The Federal Acquisition Regulatory Council published a proposed FAR overhaul rule on June 23, 2026, and several of the changes land directly on business technology decisions. The proposal touches Controlled Unclassified Information (CUI), cloud-service controls, subcontractor flow-downs, security prohibitions, and 72-hour reporting timelines.
For a small or midsize business that sells to the federal government, supports a prime contractor, or stores government-related information for a customer, this is not only a legal or contracting update. It is a practical test of whether the business knows where sensitive contract data lives and which vendors are involved.
The Business Decision Is Bigger Than the Contract Clause
The proposed rule would update FAR language around CUI handling and says that, when a contractor uses a cloud service provider to store, process, or transmit identified CUI, the provider must meet security requirements equivalent to the FedRAMP Moderate baseline. It also discusses NIST SP 800-171 Revision 3 and the use of NIST SP 800-172 enhanced controls when an agency identifies them for critical programs or high-value assets.
That creates a straightforward ownership question: who is actually responsible for proving that the systems in use match the contract requirement? In many businesses, the answer is split across the owner, contract manager, MSP, cloud provider, software vendor, and subcontractor. That split is where assumptions get expensive.
A business may believe CUI is only in one shared folder, while employees also store related files in email, a project-management system, a file-sync tool, backups, or a vendor portal. A contract may require a control level that the business has not matched to its actual cloud services. A subcontractor may receive sensitive information without a clear flow-down or reporting process.
Questions to Put in Front of the IT Provider
Owners do not need to become FAR specialists to ask better questions. They do need answers that are specific enough to support a contract decision.
- Where does CUI live? Ask for a current list of systems that store, process, transmit, back up, or archive contract-related sensitive information.
- Which cloud services are in scope? Confirm whether email, file sharing, backup, ticketing, remote support, line-of-business apps, and vendor portals are included.
- What evidence supports the cloud-control claim? Do not accept a broad statement that a platform is secure. Ask what service, plan, configuration, and responsibility model apply.
- How will subcontractors receive requirements? If sensitive contract information is shared downstream, ask how the requirement is documented and tracked.
- Who owns 72-hour reporting? The proposal discusses standardizing several reporting windows to 72 hours from discovery. Ask who decides when discovery occurred and who contacts the contracting officer.
- What happens when requirements conflict? The proposal includes a 72-hour notification concept when a contractor determines it cannot comply because of another law or regulation. Ask who reviews that situation before it becomes a missed obligation.
A Practical Next Step
The useful move is a short CUI and cloud-control review before the next federal bid, renewal, subcontract, or audit request. Start with the contract language, identify the systems that touch the data, compare those systems to the required controls, and document the gaps in plain English.
This review should not be a binder-building exercise. It should produce decisions: which systems remain approved, which vendors need written evidence, which workflows need to change, which subcontractors need clearer terms, and which risks need owner approval.
The proposed rule is still in the comment stage, with comments due July 23, 2026. That makes now a good time to prepare rather than wait for a rushed contract review later. Cloud and CUI controls are easier to fix when they are still on the desk, not when a deadline is already in the hallway.