
The Free Cybersecurity Law Reference for Government Contractors

Your plain-language map to the national procurement cybersecurity ecosystem.

Start here: the baseline you already owe

Before any FAR or DFARS clause applies, federal and state law already requires your business to secure data and report breaches — the FTC Act, all-50-state breach laws, and rules like GLBA and HIPAA. The contractor requirements build on top of that legal baseline. Make sure you meet it first.

See the legal baseline →

Recent Developments

June 2026 · Analysis

A New Senate Bill Wants to Drag Critical-Infrastructure Cyber Plans Into the AI Era — Including the Defense Industrial Base

A new Senate bill would force CISA to rewrite all 16 critical-infrastructure cyber plans — including the defense industrial base — for AI, deepfake, and quantum threats. It is a signal of where contractor requirements are heading.

Read more →
June 2026 · Compliance Guidance

CISA Reopened the CIRCIA Comment Window — and the Defense Industrial Base Has a Seat on June 18

CISA reopened CIRCIA stakeholder input with town halls June 15-18, 2026; the defense industrial base is scheduled June 18. The 72-hour reporting rule isn't final — its scope and burden are still open for comment.

Read more →
June 2026 · Rule Updates

CISA's New Patching Directive (BOD 26-04) Rewrites the Vulnerability Clock — and Contractors Should Read It Too

CISA's BOD 26-04 replaces BOD 19-02 and 22-01 with a risk-based patching model: fix the highest-risk, actively exploited, edge-facing flaws in three days. It binds agencies, but it reaches their contractors.

Read more →
June 2026 · Rule Updates

FedRAMP's 2026 Consolidated Rules Are Coming This Month: What Cloud Contractors Should Do Now

FedRAMP will publish its 2026 Consolidated Rules (CR26) by the end of June: one stable rulebook through 2028, plus a shift from change requests to change notifications for cloud providers.

Read more →

Not Sure Where to Start?

GovConCyber is a free legal reference — not a law firm. We cover the federal cybersecurity rules that apply to government contractors: what they require, who they apply to, and what you need to do. Start here if you're new to the site.

Browse the Reference Library

About GovConCyber

GovConCyber is a free, independent legal reference for government contractors. We translate complex federal cybersecurity requirements into plain English — without the billable hour. Content is reviewed for accuracy against the underlying statutes, regulations, and official guidance, and updated periodically as those rules evolve.

Learn more about this site →
Free to Use
No paywalls, no subscriptions, no ads.
Sourced to Primary Law
Every factual claim is cited to the underlying statute, regulation, or official agency document.
Updated Periodically
Pages are reviewed for accuracy and carry a visible 'Last reviewed' date — see the date on each page.