Free · Independent · Sourced to primary authority

Government contractor cybersecurity, explained clearly and implemented practically.

Plain-language guidance on the cybersecurity requirements that attach to federal contracts — FAR 52.204-21, DFARS 252.204-7012, CMMC, CUI, NIST SP 800-171, FedRAMP, incident reporting, and the clauses that turn cybersecurity into procurement risk.

Start Here: The Baseline You Already Owe

Before any FAR or DFARS clause applies, federal and state law already requires your business to secure data and report breaches — the FTC Act, all-50-state breach laws, and rules like GLBA and HIPAA. The contractor requirements build on top of that legal baseline. Make sure you meet it first.


Recent Developments

June 2026 · Analysis

Bitdefender’s 2026 Cybersecurity Assessment Shows Why Contractor Cyber Governance Cannot Stop at CMMC

Bitdefender’s 2026 report highlights AI, breach reporting, cloud, BEC, and compliance gaps contractors should map to obligations.

June 2026 · Analysis

NIST SP 800-18 Revision 2 Is a Planning Guide Contractors Should Not Ignore

NIST SP 800-18 Rev. 2 gives contractors a useful model for stronger security, privacy, and supply-chain planning.

June 2026 · Compliance Guidance

Cybersecurity Flowdown: What Prime Contractors Owe Their Subcontractors

Prime contractors must flow cybersecurity clauses down to subcontractors that handle covered defense information — but the obligation goes beyond clause insertion. DFARS 252.204-7012(m) imposes a determination duty, an incident-notification requirement, and a CMMC verification obligation that many primes overlook.

June 2026 · Rule Updates

The FAR Overhaul's Next Move: A New "Part 40" for Cybersecurity and a Rewritten CUI Clause

On June 23, 2026, the FAR Council proposed (FAR Case 2026-001) relocating safeguarding, CUI, and supply-chain clauses into a new FAR Part 40 and rewriting the CUI clause (FAR 52.240-7) to tie cloud use to FedRAMP Moderate, point to NIST SP 800-171 Rev. 3, and add a 72-hour conflict-notice rule. It is a proposed rule; comments are due July 23, 2026.


Not Sure Where to Start?

GovConCyber is a free legal reference — not a law firm. We cover the federal cybersecurity rules that apply to government contractors: what they require, who they apply to, and what you need to do. Start here if you're new to the site.

Research

Original, source-anchored analysis on the harder questions — where requirements, contracts, data-handling, and enforcement intersect.
