Skip to main content
govconCyber — Federal Cybersecurity Law Reference

The Free Cybersecurity Law Reference for Government Contractors

Your plain-language map to the national procurement cybersecurity ecosystem.

Find My RequirementsExplore the Reference Library ↓
LearnCompliance ToolsFederal RequirementsState RequirementsIndustry RequirementsEnforcement

Recent Developments

June 2026Compliance Guidance

Reading the Banner: How CUI Marking and Handling Actually Work Under 32 CFR Part 2002

Knowing that you hold Controlled Unclassified Information is only half the job. The federal rulebook also dictates how that information gets marked, shared, and eventually let go — and contractors are bound by those rules the moment a marked document lands in their inbox.

Read more →
June 2026Rule Updates

Where Did DFARS 7019 and 7020 Go? The FAR Overhaul's Quiet Cybersecurity Reshuffle

Two DFARS clauses that defense contractors have cited for years vanished on February 1, 2026. If you went looking for 252.204-7019 and couldn't find it, you're not imagining things — and the good news is that almost nothing about your actual obligations changed.

Read more →
June 2026Rule Updates

NIST Just Finalized 800-172 Rev 3 — Here's Why CMMC Level 3 Contractors Shouldn't Panic Yet

On May 13, 2026, NIST finalized a much bigger version of the enhanced-security publication behind CMMC Level 3. The headline number nearly tripled — but if you're chasing Level 3 today, the rules you're measured against did not change.

Read more →
June 2026Rule Updates

CISA's New Patching Directive (BOD 26-04) Rewrites the Vulnerability Clock — and Contractors Should Read It Too

CISA's BOD 26-04 replaces BOD 19-02 and 22-01 with a risk-based patching model: fix the highest-risk, actively exploited, edge-facing flaws in three days. It binds agencies, but it reaches their contractors.

Read more →
View all updates →

Not Sure Where to Start?

GovConCyber is a free legal reference — not a law firm. We cover the federal cybersecurity rules that apply to government contractors: what they require, who they apply to, and what you need to do. Start here if you're new to the site.

Start with the baseline you already oweBefore any FAR or DFARS clause applies, federal and state law already require you to secure data and report breaches. Meet that legal baseline first. See the legal baseline →

Find My Requirements

Answer a few questions about your contract type and data to get a plain-language summary of your obligations.

Get started →

New to Cyber Compliance?

Start with the fundamentals: what the key frameworks are, why they exist, and how they affect your contracts.

Read the basics →

Look Up a Term

Plain-language definitions for CUI, CMMC, DFARS, FedRAMP, and many other key terms.

Browse the glossary →

Browse the Reference Library

Federal Requirements

FAR, DFARS, frameworks, and agency-specific rules

State Requirements

State-level cyber laws affecting government contractors

Industries

Sector-specific obligations: defense, healthcare, finance, and more

Compliance Tools

Checklists, templates, and program-building guides

Enforcement

Actions, penalties, and False Claims Act case law

Learn

Cybersecurity 101 and a plain-language glossary

About GovConCyber

GovConCyber is a free, independent legal reference for government contractors. We translate complex federal cybersecurity requirements into plain English — without the billable hour. Content is reviewed for accuracy against the underlying statutes, regulations, and official guidance, and updated regularly as those rules evolve.

Learn more about this site →
Free to Use
No paywalls, no subscriptions, no ads.
Sourced to Primary Law
Every factual claim is cited to the underlying statute, regulation, or official agency document.
Updated Regularly
Pages are reviewed for accuracy and carry a visible 'Last reviewed' date — see the date on each page.