Skip to main content
Free · Independent · Sourced to primary authority

Government contractor cybersecurity, explained clearly and implemented practically.

Plain-language guidance on the cybersecurity requirements that attach to federal contracts — FAR 52.204-21, DFARS 252.204-7012, CMMC, CUI, NIST SP 800-171, FedRAMP, incident reporting, and the clauses that turn cybersecurity into procurement risk.

Start Here: The Baseline You Already Owe

Before any FAR or DFARS clause applies, federal and state law already requires your business to secure data and report breaches — the FTC Act, all-50-state breach laws, and rules like GLBA and HIPAA. The contractor requirements build on top of that legal baseline. Make sure you meet it first.

See the Legal Baseline →

Recent Developments

July 2026Case Law

A Missing Cybersecurity Narrative Ended a SEWP VI Bid: The InnoVet Protest

In InnoVet Technologies, LLC (GAO, June 16, 2026), NASA eliminated a small business from the SEWP VI competition — a 10-year GWAC that ultimately produced 2,115 awards — not because its security was weak, but because its proposals omitted a required narrative describing the offeror's own cybersecurity supply chain risk management. GAO denied the protest. The lesson for contractors: on many federal procurements, the cybersecurity write-up is a pass/fail gate for award eligibility, and a checklist attestation is not a substitute for the narrative the solicitation asks for.

Read more →
July 2026Analysis

GAO Warns DOD Hasn't Planned for a CMMC Assessor Shortage — What That Means for Your Certification Timeline

The Government Accountability Office found DoD's CMMC rollout plan strong on six of seven strategic elements but incomplete on one: it has not documented how it will handle key external risks — chief among them the possibility that the private sector won't have enough certified C3PAO assessors to meet demand. With CMMC Phase 2 starting November 10, 2026, that unmanaged assessor-capacity gap is a direct scheduling risk for defense contractors. (GAO-26-107955; DoD concurred with GAO's recommendation.)

Read more →
July 2026Rule Updates

FedRAMP's Consolidated Rules for 2026 Are Live: The Dates Cloud Contractors Need to Calendar

FedRAMP's Consolidated Rules for 2026 launched June 25, 2026, replacing the Low/Moderate/High impact-level framing with a Class A/B/C/D structure and setting hard pipeline and Rev5 sunset dates. Here is what changed since our June preview and what to calendar now.

Read more →
July 2026Rule Updates

The FAR CUI Rule Is Back for Comment — What Changed and Why the 72-Hour Clock Matters

On June 23, 2026, the FAR Council reissued its proposed FAR CUI rule under a new docket, FAR Case 2026-001, reopening it for public comment through July 23, 2026. Here is what changed since the January 2025 draft — a longer incident-reporting window, a shift toward NIST SP 800-171 Rev. 3, a deleted clause, and a new conflict-of-law notice — and what a contractor should do with a proposed rule versus a final one.

Read more →

Not Sure Where to Start?

GovConCyber is a free legal reference — not a law firm. We cover the federal cybersecurity rules that apply to government contractors: what they require, who they apply to, and what you need to do. Start here if you're new to the site.

Research

Original, source-anchored analysis on the harder questions — where requirements, contracts, data-handling, and enforcement intersect.

Browse the Reference Library