Over 1,000 pages on FAR overhaul heads to formal rulemaking process

Overview

The Federal Acquisition Regulatory Council is moving four proposed rules (over 1,000 pages) into formal rulemaking that would overhaul 20 sections of the FAR (Federal Acquisition Regulation) — the most significant update in 40 years. Proposed changes include moving bid protests to agencies instead of GAO, creating a unified "do not buy" list for security risks, requiring 72‑hour cybersecurity incident reporting, mandating FedRAMP (Federal Risk and Authorization Management Program) Moderate for cloud‑stored CUI (Controlled Unclassified Information), and prohibiting agreements that restrict subcontractors from selling directly to the government. The public comment period runs through July 23, 2026, so contractors have a limited window to shape the record. Because these changes touch protests, supply‑chain relationships, cloud security posture, and incident handling, they will materially affect capture, contracting, compliance, and program delivery across the GovCon industry. Action is needed now to inventory exposures, update incident and subcontracting processes, and prepare comments and implementation plans.

Immediate Actions (This Week)

• [ ] Start a targeted risk inventory: identify contracts, task orders, and prime/sub relationships that include clauses limiting subcontractor direct sales and flag agreements that may conflict with the proposed prohibition on restricting subcontractor direct sales to government.
• [ ] Inventory CUI and cloud storage: map where Controlled Unclassified Information (CUI) resides in cloud environments and record current FedRAMP status of those cloud services (FedRAMP Moderate is cited in the proposal).
• [ ] Update incident response trigger and escalation: ensure your IR plan, contracts team, and executive leadership know to prepare for a 72‑hour cybersecurity incident reporting requirement; identify who will collect evidence and notify customers/contracting officers under a compressed timeline.

Short-Term Actions (30 Days)

• [ ] Convene legal, contracts, cybersecurity, and capture leads to draft comment positions for the July 23, 2026 public comment period — prioritize operational impacts (incident reporting window, FedRAMP applicability, protest venue, subcontract flowdowns, and the "do not buy" list).
• [ ] Run a tabletop exercise for a 72‑hour incident scenario involving cloud‑hosted CUI to validate detection, evidence preservation, internal approvals, and external notification steps; capture process gaps and assign remediation owners.

Long-Term Actions (90+ Days)

• [ ] Amend subcontract templates and flowdown language to remove or mitigate clauses that could conflict with the proposed ban on restricting subcontractor direct sales; build standard playbooks for negotiating affected provisions with primes and subs.
• [ ] Build or update your cloud migration and procurement roadmap to achieve FedRAMP Moderate readiness where required for cloud‑stored CUI; include budget, timeline, and supplier assessment gates.

Compliance Checklist

• [ ] FedRAMP Moderate applicability: assess whether cloud services storing CUI will need FedRAMP Moderate authorization and create a remediation/migration plan for non‑compliant services.
• [ ] 72‑hour cybersecurity incident reporting: confirm detection, evidence collection, notification, and contractual reporting processes meet a 72‑hour timeline.
• [ ] "Do not buy" list exposure assessment: identify products, suppliers, or components that could be flagged by a unified security‑risk purchasing list and document alternative sourcing plans.
• [ ] Subcontract restriction review: catalog existing prime/sub agreements that include clauses limiting subcontractor direct sales and prepare amendment or negotiation strategies.

Resources

• Federal Acquisition Regulatory Council rulemaking and FAR proposed rule materials — monitor the Federal Register and the Federal Acquisition Regulatory Council publications for the official dockets and supporting materials.
• Public comment deadline: July 23, 2026 (as stated in the proposal summary).
• For internal guidance on secure operations and CUI handling, see the Secure Operations Guide (/insights/secure-operations-guide).
• For related guidance on CMMC (Cybersecurity Maturity Model Certification) and CUI‑aware client handling, see the CMMC Compliance Guide (/insights/cmmc-compliance-guide) and the CUI-Safe CRM Guide (/insights/cui-safe-crm-guide).

How Cabrillo Club Automates This

Cabrillo Signals War Room — Already detected this event and delivered this briefing within minutes. War Room continuously monitors Federal Acquisition Regulatory Council publications, FAR rulemaking activity, and related policy notices so your team is alerted immediately when rule text, dockets, or deadlines change. For this FAR overhaul it will maintain the running docket, capture the full text of all four proposed rules, and surface the July 23, 2026 comment window and any subsequent extensions or related notices.

Cabrillo Signals Match Engine — When the proposed FAR changes alter requirements or evaluation factors, the Match Engine automatically rescales your opportunity pipeline and proposals. It updates match scores, keyword relevance (e.g., FedRAMP Moderate, 72‑hour reporting, subcontracting restrictions), and agency alignment in real time so capture managers see which pursuits increase or decrease in competitiveness because of the rule changes.

Cabrillo Signals Intelligence Hub — The Intelligence Hub tracks affected agencies, NAICS codes, and contract vehicles related to this FAR update and lets you save searches for follow‑on solicitations and agency guidance. Configure saved searches and alerts to notify you when the Federal Acquisition Regulatory Council posts the official rulemaking docket, when agencies issue implementation guidance, or when solicitations referencing the new FAR sections appear on related procurement sites.

Proposal Studio (Proposal OS) — Proposal Studio generates the compliance matrices, one‑page summaries of how your team will meet new obligations (FedRAMP Moderate readiness, 72‑hour incident reporting), and first‑draft technical approaches using your past performance evidence. Its bid/no‑bid decision engine will factor in the revised protest venue, the unified "do not buy" risk, and flowdown impacts to produce prioritized pursuit recommendations and draft comment language for the rulemaking docket.

Proposal Studio Workflow Tracker — The 9‑gate capture workflow automatically routes the new compliance review items (cloud FedRAMP gaps, incident reporting SLAs, subcontract clause conflicts) to contracts, cybersecurity, and legal reviewers. It tracks supplier certifications, produces remediation task lists, and exports audit‑ready documentation packages showing how you assessed and responded to the FAR changes.

Explore these features in the platform to automate risk triage, rescore opportunities, and accelerate proposal updates. Contact your Cabrillo Club account team to enable saved searches and automated capture workflows for this FAR overhaul.

Relevant internal guidance:

• Secure Operations Guide (/insights/secure-operations-guide)
• CMMC Compliance Guide (/insights/cmmc-compliance-guide)
• CUI-Safe CRM Guide (/insights/cui-safe-crm-guide)