The Revolutionary FAR Overhaul is the federal government's effort to rewrite its entire procurement rulebook — and on June 23, 2026, it moved from policy to proposed law. The FAR Council published its first four proposed rules, with public comments due July 23. Nothing is final yet, but the direction is set. Here is what it means for a small IT or cyber contractor.
What the FAR Overhaul is
The Federal Acquisition Regulation (FAR) is the rulebook every federal agency uses to buy goods and services. The Revolutionary FAR Overhaul — launched by Executive Order 14275 ("Restoring Common Sense to Federal Procurement," April 2025) and steered by OMB Memorandum M-25-26 — aims to strip it back to what statute requires, rewrite it in plain language, and remove decades of accumulated non-statutory rules.
The mechanism is a series of twelve proposed rules that together will revise the FAR in its entirety. The stated goal is a leaner, faster, more navigable rulebook — and, explicitly, a lower barrier to entry: the proposed rules note the steep decline over the past two decades in the number of companies willing to do business with the government. For a small firm, that intent matters: less administrative drag is the whole point.
What just happened on June 23, 2026
The FAR Council issued the first four of those twelve proposed rules, which together touch 20 FAR parts:
FAR Case 2026-001 — Parts 1, 2, 4, 33, 39, 40, 52, 53 (the package that matters most for IT and cyber work)
FAR Case 2026-002 — Parts 6, 7, 10, 18, 26, 37, 41
FAR Case 2026-005 — Parts 5, 24, 29
FAR Case 2026-007 — Parts 3, 49
Comments on all four are due July 23, 2026 — a 30-day window, the statutory minimum, which signals the Council intends to finalize quickly, most likely within 2026. One point to hold onto: these are proposed rules, not final ones. Nothing here is in effect, and nothing changes your obligations today.
What's confirmed now for IT and cyber contractors
Almost everything relevant to a cyber-focused firm sits in FAR Case 2026-001. Four changes are worth your attention.
A new FAR Part 40 consolidates the security rules. The proposed rule creates Part 40, "Information Security and Supply Chain Security," and relocates into it the security requirements, prohibitions, and exclusions that are currently scattered across FAR Part 4. That includes supply-chain risk processing (FASCSA orders), the Section 889 prohibition on certain telecommunications and video-surveillance equipment, and information-safeguarding requirements — including those tied to Controlled Unclassified Information. The practical effect for now is consolidation, not repeal: the security obligations you already meet don't vanish; they move to one place and get harmonized.
FAR Part 39 is retitled and trimmed. Part 39 becomes "Acquisition of Information and Communication Technology." The proposed rule deletes duplicative provisions — including FAR 39.105 (Privacy) and the clause at 52.239-1 (Privacy or Security Safeguards) — folds in the NICE Workforce Framework for Cybersecurity, and adds guidance on Position, Navigation, and Timing services. If you sell IT or cyber services, this is the part that governs how that work is bought.
SAM.gov registration gets lighter. The Part 4 changes eliminate roughly half of the information previously required to register an entity on SAM.gov — a deliberate move to reduce burden and bring new entrants into the market.
The automatic sunset is gone — replaced by review. The earlier class deviation made all non-statutory FAR language expire automatically after four years. That concept is removed. Under the proposed FAR 1.109, non-statutory provisions instead remain in effect until the FAR Council removes them through formal rulemaking, subject to periodic review. Rules no longer disappear on a timer; they have to be actively retired.
The rest of the batch, briefly
Outside Case 2026-001, the changes are less IT-specific but worth knowing as context:
Sole-source approval authority rises (Case 2026-002): DoD, NASA, and Coast Guard contracting officers can approve sole-source awards up to $10 million, aligned with the FY2026 NDAA; other agencies remain at $900,000.
Protests and disputes change (Part 33, Case 2026-001): the proposed rule revises agency-level and GAO protest procedures.
Public award announcements become optional (Case 2026-005): the rule makes public announcement of awards over $5.5 million permissive rather than mandatory — which, if finalized, makes tracking competitors' wins harder.
Closeout and termination accelerate (Case 2026-007): shorter settlement deadlines and a risk-based approach to termination audits.
What is not changing: your CMMC obligations
This is the reassurance to internalize: the FAR Overhaul does not touch CMMC. Your cybersecurity-certification obligations are governed by 32 CFR Part 170 and the DFARS — not the FAR parts in this batch — and none of the June 23 proposed rules alter them. The Phase 2 deadline of November 10, 2026 still stands. If you have not completed a gap assessment, posted an SPRS score, or started preparing for an assessment, those remain your most immediate priorities, regardless of what happens with the FAR.
One detail worth tracking, not acting on: the FAR's basic safeguarding clause for federal contract information (FAR 52.204-21 — the FCI baseline that CMMC Level 1 maps to) is among the Part 4 items proposed to move into the new Part 40. That is a relocation to watch when the rule finalizes, not a change to what you must do today.
What's still coming — and why Part 19 matters most
Only 4 of the 12 rules are out. The single most consequential piece for small businesses — FAR Part 19, small-business set-asides — is not in this batch. It is slated for a later package. Until it publishes, the set-aside framework you operate under is unchanged: 8(a), SDVOSB, HUBZone, WOSB, and the Rule of Two all stand as they are. When the Part 19 rule lands, it will be the development to watch, and we will cover it in full.
What to do now
Treat these as proposals, not law. Nothing is in effect. Do not change your compliance program off a proposed rule.
Comment by July 23 if you have concerns. If the Part 39, Part 40, or Part 4 changes affect how you operate, submit a comment through regulations.gov citing FAR Case 2026-001. The comment record can shape the final text.
Map your clauses. Review which FAR provisions are written into your current contracts, so you can see quickly what a finalized rule would change.
Keep your CMMC work moving. The overhaul gives you no reason to pause your assessment preparation.
Watch for the Part 19 package. That is the rule that will reshape the set-aside landscape for firms like yours.
Key Takeaways
On June 23, 2026, the FAR Council proposed the first 4 of 12 rules in the Revolutionary FAR Overhaul (EO 14275). Comments are due July 23, 2026, and they are proposals — nothing is in effect.
The IT/cyber-relevant changes are in FAR Case 2026-001: a new Part 40 consolidating security and supply-chain rules from Part 4, a trimmed and retitled Part 39, lighter SAM.gov registration, and the removal of the automatic 4-year sunset.
Your CMMC obligations are unchanged. They live under 32 CFR Part 170 and the DFARS; the November 10, 2026 Phase 2 deadline stands.
FAR Part 19 (set-asides) is not in this batch. The set-aside framework is unchanged until a later package publishes — and that will be the most consequential rule for small businesses.
If the proposed changes affect you, comment by July 23 via regulations.gov, citing FAR Case 2026-001.
FAQ
Is the FAR Overhaul in effect now? No. The rules published on June 23, 2026 are proposed rules. They invite public comment (due July 23, 2026) and do not change any contractor obligation until the FAR Council issues final rules — widely expected later in 2026, though no effective date is stated.
Does the FAR Overhaul change my CMMC requirements? No. CMMC is governed by 32 CFR Part 170 and the DFARS, not the FAR parts in this batch. None of the June 23 proposed rules alter CMMC, and the Phase 2 deadline of November 10, 2026 remains in place.
What is the new FAR Part 40? Part 40, "Information Security and Supply Chain Security," is a new part proposed in FAR Case 2026-001. It consolidates security requirements, prohibitions, and exclusions — supply-chain risk, the Section 889 telecom prohibition, and information safeguarding including CUI — that are currently spread across FAR Part 4.
Will the FAR Overhaul change small-business set-asides? Eventually, possibly — but not yet. FAR Part 19, which governs set-asides, is not in this first batch of proposed rules. It is expected in a later package. Until then, the set-aside framework is unchanged.
How do I comment on the proposed rules? Submit comments through regulations.gov on or before July 23, 2026, citing the relevant FAR Case number (for the IT/cyber changes, that is FAR Case 2026-001, Docket No. FAR-2026-0001).
SOURCES
All primary. Verified as of June 27, 2026.
Federal Register 91 FR 37550 (FAR Case 2026-001, "Revolutionary Federal Acquisition Regulation Overhaul Parts 1, 2, 4, 33, 39, 40, and 53"), Doc. 2026-12559, RIN 9000-AO86, published June 23, 2026. The creation of Part 40 and relocation of security requirements from Part 4; Part 39 retitling and deletions (39.105, 52.239-1), NICE Framework, PNT; Part 1 regulatory-sunset change; Part 4 / SAM.gov registration changes; comment deadline July 23, 2026.
Federal Register, FAR Cases 2026-002, 2026-005, and 2026-007 (June 23, 2026). The remaining three rules in the first batch (Parts 5–7, 10, 18, 24, 26, 29, 37, 41, 3, 49); sole-source approval-authority increase; permissive public announcement of awards over $5.5M (Case 2026-005, FAR 5.302).
Regulations.gov — Docket No. FAR-2026-0001. Comment portal for FAR Case 2026-001.
Executive Order 14275, "Restoring Common Sense to Federal Procurement" (April 2025); OMB Memorandum M-25-26. The overhaul's legal basis and roadmap.
U.S. Small Business Administration, Office of Advocacy notice (June 25, 2026). Summary of the four proposed rules and the parts each covers.
32 CFR Part 170 (CMMC Program). Confirms CMMC obligations and the Phase 2 (Nov. 10, 2026) deadline are unaffected by the FAR Overhaul.
