Two Rule Changes You Need to Follow
By Ed Minyard, CBCP, CISM, CCP (pending), CMMC-RP
CISO, ResponseForce1 LLC
If you hold federal contracts — DoD, GSA, or otherwise — two significant regulatory developments deserve your attention right now. One has been in the news. One was issued without any public notice at all. Between them, they are rewriting the compliance baseline for any contractor that touches Controlled Unclassified Information.
Here’s what’s happening:
The FAR CUI Rule: Government-Wide, Still Proposed, Moving Forward
On January 15, 2025, the FAR Council — DoD, GSA, and NASA acting jointly — published a proposed rule that would extend NIST SP 800-171 requirements to every federal contractor handling CUI, regardless of agency. This is not a DoD-specific rule. If finalized, it covers the entire executive branch contracting ecosystem.
The rule has been 14 years in the making, tracing back to Executive Order 13556 in 2010. The public comment period closed March 17, 2025. Fewer than 30 comments were filed — a remarkably low number given the scope of what’s proposed. The FAR Council has to adjudicate each one before the final rule issues, and a small comment volume can actually accelerate that process.
As of this writing, the rule has not been finalized. The Trump administration’s January 2025 regulatory freeze created uncertainty about timing. But the cybersecurity trajectory is clear and bipartisan — CMMC 1.0 was a first-term Trump initiative — and the rule is expected to proceed in some form.
What the proposed rule would require:
- NIST SP 800-171 Rev. 2 compliance for all contractors with CUI in non-federal systems
- A new standard form (SF XXX) that contracting officers use to identify which contracts involve CUI and what categories apply — ending the chronic ambiguity about what information is actually covered
- An 8-hour incident reporting window for suspected or confirmed CUI incidents, flowing down to subcontractors
- Actual FedRAMP Moderate authorization for cloud services — the equivalency loophole is gone
- Financial liability for contractors determined to be at fault for a CUI incident
The 8-hour reporting requirement drew the most pushback in public comments, and rightly so. DFARS 252.204-7012 requires 72 hours. CIRCIA requires 72 hours. Eight hours for a suspected incident — before you even know what happened — is operationally unrealistic for most contractors, especially small businesses. Expect this to be revised in the final rule, but don’t count on it being eliminated.
The SF XXX standardized form is actually good news for contractors who have spent years trying to figure out which of their information qualifies as CUI. That ambiguity has been a genuine compliance problem. A uniform identification mechanism is long overdue.
What contractors should do now: If you handle CUI for any federal agency and you’re not already working toward NIST 800-171 compliance, the proposed rule is your signal to start. Waiting for finalization is not a strategy — the compliance work takes 6-12 months regardless of which rule triggers the requirement.
The GSA Framework: Already Active, Already Binding
This is the one that concerns me more from a practitioner standpoint.
On January 5, 2026, GSA issued CIO-IT Security-21-112, Revision 1 — a procedural guide establishing how Controlled Unclassified Information must be protected in nonfederal contractor systems. No press release. No awareness campaign. No public comment period. No formal rulemaking. It was issued as internal agency guidance, and contracting officers can apply it immediately to new contracts involving CUI.
Contractors who assumed that significant cybersecurity requirements come with notice-and-comment rulemaking learned otherwise.
What makes this framework different from CMMC:
First, the control set is newer. CMMC Level 2 maps to NIST SP 800-171 Revision 2. The GSA framework is built on Revision 3, supplemented by selected controls from NIST SP 800-172 (draft) and privacy controls from NIST SP 800-53 Rev. 5. Organizations that are CMMC-compliant have a strong foundation, but Rev. 3 adds requirement families that Rev. 2 does not have, notably supply chain risk management, planning, and system and services acquisition, and the privacy requirements come from the 800-53 overlay rather than from 800-171 itself. A Rev. 2 system security plan will not map cleanly onto either.
Second, there is no phased rollout. CMMC gives contractors a runway — Phase 1 started November 2025, full implementation extends to 2028. GSA gives you nothing. If a contract involves CUI and the contracting officer incorporates the framework, the full requirements apply from award.
Third, it’s not a pass/fail certification. GSA applies Risk Management Framework logic — system-by-system authorization decisions based on documentation review, assessment results, and ongoing deliverables. That actually makes CMMC look straightforward by comparison. There is no C3PAO equivalent handing you a certification. GSA’s security team makes a determination on your specific system.
The showstopper requirements — controls that block authorization entirely if not implemented — include MFA for all access, FIPS-validated encryption for CUI at rest and in transit, vulnerability scanning with remediation of critical and high findings, and elimination of all end-of-life components. No POA&Ms. No compensating controls. No risk acceptance. Either you have them or you don’t proceed. Note that FIPS-validated means a cryptographic module with an active NIST CMVP validation certificate, operated in its validated (FIPS mode) configuration; using approved algorithms in a module that has never been validated does not count, and this is where many otherwise well-run environments fail.
The assessor capacity problem is real. Assessment must be performed by a FedRAMP-recognized 3PAO or a GSA-approved assessor. The pool of qualified assessors is limited, and scheduling lead times are growing. If you wait until a contract requires this, you may not find an available assessor in time.
One more practical implication: Because DHS procures substantial IT and cybersecurity support through GSA vehicles — Alliant, OASIS, STARS III — GSA’s framework can reach DHS contractors whenever a contracting officer incorporates it into an order under one of those vehicles. If you’re doing DHS work through a GSA vehicle, read the task order: the clauses in the order control, and DHS separately flows down its own CUI safeguarding clause, HSAR 3052.204-72, so you may be carrying both sets of requirements on the same system.
The Convergence Problem
Here’s the situation contractors are actually facing: DoD is enforcing CMMC against NIST 800-171 Rev. 2. GSA is enforcing CIO-IT Security-21-112 against NIST 800-171 Rev. 3. The proposed FAR CUI rule, when finalized, will extend 800-171 requirements government-wide. And DoD has signaled it will eventually adopt Rev. 3 as well.
Contractors serving multiple agencies need to satisfy multiple frameworks simultaneously, with different control sets, different assessment methodologies, different documentation formats, and different reporting timelines. The technical controls overlap substantially. The differences are real enough to require separate attention.
The practical answer is to build your compliance program around NIST 800-171 as the common foundation and treat the agency-specific differences as layers on top — not as separate compliance exercises. Organizations that approach this right will be positioned for whichever finalized rule arrives next. Organizations that treat each framework as a separate project will spend a lot of money doing duplicative work.
What to Watch
The FAR CUI Rule final version is the next major development. When it issues, the 8-hour reporting requirement will be the first thing to check — if it survives unchanged, incident response programs across the industry will need serious rework. The SF XXX form structure will also matter; how contracting officers actually use it to identify CUI will determine how many contractors fall under the rule’s scope.
On the GSA side, watch for the assessor approval process to develop further. The framework currently leaves open how many assessors will be approved and how quickly. That supply constraint will be the practical limiting factor for compliance timelines, regardless of what the framework requires on paper.
The proposed FAR CUI Rule is tracked at the Federal Register under FAR Case 2017-016.
Edward Minyard is Chief Information Security Officer at ResponseForce1 LLC, a CMMC Level 2 certified MSSP. He advises defense and federal contractors on CMMC, NIST 800-171, and cybersecurity compliance program development. His book on federal CUI compliance is forthcoming.
