The Proposed FAR CUI Clause: What’s Changing, and Why It Matters Now
As of June 2026. The FAR CUI clause discussed here is a proposed rule in the public comment phase. It is not yet final and its details may change. This article is for general awareness and does not constitute legal advice.
For years, “CUI compliance” has been shorthand for one thing: the Department of Defense, NIST SP 800-171, and CMMC. That era is ending. A proposed update to the Federal Acquisition Regulation would extend formal CUI protection requirements across the federal government — and it does not simply copy the DoD model. It moves the bar.
Here’s what the proposed FAR CUI clause changes, where it diverges from the CMMC requirements contractors already know, and what the smart move is while the rule is still taking shape.
What the change is trying to accomplish
Outside the Department of Defense, CUI protection has been handled inconsistently: some civilian agencies wrote their own contract language, others did little at all. The proposed FAR CUI clause is the federal government's attempt to fix that by establishing one consistent, enforceable, government-wide standard for protecting CUI on contractor systems, rather than a patchwork that varies agency to agency.
The proposed rule pursues that goal through a handful of specific moves. It raises the security baseline (a transition to NIST SP 800-171 Revision 3), tightens how contractors may use the cloud, shifts responsibility for subcontractor flowdown onto contractors themselves, and — notably — relies on self-attestation rather than third-party certification. The comparison below previews those changes side by side against today’s DoD CMMC requirement; the sections that follow unpack each one.
(Comparison graphic: CMMC CUI vs. the proposed FAR CUI clause, at a glance.)
First, the status: this is a proposal, not a mandate
The proposed FAR CUI rule is currently in its public comment phase. Issued as part of the Revolutionary FAR Overhaul, it gives contractors an opportunity to submit feedback — citing “FAR Case 2026-001” — before the July 23, 2026 deadline, so that input can be considered as the final rule is developed.
That matters for two reasons. It means nothing here is locked in yet, so specifics can still shift. And it means contractors have a genuine window — both to weigh in on the rule, and to get ahead of where it’s clearly heading.
The direction is not ambiguous. This is the same trajectory we’ve watched play out across the federal landscape: CUI protection is moving from inconsistent, agency-by-agency handling toward a single, enforceable, government-wide standard.
What’s actually different from CMMC
If you’re a defense contractor, much of the proposed clause will feel familiar. But three differences deserve real attention, because they’re not cosmetic.
1. A jump to NIST SP 800-171 Revision 3
This is the headline change. The proposed rule would require contractors to protect CUI using the security requirements of NIST SP 800-171 Revision 3, a key change from the original proposal and a deviation from the DoD standard, which currently requires controls consistent with Revision 2 (the edition underlying DFARS 252.204-7012 and CMMC Level 2).
Rev 3 isn't a minor version bump. It restructures the requirements (consolidating Rev 2's 110 into 97 while adding detail within them) and, critically, introduces Organizationally Defined Parameters (ODPs): specific values, such as password lengths, session timeout windows, and review frequencies, that an organization sets for certain controls. Left unmanaged, ODPs could mean every agency defines "compliant" differently. The proposed rule addresses that by specifying government-defined ODPs rather than leaving them open to interpretation, with the intent that the FAR's Rev 3 parameters align with the values DoD eventually codifies, so requirements converge across federal agencies over time rather than fragmenting.
The planning wrinkle is real: a company serving both defense and civilian customers could find itself measured against two editions of the same standard at once — CMMC against Rev 2, the FAR clause against Rev 3. That’s not an emergency, but it’s a mapping problem that rewards early attention.
2. A clearer, but still demanding, cloud bar
The proposed clause addresses cloud service providers directly. Contractors using a CSP to process, store, or transmit CUI would need that provider to either hold a current FedRAMP Moderate authorization, or to have implemented security controls equivalent to the FedRAMP Moderate baseline.
This closely mirrors the DoD approach under DFARS 252.204-7012, so it won't surprise anyone already operating in the defense space. But "equivalent to the Moderate baseline" is a phrase that demands evidence, not assertion: in the DoD context, equivalence has come to mean a documented body of evidence for the cloud service offering, assessed against the FedRAMP Moderate baseline, rather than a vendor's marketing statement. If you're relying on a commercial cloud today, the question to answer now is whether you can actually demonstrate that equivalence, and whether your provider can produce the evidence behind it.
3. Flowdown scoping lands on the contractor
Here's where the proposed FAR approach differs from a blanket, prescriptive flowdown. The mechanism itself is not optional: once a subcontractor will handle CUI, the prime is required to prepare a Standard Form (referred to in the draft as SF XXX) identifying that CUI and pass it down. What the contractor determines is scoping: which subcontractors actually touch CUI and therefore get looped in. The obligation is mandatory; the judgment is in applying it.
That scoping call carries weight. Mis-scope it — miss a subcontractor that genuinely handles CUI — and you’ve created a flowdown gap you’re accountable for. The form may be the government’s, but getting the boundary right, and proving you did, is on you.
The quieter shift: no third-party certification
One structural difference is worth calling out plainly. Unlike CMMC, the proposed FAR rule relies on disclosure in the offer and documentation provided on request — not a third-party certification.
It would be a mistake to read that as “easier.” Self-attestation means your security posture is asserted by you, in writing, in a federal offer — and can be examined later. The absence of a certification gate doesn’t lower the standard; it shifts where the scrutiny lands, and raises the cost of getting it wrong.
It would also be a mistake to read it as a way around CMMC. These are two different frameworks for two different contract universes: the proposed FAR CUI clause governs civilian-agency contracts, while CMMC governs DoD contracts. A defense contractor handling CUI still needs its CMMC certification — including a C3PAO assessment at Level 2 or DIBCAC at Level 3 where the contract requires it — regardless of the FAR rule’s self-attestation path. If you serve both customers, you answer to both models.
The Fortreum read
Step back from the line items and the pattern is clear: civilian CUI protection is converging toward the rigor the defense industrial base has lived with for years — and in the case of Rev 3, in some respects moving past it.
This is exactly the shift we’ve been built for. The organizations that will absorb this smoothly aren’t the ones scrambling to self-attest the week a clause appears in a solicitation. They’re the ones who treat compliance as a continuous capability — who already know where their CUI lives, can already demonstrate cloud equivalence, and already maintain an accurate, evidence-backed system security plan.
A few moves are worth making now, while the rule is still in comment:
- Find your CUI. Inventory where it lives across your systems and which external providers touch it. You can’t protect — or attest to — what you haven’t mapped.
- Pressure-test your cloud. Confirm whether the services handling your CUI meet the FedRAMP Moderate bar, and whether you can evidence equivalence if asked.
- Start the Rev 2 → Rev 3 gap analysis. If you serve both defense and civilian customers, understand where the two editions diverge before you’re asked to satisfy both.
- Get your SSP honest. Make sure it reflects actual practice, including the external providers it must name.
- Consider commenting. The window to shape FAR Case 2026-001 closes July 23, 2026.
The contractors who move now won’t be reacting to this rule. They’ll already be ready for it.
Talk to an accredited assessor
Fortreum is an authorized FedRAMP 3PAO and an accredited C3PAO for CMMC. If you want to understand where you stand against today’s requirements — and where the proposed FAR CUI clause could take them — our practitioners can help you build a clear, evidence-backed readiness picture.
Sources
- National Law Review, "RFO Rulemaking Gives Contractors a Second Opportunity to Comment on FAR CUI Rule" — natlawreview.com
- NIST, SP 800-171 Rev. 3, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" — csrc.nist.gov/pubs/sp/800/171/r3/final
- David Koran & Associates, "The Proposed FAR CUI Rule: A Plain Language Brief for Management"
- Holland & Knight, "FAR Council Proposes Compliance with NIST SP 800-171 for Non-Defense Contractors"
- Federal Register, FAR Case 2026-001 (proposed rule)
Subject-matter direction provided by Fortreum’s compliance practitioners. Regulatory specifics reflect the proposed rule as of June 2026 and are subject to change.
