CMMC Ready Now
Compliance Analysis

Beyond DoD: How the FAR CUI Rule Could Bring CMMC-Level Protection to Every Federal Contract

Today, CMMC applies only to DoD contractors. But a proposed FAR rule would require any company with a federal contract that touches controlled unclassified information (CUI) to implement the same NIST SP 800-171 controls. If it clears the rulemaking process, the population of contractors that needs a documented cybersecurity compliance program expands far beyond the defense industrial base.

Why This Matters Now

The FAR CUI rule is still in the rulemaking process. It is not yet in effect. But contractors who already handle CUI for civilian agencies should understand what is coming and use this window to get ahead of it, not wait for a contract clause to force the conversation.

Where CUI Requirements Stand Today

Right now, the only contractors with a hard contractual obligation to implement NIST SP 800-171 and obtain a CMMC certification are those in the DoD supply chain. The authority is DFARS 252.204-7021, the clause that began phasing CMMC into DoD solicitations in November 2025 (Phase 1, in which Level 2 contractors self-assess); Phase 2, which requires a third-party C3PAO assessment for most Level 2 awards, follows a year later.

But CUI is not a DoD-only problem. Executive Order 13556, signed in November 2010, established a governmentwide CUI program. The National Archives and Records Administration (NARA) runs the CUI Registry, which lists 125-plus categories drawn from every federal agency: engineering data, health research, law enforcement records, financial information, transportation plans, critical infrastructure details. When an agency designates information under one of those categories and puts it in a contractor's hands, it is CUI, and the protection requirement travels with it.

32 CFR Part 2002, in force since 2016, already requires agencies to protect CUI and to pass that requirement into their contracts and agreements. What has been missing is a standard FAR clause with teeth. Agencies have handled CUI protection inconsistently, some inserting their own contract language, others saying nothing at all.

The proposed FAR CUI rule is the attempt to fix that inconsistency.

What the FAR CUI Rule Actually Proposes

The FAR Council, which includes DoD, GSA, and NASA, published a proposed rule (FAR Case 2017-016, January 2025) that would add CUI protection clauses to the Federal Acquisition Regulation. The core of it: any contractor that handles CUI on behalf of a federal agency must implement the NIST SP 800-171 controls on the systems that process, store, or transmit that CUI.

That is the same 110-requirement standard (NIST SP 800-171 Rev 2) that CMMC Level 2 is built on. The proposed rule would also require contractors to:

  • Maintain a system security plan (SSP) documenting their environment
  • Report cybersecurity incidents to the federal agency within a defined window (eight hours from discovery, as proposed)
  • Flow down the requirements to subcontractors who also handle CUI
  • Self-attest to their compliance at contract award and annually

The self-attestation model is a key difference from CMMC. Under CMMC Level 2, most contractors must bring in a CMMC Third-Party Assessment Organization (C3PAO). The FAR CUI rule, as proposed, would allow self-attestation initially, similar to CMMC Phase 1 and to the DFARS 252.204-7019/7020 self-assessment regime that preceded it.

Whether third-party assessments eventually become required depends on how the final rule lands and how agencies choose to implement it. Given what happened with CMMC, betting on self-attestation staying permanently would be a mistake.

Which Contractors Get Pulled In

The scope is broad. Any company with a federal contract that generates, receives, stores, or transmits CUI would fall under the rule. That covers a much wider population than just defense contractors.

Examples of what would be in scope:

  • HHS and NIH contractors handling health research data, clinical trial information, or grant-related financial records
  • USDA contractors working with agricultural program data, supply chain information, or rural development plans
  • DOE contractors managing energy infrastructure data or nuclear information that falls outside classified categories
  • DHS contractors handling law enforcement sensitive, immigration, or critical infrastructure records
  • DOT contractors with access to transportation security plans or critical infrastructure designs
  • GSA schedule holders who provide IT or professional services to agencies and touch CUI in the process

Companies that have stayed focused on civilian agency contracts specifically because they wanted to avoid CMMC should plan for that distinction to disappear.

How It Compares to CMMC

Factor | CMMC Level 2 | FAR CUI Rule (Proposed)
Applies to | DoD contractors handling CUI/CDI | All federal contractors handling CUI
Technical standard | NIST SP 800-171 Rev 2 (110 requirements) | NIST SP 800-171 Rev 2 (110 requirements), as proposed
Assessment model | Third-party C3PAO for most Level 2 contracts; self-assessment for a subset | Self-attestation (initially)
Flow-down requirement | Yes, to subcontractors handling CUI | Yes, to subcontractors handling CUI
Incident reporting | Yes, 72 hours to DoD (DC3) under the companion clause DFARS 252.204-7012 | Yes, eight hours from discovery to the contracting agency, as proposed
SSP required | Yes | Yes
Enforcement status | In DoD contracts since November 2025 (Phase 1); C3PAO assessments phase in from Phase 2 | Proposed; no final rule
Score/tracking | NIST SP 800-171 self-assessment score and CMMC status posted in SPRS | Not yet defined

The underlying technical requirement is essentially the same. Both point to NIST 800-171. The difference is in enforcement mechanism and who has to comply. If you have already built your CMMC program, you are in a much better position than a civilian-agency-only contractor who has never touched 800-171.

If you are a DoD contractor, the FAR CUI rule matters for a different reason. Many companies in the defense supply chain also hold civilian agency contracts. Once the final clause is in force and appears in those contracts, at award or by modification, they carry the same requirements. A single compliance program that covers both is far more efficient than managing two separate tracks.

Current Status and What Comes Next

The FAR CUI rule is still working through the federal rulemaking process. The proposed rule was published for public comment in January 2025, the comment period closed in March 2025, and the FAR Council is reviewing the comments before issuing a final rule. No final rule has been published as of May 2026.

Federal rulemaking does not move fast. From proposed rule to final rule typically takes one to three years. Add implementation time after that, and a contractor subject to the rule probably has a window before hard enforcement. But the comment period is closed. The direction is set.

The political environment matters here too. Administrations change, regulatory priorities shift. But the underlying need, protecting federal data from adversaries who target contractors as a softer entry point, is not going away. The documented threat activity against federal contractors is what drove these requirements in the first place.

Contractors who wait for the final rule to start preparing will face the same crunch that DoD contractors faced in 2024 and 2025. The window to get ahead of it exists right now.

What to Do Before This Rule Lands

You don't need to wait for the final rule to start. NIST 800-171 is a published standard. If you handle CUI from any federal agency, implementing these controls is the right thing to do regardless of whether there's a contract clause requiring it yet.

Four things to do now:

1. Identify where your CUI lives

Map every system, application, file share, and mailbox that touches federal data. Start with material that carries CUI banner markings, then chase the unmarked copies: the attachment forwarded to a personal mailbox, the spreadsheet exported to a laptop. You cannot protect what you have not found. CUI scattered across personal drives and unmanaged email accounts is the most common gap we see in gap assessments.

2. Determine which NARA categories apply to you

Not all CUI is the same. Check the NARA CUI Registry and identify which categories appear in your contracts. CUI Basic is protected under the uniform 32 CFR Part 2002 rules; CUI Specified categories carry handling or dissemination requirements set by their own law or regulation, so the category list determines what your SSP and handling procedures must cover beyond the NIST SP 800-171 baseline.

3. Run a gap assessment against NIST SP 800-171

If you have never scored yourself against all 110 requirements, do it now, using the DoD assessment methodology that starts at 110 and deducts 1, 3, or 5 points for each requirement not implemented, so the result is directly comparable to the SPRS score DoD already expects. The gap assessment tells you how far you are from compliance and what the remediation effort looks like before a contract clause makes it mandatory.

4. Build a single compliance program that covers both DoD and civilian work

If you hold both DoD and civilian agency contracts, do not build separate programs. NIST SP 800-171 is the common baseline. One documented environment, one SSP, and one POA&M cover both. It is more work upfront and less work indefinitely.
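As an added example (not code from the original article), the following Python script shows what a first pass at steps 1 and 2 looks like in practice: it walks a directory tree, finds text files that carry a CUI banner marking in the form the NARA CUI Marking Handbook prescribes (CUI or CONTROLLED, optionally followed by //category codes and //limited dissemination controls), tallies the category codes in use, and flags any marked file that sits outside the paths you have designated as your CUI enclave. The file layout, file contents, and enclave path are constructed sample data; the marking syntax, the set of file extensions read as text, and the enclave convention are assumptions you would adjust for your own environment. The caveat to keep in mind: a marking scan only finds CUI that was marked. Material that arrived unmarked, or that lives in Office, PDF, or mail-store formats, needs a text extractor or a content classifier on top of this.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Banner forms from the NARA CUI Marking Handbook (assumption: the scanned files
# carry these markings; unmarked CUI is invisible to this scan):
#   CUI  |  CUI//SP-CTI  |  CONTROLLED//PRVCY/PROPIN  |  CUI//SP-EXPT//NOFORN
_STANDALONE = re.compile(r"^\s*(CUI|CONTROLLED)(?://([A-Z0-9/-]+))?\s*$")  # whole-line banner
_INLINE = re.compile(r"\b(CUI|CONTROLLED)//([A-Z0-9/-]+)")                 # marking inside a line

# Assumption: only these extensions are read as text; Office/PDF/PST need an extractor.
TEXT_EXTS = {".txt", ".md", ".csv", ".json", ".xml", ".html", ".eml"}


@dataclass
class Finding:
    path: str
    categories: set = field(default_factory=set)  # e.g. {"SP-CTI"}; empty means basic CUI only
    ldc: set = field(default_factory=set)         # limited dissemination controls, e.g. {"NOFORN"}
    in_enclave: bool = False


def _markings(text):
    """Return (categories, ldc) for the markings in one file, or None if it carries none."""
    cats, ldc, hit = set(), set(), False
    for line in text.splitlines():
        m = _STANDALONE.match(line) or _INLINE.search(line)
        if not m:
            continue  # prose that merely mentions 'CUI' matches neither pattern
        hit = True
        if m.group(2):
            segments = m.group(2).split("//")  # [categories, ldc, ldc, ...]
            cats.update(c for c in segments[0].split("/") if c)
            for seg in segments[1:]:
                ldc.update(c for c in seg.split("/") if c)
    return (cats, ldc) if hit else None


def scan_tree(root, enclave_dirs):
    """Walk root; return a Finding for every text file carrying a CUI banner marking.
    Files outside enclave_dirs are the 'scattered across personal drives' gap."""
    enclave_dirs = [os.path.abspath(d) for d in enclave_dirs]
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.abspath(os.path.join(dirpath, name))
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = _markings(fh.read())
            except OSError:
                continue
            if found is None:
                continue
            in_enc = any(path.startswith(d + os.sep) for d in enclave_dirs)
            findings.append(Finding(path, found[0], found[1], in_enc))
    return findings


def categories_in_use(findings):
    """Distinct NARA category codes seen across all findings (the input to step 2)."""
    return sorted(set().union(*(f.categories for f in findings)))


def build_sample_tree():
    """Constructed sample data (not real CUI): a share layout with marked and unmarked files."""
    root = tempfile.mkdtemp(prefix="cui_scan_")
    files = {
        "shares/enclave/eng/bracket_rev3_notes.txt":
            "CUI//SP-CTI\nTolerance notes for drawing 3187-B.\nCUI//SP-CTI\n",
        "shares/enclave/hr/visitor_policy.txt": "CUI\nVisitor escort procedure.\nCUI\n",
        "home/jsmith/Desktop/grant_budget_fy25.csv":
            "CONTROLLED//PRVCY/PROPIN\nline,amount\n1,42000\n",
        "home/jsmith/Downloads/export_memo.txt":
            "Forwarded: CUI//SP-EXPT//NOFORN see attached\n",
        "home/jsmith/Downloads/training.txt":
            "Slides for the CUI program awareness session, nothing sensitive here.\n",
        "shares/enclave/eng/bracket.stp": "CUI//SP-CTI\n",  # skipped: not a text extension
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def sample_scan():
    """Build the constructed tree and scan it, treating shares/enclave as the CUI enclave."""
    root = build_sample_tree()
    return root, scan_tree(root, [os.path.join(root, "shares", "enclave")])


if __name__ == "__main__":
    root, hits = sample_scan()
    print(f"{len(hits)} marked files; categories in use: {categories_in_use(hits)}")
    for f in hits:
        if not f.in_enclave:
            print("OUTSIDE ENCLAVE:", os.path.relpath(f.path, root),
                  sorted(f.categories), sorted(f.ldc))
```

On the constructed sample the scan reports four marked files, two of them outside the enclave (a budget spreadsheet on a desktop and a forwarded export-controlled memo in a Downloads folder), and a category list of PROPIN, PRVCY, SP-CTI and SP-EXPT; the training deck that merely mentions the CUI program is correctly ignored. Pointed at a real share with your real enclave paths, the same output is a starting inventory for the SSP and a list of locations that either need to move inside the boundary or be brought under the controls.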

The FAR CUI rule is not a surprise. It has been in development for years. Contractors who treat it as an unexpected burden will have missed the window to get ahead of it. The ones who treat it as confirmation that NIST SP 800-171 is the federal standard, full stop, will handle the transition without a fire drill.

If you handle CUI and you have not run a formal gap assessment against NIST 800-171, that is where to start. It tells you what you have, what you are missing, and what it takes to close the gaps before a contract clause forces the issue.
