Skip to main content
Rule Updates

The Federal Cyber Rulemaking Stack: Five Rules Landing July–September 2026

CMMC Rev. 3, CIRCIA, two FAR Council rules, and a DFARS 252.204-7012 update are all targeted to hit milestones between July and September 2026 — the most concentrated stretch of federal cybersecurity rulemaking activity contractors will see this year.

Brandon Hancock, J.D., CMMC-RPPublished July 10, 2026Updated July 10, 20267 min read

Five separate rulemakings, five separate agencies, one landing window. If you track them one at a time, you will keep getting surprised.

Between July and September 2026, five federal cybersecurity rulemakings are scheduled to reach a milestone — a final rule, an interim final rule, or a notice of proposed rulemaking — and no single page on this site (or anywhere else we've found) puts all five on one timeline. Individually, each is a moderate-sized compliance event. Together, they represent the most concentrated stretch of federal cybersecurity rulemaking activity most government contractors will see this year. This page is the anchor: what each rule is, where it actually stands (per the 2026 Unified Agenda), and how they connect.

The Stack, at a Glance

RuleRINAgencyStageUnified Agenda Target
CMMC Rev. 2→Rev. 3 transition0790-AM01DoDInterim Final Rule07/00/2026
CIRCIA reporting rule1670-AA04CISAFinal Rule09/00/2026
FAR 2021-019 (unclassified system cyber standards)9000-AO35FAR CouncilFinal Rule09/00/2026
FAR 2021-017 (cyber threat/incident reporting)9000-AO34FAR CouncilFinal Rule09/00/2026
DFARS 252.204-7012 update0750-AM24DoDNPRM08/00/2026

All five dates come directly from the 2026 Unified Agenda (reginfo.gov). Two caveats up front, because they matter for everything below: Unified Agenda target dates are agency estimates, not deadlines with legal force, and they slip routinely — the CMMC Rev. 3 rule alone has already moved once. And a "Final Rule" or "Interim Final Rule" listing means the rule is not yet in effect; nothing in this stack is a live obligation until it actually publishes.

What Each Rule Actually Does

CMMC Rev. 3 transition (RIN 0790-AM01). This interim final rule would set the deadline and transition period for moving CMMC compliance from NIST SP 800-171 Revision 2 to Revision 3. It is a new entry in the Unified Agenda — first published there in the 2026 cycle — which cuts against recent trade-press coverage suggesting the Rev. 3 transition was still years off. Current Level 1/Level 2 assessment requirements are unaffected until the rule actually publishes. Full breakdown: DoD Puts a Date on the CMMC Rev. 3 Transition.

CIRCIA reporting rule (RIN 1670-AA04). The Cyber Incident Reporting for Critical Infrastructure Act rule would require covered entities — a group that includes many contractors in the 16 critical-infrastructure sectors — to report significant cyber incidents within 72 hours and ransom payments within 24 hours. Two dates matter here and they are not the same thing: CIRCIA's statutory deadline was October 4, 2025, and it has already passed without a final rule. The September 2026 date is CISA's own revised administrative target under the Unified Agenda, not a new statutory deadline. Details: CIRCIA's Reporting Clocks Are Coming.

FAR 2021-019 (RIN 9000-AO35). A FAR Council rulemaking establishing cybersecurity standards for unclassified federal information systems — the FAR-side counterpart to DoD-specific rules like DFARS 7012. Targeted for a final rule in September 2026. A dedicated deep dive will follow once the final rule actually publishes; this page will link to it.

FAR 2021-017 (RIN 9000-AO34). A companion FAR Council rulemaking on cyber threat and incident reporting for civilian-agency contractors, designated "Economically Significant" in the Unified Agenda — a formal marker that its compliance costs cross a substantial federal threshold. Also targeted for September 2026. Same treatment: a standalone deep dive once it publishes.

DFARS 252.204-7012 update (RIN 0750-AM24). DoD's own clause — the one that pulls NIST SP 800-171 into defense contracts, sets the 72-hour DoD incident-reporting clock, and requires flow-down to subcontractors — is itself due for an update, currently at the NPRM (proposed rule) stage with an August 2026 target. Background on the current version: DFARS 252.204-7012: What Contractors Need to Know in 2026.

Why the Clustering Matters

None of these five rules is procedurally connected to the others — different statutes, different agencies, different comment dockets. But the practical effect for a contractor is the same regardless of the legal theory behind each one: overlapping reporting clocks, overlapping documentation expectations, and overlapping deadlines landing in the same 90-day window. A contractor that tracks CMMC in one place, CIRCIA in another, and the FAR/DFARS clauses in a third is likely to miss the interaction effects — for example, an incident that triggers a DFARS 7012 report, a CIRCIA report, and (once FAR 2021-017 is final) a FAR report, each on its own clock, to its own portal, on its own timeline.

The practical takeaway is the same one this site keeps repeating across CIRCIA, the FAR CUI rule, and CMMC's Rev. 3 transition: federal cybersecurity regulation is converging on documented, evidence-based, data-specific obligations, and the agencies writing these rules are not coordinating their calendars. You have to do that part yourself.

What to Do Now

1. Build one master timeline, not five. Track all five RINs in a single place — a spreadsheet, a calendar, or this page — rather than monitoring each agency's docket separately. 2. Map your reporting clocks now, before any of these rules are final. If you already report under DFARS 7012, identify where a CIRCIA obligation or a future FAR 2021-017 obligation would layer on top, and who owns each clock. 3. Don't treat "proposed" or "interim final" as "in effect." Every rule in this stack is pre-final or newly effective; confirm current obligations against the version of each clause actually in your contract today. 4. Revisit this page in September 2026. Three of the five targets cluster in that month — the highest-probability window for multiple rules to move at once.

Key Takeaways

  • Five federal cybersecurity rulemakings — CMMC Rev. 3 (RIN 0790-AM01), CIRCIA (RIN 1670-AA04), FAR 2021-019 (RIN 9000-AO35), FAR 2021-017 (RIN 9000-AO34), and the DFARS 252.204-7012 update (RIN 0750-AM24) — are targeted to hit milestones between July and September 2026, per the 2026 Unified Agenda.
  • These are five unrelated rulemakings from three different rulemaking bodies (DoD twice, CISA, and the FAR Council twice), not one coordinated regulatory package — but the overlapping timing means contractors face compounding reporting and documentation obligations regardless of the legal theory behind each rule.
  • None of these five rules is currently in effect; all remain either proposed, interim, or newly finalized, and Unified Agenda target dates slip routinely — track the underlying dockets, not just this summary.

Sources

  • Office of Information and Regulatory Affairs, Unified Agenda, RIN 0790-AM01 (CMMC Rev. 2→Rev. 3 transition), accessed July 10, 2026, https://www.reginfo.gov/public/do/eAgendaViewRule?RIN=0790-AM01&pubId=202510.
  • Office of Information and Regulatory Affairs, Unified Agenda, RIN 1670-AA04 (CIRCIA reporting rule), accessed July 10, 2026, https://www.reginfo.gov/public/do/eAgendaViewRule?RIN=1670-AA04&pubId=202510.
  • Office of Information and Regulatory Affairs, Unified Agenda, RIN 9000-AO35 (FAR 2021-019), accessed July 10, 2026, https://www.reginfo.gov/public/do/eAgendaViewRule?RIN=9000-AO35&pubId=202510.
  • Office of Information and Regulatory Affairs, Unified Agenda, RIN 9000-AO34 (FAR 2021-017), accessed July 10, 2026, https://www.reginfo.gov/public/do/eAgendaViewRule?RIN=9000-AO34&pubId=202510.
  • Office of Information and Regulatory Affairs, Unified Agenda, RIN 0750-AM24 (DFARS 252.204-7012 update), accessed July 10, 2026, https://www.reginfo.gov/public/do/eAgendaViewRule?RIN=0750-AM24&pubId=202510.

Informational only, not legal advice; Unified Agenda entries are agency estimates, not final rules — verify current obligations against the Federal Register and your actual contract clauses.

Share
BH

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the founder and principal advisor of GovConCyber. His advisory approach is shaped by roughly six years as a U.S. Army human intelligence collector, where information accuracy, source protection, classification discipline, need-to-know access, and controlled reporting were daily requirements. He brings that information-discipline mindset to GovConCyber's work helping government contractors understand and comply with federal cybersecurity obligations.

Was this post helpful?