cybersecurity clauses were never the IT companies — they were professional-services firms holding personnel files, financial data, or agency program documents without realizing that material was CUI. If your staff handles government-furnished information of any kind, assume this rule reaches you.
What compliance evidence should you assemble now?
Do not wait for the final rule. The safeguarding baseline — NIST SP 800-171 — is already knowable, and the assessment, documentation, and subcontract mapping take months. Firms that start after award of a CUI-designated contract will be racing their own performance clock.
- Inventory where government data lives. Map every system, cloud tenant, and third-party tool that stores or transmits information received from an agency.
- Run a NIST SP 800-171 self-assessment. Score yourself against the 110 controls, produce a System Security Plan (SSP), and document Plans of Action and Milestones (POA&Ms) for gaps.
- Check your cloud stack. If CUI sits in commercial SaaS, confirm the provider can meet the safeguarding requirements — FedRAMP-authorized services are the safe harbor.
- Draft an incident-response procedure. Name the reporting official, the internal escalation path, and the evidence-preservation steps so a reporting clock never catches you flat-footed.
- Map your subcontractors. List every sub whose work could touch CUI and confirm your subcontract templates can carry the flowdown.
When I reviewed contractor incident reports as a Contracting Officer, the difference between a manageable event and a contract-threatening one was almost always documentation prepared in advance. The firms with a current SSP and a named reporting official resolved incidents in days. The firms that started writing their security plan after the incident spent months under agency scrutiny.
How does this rule interact with CMMC?
They are complementary, not duplicative. CMMC is DoD's verification mechanism — a third-party assessment that proves you actually implemented NIST SP 800-171. The FAR CUI rule sets the government-wide safeguarding obligation itself. Civilian agencies get the requirement now and could adopt CMMC-style verification later.
Practically: if you are already on a CMMC Level 2 path for DoD work, your investment transfers directly — the same 110 controls satisfy the proposed FAR baseline. If you are a civilian-only contractor, treat this rule as your early warning. The government's direction of travel is one standard for handling CUI and increasingly rigorous proof that you meet it. Congress is even weighing help for the smallest firms — a Senate proposal would fund CMMC Level 2 assessments for some small defense contractors — which tells you assessment costs are recognized as a real barrier, not an excuse.
Should you submit a comment before July 23?
Yes, if the rule's costs or ambiguities would hit your firm. Proposed rules genuinely change between proposal and final — but only in response to specific, documented comments filed through regulations.gov before the deadline. Generic objections accomplish nothing; cost data and concrete scenarios do.
Comments worth making, based on where I saw CUI friction from the government side:
- Small-business implementation cost. If a full NIST SP 800-171 implementation would cost your firm a material percentage of annual revenue, say so with numbers. Cost data is the single most persuasive input in rulemaking.
- Ambiguous CUI identification. If you have received contracts where the agency itself could not tell you what was CUI, describe the scenario and ask the rule to put the identification burden squarely on the government.
- Timeline realism. If the incident-reporting window is impractical for a firm without a 24/7 security operations center, propose an alternative with justification.
- Flowdown mechanics. If your subcontractors are commodity suppliers who never see CUI, ask for clear flowdown boundaries so the clause does not cascade needlessly.
What should GSA Schedule holders do specifically?
Expect the CUI clause to arrive in your contract through a future MAS refresh and mass modification — the same mechanism that delivered the TDR mandate and Refresh 32 changes. Position your Schedule now: confirm your catalog's data handling, get your SSP current, and price the compliance cost into your labor rates before the clause makes it non-negotiable.
Across our 70+ proven GSA contract awards, the pattern with every new compliance wave — TDR, the AI clause, now CUI — is the same: contractors who prepare during the proposed-rule stage absorb the change as paperwork, and contractors who wait absorb it as lost orders while their systems catch up. Order-level competitions increasingly ask for security posture even where the clause is not yet mandatory; a current NIST SP 800-171 self-assessment score is becoming a de facto discriminator. If you want help getting your Schedule compliance-ready before the mass mod lands, our team covers exactly this on our GSA Schedule maintenance page.
What is the bottom line?
- Comments close July 23, 2026. File specific, cost-backed comments at regulations.gov if the rule would burden your firm.
- NIST SP 800-171 is becoming the government-wide CUI baseline. Civilian contractors inherit what DoD contractors have lived with since 2017.
- Agencies must identify CUI up front. The standard identification form shifts the guessing burden off contractors.
- Start the self-assessment now. An SSP, POA&Ms, and a named incident-reporting official take months to build and days to demand.
- GSA Schedule holders: expect a mass mod. Prepare during the comment period, not after the clause lands in a refresh.
Frequently Asked Questions
What counts as Controlled Unclassified Information (CUI)?
CUI is information the government creates or possesses that requires safeguarding under law, regulation, or government-wide policy but is not classified. Categories are defined in the National Archives' CUI Registry and include controlled technical information, procurement-sensitive data, personnel records, and certain financial and legal information.
When do comments on the proposed FAR CUI rule close?
July 23, 2026. Submit comments through regulations.gov, referencing the FAR CUI rulemaking docket. Specific scenarios and cost data carry far more weight than general objections.
Does the rule apply to small businesses?
Yes. The safeguarding obligation follows the data, not the firm's size. Small businesses handling CUI must meet the same NIST SP 800-171 baseline, which is why implementation-cost comments from small firms are especially valuable during the comment period.
I only hold civilian-agency contracts. Does CMMC apply to me now?
No. CMMC remains a DoD verification program. The FAR CUI rule sets the safeguarding requirement government-wide, but civilian agencies have not yet adopted third-party certification. Implementing NIST SP 800-171 now prepares you for both.
How does CUI reach a GSA Schedule contract?
Through solicitation provisions and clauses added by MAS refreshes and mass modifications, then at the order level when an agency designates CUI in a task or delivery order. Expect ordering agencies to evaluate security posture even before the clause is universal.
What happens if a contractor mishandles CUI?
Consequences range from mandatory incident reporting and remediation to negative CPARS ratings, termination for default, and False Claims Act exposure if the contractor misrepresented its compliance. Documented, good-faith implementation is the strongest protection.
Is FedRAMP required for storing CUI in the cloud?
The safe answer: if CUI resides in a cloud service, use a FedRAMP-authorized offering or one that demonstrably meets equivalent controls. DoD practice under DFARS 252.204-7012 requires FedRAMP Moderate or equivalent, and the FAR rule points the same direction.