CUI protection is about to stop being a defense-only problem.

For years, protecting Controlled Unclassified Information to the NIST 800-171 standard has mostly meant one audience: defense contractors, and the CMMC program built to enforce it. The proposed FAR CUI rule changes who’s on the hook. It would extend NIST SP 800-171 to every federal contractor that handles CUI, civilian agencies included, and once the clause lands in your contracts there’s no phase-in period to catch up.

What the FAR CUI rule actually does

The FAR Council published an updated proposed rule on 23 June 2026, with a comment period running to 23 July 2026, and it’s expected to be finalized before the end of 2026. It would require any contractor whose contract identifies CUI to implement NIST SP 800-171 Revision 3, and a limited set of contractors tied to critical programs or high-value assets would also face the enhanced controls of NIST SP 800-172. The headline here is the scope. This is no longer a Department of Defense requirement. It’s a whole-of-government one.

Why “we have CMMC handled” is not the same thing

If you already work with the DoD, CMMC has you thinking about NIST 800-171 through third-party assessment. The FAR CUI rule is the civilian counterpart, and it reaches contractors who have never touched CMMC because they sell to agencies outside defense. The control backbone is the same, but the audience is far larger, and a lot of the newly-covered contractors are starting from a standing stop. One difference cuts the other way. Where CMMC verifies you through a third-party assessor, the FAR CUI rule leans on self-attestation. That sounds lighter, but it just moves the burden of proof onto you, and a false attestation about your own security is not a small thing to sign. If you sell to any federal agency and touch CUI, the same obligations are coming for you. The DoD-specific view is in why CMMC wants you to test your incident response.

The part that is about your people, not your GRC tool

Most of NIST 800-171 is technical implementation, and a policy binder covers the paperwork. But two of its requirements are about human readiness, and those are the ones a document can’t fake. You have to train your people on their security roles, and you have to test your incident response capability, not just plan it. When a real CUI incident hits, the only question that matters is whether your team can actually run the response, inside the reporting deadlines, without opening the runbook for the first time.

What readiness looks like

It looks like the team running the incident, not narrating a plan. That’s what Malware & Monsters does. It’s a tabletop incident response game where the scenario changes because of what the team decides, so you’re exercising the capability the standard asks you to test, and building the instinct a real CUI incident will demand. There’s a nice overlap worth naming here: a tabletop exercise is one of the artifacts these rules expect you to be able to produce. Running the game both builds the capability and gives you the evidence that you tested it. It has been run with security teams across Europe and North America.

The FAR CUI rule isn’t final yet, but the direction is set and there’s no phase-in waiting for you. The contractors who are ready when the clause appears will be the ones who trained and tested before they had to. If your obligations sit on the European side of the Atlantic instead, the same readiness logic runs through EU cyber regulation training.

Frequently asked questions

What is the FAR CUI rule?

It is a proposed Federal Acquisition Regulation rule, updated on 23 June 2026, that would require federal contractors whose contracts involve Controlled Unclassified Information to implement NIST SP 800-171 Revision 3. The comment period runs to 23 July 2026 and it is expected to be finalized before the end of 2026.

Does the FAR CUI rule apply to non-defense contractors?

Yes, that is the change. It would extend the NIST 800-171 requirement from defense contractors to all federal contractors that handle CUI, across civilian agencies too.

When does it take effect?

It is still a proposed rule, expected to be finalized before the end of 2026. Notably, there is no phase-in: once the clause is inserted into a contract, compliance is required from that point.

How is the FAR CUI rule different from CMMC?

CMMC is the DoD-specific program that verifies NIST 800-171 compliance through a third-party assessment. The FAR CUI rule applies the same standard across the whole federal government but relies on contractor self-attestation rather than an external assessor. Same control backbone, different audience, different proof.

Want to put this in front of your team?

I run these as games your board and your responders actually take part in, not another slideshow. Tell me where your team is and what they need to practise, and we will set it up.

No cookies here

Notice there’s no cookie banner here.
That’s intentional and the site is still GDPR-compliant. I chose to avoid cookies and stick to basic, privacy-friendly stats.
My analytics are cookieless: self-hosted Plausible (EU) and PostHog in cookieless mode, with your IP anonymized. No cross-site tracking, nothing that identifies you.
The one cookie I can set does the opposite of every other cookie: it tells my stats to ignore you completely, and you only get it if you ask.

Everybody wins.