Unified FAR Agenda Signals Tightening Cyber, Supply-Chain, and OCI Controls—What Contractors Should Expect in 2026

The September 22, 2025 Semiannual Regulatory Agenda for the Federal Acquisition Regulation (FAR) sets out a consequential slate of rulemakings that collectively sharpen the federal regime for cybersecurity, supply-chain integrity, and conflict-of-interest governance. Issued jointly by the Office of Federal Procurement Policy, DoD, GSA, and NASA and signed by William F. Clark, the agenda is expressly a planning document—dates are estimates, omissions carry no legal significance, and stakeholders are invited to track progress and participate in rulemaking. Even so, taken together these entries map where compliance expectations are likely headed in the next 6–12 months, and prudent contractors should begin aligning now.

At the center is the FAR’s Controlled Unclassified Information (CUI) rule, slated for finalization in December 2025. The rule applies the government-wide CUI program uniformly in federal contracts to strengthen protection and response to increasingly sophisticated threat activity targeting contractor systems and data; it follows a January 2025 NPRM and closed comment period in March. For contractors, this presages standardized clauses and enforcement around marking, handling, safeguarding, and flowdown—workstreams that will touch policy, training, and technical controls across prime and sub tiers.

Complementing CUI, the agenda places two additional cyber pillars on the runway. First, the incident-reporting rule, projected to be final in February 2026, would authorize broader threat-information sharing while requiring certain contractors to report cyber incidents and represent that all required reports are current, accurate, and complete. That combination of rapid reporting and attestations elevates the importance of incident-response playbooks, logging, evidence preservation, and governance over who certifies submissions. Second, a proposed rule on supply-chain software security—targeting use only of software produced with secure development practices and contractor attestations via a common form—is forecast for mid-2026. Even at the NPRM stage, the direction is clear: agencies will demand verifiable secure-development artifacts, and vendors will need to inventory software components and development lifecycles to meet attestation requirements.

On supply-chain integrity, the agenda advances two powerful tools. Implementation of the Federal Acquisition Supply Chain Security Act (FASCSA) orders is on track for a final rule in April 2026, enabling exclusion or removal of covered products, services, or sources from the federal supply chain through government-issued orders. That mechanism, anchored in the SECURE Technology Act and FASC rulemaking, compels contractors to design sourcing strategies that can pivot quickly when an exclusion or removal order lands—without disrupting performance. In parallel, the FAR will finalize two long-running Section 889 rules in May 2026: paragraph (a)(1)(A), the procurement ban on covered Chinese telecommunications and video-surveillance technologies, and paragraph (a)(1)(B), the enterprise-use prohibition that bars contracts with entities that use such equipment or services anywhere in their organization. The latter is especially significant because it reaches beyond contract performance to enterprise hygiene; contractors must ensure no covered technologies are used across corporate networks to remain eligible.

Finally, the FAR Council’s effort to prevent organizational conflicts of interest (OCI) is slated for a December 2025 final rule. The package updates definitions, guidance, and examples; creates new provisions and clauses; requires contractor disclosures relevant to potential OCI; and authorizes limitations on future contracting. The rule also instructs contracting officers to weigh professional standards and procedures that an offeror already follows to prevent OCI. For industry, the predictable implications are refreshed capture controls, internal firewalls, conflict-screening attestations, and proposal disclosures designed to withstand scrutiny under the new framework.

In sum, while the Unified Agenda is not binding, it is a reliable lens into imminent compliance trajectories. CUI uniformity, faster and more accountable incident reporting, software-supply-chain attestations, dynamic FASCSA exclusion tools, rigorous Section 889 enterprise hygiene, and a modernized OCI regime all point to higher baselines and more attestation-backed accountability. Federal contractors who use the next two quarters to harden programs, update supplier attestations, map software artifacts, and refresh conflict-mitigation protocols will be better positioned when these rules are codified.

Disclaimer: This summary is for general information only and does not constitute legal advice or create an attorney-client relationship. It is based solely on the cited Unified Agenda notice and may omit nuances in forthcoming proposed or final rules; consult counsel before acting.
