On June 23, 2026, the Federal Acquisition Regulatory Council (“FAR Council”) issued proposed rules covering several parts of the Federal Acquisition Regulation (“FAR”). The proposed rules mark the beginning of the long-awaited notice-and-comment phase of the Revolutionary FAR Overhaul (“RFO”). This blog post, focusing on FAR Part 40, provides an overview of the proposed changes to the regulations and the associated contract clauses in FAR Part 52, including the inclusion of requirements around the handling of Controlled Unclassified Information (“CUI”).
Developments Before the Proposed Rule
Despite its broad title, the current version of FAR Part 40, “Information Security and Supply Chain Security,” only contains requirements relating to the American Security Drone Act of 2023. Other security-related supply chain restrictions, including those implementing Section 889 of the FY19 NDAA, and the Federal Acquisition Supply Chain Security Act (“FASCSA”), are referenced in FAR Part 40, but the substantive requirements appear elsewhere in the FAR. Similarly, on the information security side, the current version of the FAR includes requirements for the safeguarding of Federal Contract Information in Part 4, rather than in FAR Part 40.
Further, the current version of the FAR does not presently include any specific requirements for the protection of CUI. Contractor obligations regarding CUI have instead largely been implemented by individual agencies, including, for example, by the Department of War (“DoW”) in the Defense Federal Acquisition Regulation Supplement. Before the RFO process began, the FAR Council issued a proposed rule in January 2025 to standardize contractor obligations to safeguard CUI (“January 2025 proposed rule”).
When the FAR Council published the RFO model deviations last year, the Part 40 text included major structural changes. Notably, the deviation text consolidated the various supply chain security requirements that were previously in Parts 4, 25, and 40 into a single subpart under Part 40. The deviation text also signaled a consolidation of information security requirements, by moving the requirements for classified information under FAR Subpart 4.4 to Part 40.
Proposed Rule for Part 40
We explain key changes below in each of the subparts: Processing Supply Chain Risk Information (Subpart 40.1), Security Prohibitions and Exclusions (Subpart 40.2); and Safeguarding Information (Subpart 40.3).
Subpart 40.1 Processing Supply Chain Risk Information
The proposed Subpart 40.1 now contains the current regulations found under Subpart 4.23, which requires interagency sharing of supply chain risk information.
Subpart 40.2 Security Prohibitions and Exclusions
As noted, the proposed rule now consolidates supply chain security restrictions under Parts 4, 25, and 40 into one clause under Subpart 40.2. The clause categorizes the restrictions based on the nature of their operation:
- Prohibitions on providing or using specific products or services in performance of a contract (52.240-3(b)),
- Prohibition on unmanned aircraft systems manufactured or assembled by American Security Drone Act-covered foreign entities. (52.240-3(c)),
- Prohibition on using or providing specific products or services or conducting certain transactions regardless of connection to contract (52.240-3(d)), and
- Government exclusion and removal orders and covered procurement actions under FASCSA (52.240-3(e) and (f)).
In the current FAR, the standard that contractors must follow to determine whether prohibited products or services are being used in their supply chains depends on the restriction, and the requirements for reporting instances of non-compliance also vary. The proposed rule addresses these inconsistencies by imposing a uniform reasonable inquiry requirement across all prohibitions and a 72-hour reporting timeframe for all supply chain security restrictions. “Reasonable inquiry”, as referred to in the proposed rule, essentially adopting the standard that was in the regulations addressing Section 889’s use prohibition, requires the offeror or the contractor to “look[] at any information in the Offeror’s possession that is accessible but does not need to include an internal or third-party audit.”
Notably, the proposed rule also makes substantive updates to the Section 889 prohibitions and exceptions, as well as implementation of the FASCSA.
Regarding the Section 889 prohibitions, the uniform reasonable inquiry standard discussed above means the inquiry requirements have also been harmonized within Section 889 prohibitions. Currently, although contractors must conduct a reasonable inquiry before certifying that they do not use covered telecommunications equipment or services (or any equipment, system, or service that uses covered telecommunications equipment or services), contractors are not required to conduct a reasonable inquiry before representing that they will not provide covered telecommunications equipment or services to the government in the performance of a government contract. The proposed rule, however, conditions both certifications on a reasonable inquiry.
In addition, the proposed rule provides limited clarification on the meaning of “use” in the prohibition against a contractor’s use of any equipment, systems, or services that uses covered telecommunications equipment or services as a substantial or essential component of any system. Under the proposed rule, commercial sales, maintenance, testing services, warranty services, and employee’s use of personal equipment are expressly exempt from “use of covered telecommunications equipment or services.”
Regarding the FASCSA, the proposed rule would finalize regulations that prohibit providing or using any products or services in performance of a government contract that are prohibited by agency-specific exclusion actions, or “covered procurement actions.” Covered procurement actions will be identified in the solicitation or posted on SAM.gov. Additional information about FASCSA requirements is available on a prior blog post here.
Subpart 40.3 Safeguarding Information
As is the case in prior subparts discussed above, proposed updates serve to merge and consolidate regulations found in multiple FAR parts and subparts in order to “harmonize” inconsistencies and standardize guidance across various parts. Subpart 40.3 was previously reserved, and now focuses on policies and procedures for safeguarding CUI and covered federal information. We highlight updates to CUI-related requirements, including consolidated CUI handling and safeguarding, and reporting of incidents here.
Implementation of Requirements
A new solicitation provision, FAR 52.240-6, Notice of Controlled Unclassified Information Requirements, contract clause, FAR 52.240-7, Controlled Unclassified Information, and the Standard Form XXX (“SF XXX”), Controlled Unclassified Information Requirements, will serve to implement the relevant CUI requirements for procurements where the handling of CUI will be required, with the exception of commercially available off-the-shelf (“COTS”) items.
Definitions
Both the definitions for CUI and CUI incidents under the proposed rule provide for a clarified and narrowed scope.
- The definition for CUI aligns closely with the definition for CUI outlined in 32 CFR part 2002, consistent with the January 2025 proposed rule. This definition provides that CUI “is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” The currently proposed rule adds the following exclusions: (1) information a contractor possesses and maintains in its own systems that did not come from a government agency; (2) federally-funded basic and applied research at specified academic institutions; and (3) information a contractor creates or possesses that a law, regulation, or government policy does not specifically require the contractor to handle using safeguarding or dissemination controls.
- The proposed rule also clarifies that even if data provided by the government is not marked as CUI, a contractor cannot use the data for its own purposes, unless the information is in the public domain or was lawfully made available to the contractor by someone other than the government.
- A CUI incident under the proposed rule is defined as an “unauthorized disclosure, improper modification, improper destruction of CUI, in any form or medium, or unauthorized access to the information system on which the CUI resides.” Notably, the definition excludes improper handling of CUI (e.g., unmarked or mismarked CUI) (unless that improper handling has resulted in an unauthorized disclosure, improper modification, or improper destruction of CUI), and “suspected” incidents are also no longer part of the definition, a divergence from the January 2025 proposed rule.
Standard Form
The proposed rule also implements a new form, as yet unnumbered and only referred to as the SF XXX, which the agency must complete and incorporate into the contract when CUI is involved in the performance of the contract, and is used to standardize the process for identifying and sharing CUI-related requirements with contractors, such as safeguarding requirements and where a CUI incident must be reported.
We previously wrote about the SF XXX as proposed in January 2025 here. The proposed rule includes certain updates to the required inputs in the SF XXX since the January 2025 proposed rule. These include: whether the contractor is expected to handle CUI under the contract (part A), whether CUI will be located within a Federally-controlled facility or non-Federally-controlled facility (parts B and C), the type of CUI being handled and relevant marking responsibilities (part C), and whether enhanced security requirements under National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-172 apply (part D). In line with the focus on consistency and standardization, the proposed rule also provides that in the event of a conflict with another law or regulation, contractors must notify the contracting officer within 72 hours of determining that they are not able to comply with any of the requirements due to a conflict (part F). Contractors under the proposed rule would also be required to notify the agency if it identifies unmarked or mismarked CUI within 72 hours—an update from the 8 hours previously proposed under the January 2025 proposed rule.
CUI Incident Reporting: When, Where, and What to Report
Importantly, under the proposed rule, the timeline for CUI incident reporting has also been updated to 72 hours to align with other incident reporting requirements, e.g., DFARS 252.204-7012 and under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (which we previously wrote about here). Previously, under the 2025 proposed rule, the timeline required that contractors report incidents within 8 hours of discovery.
The proposed rule clarifies that DoW incident reporting should be submitted to the DIBnet online portal, all non-DoW related CUI incident reporting should be submitted to the CISA online portal, and the contractor must also notify the contracting officer that an incident report was submitted. Subcontractors must report CUI incidents directly to the government and provide notification to the contracting officer and the next higher-tier contractor, if applicable under FAR 52.240-7(e)(2). FedRAMP authorized cloud computing service providers (“CSPs”) only need to report an incident relating to a FedRAMP cloud service offering through FedRAMP Incident Communication Procedures.
The contractor must submit as many of the applicable data elements that are available at the time, and if the first report does not contain all of the applicable data elements or some of the information changes after the investigation is substantially complete, the contractor must submit a subsequent report containing the updated or new information in accordance with FAR 52.240-7(e)(2).
Security Requirements for Information Systems Handling CUI
The proposed rule provides that contractors operating information systems that access, use, process, store, maintain, or transmit CUI identified in the contract, must:
- When operating a federal information system, comply with agency-identified security requirements from NIST SP 800-53 and any requirements identified in the SF XXX (and if using cloud computing services, comply with agency-specific requirements, but at a minimum FedRAMP Moderate baseline); and
- When operating a non-federal information system, comply with security requirements of NIST SP 800-171 Revision 3, “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations,” those specified by the agency in the SF XXX, and NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information, identified by the agency for a critical program or high-value asset (and if using a CSP, ensure it meets FedRAMP Moderate baseline security requirements). Of note, the January 2025 proposed rule imposed requirements for NIST SP 800-171 Revision 2, rather than Revision 3, and so this update could have a potentially significant impact on contractors with information systems handling CUI who have been subject to Revision 2. This provision in the proposed rule also likely signals that DoW will be moving its Cybersecurity Maturity Model Certification program to move from Revision 2 and 3.
The proposed rule also provides some additional guidance on scope. For example, (1) endpoints (such as laptops), hosting a virtual desktop infrastructure client configured to prevent any processing, storage, or transmission of CUI beyond the keyboard/video/mouse sent to the virtual desktop infrastructure client, and (2) commercial communications networks that transmit government and non-government information using the same equipment, protocols, and methodologies, without regard to the source or recipient of the information are both outside of the scope of these requirements.
Conclusion
Overall, the revisions to the FAR represent both the shifting and consolidation of various requirements, while also making revisions to existing requirements and proposed additions of new obligations that warrant close review by contractors. Certain revisions appear to provide potentially more leniency to contractors, for example, narrowing the definition of a CUI incident and extending reporting timeline requirements. Other requirements, for example, the requirement that contractors operating a non-federal information system comply with security requirements of NIST SP 800-171 Revision 3 may require contractors to assess how existing compliance programs address such requirements and may need to potentially uplift certain controls. Comments on the proposed rule are due by July 23, 2026.