Skip to main content
Free · Independent · Sourced to primary authority

Government contractor cybersecurity, explained clearly and implemented practically.

Plain-language guidance on the cybersecurity requirements that attach to federal contracts — FAR 52.204-21, DFARS 252.204-7012, CMMC, CUI, NIST SP 800-171, FedRAMP, incident reporting, and the clauses that turn cybersecurity into procurement risk.

Start Here: The Baseline You Already Owe

Before any FAR or DFARS clause applies, federal and state law already requires your business to secure data and report breaches — the FTC Act, all-50-state breach laws, and rules like GLBA and HIPAA. The contractor requirements build on top of that legal baseline. Make sure you meet it first.

See the Legal Baseline →

Recent Developments

July 2026Rule Updates

CMMC Phase 2 Suspended: What the Department of War's July 2026 Reversal Means for Contractors

The Department of War suspended CMMC Phase 2 certification requirements on July 13, 2026, launching a 60-day reform review while Phase 1 self-assessments and DFARS 252.204-7012 remain in force.

Read more →
July 2026Rule Updates

Post-Quantum Cryptography Reaches the FAR: What Executive Order 14412 Puts on Contractors

Executive Order 14412 (June 22, 2026) directs the FAR Council to propose a rule requiring covered contractors to meet NIST FIPS — including post-quantum cryptography algorithms — by December 31, 2030, plus a second rule extending vulnerability disclosure programs to cryptographic weaknesses. Nothing is a contract requirement yet, but the migration is longer than the rulemaking.

Read more →
July 2026Rule Updates

HIPAA's Cybersecurity Overhaul Slips to Mid-2027 - What It Signals Beyond Health Care

HHS/OCR's HIPAA Security Rule overhaul just slipped from May 2026 to July 2027. It's not a CMMC or DFARS rule, but it's another data point in the same federal cyber-regulation pattern contractors are already tracking.

Read more →
July 2026Rule Updates

The Federal Cyber Rulemaking Stack: Five Rules Landing July–September 2026

CMMC Rev. 3, CIRCIA, two FAR Council rules, and a DFARS 252.204-7012 update are all targeted to hit milestones between July and September 2026 — the most concentrated stretch of federal cybersecurity rulemaking activity contractors will see this year.

Read more →

Not Sure Where to Start?

GovConCyber is a free legal reference — not a law firm. We cover the federal cybersecurity rules that apply to government contractors: what they require, who they apply to, and what you need to do. Start here if you're new to the site.

Research

Original, source-anchored analysis on the harder questions — where requirements, contracts, data-handling, and enforcement intersect.

Browse the Reference Library