Posts

Showing posts with the label CUI

FAR Council Begins Rulemaking to Implement FAR Overhaul, Proposing Revisions to 20 FAR Parts

What: The Federal Acquisition Regulatory Council (FAR Council) issued the first four proposed rules to implement Executive Order (EO) 14275, Restoring Common Sense to Federal Procurement, covering 20 parts of the Federal Acquisition Regulation (FAR), including the related clauses and forms in Parts 52 and 53. (The proposed rules can be found here , here , here , and here .) The FAR Council intends to issue a total of 12 proposed rules that collectively will revise the entire FAR. This formal notice-and-comment rulemaking represents Phase Two of the “ Revolutionary FAR Overhaul ” (RFO) process that began in 2025, when the FAR Council issued a series of model class deviations to the FAR that virtually all federal agencies have adopted. The proposed rules incorporate and build on general changes from the RFO class deviations, such as reorganizing the FAR Parts to follow the phases of the acquisition process, revising text to use plain language, and relocating examples of best practices a...

They’re Here! The Cybersecurity Maturity Model Certification Requirements for DoD Solicitations and Contracts Are Live. What Does This Mean for Your Organization?

  This alert serves to remind contractors of the much-ballyhooed Cybersecurity Maturity Model Certification (CMMC) and updates our previous articles on   the Department of Defense’s (DoD) proposed CMMC Program rule   and   DoD’s issuance of a new final rule , codified at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 (contract clause) and 252.204-7025 (solicitation provision). The new DFARS rule implements the CMMC Program’s requirements into DoD contracts over the course of a three-year phase-in period. This week, as of November 10, 2025, Phase 1 of this rule’s rollout has finally become effective, with significant implications for defense contractors. As discussed in our prior articles, the new CMMC rule will apply to defense contracts involving contractor information systems handling federal contract information (FCI) or controlled unclassified information (CUI) only . There is a significant exception for contracts solely for the acquisiti...

DoD Finalizes Cybersecurity Maturity Model Certification Rule: What Defense Contractors Need to Know

Image
On September 10, 2025, the U.S. Department of Defense (DoD) published a  final rule  that will shake up cybersecurity compliance for DoD contractors. T he new rule formally incorporates the Cybersecurity Maturity Model Certification (CMMC) program into nearly all DoD contracts through the Defense Federal Acquisition Regulation Supplement (DFARS) . This move has far-reaching implications for employers across the defense industrial base. Quick Hits Beginning November 2025, the DoD will issue contracts requiring contractors to comply with CMMC cybersecurity standards and conduct third-party or self-assessments, depending on the sensitivity of the information they handle. In addition to achieving and maintaining the CMMC level specified in each solicitation or contract, the final rule will require contractors to flow down the appropriate requirements to subcontractors, and to document and publish the results of assessments. While the rule will be phased in over three years, emplo...

Federal Contractors Handling Sensitive Government Information

  On Oct. 21, the new Federal Acquisition Regulation (“FAR”) rule (the “CUI Rule”) aligning requirements for federal contractors to properly safeguard Controlled Unclassified Information (“CUI”) as outlined in Executive Order 13556 (the “Executive Order”) completed regulatory review. The CUI Rule’s language has not yet been released, but once it is published on the Federal Register, we expect it to introduce some manner of mandate directing compliance with NIST SP 800-171. The CUI Rule demonstrates the Federal Government’s commitment to aligning the government contracting space with the evolving national security climate. Current and interested federal contractors will need to update their cybersecurity practices, policies, and procedures to meet the NIST SP 800-171 and the Executive Order’s standards. This will require new training programs for their workforce and management, implementation of new audit processes and audit logging requirements, and implementation of continuous ne...