Plain-language guidance on the cybersecurity requirements that attach to federal contracts — FAR 52.204-21, DFARS 252.204-7012, CMMC, CUI, NIST SP 800-171, FedRAMP, incident reporting, and the clauses that turn cybersecurity into procurement risk.
Before any FAR or DFARS clause applies, federal and state law already requires your business to secure data and report breaches — the FTC Act, all-50-state breach laws, and rules like GLBA and HIPAA. The contractor requirements build on top of that legal baseline. Make sure you meet it first.
On June 23, 2026, the FAR Council proposed (FAR Case 2026-001) relocating safeguarding, CUI, and supply-chain clauses into a new FAR Part 40 and rewriting the CUI clause (FAR 52.240-7) to tie cloud use to FedRAMP Moderate, point to NIST SP 800-171 Rev. 3, and add a 72-hour conflict-notice rule. It is a proposed rule; comments are due July 23, 2026.
Read more →Knowing that you hold Controlled Unclassified Information is only half the job. The federal rulebook also dictates how that information gets marked, shared, and eventually let go — and contractors are bound by those rules the moment a marked document lands in their inbox.
Read more →On May 13, 2026, NIST finalized a much bigger version of the enhanced-security publication behind CMMC Level 3. The headline number nearly tripled — but if you're chasing Level 3 today, the rules you're measured against did not change.
Read more →Two DFARS clauses that defense contractors have cited for years vanished on February 1, 2026. If you went looking for 252.204-7019 and couldn't find it, you're not imagining things — and the good news is that almost nothing about your actual obligations changed.
Read more →GovConCyber is a free legal reference — not a law firm. We cover the federal cybersecurity rules that apply to government contractors: what they require, who they apply to, and what you need to do. Start here if you're new to the site.
Answer a few questions about your contract type and data to get a plain-language summary of your obligations.
Get started →Start with the fundamentals: what the key frameworks are, why they exist, and how they affect your contracts.
Read the basics →Plain-language definitions for CUI, CMMC, DFARS, FedRAMP, and many other key terms.
Browse the glossary →Original, source-anchored analysis on the harder questions — where requirements, contracts, data-handling, and enforcement intersect.
The obligations that reach contractors outside the CMMC conversation — the FAR baseline, civilian-agency clauses, cloud, incident reporting, and enforcement.
How to identify, mark, handle, and flow down the categories of information federal contracts protect — CUI and beyond.
FAR, DFARS, frameworks, and agency-specific rules
State-level cyber laws affecting government contractors
Sector-specific obligations: defense, healthcare, finance, and more
Checklists, templates, and program-building guides
Original analysis — beyond CMMC, protected information, maps and trackers
Actions, penalties, and False Claims Act case law
Cybersecurity 101 and a plain-language glossary
GovConCyber is a free reference first. When you need that analysis applied — explained to a room, or mapped to your actual contracts — these are the ways to go further.
Plain-language sessions on CMMC, CUI, and the requirements beyond CMMC — for conferences, bar associations, APEX Accelerator programs, and internal briefings.
Explore speaking topics →The Compliance Roadmap Assessment™ — a structured readiness review that maps which requirements apply to your contracts and what to prioritize. Not a CMMC assessment or legal advice.
See how advisory works →