Skip to main content
govconCyber — Federal Cybersecurity Law Reference
Free · Independent · Sourced to primary authority

Government contractor cybersecurity, explained clearly and implemented practically.

Plain-language guidance on the cybersecurity requirements that attach to federal contracts — FAR 52.204-21, DFARS 252.204-7012, CMMC, CUI, NIST SP 800-171, FedRAMP, incident reporting, and the clauses that turn cybersecurity into procurement risk.

Find My RequirementsNew to this? Start with the basics →

Start Here: The Baseline You Already Owe

Before any FAR or DFARS clause applies, federal and state law already requires your business to secure data and report breaches — the FTC Act, all-50-state breach laws, and rules like GLBA and HIPAA. The contractor requirements build on top of that legal baseline. Make sure you meet it first.

See the Legal Baseline →

Recent Developments

June 2026Case Law

Aero Turbine Pays $1.75M to Settle FCA Cybersecurity Case — and Gets Credit for Self-Disclosing

Aero Turbine Inc. and its private equity owner Gallant Capital Partners agreed to pay $1.75 million to resolve False Claims Act allegations over NIST SP 800-171 failures and unauthorized sharing of sensitive defense files with an Egyptian software firm. The DOJ explicitly credited voluntary self-disclosure, cooperation, and remediation — the clearest statement yet of a self-disclosure credit framework for Civil Cyber-Fraud Initiative cases.

Read more →
June 2026Case Law

Illumina Pays $9.8M to Settle FCA Cybersecurity Allegations: When the Product Itself Is the Compliance Problem

The DOJ resolved False Claims Act allegations against Illumina Inc. for $9.8 million after the company sold federal agencies genomic sequencing systems with embedded cybersecurity vulnerabilities while falsely representing those systems complied with NIST and ISO standards. It is the first major Civil Cyber-Fraud Initiative settlement targeting product cybersecurity rather than operational IT compliance.

Read more →
June 2026Compliance Guidance

Cybersecurity Flowdown: What Prime Contractors Owe Their Subcontractors

Prime contractors must flow cybersecurity clauses down to subcontractors that handle covered defense information — but the obligation goes beyond clause insertion. DFARS 252.204-7012(m) imposes a determination duty, an incident-notification requirement, and a CMMC verification obligation that many primes overlook.

Read more →
June 2026Rule Updates

The FAR Overhaul's Next Move: A New "Part 40" for Cybersecurity and a Rewritten CUI Clause

On June 23, 2026, the FAR Council proposed (FAR Case 2026-001) relocating safeguarding, CUI, and supply-chain clauses into a new FAR Part 40 and rewriting the CUI clause (FAR 52.240-7) to tie cloud use to FedRAMP Moderate, point to NIST SP 800-171 Rev. 3, and add a 72-hour conflict-notice rule. It is a proposed rule; comments are due July 23, 2026.

Read more →
View all updates →

Not Sure Where to Start?

GovConCyber is a free legal reference — not a law firm. We cover the federal cybersecurity rules that apply to government contractors: what they require, who they apply to, and what you need to do. Start here if you're new to the site.

Find My Requirements

Answer a few questions about your contract type and data to get a plain-language summary of your obligations.

Get started →

New to Cyber Compliance?

Start with the fundamentals: what the key frameworks are, why they exist, and how they affect your contracts.

Read the basics →

Look Up a Term

Plain-language definitions for CUI, CMMC, DFARS, FedRAMP, and many other key terms.

Browse the glossary →

Research

Original, source-anchored analysis on the harder questions — where requirements, contracts, data-handling, and enforcement intersect.

Cybersecurity Requirements Beyond CMMC

The obligations that reach contractors outside the CMMC conversation — the FAR baseline, civilian-agency clauses, cloud, incident reporting, and enforcement.

Protected Information in Practice

How to identify, mark, handle, and flow down the categories of information federal contracts protect — CUI and beyond.

The Requirements Map →CMMC Phase-In Tracker →CIRCIA Watch →All Research →

Browse the Reference Library

Federal Requirements

FAR, DFARS, frameworks, and agency-specific rules

State Requirements

State-level cyber laws affecting government contractors

Industries

Sector-specific obligations: defense, healthcare, finance, and more

Compliance Resources

Requirement triage, roadmaps, educational self-checks, and reference aids for planning compliance work.

Research

Original analysis — beyond CMMC, protected information, maps and trackers

Enforcement

Actions, penalties, and False Claims Act case law

Learn

Cybersecurity 101 and a plain-language glossary

Work with GovConCyber

Bring the analysis to your team or audience

GovConCyber is a free reference first. When you need that analysis applied — explained to a room, or mapped to your actual contracts — these are the ways to go further.

Speaking

Plain-language sessions on CMMC, CUI, and the requirements beyond CMMC — for conferences, bar associations, APEX Accelerator programs, and internal briefings.

Explore speaking topics →

Advisory

The Compliance Roadmap Assessment™ — a structured readiness review that maps which requirements apply to your contracts and what to prioritize. Not a CMMC assessment or legal advice.

See how advisory works →