Free · Independent · Sourced to primary authority

Government contractor cybersecurity, explained clearly and implemented practically.

Plain-language guidance on the cybersecurity requirements that attach to federal contracts — FAR 52.204-21, DFARS 252.204-7012, CMMC, CUI, NIST SP 800-171, FedRAMP, incident reporting, and the clauses that turn cybersecurity into procurement risk.

Start Here: The Baseline You Already Owe

Before any FAR or DFARS clause applies, federal and state law already requires your business to secure data and report breaches — the FTC Act, all-50-state breach laws, and rules like GLBA and HIPAA. The contractor requirements build on top of that legal baseline. Make sure you meet it first.

See the Legal Baseline →

Recent Developments

June 2026 · Case Law

Aero Turbine Pays $1.75M to Settle FCA Cybersecurity Case — and Gets Credit for Self-Disclosing

Aero Turbine Inc. and its private equity owner Gallant Capital Partners agreed to pay $1.75 million to resolve False Claims Act allegations over NIST SP 800-171 failures and unauthorized sharing of sensitive defense files with an Egyptian software firm. The DOJ explicitly credited voluntary self-disclosure, cooperation, and remediation — the clearest statement yet of a self-disclosure credit framework for Civil Cyber-Fraud Initiative cases.

June 2026 · Case Law

Illumina Pays $9.8M to Settle FCA Cybersecurity Allegations: When the Product Itself Is the Compliance Problem

The DOJ resolved False Claims Act allegations against Illumina Inc. for $9.8 million after the company sold federal agencies genomic sequencing systems with embedded cybersecurity vulnerabilities while falsely representing those systems complied with NIST and ISO standards. It is the first major Civil Cyber-Fraud Initiative settlement targeting product cybersecurity rather than operational IT compliance.

June 2026 · Compliance Guidance

Cybersecurity Flowdown: What Prime Contractors Owe Their Subcontractors

Prime contractors must flow cybersecurity clauses down to subcontractors that handle covered defense information — but the obligation goes beyond clause insertion. DFARS 252.204-7012(m) imposes a determination duty, an incident-notification requirement, and a CMMC verification obligation that many primes overlook.

June 2026 · Rule Updates

The FAR Overhaul's Next Move: A New "Part 40" for Cybersecurity and a Rewritten CUI Clause

On June 23, 2026, the FAR Council proposed (FAR Case 2026-001) relocating safeguarding, CUI, and supply-chain clauses into a new FAR Part 40 and rewriting the CUI clause (FAR 52.240-7) to tie cloud use to FedRAMP Moderate, point to NIST SP 800-171 Rev. 3, and add a 72-hour conflict-notice rule. It is a proposed rule; comments are due July 23, 2026.


Not Sure Where to Start?

GovConCyber is a free legal reference — not a law firm. We cover the federal cybersecurity rules that apply to government contractors: what they require, who they apply to, and what you need to do. Start here if you're new to the site.

Research

Original, source-anchored analysis on the harder questions — where requirements, contracts, data-handling, and enforcement intersect.

Browse the Reference Library