
The Proposed FAR CUI Rule: What Contractors Must Review Before the July 23 Comment Deadline

The FAR overhaul's proposed Controlled Unclassified Information (CUI) rule creates a single, government-wide framework for how contractors identify, safeguard, and report CUI — replacing today's agency-by-agency patchwork. Public comments close July 23, 2026. If you hold or pursue any federal contract that touches sensitive government data, this rule will reshape your compliance obligations.

I spent eighteen years in federal acquisition as a Contracting Specialist and Contracting Officer at GSA, IRS, DoD, and DOI, and CUI was one of the most inconsistently handled requirements I saw on both sides of the desk. Agencies marked documents differently, flowed down different clauses, and expected different safeguards. This rule is the government's attempt to end that. Here is what it actually changes and what to do before the comment window closes.

What is the proposed FAR CUI rule and where did it come from?

The rule implements the CUI Program — established by Executive Order 13556 and codified at 32 CFR Part 2002 — directly into the Federal Acquisition Regulation. It standardizes CUI identification, marking, safeguarding, incident reporting, and flowdown across all civilian and defense contracts, closing the gap that left non-DoD contractors without uniform requirements.

Until now, only the Department of Defense had a mature contractual CUI regime through DFARS 252.204-7012 and the Cybersecurity Maturity Model Certification (CMMC) program. Civilian agencies improvised. The proposed rule ends the improvisation.

Who does the proposed CUI rule affect?

Every contractor whose contract performance involves CUI — regardless of agency, contract type, or business size. GSA Schedule holders, civilian-agency service providers, and commercial-item sellers who never dealt with DFARS cyber clauses are the biggest group of newly affected firms.

| Contractor profile | Today | Under the proposed rule |
| --- | --- | --- |
| DoD contractor with DFARS 252.204-7012 | NIST SP 800-171, 72-hour incident reporting, CMMC path | Largely aligned already — expect harmonized definitions and forms |
| Civilian-agency contractor (GSA, HHS, DHS, etc.) | Inconsistent agency-specific clauses, often silent on CUI | New: standard identification form, NIST SP 800-171 safeguarding, uniform reporting |
| Commercial products / COTS seller | Minimal exposure | Limited — but check whether order-level data (e.g., delivery schedules to secure sites) is designated CUI |
| Subcontractor at any tier | Flowdown varies by prime | Mandatory flowdown whenever performance touches CUI |

From the Contracting Officer seat, the firms that struggled most with new cybersecurity clauses were never the IT companies — they were professional-services firms holding personnel files, financial data, or agency program documents without realizing that material was CUI. If your staff handles government-furnished information of any kind, assume this rule reaches you.

What compliance evidence should you assemble now?

Do not wait for the final rule. The safeguarding baseline — NIST SP 800-171 — is already knowable, and the assessment, documentation, and subcontract mapping take months. Firms that start after award of a CUI-designated contract will be racing their own performance clock.

  1. Inventory where government data lives. Map every system, cloud tenant, and third-party tool that stores or transmits information received from an agency.
  2. Run a NIST SP 800-171 self-assessment. Score yourself against the 110 controls, produce a System Security Plan (SSP), and document Plans of Action and Milestones (POA&Ms) for gaps.
  3. Check your cloud stack. If CUI sits in commercial SaaS, confirm the provider can meet the safeguarding requirements — FedRAMP-authorized services are the safe harbor.
  4. Draft an incident-response procedure. Name the reporting official, the internal escalation path, and the evidence-preservation steps so a reporting clock never catches you flat-footed.
  5. Map your subcontractors. List every sub whose work could touch CUI and confirm your subcontract templates can carry the flowdown.

When I reviewed contractor incident reports as a Contracting Officer, the difference between a manageable event and a contract-threatening one was almost always documentation prepared in advance. The firms with a current SSP and a named reporting official resolved incidents in days. The firms that started writing their security plan after the incident spent months under agency scrutiny.

How does this rule interact with CMMC?

They are complementary, not duplicative. CMMC is DoD's verification mechanism — a third-party assessment that proves you actually implemented NIST SP 800-171. The FAR CUI rule sets the government-wide safeguarding obligation itself. Civilian agencies get the requirement now and could adopt CMMC-style verification later.

Practically: if you are already on a CMMC Level 2 path for DoD work, your investment transfers directly — the same 110 controls satisfy the proposed FAR baseline. If you are a civilian-only contractor, treat this rule as your early warning. The government's direction of travel is one standard for handling CUI and increasingly rigorous proof that you meet it. Congress is even weighing help for the smallest firms — a Senate proposal would fund CMMC Level 2 assessments for some small defense contractors — which tells you assessment costs are recognized as a real barrier, not an excuse.

Should you submit a comment before July 23?

Yes, if the rule's costs or ambiguities would hit your firm. Proposed rules genuinely change between proposal and final — but only in response to specific, documented comments filed through regulations.gov before the deadline. Generic objections accomplish nothing; cost data and concrete scenarios do.

Comments worth making, based on where I saw CUI friction from the government side:

What should GSA Schedule holders do specifically?

Expect the CUI clause to arrive in your contract through a future MAS refresh and mass modification — the same mechanism that delivered the TDR mandate and Refresh 32 changes. Position your Schedule now: confirm your catalog's data handling, get your SSP current, and price the compliance cost into your labor rates before the clause makes it non-negotiable.

Across our 70+ proven GSA contract awards, the pattern with every new compliance wave — TDR, the AI clause, now CUI — is the same: contractors who prepare during the proposed-rule stage absorb the change as paperwork, and contractors who wait absorb it as lost orders while their systems catch up. Order-level competitions increasingly ask for security posture even where the clause is not yet mandatory; a current NIST SP 800-171 self-assessment score is becoming a de facto discriminator. If you want help getting your Schedule compliance-ready before the mass mod lands, our team covers exactly this on our GSA Schedule maintenance page.

What Is the Bottom Line?

Frequently Asked Questions

What counts as Controlled Unclassified Information (CUI)?

CUI is information the government creates or possesses that requires safeguarding under law, regulation, or government-wide policy but is not classified. Categories are defined in the National Archives' CUI Registry and include controlled technical information, procurement-sensitive data, personnel records, and certain financial and legal information.

When do comments on the proposed FAR CUI rule close?

July 23, 2026. Submit comments through regulations.gov, referencing the FAR CUI rulemaking docket. Specific scenarios and cost data carry far more weight than general objections.

Does the rule apply to small businesses?

Yes. The safeguarding obligation follows the data, not the firm's size. Small businesses handling CUI must meet the same NIST SP 800-171 baseline, which is why implementation-cost comments from small firms are especially valuable during the comment period.

I only hold civilian-agency contracts. Does CMMC apply to me now?

No. CMMC remains a DoD verification program. The FAR CUI rule sets the safeguarding requirement government-wide, but civilian agencies have not yet adopted third-party certification. Implementing NIST SP 800-171 now prepares you for both.

How does CUI reach a GSA Schedule contract?

Through solicitation provisions and clauses added by MAS refreshes and mass modifications, then at the order level when an agency designates CUI in a task or delivery order. Expect ordering agencies to evaluate security posture even before the clause is universal.

What happens if a contractor mishandles CUI?

Consequences range from mandatory incident reporting and remediation to negative CPARS ratings, termination for default, and False Claims Act exposure if the contractor misrepresented its compliance. Documented, good-faith implementation is the strongest protection.

Is FedRAMP required for storing CUI in the cloud?

The safe answer: if CUI resides in a cloud service, use a FedRAMP-authorized offering or one that demonstrably meets equivalent controls. DoD practice under DFARS 252.204-7012 requires FedRAMP Moderate or equivalent, and the FAR rule points the same direction.

Work With a Former CO Who's Been There

Navigating GSA Schedule strategy doesn't have to be a guessing game. Book a free strategy call with Pedro and let's talk about where you stand.
