Proposed Rule on CUI and CUI Incident Reporting Would Create New Requirements and Risks for Contractors
On June 23, 2026, the Federal Acquisition Regulatory Council issued a proposed rule that, if finalized, will affect how federal contractors and subcontractors must handle Controlled Unclassified Information (CUI) and report CUI incidents. Comments are due by July 23, 2026.
Key Provisions
- The proposed rule includes definitions of CUI and CUI incident.
- Controlled unclassified information is defined as “information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.” This is the same broad definition provided in the National Archives and Records Administration (NARA) regulations at 32 CFR Part 2002. Notably, CUI expressly does not include (i) information not created by or for an executive branch agency or an entity acting as an agency; (ii) federally-funded basic and applied research at colleges, universities and laboratories in accordance with National Security Decision Directive 189; or (iii) information a contractor creates or possesses that a law, regulation or Governmentwide policy does not specifically require it be handled using safeguarding or dissemination controls.
- CUI incident means the “unauthorized disclosure, improper modification, improper destruction of CUI, in any form or medium, or unauthorized access to the information system on which the CUI resides. Improper handling of CUI (e.g., unmarked or mismarked CUI) is not a CUI incident unless the improper handling has resulted in unauthorized disclosure, improper modification, or improper destruction of CUI.” For defense contracts, cyber incident is defined in DFARS 252.204-7012 as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”
- In general, for CUI incidents, the proposed rule requires reporting within 72 hours of discovery. CUI incidents involving a FedRAMP authorized cloud computing service may be reported in accordance with FedRAMP Incident Communication Procedures. This timeline tracks DFARS 252.204-7012, which requires contractors to report cyber incidents within 72 hours of discovery.
- Subcontractors must report incidents directly to the government, in addition to reporting to higher tier contractors and contracting officers.
- The rule proposes to remove the requirement for specific training that mandated a one-size-fits-all approach for how contractors must train employees and, instead, provides flexibility in training employees on handling CUI.
- Contractors must implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 3 and NIST SP 800-172, when incorporated in a contract and otherwise applicable.
- The proposed rule clarifies that if a contractor uses a cloud computing service provider to store, process or transmit CUI, the cloud service provider must meet security requirements equivalent to FedRAMP moderate. DFARS 252.204-7012 includes the same requirement for contractors using external cloud service providers to store, process or transmit any covered defense information.
False Claims Act Implications
Finalization of the rule will standardize CUI handling and incident-reporting requirements, increasing consistency across agencies and thereby strengthening the government’s enforcement ability in an area that is already a Department of Justice (DOJ) focus. Under the False Claims Act (FCA), DOJ has recovered over $80 million in cybersecurity-related settlements since October 2021, and its enforcement shows no signs of abating. On June 18, 2026, DOJ announced an FCA settlement with LOGZONE to resolve allegations that the company failed to implement required NIST SP 800-171 controls on Navy contracts. In its press release announcing the settlement, DOJ noted that the Defense Contract Management Agency uncovered LOGZONE’s alleged compliance issues during an assessment of the company’s implementation of NIST SP 800-171 security controls.
Key Takeaways
- CUI compliance and reporting are becoming more standardized and, thus, more easily enforceable. The rule introduces uniform definitions and reporting requirements, dictating government-wide expectations for safeguarding CUI.
- Incident reporting obligations will be strict and time-sensitive. Most CUI incidents must be reported within 72 hours, with subcontractors reporting directly to the government, increasing visibility and enforcement risk across the supply chain. Even with mandatory reporting, parties may be able to claim credit in a subsequent FCA resolution, under DOJ guidelines regarding cooperation, self-disclosure, and remediation in FCA settlements.
- DOJ enforcement risk remains. The proposed rule arrives in the context of DOJ’s continued use of the FCA to address contractor cybersecurity noncompliance, particularly where contractors fail to implement required NIST controls, and its now longstanding pledge to pursue failures to timely report cybersecurity incidents.
- Contractors and subcontractors should act now. Even before finalization, companies should assess whether they handle or generate CUI; evaluate current compliance against NIST SP 800-171 controls; ensure the required flow down of obligations to subcontractors; and review their incident response and reporting protocols.
- Engage Counsel for Privileged Review. If potential incidents are reported or identified, companies should work with legal counsel to evaluate reporting obligations, assess litigation risk under privilege, and consider appropriate mitigation and remediation.