Federal acquisition rewrite leaves cybersecurity confusion unresolved
COMMENTARY | As the government overhauls its procurement rulebook, contractors are still grappling with a persistent problem that shapes how they price, plan, and perform work: what information must be protected and who is responsible for identifying it.
The federal government’s Revolutionary FAR Overhaul represents one of the most significant efforts to reshape federal acquisition in decades. Supporters see an opportunity to streamline procurement, reduce regulatory complexity and lower barriers to doing business with the federal government. Critics worry that important requirements could get lost in the process.
For contractors concerned about cybersecurity and controlled unclassified information, however, an important question is not whether the FAR becomes shorter, nor is it whether acquisition becomes faster.
The question is whether this overhaul will finally force government agencies to address one of the most persistent challenges facing contractors today: the inconsistent implementation of controlled unclassified information requirements.
That may sound like an odd question to ask about a procurement regulation. After all, the FAR overhaul does not rewrite the underlying controlled unclassified information framework. But that is precisely the point. The FAR rewrite does not eliminate the government’s controlled unclassified information program. Executive Order 13556 remains in effect. National Archives and Records Administration regulations remain in effect. National Institute of Standards and Technology Special Publication 800-171 remains in effect. Cybersecurity Maturity Model Certification requirements remain in effect. Agencies will continue to have obligations to identify, mark and protect sensitive information.
The same rules are still there.
The challenge is that many contractors continue to struggle to determine when those rules apply.
At ClearanceJobs, reporting and industry conversations have consistently highlighted confusion surrounding controlled unclassified information implementation. Security professionals, contractors and acquisition stakeholders frequently point to inconsistent agency guidance, varying interpretations of requirements and uncertainty surrounding what information actually qualifies as controlled unclassified information. The recent State of the Facility Security Officer report found that controlled unclassified information, not personnel security clearances, facility clearances or processing timelines, was the top source of frustration for security professionals. While government has invested significant effort into developing policies and compliance frameworks, implementation across agencies remains uneven, and industry partners expected to enact the rules remain confused.
The National Institute of Standards and Technology itself has recognized the challenge. Recent guidance has attempted to provide greater clarity around identifying and managing controlled unclassified information, acknowledging concerns from both government and industry that organizations continue to interpret requirements differently. Yet despite years of guidance, training and policy development, contractors often find themselves navigating a patchwork of agency-specific practices and expectations.
This is not simply a cybersecurity issue.
It is an acquisition issue.
When contractors cannot determine whether they will be handling controlled unclassified information, they struggle to accurately estimate cybersecurity costs, staffing requirements, technology investments and proposal pricing. Small businesses face particular challenges because uncertainty creates risk and risk often discourages participation.
The government has spent years trying to expand competition, attract innovative companies and reduce barriers to entry. Yet uncertainty surrounding controlled unclassified information frequently has the opposite effect. Contractors are left trying to interpret cybersecurity obligations that may not be clearly defined until well into the acquisition process. In some cases, organizations discover significant compliance requirements only after contract award. In others, they implement costly controls out of caution because no one can provide a definitive answer about whether information qualifies as controlled unclassified information.
That uncertainty is becoming increasingly consequential as the government ramps up cybersecurity enforcement.
A recent Justice Department settlement with Alabama-based defense contractor LOGZONE offers a glimpse of what many contractors may expect moving forward. The company agreed to pay more than $500,000 to resolve allegations that it failed to implement required National Institute of Standards and Technology Special Publication 800-171 cybersecurity controls while performing Navy contracts, despite certifying compliance with contract requirements. According to the government, the deficiencies left sensitive defense information vulnerable to compromise.
The settlement is notable because it occurred before full implementation of the Cybersecurity Maturity Model Certification program. The certification program is built on the same National Institute of Standards and Technology Special Publication 800-171 requirements cited in the case, and the Pentagon has made clear that contractors will increasingly be expected to demonstrate, not simply attest to, their cybersecurity compliance.
The message from government is clear: cybersecurity requirements matter and contractors will be held accountable when they fail to meet them. But that reality makes consistent controlled unclassified information implementation even more important.
The government cannot simultaneously increase enforcement while tolerating inconsistent identification, marking and communication of controlled unclassified information requirements across agencies. Contractors should absolutely be responsible for protecting sensitive information. They should absolutely be accountable for false certifications and inadequate security controls.
Yet accountability works best when expectations are clear.
As enforcement actions become more common and Cybersecurity Maturity Model Certification requirements spread across the defense industrial base, the stakes surrounding controlled unclassified information identification will only increase. Contractors need certainty about what information requires protection, what obligations apply and when those obligations begin. Otherwise, organizations will continue to spend valuable resources navigating ambiguity rather than improving security.
Because the FAR overhaul is fundamentally an exercise in simplification, it offers an opportunity to focus less on creating new cybersecurity requirements and more on ensuring agencies consistently communicate the requirements that already exist.
Government should also strengthen accountability for identification and marking practices. Contractors bear responsibility for protecting information once they receive it. But they cannot protect information that government has failed to properly identify.
The proposed FAR controlled unclassified information rule attempts to address that gap through a standardized form that places responsibility on agencies to identify the controlled unclassified information involved in contract performance. In fact, the proposal’s signature feature is a standard mechanism for identifying and communicating controlled unclassified information requirements to contractors before performance begins. The existence of that form is itself evidence that government recognizes a longstanding problem: contractors often do not know what controlled unclassified information they are expected to protect.
The current system often creates a paradox. Agencies require contractors to implement increasingly rigorous cybersecurity controls while simultaneously providing inconsistent guidance regarding the information those controls are intended to protect.
More requirements will not solve that problem. Better implementation will.
The acquisition community has spent years discussing cybersecurity as a compliance challenge. The FAR rewrite provides an opportunity to recognize that it is also an acquisition challenge.
When requirements are unclear, companies cannot accurately estimate costs. They cannot determine the appropriate security architecture. They cannot assess staffing needs. Small businesses, in particular, may decide the uncertainty simply is not worth the risk.
The government does not need another controlled unclassified information rule. It already has plenty of them. The FAR rewrite will not alter the underlying authorities governing controlled unclassified information, but it does create an opportunity to emphasize a lesson contractors have been repeating for years: implementation matters as much as policy. Clear identification, consistent marking and transparent communication of controlled unclassified information requirements would do more to improve cybersecurity outcomes than another layer of regulation.
For more than a decade, industry has struggled with inconsistent markings, varying agency interpretations and uncertainty about where responsibility for identifying controlled unclassified information truly begins. Contractors have repeatedly asked for greater clarity, consistency and predictability, not more regulation.
If acquisition leaders want a more competitive industrial base, stronger cybersecurity and broader participation from innovative companies, they should start by solving one of the simplest questions contractors still struggle to answer: “Is this controlled unclassified information?”
For too many companies, the answer remains surprisingly unclear. A FAR rule cannot fix that. But agencies committed to clearer implementation can.