Regulatory Update

The FAR's New CUI Rule: What Changed in the June 2026 Overhaul Version

A-Frame Solutions, July 2026

The short answer: Buried in the FAR Overhaul's June 23, 2026 proposed rules (91 FR 37550) is a full rewrite of the government-wide Controlled Unclassified Information (CUI) rule. It supersedes the January 2025 standalone proposal, relocates CUI protection into the expanded FAR Part 40, raises the security baseline to NIST SP 800-171 Rev. 3, extends incident reporting from 8 hours to 72 hours, and introduces new clauses 52.240-6 and 52.240-7. Comments are due July 23, 2026.

Most of the coverage of the Revolutionary FAR Overhaul's first proposed-rule batch has focused on the big structural story — 20 FAR parts reorganized, plain-language rewrites, the five-year sunset mechanism for non-statutory requirements. (We covered that batch, and how to comment, here.)

But for contractors — especially civilian-agency contractors who have never lived under DFARS cybersecurity clauses — the most consequential piece of the batch may be the one getting the least attention: the FAR Council used the overhaul to reissue the government-wide CUI rule, and it changed in ways that matter.

A Quick Refresher: Why a FAR CUI Rule At All

Controlled Unclassified Information is the broad category of sensitive-but-not-classified information the government creates or shares — think procurement-sensitive data, certain personnel and health information, controlled technical information. DoD contractors have safeguarded CUI for years under DFARS 252.204-7012, which requires NIST SP 800-171 protections and 72-hour cyber incident reporting.

Civilian agencies never had an equivalent government-wide clause — each agency improvised. The FAR CUI rule, first proposed in January 2025, was written to close that gap: one uniform framework, applicable across the federal enterprise. The June 2026 version keeps that mission but re-architects the rule.

What Changed From the January 2025 Version

  • New home: FAR Part 40. The January 2025 proposal lived in FAR Part 4 (administrative matters). The rewrite moves CUI into the expanded Part 40 — Information Security and Supply Chain Security — alongside the other security prohibitions, which is where the overhaul consolidates security policy generally.
  • Higher baseline: NIST SP 800-171 Rev. 3. The earlier proposal pointed at Rev. 2 — the same baseline DFARS uses today. The new version requires Rev. 3, the current edition of the standard. That is a real compliance delta, not a citation update: Rev. 3 restructures control families and adds organization-defined parameters.
  • Longer reporting window: 72 hours. The January version's 8-hour incident-reporting requirement drew heavy criticism as unworkable. The rewrite extends it to 72 hours — consistent with the DFARS timeline defense contractors already know.
  • Dropped provisions. The proposed clause addressing unidentified CUI (the January draft's 52.204-YY) is gone, and so is the express financial-liability language that had contractors worried about open-ended damages exposure.
  • New implementing clauses. The rule is carried by new FAR clauses 52.240-6 and 52.240-7, plus a standard form (designated "SF XXX" in the proposal) that tells the contractor exactly what CUI the contract involves and which protections apply — putting the identification burden on the government, not the contractor.
  • Flow-down. Safeguarding requirements flow down to subcontractors at every tier that will access covered CUI.

Who Should Care Most

Civilian-agency contractors. If you sell to GSA, VA, DHS, HHS, or any other non-DoD agency and your work touches CUI, this rule would bring you NIST SP 800-171-class obligations for the first time. The lead time to implement Rev. 3 controls — assessment, remediation, documentation — is measured in months, not weeks. Waiting for the final rule to start is how contractors end up non-compliant on day one.

DoD contractors get a different message: convergence. A uniform FAR framework, a 72-hour clock that matches the DFARS one, and a common NIST baseline mean the civilian and defense regimes are being pulled toward each other. If you already comply with DFARS 252.204-7012 and are tracking CMMC, you are most of the way there — but note the Rev. 2 → Rev. 3 gap applies to you too as the standards converge.

Contracting officers should watch the clause mechanics: once finalized, the Part 40 clauses (52.240-6, 52.240-7) and the CUI form become new mandatory members of the clause matrix for covered acquisitions — one more thing the solicitation has to get right, in both the legacy-FAR and overhaul regimes now running in parallel (we walked through that two-regime problem here).

What to Do Before July 23

One caution in the other direction: this is a proposed rule. Clause numbers, the form, and the details can and probably will shift before finalization. Prepare, but don't hard-code.

Frequently asked questions

What is the new FAR CUI rule?

A proposed FAR rule, published June 23, 2026 (91 FR 37550) as part of the Revolutionary FAR Overhaul, creating a government-wide framework for safeguarding Controlled Unclassified Information. It supersedes the January 2025 standalone proposal, moves the requirements into FAR Part 40, and extends NIST SP 800-171-based obligations to civilian-agency contractors — not just DoD.

What changed from the January 2025 CUI proposed rule?

Four big shifts: relocation from Part 4 to the expanded Part 40; a higher security baseline (NIST SP 800-171 Rev. 3 instead of Rev. 2); incident reporting extended from 8 hours to 72 hours; and the removal of the unidentified-CUI clause and express financial-liability language.

Is the rule final? When do contractors have to comply?

No — it's proposed. Comments are due July 23, 2026, and obligations only attach once a final rule issues and the clauses appear in your contracts. But NIST 800-171 Rev. 3 compliance takes months of lead time, so contractors handling CUI should start gap assessments now.

Does it apply to non-DoD contractors?

Yes — that's the point. DoD contractors already safeguard CUI under DFARS 252.204-7012; this rule extends a uniform framework to civilian-agency contracts, bringing 800-171-class obligations to contractors at GSA, VA, DHS, and beyond for the first time.

Which clauses implement it?

New FAR clauses 52.240-6 and 52.240-7, plus a standard CUI form (designated SF XXX in the proposal) identifying the CUI in each contract. Once finalized, these Part 40 clauses will start appearing in clause matrices for covered acquisitions — ArcClause will pick them up as they land.
