
FAR overhaul pushes CUI, FedRAMP clauses into rulemaking

This is not one procurement cleanup; it is three contractor security programs being rewritten on the same track.


TL;DR

FedScoop reports that four proposed Federal Acquisition Regulation rules, totaling more than 1,000 pages, are set for Federal Register publication and would revise 20 FAR sections for the first major update in 40 years. Primes, subs and contractors would face 72-hour cyber incident reporting, controlled unclassified information safeguarding changes, and at least a [FedRAMP Moderate](https://www.deepfathom.ai/glossary#fedramp-moderate) baseline when CUI sits in the cloud. Comments run through July 23, but the final schedule and phase-in remain unresolved.

Editorial illustration · drawn by The Broadside

FedScoop reports that four proposed FAR rules are moving into formal rulemaking, converting more than a year of council rewrites and agency deviations into the harder terrain of codified procurement clauses. The package would touch 20 FAR sections and more than 1,000 pages, including Part 4 on administrative and information matters, Part 39 on information and communication technology, Part 40 on information security and supply chain security, and Part 52 on solicitation provisions and contract clauses.

For contractors, the security pieces are not decorative. One rule would require cybersecurity incidents to be reported within 72 hours. The same rule would change how contractors handle controlled unclassified information, including a uniform process for communicating what information must be managed and safeguarded, and where a CUI incident must be reported. If CUI is held in the cloud, the contractor would have to use services meeting at least the [FedRAMP Moderate](https://www.deepfathom.ai/glossary#fedramp-moderate) baseline.

The breadth matters more than the page count. A prime can usually absorb a new clause by sending work to legal, contracts or security and letting the queue sort itself out. This package does not behave like that. Incident disclosure pulls in the security operations center and outside counsel. CUI handling reaches program teams, subcontract flowdowns and document systems. FedRAMP Moderate affects cloud architecture and vendor selection. The software resale restriction reaches procurement strategy and subcontract terms. The same contractors will have to run those workstreams in parallel.

There are other procurement changes in the package, including regular regulatory reviews and sunsets, a higher threshold for public announcement of significant contract awards from $4.5 million to $5.5 million, a dynamic webpage for emergency procurement regulations, and a proposed shift of bid protests toward the agencies involved rather than the Government Accountability Office. Those are not small edits. But for security and compliance teams, the Monday problem is simpler: map where CUI is stored, identify cloud services below FedRAMP Moderate, test whether 72-hour incident reporting is operationally real, and check subcontract language before the rule is final.

The open item is timing. Public comment runs until July 23, according to FedScoop. The story does not identify an implementation date, phase-in period or final-rule schedule. That makes this a planning trigger, not a compliance deadline, which is still useful if contractors treat it as architecture work rather than another clause to read after award.


Published · Deep Fathom
