Free · Independent · Sourced to primary authority

Government contractor cybersecurity, explained clearly and implemented practically.

Plain-language guidance on the cybersecurity requirements that attach to federal contracts — FAR 52.204-21, DFARS 252.204-7012, CMMC, CUI, NIST SP 800-171, FedRAMP, incident reporting, and the clauses that turn cybersecurity into procurement risk.

Start Here: The Baseline You Already Owe

Before any FAR or DFARS clause applies, federal and state law already requires your business to secure data and report breaches — the FTC Act, all-50-state breach laws, and rules like GLBA and HIPAA. The contractor requirements build on top of that legal baseline. Make sure you meet it first.


Recent Developments

July 2026 · Rule Updates

The FAR CUI Rule Is Back for Comment — What Changed and Why the 72-Hour Clock Matters

On June 23, 2026, the FAR Council reissued its proposed FAR CUI rule under a new docket, FAR Case 2026-001, reopening it for public comment through July 23, 2026. Here is what changed since the January 2025 draft — a longer incident-reporting window, a shift toward NIST SP 800-171 Rev. 3, a deleted clause, and a new conflict-of-law notice — and what a contractor should do with a proposed rule versus a final one.

June 2026 · Analysis

NIST SP 800-18 Revision 2 Is a Planning Guide Contractors Should Not Ignore

NIST SP 800-18 Rev. 2 gives contractors a useful model for stronger security, privacy, and supply-chain planning.

June 2026 · Analysis

Bitdefender’s 2026 Cybersecurity Assessment Shows Why Contractor Cyber Governance Cannot Stop at CMMC

Bitdefender’s 2026 report highlights AI, breach reporting, cloud, BEC, and compliance gaps contractors should map to obligations.

June 2026 · Compliance Guidance

Cybersecurity Flowdown: What Prime Contractors Owe Their Subcontractors

Prime contractors must flow cybersecurity clauses down to subcontractors that handle covered defense information — but the obligation goes beyond clause insertion. DFARS 252.204-7012(m) imposes a determination duty, an incident-notification requirement, and a CMMC verification obligation that many primes overlook.


Not Sure Where to Start?

GovConCyber is a free legal reference — not a law firm. We cover the federal cybersecurity rules that apply to government contractors: what they require, who they apply to, and what you need to do. Start here if you're new to the site.

Research

Original, source-anchored analysis on the harder questions — where requirements, contracts, data-handling, and enforcement intersect.
