The Federal Acquisition Regulation Is Getting Its Biggest Rewrite in Decades — What Grant Recipients and Contractors Need to Know

For 40 years, the Federal Acquisition Regulation has been the rulebook that governs every dollar the U.S. government spends on contracts. At over 2,000 pages and 53 parts, it dictates everything from how a small business prices a proposal to what cybersecurity controls a contractor must implement on a laptop. And right now, in the most ambitious regulatory overhaul since the FAR was consolidated in 1984, the whole thing is being rewritten.

Executive Order 14275, signed in April 2025, directed agencies to "streamline acquisition regulations" and "reduce barriers to entry" for companies seeking government work. By December 2025, the Department of War — the renamed Department of Defense — had released 31 class deviations to the Defense Federal Acquisition Regulation Supplement. Those deviations took effect February 1, 2026. Another set of major threshold changes hits June 30. And the cascade isn't done — additional deviations are rolling out through the rest of the year.

If you hold federal contracts, subcontracts, or SBIR awards — or if you're a grant recipient that also does contract work — the changes in progress will affect how you price proposals, structure your accounting systems, and comply with cybersecurity requirements. Here's what matters.

The Threshold Changes Are the Headline

The FY2026 National Defense Authorization Act didn't just authorize defense programs. It quietly raised some of the most consequential compliance thresholds in federal contracting, and those changes are now being implemented through the FAR rewrite.

Cost or Pricing Data (TINA) threshold: $2 million to $10 million. Previously, any contract action above $2 million triggered Truth in Negotiations Act requirements — meaning contractors had to open their books and submit certified cost or pricing data to the government. That threshold is now $10 million for defense contracts effective June 30, 2026. For a small business with a $5 million SBIR Phase III contract, this eliminates one of the most burdensome compliance requirements in federal contracting.

Cost Accounting Standards (CAS) per-contract trigger: $2.5 million to $35 million. CAS compliance requires contractors to maintain consistent accounting systems that meet specific federal standards. The per-contract trigger has jumped by an order of magnitude. A company with a single $15 million contract no longer needs CAS compliance for that award.

Full CAS coverage: $50 million to $100 million. Companies don't trigger full CAS coverage — which requires a formal Disclosure Statement and subjects you to CAS audits — until their total CAS-covered contracts hit $100 million, up from $50 million.

The combined effect is that thousands of small and mid-size contractors who spent tens of thousands annually on CAS compliance systems, TINA data preparation, and related accounting overhead can now redirect those resources. For SBIR companies transitioning to Phase III production contracts, the relief is particularly significant — Phase III is where CAS and TINA compliance historically blindsided small businesses that hadn't budgeted for it.

Clause Renumbering Will Break Your Templates

Here's the less exciting but equally disruptive change: the FAR rewrite is renumbering clauses. FAR 52.204-21, the basic safeguarding clause for controlled unclassified information that virtually every contractor references, is becoming FAR 52.240-93. Similar renumbering is happening across the cybersecurity-related clauses.

This matters because every proposal template, compliance matrix, system security plan, and contract administration document your company uses references these clause numbers. If you submit a proposal in August 2026 that still references FAR 52.204-21, you'll look like you haven't been paying attention — and proposal evaluators notice.

The fix is straightforward but time-consuming: audit every template, every compliance document, and every subcontract flow-down clause your company uses. Cross-reference against the new numbering. Update everything. Do it now, while the changes are rolling out incrementally, rather than scrambling when a solicitation drops with the new numbering and you have 30 days to respond.

Cybersecurity Restructuring Affects Nearly Everyone

The clause renumbering is part of a broader restructuring of cybersecurity requirements. The government is consolidating and clarifying cybersecurity provisions that had accumulated piecemeal over the past decade — NIST 800-171 compliance, CMMC certification, CUI marking, incident reporting, and supply chain risk management requirements.

For contractors, this restructuring creates a window to reassess your cybersecurity compliance posture. If you've been operating under the assumption that your existing System Security Plan and Plan of Action & Milestones are sufficient, the clause restructuring is a natural checkpoint to verify that your documentation maps correctly to the new regulatory architecture.

For SBIR companies in particular, cybersecurity compliance has been one of the most misunderstood requirements in the program. Phase I awardees often don't handle controlled unclassified information and may not trigger cybersecurity requirements. But Phase II and Phase III awardees frequently do — and the consequences of non-compliance have shifted from theoretical to real as CMMC enforcement ramps up in 2026.

The "Loser Pays" Bid Protest Provision

Buried in the FAR rewrite is a provision that hasn't gotten enough attention: a 5% payment withholding mechanism for unsuccessful GAO bid protests filed by incumbent contractors. The intent is to discourage frivolous protests that delay contract awards and cost the government money. The practical effect is that incumbents now face financial risk when they protest a contract award.

This changes the calculus for small businesses competing against entrenched incumbents. Historically, a losing incumbent could file a GAO protest, tie up the award for 100 days, and impose costs on the winning offeror with essentially no downside. The 5% withholding provision introduces that downside. For small businesses that have lost awards to protest-driven delays, this is a meaningful structural change.

What Stays the Same

The FAR rewrite doesn't change the fundamental architecture of federal contracting. SAM.gov registration requirements remain intact. NAICS codes, size standards, small business set-aside programs, 8(a) certification, HUBZone preferences, and service-disabled veteran-owned small business programs all continue to operate. The Federal Supply Schedules aren't going away. Competition requirements still apply.

What's changing is the compliance overhead layered on top of those fundamentals — and the changes overwhelmingly reduce burden for small and mid-size companies.

For Grant Recipients Who Also Hold Contracts

If your organization operates on both sides of the federal funding equation — grants and contracts — the FAR rewrite intersects with other regulatory changes already in motion. The revised 2 CFR 200 Uniform Guidance, which took effect in October 2024, governs your grant compliance. The FAR rewrite governs your contract compliance. And if you hold SBIR awards, you live in both worlds simultaneously.

The intersection point is cost accounting. Many universities and research institutions negotiate a single indirect cost rate that they apply to both grants and contracts. If the CAS threshold changes affect whether your contracts require CAS compliance, that could create a disconnect between your grant-side and contract-side accounting — especially if you've been maintaining CAS-compliant systems partly because of contracts that no longer trigger the requirement.

This is worth a conversation with your contracting officer and your grants management office before June 30. Understanding whether the threshold changes affect your specific portfolio can save significant administrative overhead.

What to Do Right Now

Audit your clause references. Pull every active proposal template, compliance matrix, and subcontract flow-down document. Identify which FAR and DFARS clause numbers you reference. Check those against the new numbering scheme published in the December 2025 class deviations.

Recalculate your CAS exposure. If your largest CAS-covered contract is below $35 million, you may no longer trigger CAS requirements on a per-contract basis. If your total CAS-covered contracts are below $100 million, you may drop out of full CAS coverage entirely. Model the financial impact of eliminating CAS compliance overhead.

Review your TINA exposure. If you've been submitting certified cost or pricing data on contracts between $2 million and $10 million, those requirements go away for defense contracts awarded after June 30. Factor that into your proposal pricing strategy for upcoming competitions.

Participate in Phase 2 feedback. The government is actively crowdsourcing input on the next round of FAR changes. If there are specific provisions that create disproportionate burden for your company, this is a rare window to influence the outcome.

The regulatory environment for federal contractors is shifting faster than it has in a generation. The direction — toward reduced compliance burden and lower barriers to entry for small businesses — is welcome. But only companies that update their systems, templates, and strategies to reflect the new rules will capture the benefit.

Granted tracks federal funding opportunities across grants, contracts, and SBIR awards, so you can see the full landscape of available funding — and the compliance requirements attached to each — in one place.