Over 1,000 pages on FAR overhaul heads to formal rulemaking process

Executive Summary

Affected segments pending source review. The Federal Acquisition Regulatory Council is moving four proposed FAR (Federal Acquisition Regulation) rules (over 1,000 pages) into formal rulemaking to overhaul 20 FAR sections. The Summary highlights large procedural and compliance shifts: bid protests would be handled at agencies instead of GAO, a unified "do not buy" list for security risks would be implemented, contractors would face a 72-hour cybersecurity incident reporting requirement, FedRAMP (Federal Risk and Authorization Management Program) Moderate would be required for cloud-stored CUI (Controlled Unclassified Information), and clauses that prevent subcontractors from selling directly to the government would be prohibited. The public comment period runs through July 23, 2026.

These changes — described in the Summary as the most significant update in decades and labeled CRITICAL — will affect procurement timelines, legal strategy, compliance programs, subcontractor relationships, and cloud/CUI controls across the GovCon industry. Contractors should act now to review impact on their proposals, contract clauses, cybersecurity posture, and supply-chain agreements, and prepare comments for the rulemaking record before the July 23, 2026 deadline.

Impact Matrix

GovCon industry

• Risk Level: Critical
• Opportunity: Transition to new procurement rules creates demand for compliance advisory, proposal rework services, and incident-response capabilities. Specific opportunities TBD pending solicitation language.
• Timeline: Public comment period runs through July 23, 2026.
• Action Required:
• Inventory contracts and proposal processes to identify places affected by protest-process changes and the new "do not buy" regime.
• Update enterprise compliance and legal playbooks to anticipate agency-handled protests.
• Prepare coordinated organizational comment(s) to the proposed rules before July 23, 2026.
• Competitive Edge: Firms that quickly map internal policies to the proposed FAR changes, document gaps, and publish compliant templates or service offerings will win faster with risk-averse buyers and partners.

Subcontractors

• Risk Level: High
• Opportunity: Prohibition on agreements that restrict subcontractors from selling directly to government can open new direct-win channels and change teaming dynamics; Specific opportunities TBD pending solicitation language.
• Timeline: Public comment period runs through July 23, 2026.
• Action Required:
• Review and revise flow-downs and prime–sub contracts that limit direct sales or impose restrictive exclusivity.
• Engage primes and legal counsel to renegotiate or draft compliant subcontract language now.
• Track how prime contractors respond to the proposed prohibition and adjust marketing/sales strategies accordingly.
• Competitive Edge: Subcontractors that repaper contracts proactively and build direct-government marketing capabilities can capture newly permissible direct opportunities and shorten sales cycles.

Contractors with cloud-stored CUI

• Risk Level: Critical
• Opportunity: Mandating FedRAMP Moderate for cloud-stored CUI raises demand for FedRAMP-moderate compliant cloud services, migration support, and continuous monitoring offerings. Specific opportunities TBD pending solicitation language.
• Timeline: Public comment period runs through July 23, 2026.
• Action Required:
• Assess current CUI handling and hosting arrangements; identify cloud deployments that will need FedRAMP Moderate compliance.
• Budget and plan for FedRAMP Moderate authorization or migration to authorized providers; update incident-response plans to meet 72-hour reporting.
• Coordinate with subcontractors and cloud providers to confirm their FedRAMP posture and contractual responsibilities.
• Competitive Edge: Providers or integrators that can demonstrate FedRAMP Moderate-ready environments, fast-migration pathways, or turnkey compliance programs will be preferred by buyers constrained by the new requirement.

Cross-Segment Implications

• The move of protests to agencies and a unified "do not buy" list will change how primes, subs, and cloud providers manage reputational and security risk across contracts — decisions in one segment (for example, a subcontractor’s security incident) can trigger downstream procurement consequences for primes and other subs.
• The FedRAMP Moderate mandate for cloud-stored CUI and the 72-hour reporting requirement create an operational dependency between cloud-hosting arrangements and incident-response capabilities; primes and subs must align on reporting chains and remediation responsibilities.
• Prohibiting restrictive subcontractor-sale agreements reshapes teaming strategies and may increase direct-seller competition, affecting pricing, proposal staffing, and partner selection across the GovCon industry.