Mor Cohen-Tal June 25, 2026

FAR Overhaul 2026: What It Means for AI Procurement Governance

On June 23, 2026, the FAR Council published the largest federal procurement rewrite in decades: four simultaneous proposed rules spanning more than 1,000 pages across 20 FAR parts. For companies that sell to, buy from, or partner with US government agencies, the compliance landscape just shifted. And for anyone deploying AI-enabled products into federal ecosystems, the shift is seismic.

By Mor Cohen-Tal, Co-Founder & CTO, Opstream
Co-Founder and CTO of Opstream, previously Cloud CTO at Turbonomic (acq. IBM for nearly $2B) and holds 8 patents in cloud and AI infrastructure.

Key Takeaways

The FAR overhaul expands Part 39 from “IT” to “ICT,” explicitly covering AI/ML platforms, IoT, edge devices, and 5G
OMB M-25-22 requires American-made AI preference, data protection, IP retention, and anti-vendor lock-in
New FAR Part 40 mandates 72-hour cybersecurity incident reporting and FedRAMP Moderate baseline for cloud services
Companies selling AI to government need structured vendor intake, risk scoring, and audit trails today
Public comment closes July 23, 2026, but agencies are already implementing changes via class deviations issued in June 2025

What Is the Revolutionary FAR Overhaul and Why Does It Matter?

The Federal Acquisition Regulation hasn’t seen a revision of this scale in its 40-year history. Issued under Executive Order 14275, “Restoring Common Sense to Federal Procurement,” the overhaul touches virtually every stage of how the US government buys goods and services.

The FAR Council (DoD, GSA, NASA, and OFPP) published four proposed rules simultaneously, covering Parts 1 through 53. The scope includes a plain-language rewrite, a four-year sunset provision on all non-statutory FAR provisions, and a simplified acquisition threshold raised to $9 million. Every non-statutory rule that isn’t renewed within four years expires automatically.

This is technically a proposed rule, not a final one. The public comment period closes on July 23, 2026. But here’s what makes this different from typical rulemaking: agencies have already been implementing many of these changes through class deviations since June 2025. The formal rulemaking is catching up to operational reality, not the other way around.

For procurement and compliance teams at companies in the federal supply chain, the signal is clear. The direction is set. Waiting for the final rule to start preparing is a mistake.

How Do the New FAR Rules Change AI and Technology Procurement?

The most consequential change for technology vendors sits in FAR Part 39, which has been expanded from “Information Technology” to “Information and Communication Technology (ICT).” That single word change, “communication,” brings an entirely new category of products under federal acquisition governance.

Part 39 now explicitly covers AI and machine learning platforms, edge computing devices, 5G infrastructure, IoT sensors, and operational technologies. If your company sells any AI-enabled product or service to a federal agency, you are now squarely within Part 39’s scope.

The rule also makes modular contracting mandatory. All ICT work must be broken into components delivered within 18 months of solicitation. For vendors accustomed to multi-year contracts with vague deliverables, this is a structural shift toward shorter cycles, tighter documentation, and continuous compliance validation.

Running parallel to the FAR overhaul, OMB Memorandum M-25-22 (issued April 2025) sets the current procurement framework for AI specifically. It requires agencies to prioritize American-made AI products, prohibits vendors from using non-public agency data to train commercial AI models without explicit consent, and mandates that agencies retain IP rights to code and models produced under contract.

GSA is also preparing a separate AI-specific acquisition reform rule, expected in draft by mid-2026, that would prioritize firm fixed-price contracts for AI and direct OEM relationships. The regulatory surface area for AI vendors is expanding fast.

“By 2029, 75% of new managed AI service contracts will explicitly mandate liability, explainability standards, and model drift monitoring rights.”

Gartner, “5 Steps to Prepare for the Coming Services Contract Renegotiation Supercycle,” Brett Sparks, Anurag Bora, May 25, 2026.

What Gartner is projecting for 2029, federal regulators are already codifying today. The gap between commercial AI governance norms and government procurement requirements is closing faster than most vendors expected.

What New FAR Compliance Requirements Should You Prepare For?

The overhaul consolidates some requirements and adds others. The net effect for AI and technology vendors is a more concentrated, but no less demanding, compliance burden.

New FAR Part 40 is an entirely new section consolidating information and supply chain security requirements. It introduces a federal “do not buy” list (Kaspersky and TikTok are explicitly named), mandates 72-hour cybersecurity incident reporting for all contractors, and requires FedRAMP Moderate baseline for any cloud service storing controlled unclassified information.

On the documentation side, SAM.gov entity-level representations have been consolidated from six clauses to two. Paper documentation procedures are eliminated. Pre-award survey guidance and brand-name-or-equal documentation requirements are deleted. In theory, this simplifies vendor paperwork.

In practice, the simplification on one side is offset by new requirements on the other. Contractors must now maintain accurate Voluntary Product Accessibility Templates (VPATs) for all ICT products. OMB M-25-22 adds data portability, licensing transparency, and anti-vendor lock-in provisions to every AI solicitation. And the modular contracting mandate means compliance documentation cycles compress from years to months.

By the numbers: 1,000+ pages of proposed rules; 20 FAR parts revised; 72-hour incident reporting mandate; 18-month modular delivery cycles.

“By 2028, 45% of financial services and healthcare organizations will face regulatory enforcement actions due to AI agent identity gaps that make audit accountability unresolvable.”

Gartner, “4-Step Playbook to Unlock Agentic AI in Regulated Industries,” Alex Coqueiro, June 1, 2026.

That prediction targets financial services and healthcare, but the audit accountability gap it describes maps directly to federal procurement. If your AI vendor documentation can’t trace who approved what, when, and why, the new FAR requirements will expose it.

This trend isn’t limited to the federal space. A 2026 analysis of US IT compliance requirements found that vendor oversight and third-party risk are now explicitly named as mandatory elements of cybersecurity compliance programs across industries. Compliance teams, not just procurement departments, are driving demand for structured vendor governance. The FAR overhaul is the most visible expression of a broader shift: the companies arriving at procurement governance tooling today are increasingly coming from a compliance audit angle, not a workflow efficiency angle.

Why Does AI Vendor Governance Close the FAR Compliance Gap?

The FAR overhaul and OMB M-25-22 don’t just add new rules. They formalize a governance expectation that most organizations haven’t operationalized: every AI vendor entering your ecosystem should pass through a structured review before it touches production data, integrates with critical systems, or generates outputs that inform decisions.

In our AI committee whitepaper, we lay out a five-step pipeline that maps directly to the compliance requirements the new FAR rules impose:

1. Structured intake captures vendor information at the point of request, not after the contract is signed. This aligns with Part 39’s modular acquisition approach, where each component needs documented justification before solicitation.

2. Automated data collection pulls security certifications, compliance documentation, and product specifications into a single file before any committee meeting. Part 40’s FedRAMP, cybersecurity, and supply chain security requirements demand exactly this kind of pre-decision documentation.

3. AI risk scoring triages vendors by risk level so your committee’s time goes to the cases that need human judgment, not rubber-stamping low-risk renewals. OMB M-25-22’s emphasis on performance-based contracting and transparency makes this kind of structured assessment a practical necessity.

4. Committee review with the right reviewers routes each case to the people with relevant authority: security for FedRAMP questions, legal for IP and data rights, technical leads for integration risk. The new FAR rules require accountability at each decision point, and you can’t demonstrate accountability if your review process is ad hoc email threads.

5. A single decision registry creates the audit trail that ties every vendor approval back to the evidence, the reviewers, and the rationale. When 72-hour incident reporting kicks in under Part 40, this registry is what tells you which vendors are affected, what data they access, and who approved them.

“Set clear AI governance rules: Define allowed AI use, lock down data rights and ownership, require transparency and accountability including periodic benchmarking.”

Gartner, “5 Steps to Prepare for the Coming Services Contract Renegotiation Supercycle,” Brett Sparks, Anurag Bora, May 25, 2026.

This isn’t theoretical. It’s the same set of capabilities that federal agencies are now required to implement. The only question is whether your organization builds this governance infrastructure proactively, or scrambles to assemble it after a compliance gap surfaces in a live solicitation.

What Steps Should Your Organization Take Before the Comment Period Closes?

The comment period closes July 23, 2026. Even if the final rule takes months to formalize, agencies are already operating under class deviations that mirror these proposed changes. Here is what procurement, compliance, and technology leaders should do now:

Audit your AI vendor inventory. Identify every AI-enabled product and service in your technology stack. Map each one to the new Part 39 ICT definitions. If a vendor touches federal data, federal systems, or federal decision-making, it falls under the new scope.

Stand up or formalize an AI committee. If your organization doesn’t have a structured process for reviewing AI vendors before they enter your ecosystem, build one now. Our whitepaper provides the operational framework.

Map your documentation to the new requirements. Part 40’s 72-hour incident reporting, FedRAMP Moderate baseline, and supply chain security provisions all require documentation that most organizations don’t currently collect at intake. Close that gap before the rules take effect.

Review your AI contracts for M-25-22 compliance. Check for data portability provisions, IP retention clauses, and anti-vendor lock-in language. If your existing contracts don’t address American-made AI preference and prohibitions on training commercial models with agency data, they will need updating.

Submit public comments if the rules affect your business. The comment period is a 30-day window to shape the final rule. If the modular contracting mandate or Part 39 ICT definitions create unintended burdens for your product category, this is the time to make that case on the record.

The organizations that treat regulatory change as a catalyst for better governance will outperform those that treat it as a compliance checkbox. The FAR overhaul is the catalyst. Your AI committee is the governance.

“79% of CFOs recognize the urgent need to transform traditional workflows in response to mounting technological and regulatory demands.”

Gartner, “2026 Finance Technology Bullseye Report,” Mike Helsel, Matt Monopoli, Irmina Melarkode, May 11, 2026.

Frequently Asked Questions

When does the FAR overhaul take effect?

The rules published on June 23, 2026, are proposed rules, not final regulations. The public comment period closes July 23, 2026. A final rule will follow after the FAR Council adjudicates comments. However, agencies have been implementing many of these changes through class deviations since June 2025, so the operational impact is already being felt.

Does this affect companies that are not government contractors?

Yes, if you sell AI-enabled products or services to federal agencies, or if you are a subcontractor in a federal supply chain. The Part 39 ICT expansion and OMB M-25-22 requirements flow down through prime contractor obligations. If a prime contractor buys your AI product and deploys it in a federal context, you are part of the compliance chain.

What is the difference between OMB M-24-18 and M-25-22?

M-24-18 (September 2024, Biden administration) was prescriptive, referencing the NIST AI Risk Management Framework, requiring training logs and red-teaming results, and defining “rights-impacting” and “safety-impacting” AI categories. M-25-22 (April 2025, current administration) replaced it with a “pro-innovation” framing, adding an American-made AI preference and dropping algorithmic discrimination requirements. Both versions retain data protection, IP retention, and anti-vendor lock-in provisions.

References

1. Federal Register, “Federal Acquisition Regulation: Revolutionary Federal Acquisition Regulation Overhaul Parts 1, 2, 4, 33, 39, 40, and 53,” FAR Case 2026-001, June 23, 2026. federalregister.gov
2. Office of Management and Budget, “Driving Efficient Acquisition of Artificial Intelligence in Government,” OMB M-25-22, April 3, 2025. whitehouse.gov
3. Acquisition.gov, “Revolutionary FAR Overhaul.” acquisition.gov
4. FedScoop, “Over 1,000 Pages on FAR Overhaul Heads to Formal Rulemaking Process.” fedscoop.com
5. Wiley, “Decoding the FAR Overhaul.” wiley.law
6. Wiley, “Trump Administration Revamps Guidance on Federal Use and Procurement of AI.” wiley.law
7. Nextgov/FCW, “GSA Preparing AI-Specific Acquisition Reform Rule.” nextgov.com
8. Precision Federal, “EO 14110 Federal AI Executive Order Status for Contractors.” precisionfederal.com

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

About the Author

Mor Cohen-Tal
Co-Founder & CTO, Opstream

Mor Cohen-Tal is a visionary technology leader and the Co-Founder and Chief Technology Officer of Opstream, an intelligent procurement orchestration platform that is transforming the way companies buy. With a career marked by a relentless pursuit of innovation, Mor has earned 8 patents for her groundbreaking work. Notably, Mor was the Cloud CTO at Turbonomic, where she spearheaded the company’s successful transition from a datacenter-focused business to a cloud-centric model. Turbonomic was acquired by IBM for nearly $2B in 2021. Mor holds an M.Eng from Cornell University and a B.Sc from the Hebrew University.
