Plain-language guidance on the cybersecurity requirements that attach to federal contracts — FAR 52.204-21, DFARS 252.204-7012, CMMC, CUI, NIST SP 800-171, FedRAMP, incident reporting, and the clauses that turn cybersecurity into procurement risk.
Before any FAR or DFARS clause applies, federal and state law already requires your business to secure data and report breaches — the FTC Act, all-50-state breach laws, and rules like GLBA and HIPAA. The contractor requirements build on top of that legal baseline. Make sure you meet it first.
Prime contractors must flow cybersecurity clauses down to subcontractors that handle covered defense information — but the obligation goes beyond clause insertion. DFARS 252.204-7012(m) imposes a determination duty, an incident-notification requirement, and a CMMC verification obligation that many primes overlook.
Read more →On June 23, 2026, the FAR Council proposed (FAR Case 2026-001) relocating safeguarding, CUI, and supply-chain clauses into a new FAR Part 40 and rewriting the CUI clause (FAR 52.240-7) to tie cloud use to FedRAMP Moderate, point to NIST SP 800-171 Rev. 3, and add a 72-hour conflict-notice rule. It is a proposed rule; comments are due July 23, 2026.
Read more →Knowing that you hold Controlled Unclassified Information is only half the job. The federal rulebook also dictates how that information gets marked, shared, and eventually let go — and contractors are bound by those rules the moment a marked document lands in their inbox.
Read more →The Supplier Performance Risk System score isn't going anywhere — but the clauses that used to demand it just did. Here's how the number is built, and what changed on February 1, 2026.
Read more →GovConCyber is a free legal reference — not a law firm. We cover the federal cybersecurity rules that apply to government contractors: what they require, who they apply to, and what you need to do. Start here if you're new to the site.
Answer a few questions about your contract type and data to get a plain-language summary of your obligations.
Get started →Start with the fundamentals: what the key frameworks are, why they exist, and how they affect your contracts.
Read the basics →Plain-language definitions for CUI, CMMC, DFARS, FedRAMP, and many other key terms.
Browse the glossary →Original, source-anchored analysis on the harder questions — where requirements, contracts, data-handling, and enforcement intersect.
The obligations that reach contractors outside the CMMC conversation — the FAR baseline, civilian-agency clauses, cloud, incident reporting, and enforcement.
How to identify, mark, handle, and flow down the categories of information federal contracts protect — CUI and beyond.
FAR, DFARS, frameworks, and agency-specific rules
State-level cyber laws affecting government contractors
Sector-specific obligations: defense, healthcare, finance, and more
Requirement triage, roadmaps, educational self-checks, and reference aids for planning compliance work.
Original analysis — beyond CMMC, protected information, maps and trackers
Actions, penalties, and False Claims Act case law
Cybersecurity 101 and a plain-language glossary
GovConCyber is a free reference first. When you need that analysis applied — explained to a room, or mapped to your actual contracts — these are the ways to go further.
Plain-language sessions on CMMC, CUI, and the requirements beyond CMMC — for conferences, bar associations, APEX Accelerator programs, and internal briefings.
Explore speaking topics →The Compliance Roadmap Assessment™ — a structured readiness review that maps which requirements apply to your contracts and what to prioritize. Not a CMMC assessment or legal advice.
See how advisory works →