Skip to main content
govconCyber — Federal Cybersecurity Law Reference
Rule Updates

The FAR Overhaul's Next Move: A New "Part 40" for Cybersecurity and a Rewritten CUI Clause

On June 23, 2026, the FAR Council proposed (FAR Case 2026-001) relocating safeguarding, CUI, and supply-chain clauses into a new FAR Part 40 and rewriting the CUI clause (FAR 52.240-7) to tie cloud use to FedRAMP Moderate, point to NIST SP 800-171 Rev. 3, and add a 72-hour conflict-notice rule. It is a proposed rule; comments are due July 23, 2026.

Brandon Hancock, J.D., CMMC-RPPublished June 23, 2026Updated June 23, 20266 min read

The Federal Acquisition Regulatory Council has published a proposed rule (FAR Case 2026-001) that would relocate and rewrite the core cybersecurity obligations contractors live by, consolidating them into a brand-new FAR Part 40 titled "Information Security and Supply Chain Security." Released June 23, 2026 as part of the Revolutionary FAR Overhaul's second, formal-rulemaking phase (directed by OMB Memorandum M-25-26), the rule touches FAR Parts 1, 2, 4, 33, 39, 40, and 53. For contractors, the parts that matter are the cybersecurity ones — and they are moving. Comments are due July 23, 2026 under docket FAR-2026-001 on Regulations.gov.

A New Home: FAR Part 40

The rule proposes to move security requirements, prohibitions, exclusions, and their related provisions and clauses out of FAR Part 4 and into a new FAR Part 40, organized into three subparts: 40.1 — Processing Supply Chain Risk Information, 40.2 — Security Prohibitions and Exclusions, and 40.3 — Safeguarding Information. If finalized, the clause references you cite in templates, compliance checklists, and subcontract flow-downs will change — even where the underlying obligation does not. This is structural reorganization first, but it carries real substance inside the new clauses.

The Rewritten CUI Clause — FAR 52.240-7

The proposal replaces the existing FAR CUI approach with a new clause at FAR 52.240-7, Controlled Unclassified Information, implementing the National Archives and Records Administration (NARA) CUI Program in the FAR. Several proposed changes are worth flagging now:

  • Cloud services tie to FedRAMP Moderate. If a contractor uses a cloud service provider to store, process, or transmit CUI, the provider would need to meet security requirements equivalent to the FedRAMP Moderate baseline.
  • NIST SP 800-171 Revision 3, harmonized. The clause would point to standardized organization-defined parameters for NIST SP 800-171 Rev. 3, aligned to the values codified in 32 C.F.R. Part 170 (the same harmonization track as CMMC) — the stated goal being one standardized CUI-protection approach across agencies.
  • NIST SP 800-172 only when designated. Enhanced controls from NIST SP 800-172 would apply only when an agency identifies a critical program or high-value asset, aligned to 32 C.F.R. § 170.14.
  • A 72-hour conflict-notice rule. A new paragraph would require a contractor to notify the contracting officer within 72 hours of determining it cannot comply with a clause requirement because of a conflict with another law or regulation.
  • Reporting timelines aligned. Reporting of unmarked or mismarked CUI would extend to 72 hours from discovery, aligning with DFARS 252.204-7012 and CIRCIA timeframes.
  • Liability language removed. The proposal removes the clause language specifying contractor liability for CUI incidents, and strikes the prescriptive requirement to separately identify contractor proprietary information.

Supply-Chain Prohibitions, Consolidated — FAR 52.240-3

The rule would also fold today's scattered supply-chain bans into a single clause, FAR 52.240-3, Security Prohibitions and Exclusions (with a companion representation at FAR 52.240-2). That one clause would absorb the Section 889 covered-telecommunications prohibition, the Kaspersky ban, the ByteDance/TikTok prohibition, Federal Acquisition Supply Chain Security Act (FASCSA) orders, the American Security Drone Act restrictions, and the Sudan/Iran restrictions — and would implement Section 203 of FASCSA (Pub. L. 115-390; 41 U.S.C. § 4713). The proposal also clarifies that certain activities — commercial sales, maintenance, testing, warranty services, and an employee's use of personal equipment — are not, individually, "use" of covered telecommunications equipment.

Why It Matters — and What to Do

This is a proposed rule, not a final one. Nothing here changes your obligations today, and the details can shift before a final rule issues. But the direction is clear: the government is consolidating contractor cybersecurity, CUI, and supply-chain requirements into one place (Part 40) and harmonizing CUI protection to the NIST SP 800-171 Rev. 3 / 32 C.F.R. Part 170 baseline that also underpins CMMC.

Practically, contractors should map where their current FAR Part 4 and Section 889 clause citations would move; flag the FedRAMP Moderate cloud expectation and the Rev. 3 organization-defined parameters for systems handling CUI; and — because the comment window closes July 23, 2026 — consider whether any of these proposals (the 72-hour conflict notice, the flow-down flexibility, the removed liability language) warrant a written comment while the rule is still being shaped.

Key Takeaways

  • FAR Case 2026-001 (proposed June 23, 2026) would create a new FAR Part 40, "Information Security and Supply Chain Security," relocating safeguarding, CUI, and supply-chain clauses out of Part 4. Comments are due July 23, 2026.
  • A rewritten CUI clause (FAR 52.240-7) would tie cloud use to FedRAMP Moderate, point to NIST SP 800-171 Rev. 3 organization-defined parameters, reserve NIST SP 800-172 for agency-designated critical programs, and add a 72-hour conflict-notice obligation.
  • It is a proposal — obligations are unchanged for now, but clause citations and CUI handling expectations are poised to shift; contractors should track the move and weigh commenting before the window closes.

For context on how these requirements fit together, see how the standards stack up on Frameworks, the statutes behind them on Federal Statutes, the earlier reshuffle in Where Did DFARS 7019 and 7020 Go?, and what governs your specific contracts via Find My Requirements. To turn this into action, start with Build a Program.

---

Source: Federal Register — Federal Acquisition Regulation: Revolutionary Federal Acquisition Regulation Overhaul, Parts 1, 2, 4, 33, 39, 40, and 53 (FAR Case 2026-001), Doc. 2026-12559, June 23, 2026. Further reading (secondary): docket FAR-2026-001 on Regulations.gov. Informational only, not legal advice; this is a proposed rule and may change before any final rule — verify all citations against the rule text and your solicitation.

Share
BH

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the founder and principal advisor of GovConCyber. His advisory approach is shaped by roughly six years as a U.S. Army human intelligence collector, where information accuracy, source protection, classification discipline, need-to-know access, and controlled reporting were daily requirements. He brings that information-discipline mindset to GovConCyber's work helping government contractors understand and comply with federal cybersecurity obligations.

About GovConCyber →Subscribe to the newsletter →
Was this post helpful?

Keep reading

Rule UpdatesWhere Did DFARS 7019 and 7020 Go? The FAR Overhaul's Quiet Cybersecurity ReshuffleTwo DFARS clauses that defense contractors have cited for years vanished on February 1, 2026. If you went looking for 252.204-7019 and couldn't find it, you're not imagining things — and the good news is that almost nothing about your actual obligations changed.June 17, 2026 · 5 min readRule UpdatesNIST Just Finalized 800-172 Rev 3 — Here's Why CMMC Level 3 Contractors Shouldn't Panic YetOn May 13, 2026, NIST finalized a much bigger version of the enhanced-security publication behind CMMC Level 3. The headline number nearly tripled — but if you're chasing Level 3 today, the rules you're measured against did not change.June 17, 2026 · 6 min readRule UpdatesCISA's New Patching Directive (BOD 26-04) Rewrites the Vulnerability Clock — and Contractors Should Read It TooCISA's BOD 26-04 replaces BOD 19-02 and 22-01 with a risk-based patching model: fix the highest-risk, actively exploited, edge-facing flaws in three days. It binds agencies, but it reaches their contractors.June 14, 2026 · 6 min read