For the first time, the FAR would require civilian-agency contractors to protect Controlled Unclassified Information. It sets the bar at NIST SP 800-171 Revision 3, not the Revision 2 that DoD requires. The rule is proposed, not final, and comments close July 23, 2026. Here is what it would change.

What the rule proposes

On June 23, 2026, the FAR Council published FAR Case 2026-001 as part of the Revolutionary FAR Overhaul. Inside it sits the most consequential cybersecurity change for civilian contractors in a decade: a new FAR Part 40 that would extend CUI safeguarding requirements across the whole federal government.

Until now, CUI protection has effectively meant one thing. DoD, DFARS 252.204-7012, and NIST 800-171 Rev 2. Civilian contractors faced a patchwork of agency-specific requirements with no FAR-level framework at all. This rule closes that gap, and it closes it at a higher bar than DoD currently enforces.

One thing to fix in your head before reading further: none of this is in effect. It is a proposed rule in its comment period. The final text can change, and the comment record is part of what changes it.

Who this hits, and how

Three groups, three different answers.

Civilian contracts only. This is new territory. CUI safeguarding has never been a FAR-level obligation for you. If the rule finalizes, you would implement NIST 800-171 Rev 3 on any system that handles CUI identified in your contract.

DoD contracts only. Nothing changes today. Your obligations still run through the DFARS cyber clauses and CMMC, both anchored to Rev 2.

Both. You would face Rev 3 on civilian work and Rev 2 on DoD work. Two versions of the same standard, at the same time, until the two align.

Rev 3 vs Rev 2: fewer requirements, more work

Here is the part that surprises people. Rev 3 has 97 security requirements. Rev 2 has 110. On paper, that reads like a 12% reduction in work.

It isn't. Rev 2's 110 requirements break down into 320 assessment objectives. Rev 3's 97 break down into 422. That is a 32% increase in what an assessor actually checks. Fewer requirements, more verification.

Three changes drive it:

Three new control families. Rev 3 adds Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR), taking the total from 14 families to 17. The additions pull 800-171 into closer alignment with NIST SP 800-53 Rev 5.

88 organization-defined parameters. Rev 3 embeds fill-in-the-blank values across 49 of its 97 requirements. Where Rev 2 said to scan for vulnerabilities "periodically," Rev 3 asks how often, precisely, and expects a documented answer. Under the proposed rule, the agency would specify its parameters on the new Standard Form.

The basic/derived split is gone. Rev 2 sorted requirements into basic and derived. Rev 3 treats all 97 uniformly and names NIST SP 800-53 as the single authoritative source.

Rev 3 also withdrew 27 requirements, though "withdrawn" rarely means gone. Most were absorbed into other requirements rather than dropped.

What you would actually have to do

Under the proposed clause at FAR 52.240-7, a contractor handling contract CUI would:

  • Implement Rev 3 on any non-federal system that handles it. If you operate a federal information system instead, the baseline is NIST SP 800-53 plus whatever the agency specifies, and any cloud service has to meet at least the FedRAMP Moderate baseline.

  • Report CUI incidents within 72 hours of discovery. DoD work reports through DIBNet, civilian work through CISA.

  • Flow the requirements down to subcontractors that will receive CUI, with subcontractors reporting directly to the Government.

  • Self-attest. The proposed rule relies on self-attestation, not third-party certification. There is no civilian equivalent of a C3PAO in this rule.

  • Read the Standard Form. A new form would identify, contract by contract, what CUI is involved and what handling applies.

Agencies could layer NIST SP 800-172 enhanced requirements on top for a critical program or high-value asset.

The split, and why it matters for a small firm

The rule opens a gap that the rulemaking record itself acknowledges. DoD requires Rev 2 through a class deviation. The FAR would require Rev 3. DoD has signaled it intends to move to Rev 3 through its own separate rulemaking, but until that lands, the two sides of the government would ask for different versions of the same standard.

For a large prime with segmented environments, that is an administrative nuisance. For a small firm running one network across both civilian and defense work, it is a real design problem. The ODPs are the sharp edge: the same control can carry different required values on different contracts, set by different agencies, on different forms.

The honest read on direction: Rev 3 is where this is going, on both sides. Building to Rev 2 today remains correct for DoD work, and the 110 controls are still what your SPRS score is calculated against. But if you handle CUI anywhere, Rev 3 is the version to start reading now.

Nothing is final: how to comment

Comments are due July 23, 2026, submitted through regulations.gov citing FAR Case 2026-001 (Docket No. FAR-2026-0001). The FAR Council has specifically asked for input on several open questions, including how the final rule should handle enhanced controls under NIST SP 800-172, cloud services and virtual desktop infrastructure, telecommunications providers that transmit CUI, and how agencies should oversee compliance.

That list is worth reading if you are a small firm. Several of those questions decide how much this costs you, and the comment record is the only place your answer counts.

Key Takeaways

  • The FAR would extend CUI safeguarding to civilian contractors for the first time, at NIST 800-171 Rev 3. It is a proposed rule. Nothing is in effect.

  • Rev 3 is not a lighter Rev 2. It has 97 requirements instead of 110, but 422 assessment objectives instead of 320, plus three new control families and 88 organization-defined parameters.

  • DoD still requires Rev 2. If you work both civilian and defense contracts and this finalizes, you would face both versions until the two align.

  • The obligations under the proposed clause: Rev 3 implementation, 72-hour incident reporting (DIBNet for DoD, CISA for civilian), subcontractor flow-down, self-attestation, and a new Standard Form identifying the CUI per contract.

  • Comments close July 23, 2026 via regulations.gov, citing FAR Case 2026-001.

FAQ

Do civilian contractors have to comply with NIST 800-171?
Not today. CUI safeguarding has been a defense-side obligation through DFARS 252.204-7012, while civilian agencies applied their own inconsistent requirements. FAR Case 2026-001 proposes to change that by requiring NIST 800-171 Rev 3 for any contractor system handling contract CUI, government-wide. The rule is proposed, not final.

Is the FAR rule Rev 2 or Rev 3?
Rev 3. This is the key divergence: DoD requires Rev 2 under a class deviation for DFARS 7012 and CMMC, while the proposed FAR rule would require Rev 3. DoD has said it intends to adopt Rev 3 through separate rulemaking, but until then the two sides would not match.

Is Rev 3 easier than Rev 2 because it has fewer requirements?
No. Rev 3 has 97 requirements against Rev 2's 110, but the number of assessment objectives rises from 320 to 422. It also adds three control families (Planning, System and Services Acquisition, Supply Chain Risk Management) and 88 organization-defined parameters that someone has to define and document.

Would the FAR rule require third-party certification like CMMC?
No. As proposed, it relies on self-attestation. There is no civilian C3PAO equivalent in this rule. That said, a self-attestation to the Government is still an affirmative declaration with False Claims Act exposure.

When does this take effect?
No effective date has been set. Comments close July 23, 2026, and the FAR Council would then issue a final rule, most likely later in 2026. The final text may differ from what was proposed.

What is an organization-defined parameter?
A fill-in-the-blank value inside a security requirement. Rev 2 might say to review logs "periodically"; Rev 3 asks for a specific frequency. Rev 3 contains 88 of them across 49 requirements. Under the proposed FAR rule, the agency would specify its values on the contract's Standard Form.

Proposed rules are where compliance costs get decided, and they move fast once the comment window closes. This one could reset the security baseline for every federal contractor who touches CUI, and it is one of twelve rules rewriting the FAR this year. Federal Cyber Brief tracks what's being bought, who can bid, and what's changing across federal IT and cyber contracting, and sends the parts that matter to your inbox each week. Primary sources only. No noise.

Sources

Federal Register 91 FR 37550 — FAR Case 2026-001, "Revolutionary Federal Acquisition Regulation Overhaul Parts 1, 2, 4, 33, 39, 40, and 53," Doc. 2026-12559, RIN 9000-AO86, published June 23, 2026. The new Part 40 and its three subparts; the CUI safeguarding framework; the proposed clause at 52.240-7; NIST SP 800-171 Rev 3 for non-federal systems; NIST SP 800-53 and FedRAMP Moderate for federal systems and cloud; 72-hour CUI incident reporting; subcontractor flow-down; the Standard Form; comment deadline July 23, 2026.

Regulations.gov — Docket No. FAR-2026-0001. Comment portal; the FAR Council's specific questions on NIST SP 800-172 enhanced controls, cloud and virtual desktop infrastructure, telecommunications providers transmitting CUI, and government oversight.

NIST SP 800-171 Revision 3 (csrc.nist.gov, May 14, 2024). 97 security requirements across 17 control families; the three new families (PL, SA, SR); 88 organization-defined parameters across 49 requirements; elimination of the basic/derived distinction; NIST SP 800-53 Rev 5 as single authoritative source; 27 withdrawn requirements.

NIST SP 800-171A Revision 3. 422 assessment objectives (against Rev 2's 320).

NIST SP 800-171 Revision 2 and NIST SP 800-171A Revision 2. The 110 requirements across 14 families; 320 assessment objectives. Remains the DoD standard via class deviation.

Executive Order 14275, "Restoring Common Sense to Federal Procurement" (April 2025). The overhaul's legal basis.

Keep Reading