Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherJoin the NetworkGet StartedSubscribeSupport
Contact Us
Search
Close

Proposed FAR Part 40 Rule: Consolidation of Supply Chain Security and Information Security Requirements and New Changes to the Rules

By Susan B. Cassidy, Ashden Fein, Ryan Burnette, Darby Rourick, Krissy Chapman & Eunsun Cho on July 13, 2026
Email this postTweet this postLike this postShare this post on LinkedIn

On June 23, 2026, the Federal Acquisition Regulatory Council (“FAR Council”) issued proposed rules covering several parts of the Federal Acquisition Regulation (“FAR”).  The proposed rules mark the beginning of the long-awaited notice-and-comment phase of the Revolutionary FAR Overhaul (“RFO”).  This blog post, focusing on FAR Part 40, provides an overview of the proposed changes to the regulations and the associated contract clauses in FAR Part 52, including the inclusion of requirements around the handling of Controlled Unclassified Information (“CUI”).

Developments Before the Proposed Rule

Despite its broad title, the current version of FAR Part 40, “Information Security and Supply Chain Security,” only contains requirements relating to the American Security Drone Act of 2023.  Other security-related supply chain restrictions, including those implementing Section 889 of the FY19 NDAA, and the Federal Acquisition Supply Chain Security Act (“FASCSA”), are referenced in FAR Part 40, but the substantive requirements appear elsewhere in the FAR.  Similarly, on the information security side, the current version of the FAR includes requirements for the safeguarding of Federal Contract Information in Part 4, rather than in FAR Part 40. 

Further, the current version of the FAR does not presently include any specific requirements for the protection of CUI.  Contractor obligations regarding CUI have instead largely been implemented by individual agencies, including, for example, by the Department of War (“DoW”) in the Defense Federal Acquisition Regulation Supplement.  Before the RFO process began, the FAR Council issued a proposed rule in January 2025 to standardize contractor obligations to safeguard CUI (“January 2025 proposed rule”).

When the FAR Council published the RFO model deviations last year, the Part 40 text included major structural changes.  Notably, the deviation text consolidated the various supply chain security requirements that were previously in Parts 4, 25, and 40 into a single subpart under Part 40.  The deviation text also signaled a consolidation of information security requirements, by moving the requirements for classified information under FAR Subpart 4.4 to Part 40.  

Proposed Rule for Part 40

We explain key changes below in each of the subparts: Processing Supply Chain Risk Information (Subpart 40.1), Security Prohibitions and Exclusions (Subpart 40.2); and Safeguarding Information (Subpart 40.3).  

Subpart 40.1 Processing Supply Chain Risk Information

The proposed Subpart 40.1 now contains the current regulations found under Subpart 4.23, which requires interagency sharing of supply chain risk information.

Subpart 40.2 Security Prohibitions and Exclusions

As noted, the proposed rule now consolidates supply chain security restrictions under Parts 4, 25, and 40 into one clause under Subpart 40.2.  The clause categorizes the restrictions based on the nature of their operation:

  1. Prohibitions on providing or using specific products or services in performance of a contract (52.240-3(b)),
  2. Prohibition on unmanned aircraft systems manufactured or assembled by American Security Drone Act-covered foreign entities. (52.240-3(c)),
  3. Prohibition on using or providing specific products or services or conducting certain transactions regardless of connection to contract (52.240-3(d)), and
  4. Government exclusion and removal orders and covered procurement actions under FASCSA (52.240-3(e) and (f)).

In the current FAR, the standard that contractors must follow to determine whether prohibited products or services are being used in their supply chains depends on the restriction, and the requirements for reporting instances of non-compliance also vary.  The proposed rule addresses these inconsistencies by imposing a uniform reasonable inquiry requirement across all prohibitions and a 72-hour reporting timeframe for all supply chain security restrictions.  “Reasonable inquiry”, as referred to in the proposed rule, essentially adopting the standard that was in the regulations addressing Section 889’s use prohibition, requires the offeror or the contractor to “look[] at any information in the Offeror’s possession that is accessible but does not need to include an internal or third-party audit.”

Notably, the proposed rule also makes substantive updates to the Section 889 prohibitions and exceptions, as well as implementation of the FASCSA.

Regarding the Section 889 prohibitions, the uniform reasonable inquiry standard discussed above means the inquiry requirements have also been harmonized within Section 889 prohibitions.  Currently, although contractors must conduct a reasonable inquiry before certifying that they do not use covered telecommunications equipment or services (or any equipment, system, or service that uses covered telecommunications equipment or services), contractors are not required to conduct a reasonable inquiry before representing that they will not provide covered telecommunications equipment or services to the government in the performance of a government contract.  The proposed rule, however, conditions both certifications on a reasonable inquiry. 

In addition, the proposed rule provides limited clarification on the meaning of “use” in the prohibition against a contractor’s use of any equipment, systems, or services that uses covered telecommunications equipment or services as a substantial or essential component of any system.  Under the proposed rule, commercial sales, maintenance, testing services, warranty services, and employee’s use of personal equipment are expressly exempt from “use of covered telecommunications equipment or services.” 

Regarding the FASCSA, the proposed rule would finalize regulations that prohibit providing or using any products or services in performance of a government contract that are prohibited by agency-specific exclusion actions, or “covered procurement actions.”  Covered procurement actions will be identified in the solicitation or posted on SAM.gov.  Additional information about FASCSA requirements is available on a prior blog post here.

Subpart 40.3 Safeguarding Information

As is the case in prior subparts discussed above, proposed updates serve to merge and consolidate regulations found in multiple FAR parts and subparts in order to “harmonize” inconsistencies and standardize guidance across various parts.  Subpart 40.3 was previously reserved, and now focuses on policies and procedures for safeguarding CUI and covered federal information.  We highlight updates to CUI-related requirements, including consolidated CUI handling and safeguarding, and reporting of incidents here.  

Implementation of Requirements

A new solicitation provision, FAR 52.240-6, Notice of Controlled Unclassified Information Requirements, contract clause, FAR 52.240-7, Controlled Unclassified Information, and the Standard Form XXX (“SF XXX”), Controlled Unclassified Information Requirements, will serve to implement the relevant CUI requirements for procurements where the handling of CUI will be required, with the exception of commercially available off-the-shelf (“COTS”) items.

Definitions

Both the definitions for CUI and CUI incidents under the proposed rule provide for a clarified and narrowed scope. 

  • The definition for CUI aligns closely with the definition for CUI outlined in 32 CFR part 2002, consistent with the January 2025 proposed rule.  This definition provides that CUI “is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”  The currently proposed rule adds the following exclusions: (1) information a contractor possesses and maintains in its own systems that did not come from a government agency; (2) federally-funded basic and applied research at specified academic institutions; and  (3) information a contractor creates or possesses that a law, regulation, or government policy does not specifically require the contractor to handle using safeguarding or dissemination controls.
  • The proposed rule also clarifies that even if data provided by the government is not marked as CUI, a contractor cannot use the data for its own purposes, unless the information is in the public domain or was lawfully made available to the contractor by someone other than the government.
  • A CUI incident under the proposed rule is defined as an “unauthorized disclosure, improper modification, improper destruction of CUI, in any form or medium, or unauthorized access to the information system on which the CUI resides.”  Notably, the definition excludes improper handling of CUI (e.g., unmarked or mismarked CUI) (unless that improper handling has resulted in an unauthorized disclosure, improper modification, or improper destruction of CUI), and “suspected” incidents are also no longer part of the definition, a divergence from the January 2025 proposed rule.

Standard Form

The proposed rule also implements a new form, as yet unnumbered and only referred to as the SF XXX, which the agency must complete and incorporate into the contract when CUI is involved in the performance of the contract, and is used to standardize the process for identifying and sharing CUI-related requirements with contractors, such as safeguarding requirements and where a CUI incident must be reported. 

We previously wrote about the SF XXX as proposed in January 2025 here.  The proposed rule includes certain updates to the required inputs in the SF XXX since the January 2025 proposed rule.  These include: whether the contractor is expected to handle CUI under the contract (part A), whether CUI will be located within a Federally-controlled facility or non-Federally-controlled facility (parts B and C), the type of CUI being handled and relevant marking responsibilities (part C), and whether enhanced security requirements under National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-172 apply (part D).  In line with the focus on consistency and standardization, the proposed rule also provides that in the event of a conflict with another law or regulation, contractors must notify the contracting officer within 72 hours of determining that they are not able to comply with any of the requirements due to a conflict (part F).  Contractors under the proposed rule would also be required to notify the agency if it identifies unmarked or mismarked CUI within 72 hours—an update from the 8 hours previously proposed under the January 2025 proposed rule.

CUI Incident Reporting: When, Where, and What to Report

Importantly, under the proposed rule, the timeline for CUI incident reporting has also been updated to 72 hours to align with other incident reporting requirements, e.g., DFARS 252.204-7012 and under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (which we previously wrote about here).  Previously, under the 2025 proposed rule, the timeline required that contractors report incidents within 8 hours of discovery. 

The proposed rule clarifies that DoW incident reporting should be submitted to the DIBnet online portal, all non-DoW related CUI incident reporting should be submitted to the CISA online portal, and the contractor must also notify the contracting officer that an incident report was submitted.  Subcontractors must report CUI incidents directly to the government and provide notification to the contracting officer and the next higher-tier contractor, if applicable under FAR 52.240-7(e)(2).  FedRAMP authorized cloud computing service providers (“CSPs”) only need to report an incident relating to a FedRAMP cloud service offering through FedRAMP Incident Communication Procedures.

The contractor must submit as many of the applicable data elements that are available at the time, and if the first report does not contain all of the applicable data elements or some of the information changes after the investigation is substantially complete, the contractor must submit a subsequent report containing the updated or new information in accordance with FAR 52.240-7(e)(2).

Security Requirements for Information Systems Handling CUI

The proposed rule provides that contractors operating information systems that access, use, process, store, maintain, or transmit CUI identified in the contract, must:

  • When operating a federal information system, comply with agency-identified security requirements from NIST SP 800-53 and any requirements identified in the SF XXX (and if using cloud computing services, comply with agency-specific requirements, but at a minimum FedRAMP Moderate baseline); and
  • When operating a non-federal information system, comply with security requirements of NIST SP 800-171 Revision 3, “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations,” those specified by the agency in the SF XXX, and NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information, identified by the agency for a critical program or high-value asset (and if using a CSP, ensure it meets FedRAMP Moderate baseline security requirements).  Of note, the January 2025 proposed rule imposed requirements for NIST SP 800-171 Revision 2, rather than Revision 3, and so this update could have a potentially significant impact on contractors with information systems handling CUI who have been subject to Revision 2.  This provision in the proposed rule also likely signals that DoW will be moving its Cybersecurity Maturity Model Certification program to move from Revision 2 and 3.

The proposed rule also provides some additional guidance on scope.  For example, (1) endpoints (such as laptops), hosting a virtual desktop infrastructure client configured to prevent any processing, storage, or transmission of CUI beyond the keyboard/video/mouse sent to the virtual desktop infrastructure client, and (2) commercial communications networks that transmit government and non-government information using the same equipment, protocols, and methodologies, without regard to the source or recipient of the information are both outside of the scope of these requirements.

Conclusion

Overall, the revisions to the FAR represent both the shifting and consolidation of various requirements, while also making revisions to existing requirements and proposed additions of new obligations that warrant close review by contractors.  Certain revisions appear to provide potentially more leniency to contractors, for example, narrowing the definition of a CUI incident and extending reporting timeline requirements.  Other requirements, for example, the requirement that contractors operating a non-federal information system comply with security requirements of NIST SP 800-171 Revision 3 may require contractors to assess how existing compliance programs address such requirements and may need to potentially uplift certain controls.  Comments on the proposed rule are due by July 23, 2026.

Photo of Susan B. Cassidy Susan B. Cassidy

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply…

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply chain risk management for companies that sell products and services to the U.S. Government. Susan advises contractors at all phases of the procurement cycle, and regularly:

advises clients on compliance obligations imposed by the FAR, DFARS, and other agency regulatory requirements;
leads internal and government False Claims Act (FCA) investigations addressing allegations of violations of government cybersecurity, national security, supply chain, quality, and MIL-SPEC requirements; and
advises clients who have suffered a cyber breach where U.S. government information may have been impacted.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7012, FedRAMP, controlled unclassified information (CUI), and NIST SP 800-171 requirements;
Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 semiconductor product and service restrictions, and limitations on sourcing a variety of products from China; and
Federal Acquisition Security Council (FASC) regulations and product exclusions.

 

Susan previously served as senior in-house counsel for two major defense contractors (Northrop Grumman Corporation and Motorola Incorporated) and is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Chambers USA has quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Susan’s pro-bono work extends to assisting veterans in a variety of matters, as well as providing advice to elderly clients on their wills and other end-of-life planning documents.

Read more about Susan B. CassidyEmail
Show more Show less
Photo of Ashden Fein Ashden Fein

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel…

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel in criminal, civil, and internal investigations involving cybersecurity, insider risk, and U.S. national security issues.

Ashden regularly counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Ashden also assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He frequently represents government contractors in False Claims Act matters involving cybersecurity and national security. Additionally, he advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Read more about Ashden FeinEmail
Show more Show less
Photo of Ryan Burnette Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain…

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion dollars’ worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.

Read more about Ryan BurnetteEmail
Show more Show less
Photo of Darby Rourick Darby Rourick

Darby Rourick is a government contracts lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. She has particular experience in federal cybersecurity and information technology supply chain issues. Darby has an active investigations…

Darby Rourick is a government contracts lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. She has particular experience in federal cybersecurity and information technology supply chain issues. Darby has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. She also counsels clients on cybersecurity incident response; compliance with federal cybersecurity laws, regulations, and standards; supplier and subcontractor security issues; and cybersecurity related investigations.

Darby has particular regulatory experience with:

Government cybersecurity supply chain issues like the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements; and
Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI)

She also assist clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

Procurement fraud and FAR mandatory disclosure requirements;
Allegations of violations of cybersecurity regulation;
Cyber incidents and data spills; and 
Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

Read more about Darby RourickEmail
Show more Show less
Photo of Krissy Chapman Krissy Chapman

Kristen “Krissy” Chapman is an associate in the firm’s Washington, DC office. She represents and advises clients on a range of cybersecurity, data privacy, and government contracts issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal…

Kristen “Krissy” Chapman is an associate in the firm’s Washington, DC office. She represents and advises clients on a range of cybersecurity, data privacy, and government contracts issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal investigations, and regulatory compliance.

Prior to joining the firm, Krissy served as a consultant in both the private and public sectors, advising clients across a range of industries, including transportation and infrastructure, life sciences and healthcare, and national security.

Read more about Krissy ChapmanEmail
Show more Show less
Photo of Eunsun Cho Eunsun Cho

Eunsun Cho is an associate in the Government Contracts Practice Group. She assists clients on a range of regulatory and compliance issues.

Eunsun also maintains an active pro bono practice.

Email
  • Posted in:
    Government Contracts
  • Blog:
    Inside Government Contracts
  • Organization:
    Covington & Burling LLP
  • Article: View Original Source

Call us at 1-800-913-0988 or email sales@lexblog.com.

Facebook LinkedIn Twitter RSS
Library at LexBlog
  • About LexBlog
  • The Field We Built
  • Library at LexBlog
  • Our Beliefs
  • Our Team
  • Contact LexBlog
  • Disclaimer
  • Editorial Policy
  • Terms of Service
  • Get Started
  • Publishing Solutions
  • Compass
  • Submit a Request
  • Support Center
  • System Status
Copyright © 2026, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo