The federal government has issued a sweeping proposed rule that could significantly reshape cybersecurity and compliance obligations for federal contractors that handle Controlled Unclassified Information (CUI). If finalized, the new Federal Acquisition Regulation (FAR) provisions would establish a governmentwide framework governing how contractors identify, safeguard, report, and manage CUI across civilian and defense contracts, while imposing substantial new compliance responsibilities that extend far beyond existing requirements such as the Department of Defense’s current cybersecurity rules. For contractors that do business with the federal government, the proposed rule signals an important shift toward more uniform and significantly more demanding CUI compliance obligations.
A Governmentwide CUI Framework Is Taking Shape
Historically, cybersecurity and information protection requirements related to sensitive government information have varied significantly across agencies. While defense contractors have long operated under frameworks such as Department of Defense cybersecurity requirements and NIST Special Publication 800-171, civilian agencies have often applied inconsistent standards.
The proposed FAR rule seeks to standardize those obligations by creating two new FAR provisions: FAR 52.240-6, titled “Notice of Controlled Unclassified Information Requirements,” and FAR 52.240-7, titled “Controlled Unclassified Information.” Together, these provisions would create a uniform baseline framework applicable across federal procurement, dramatically expanding the regulatory burden on contractors that receive, generate, store, process, or transmit CUI.
Contractors Would Face Expanded Cybersecurity Requirements
Perhaps the most significant aspect of the proposed rule is its expansion of mandatory cybersecurity controls. Under the proposal, contractors operating non-federal information systems that handle CUI would be required to comply with NIST Special Publication 800-171 Revision 3, the current version, rather than the earlier revisions many contractors currently rely upon. Contractors also would be required to apply government-specified organization-defined parameters (the values NIST leaves open for each organization to set, which the government would instead fix for contractors), adding an additional layer of implementation complexity.
For certain critical programs or high-value assets, agencies also may require compliance with enhanced security requirements under NIST Special Publication 800-172, substantially increasing security expectations for contractors supporting sensitive federal programs.
Cloud service providers handling CUI also would face heightened requirements. Contractors utilizing cloud infrastructure would need to ensure providers maintain security protections equivalent to at least the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.
These requirements could force many contractors to reassess their cybersecurity architecture, vendor relationships, and overall compliance posture.
Mandatory Disclosure of Security Gaps During Proposal Submission
The proposed FAR rule introduces a particularly significant change during the procurement process itself. If an offeror is not fully compliant with applicable CUI safeguarding requirements at the time it submits a proposal, the contractor would be required to affirmatively disclose all areas of noncompliance to the contracting officer as part of its offer. The contractor also would be required to submit a formal plan of action and milestones identifying how and when it intends to remediate those deficiencies. This requirement effectively creates a mandatory pre-award cybersecurity disclosure obligation that could directly affect proposal competitiveness and source selection decisions. Contractors that have delayed cybersecurity implementation efforts may suddenly find themselves at a significant disadvantage in future procurements.
New Reporting Obligations Within 72 Hours
The proposed rule establishes aggressive reporting requirements that would require contractors to act quickly when problems arise. Contractors would be required to notify the government within 72 hours whenever they discover unmarked or improperly marked information they believe constitutes CUI. Contractors also must report cybersecurity incidents involving CUI within 72 hours of discovery. For Department of Defense contracts, reporting would occur through the Defense Industrial Base reporting portal. For civilian agency contracts, contractors generally would report incidents through Cybersecurity and Infrastructure Security Agency reporting systems. The rule also requires contractors to preserve forensic evidence, reconstruct user activity timelines, investigate attack vectors, and cooperate with government investigators following any incident. These obligations go far beyond many contractors’ current incident response procedures and may require substantial updates to internal cybersecurity protocols.
Subcontractor Compliance Will Become More Critical
Prime contractors should pay close attention to the subcontract flow-down requirements contained in the proposal. The rule would require contractors to flow down CUI compliance obligations to subcontractors at all tiers whenever subcontractors may access covered CUI. This includes commercial products and commercial services, with limited exceptions. As a practical matter, prime contractors may need to revisit subcontract templates, supplier diligence procedures, and vendor oversight programs to ensure compliance throughout the supply chain. Cybersecurity compliance will increasingly become a subcontractor management issue as much as an internal security issue.
Contractors Must Properly Identify Their Own Sensitive Information
The proposed rule also addresses contractor-generated information. Contractors submitting proprietary business information, proposal information, pricing data, or contractor-attributional information to the government would be required to appropriately identify that information. The government would then determine whether the information qualifies for protection as CUI or receives other handling protections. This provision places greater responsibility on contractors to properly identify and protect sensitive business information exchanged during the procurement process.
Why Contractors Should Prepare Now
Although the rule remains in proposed form, contractors should not wait until final implementation to begin evaluating their compliance posture. The proposed framework suggests the federal government is moving toward far more aggressive and standardized regulation of sensitive government information across all agencies. For many contractors, particularly civilian contractors that have not historically operated under defense-sector cybersecurity frameworks, the new requirements could require substantial investments in cybersecurity infrastructure, policy development, employee training, vendor oversight, and incident response capabilities. Organizations that wait until these requirements begin appearing in solicitations may find themselves scrambling to close compliance gaps under tight deadlines.
Final Thoughts
This proposed FAR rule represents one of the most significant governmentwide cybersecurity procurement developments in recent years. For federal contractors, compliance with CUI safeguarding requirements is no longer a niche defense contracting issue. Instead, it is rapidly becoming a core enterprise compliance function that will affect eligibility for future federal contracting opportunities.
Contractors should begin reviewing their existing cybersecurity controls now, assess alignment with NIST Special Publication 800-171 Revision 3, evaluate subcontractor risk exposure, and prepare for a future in which CUI compliance becomes a standard requirement across the federal marketplace.
Early engagement with experienced government contracts counsel can help contractors navigate these emerging requirements and avoid costly compliance surprises once the rule becomes final.
If you have any questions about this noteworthy development or require assistance, please do not hesitate to contact Aron Beezley or Nathaniel Greeson.
