FAR rewrite leaves CUI confusion intact
Consolidating clauses helps buyers find the rules; it does not tell contractors when agencies have triggered them.
TL;DR
Government Executive says the Federal Acquisition Regulation rewrite has not solved contractors’ recurring problem with controlled unclassified information: inconsistent agency implementation and unclear triggering facts. The FAR overhaul may consolidate information security and supply-chain provisions, but Executive Order 13556, National Archives and Records Administration CUI rules, NIST SP 800-171 and Cybersecurity Maturity Model Certification still sit outside that cleanup. The affected reader is not the policy shop. It is the bidder pricing cyber work before the solicitation tells them what data they will actually touch.
The FAR rewrite can make acquisition text easier to find without fixing the part contractors keep tripping over. Government Executive’s point is straightforward: shortening or reorganizing the Federal Acquisition Regulation does not answer the operational CUI question, which is whether an agency has clearly identified controlled unclassified information early enough for a contractor to price, staff and secure the work.
That distinction matters because the official rewrite work is real. FAR Part 40 is being used as a consolidated home for information security and supply-chain security requirements, with agencies describing moved security provisions and a smaller set of clauses in their class-deviation materials. DHS, for example, says requirements formerly spread across FAR subparts 4.4, 4.19 through 4.23 and 25.7 are being moved into Part 40, and that more than a dozen provisions and clauses are being merged into four. https://www.acquisition.gov/sites/default/files/page_file_uploads/DHS_RFO_Deviation_Part-40.pdf
But consolidation is not classification, marking or scoping. The GovExec piece says contractors still face inconsistent agency guidance, varying interpretations and uncertainty over what qualifies as CUI. That is the expensive uncertainty. If a solicitation does not make the CUI boundary clear, the contractor is left guessing at NIST Special Publication 800-171 implementation cost, staffing, tool spend and proposal risk. Small businesses feel that first because uncertainty prices like a tax, even when no one calls it one.
CMMC does not erase the ambiguity either. The Defense Department’s CMMC materials tie the model to NIST SP 800-171 and address how CMMC levels appear in contracts, but the contractor still needs the government to tell it what information is CUI and whether the requirement flows down. https://dodcio.defense.gov/cmmc/FAQs/ The Monday work is therefore boring and necessary: read the reorganized FAR text, but keep pressing contracting officers for explicit CUI identification, marking, flowdown and system-boundary answers before treating “streamlined acquisition” as streamlined compliance.
Published ·Deep Fathom