Over 1,000 pages on FAR overhaul heads to formal rulemaking process
Cabrillo Club
Editorial Team · June 22, 2026

TL;DR
The Federal Acquisition Regulatory Council has published four proposed rules totaling over 1,000 pages to formally overhaul 20 sections of the FAR (Federal Acquisition Regulation) — the most significant rewrite in 40 years. The package would shift bid protests from GAO to agencies, create a unified "do not buy" list for security risks, require 72-hour cybersecurity incident reporting, mandate FedRAMP (Federal Risk and Authorization Management Program) Moderate for cloud storage of CUI (Controlled Unclassified Information), and bar agreements that prevent subcontractors from selling directly to the government. These proposals touch core procurement processes, contract terms, and cybersecurity obligations and will affect government contractors across the GovCon industry. The public comment period runs through July 23, 2026, after which the Council will proceed through formal rulemaking. Immediate implications include rapid updates to compliance matrices, capture strategies, subcontract terms, and incident-response workflows.
Key Points
- What happened: The FAR Council published four proposed rules (over 1,000 pages) to overhaul 20 FAR sections, including moving protests to agencies, a unified "do not buy" list, 72-hour incident reporting, FedRAMP Moderate for CUI, and prohibiting clauses that restrict subcontractors from selling directly to government.
- Who is affected: Government contractors across the GovCon industry; affected agencies pending source review.
- Timeline: Public comment period runs through July 23, 2026.
- What contractors should do NOW: Inventory contracts and subcontract relationships for restrictive clauses, update incident response and reporting processes to meet a 72-hour window, assess cloud services used for CUI against FedRAMP Moderate expectations, prepare compliance-matrix updates and bid/no-bid filters, and submit targeted public comments by the July 23, 2026 deadline.
Who Is Affected
Government contractors across the GovCon industry are broadly affected: prime contractors, subcontractors, capture and proposal teams, security/compliance functions, and program managers will all need to reassess policies and contracts. Specific NAICS codes, agencies, and contract vehicles are pending source review.
Frequently Asked Questions
Q: Do these proposals change where bid protests are handled?
A: Yes. The Summary states the proposals move bid protests to agencies instead of GAO.
Q: Will contractors have to report cybersecurity incidents faster?
A: Yes. The Summary indicates a requirement for 72-hour cybersecurity incident reporting. Operational details and reporting channels are pending source review.
Q: Is FedRAMP Moderate required for all cloud services?
A: The Summary states FedRAMP Moderate would be required for cloud-stored CUI. Whether this extends to all cloud services or only those with CUI, and implementation timelines, are pending source review.
Definitions
- FAR: Federal Acquisition Regulation — the principal set of rules governing federal procurement referenced in the Title and Summary.
- Federal Acquisition Regulatory Council: The Council publishing the proposed FAR rule changes described in the Summary.
- GAO: Government Accountability Office — currently a forum for bid protests; the Summary states protests would move from GAO to agencies.
- CUI: Controlled Unclassified Information — information the Summary says would require FedRAMP Moderate if stored in the cloud.
- FedRAMP Moderate: A FedRAMP security baseline referenced in the Summary that would be required for cloud-stored CUI.
- "Do not buy" list: A unified list for security risks referenced in the Summary.
- 72-hour cybersecurity incident reporting: A proposed reporting timeline referenced in the Summary.
Intelligence Response
- Cabrillo Signals War Room — Already detected this event and delivered this briefing. Continuously monitors regulatory changes, contract vehicles, and policy shifts.
- Cabrillo Signals Match Engine — Automatically rescoring opportunity pipelines when events like this shift the competitive landscape.
- Cabrillo Signals Intelligence Hub — Tracks affected agencies, NAICS codes, and contract vehicles. Saved searches alert when follow-on solicitations appear on SAM.gov (System for Award Management).
- Proposal Studio (Proposal OS) — Use to update compliance matrices, bid/no-bid decision logic, and win-theme libraries to reflect 72-hour reporting and FedRAMP Moderate requirements.
- Proposal Studio Workflow Tracker — Use the 9-gate capture workflow to route compliance reviews, subcontract clause changes, and audit-ready documentation.
Recommended Cabrillo products to leverage now: Cabrillo Signals War Room, Cabrillo Signals Match Engine, Cabrillo Signals Intelligence Hub, Proposal Studio (Proposal OS), and Proposal Studio Workflow Tracker. Notify: Capture/BD Leads, Proposal Managers, Chief Security Officer (or security lead), Compliance/Contracting Officers, and Executive Leadership.
First 48-hour response playbook
- Hour 0–4: Ingest the War Room briefing; run a saved search in Intelligence Hub for your contracts and task orders; flag open proposals and live awards.
- Hour 4–12: Use Match Engine to rescore opportunity pipelines and Proposal Studio to insert 72-hour incident reporting and FedRAMP Moderate checks into compliance matrices; identify contracts with restrictive subcontract clauses.
- Hour 12–24: Convene Capture, Proposals, Security, and Contracts teams to assign remediation tasks; start drafting public comments where applicable to meet the July 23, 2026 deadline.
- Hour 24–48: Begin outreach to primes/subcontractors to negotiate clause changes, update incident response runbooks, and lock Proposal Studio Workflow Tracker gates for compliance reviews on affected pursuits.
Reference guides: Secure Operations Guide (/insights/secure-operations-guide); related guidance: CMMC (Cybersecurity Maturity Model Certification) Compliance Guide (/insights/cmmc-compliance-guide), CUI-Safe CRM Guide (/insights/cui-safe-crm-guide).

Cabrillo Club
Editorial Team
Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.