
FAR 52.204-21: The 15 Basic Safeguards Every Federal Contractor Has to Meet

FAR 52.204-21 is the one cybersecurity clause that applies government-wide, no matter the agency, contract size, or industry. If Federal Contract Information touches your network, you owe all fifteen safeguards.

Brandon Hancock, J.D., CMMC-RP · Published June 8, 2026 · Updated June 8, 2026 · 5 min read

If your company does business with any U.S. federal agency, FAR 52.204-21 is your first contractor-specific cybersecurity obligation — but it is not your first cybersecurity obligation. Long before you bid, a backdrop of generally-applicable law already requires your business to protect the data it holds: the FTC Act, state breach-notification and data-security statutes, and sector rules like the GLBA Safeguards Rule and the HIPAA Security Rule. FAR 52.204-21 is what gets *added* when you take federal money — the single cybersecurity requirement that applies across the entire government.

What the Clause Covers

FAR 52.204-21 requires "basic safeguarding" of Federal Contract Information (FCI) — information provided by or generated for the Government under a contract that is not intended for public release. FCI is a broader, lower-sensitivity category than Controlled Unclassified Information (CUI); think of it as the everyday non-public information that flows through almost any contract.

The clause is included in nearly every federal contract, with the main carve-out being acquisitions solely for commercially available off-the-shelf (COTS) items. There is no dollar threshold. If FCI lives on your systems, the expectation is simple: meet all fifteen requirements.

The 15 Requirements, in Plain English

FAR 52.204-21(b) lists fifteen safeguards drawn from a subset of NIST SP 800-171. In plain terms, you must:

1. Limit system access to authorized users and devices.
2. Limit users to the transactions and functions their role requires (least privilege).
3. Verify and control connections to external systems.
4. Control information posted on publicly accessible systems.
5. Identify system users and processes.
6. Authenticate users before granting access.
7. Sanitize or destroy media containing FCI before disposal or reuse.
8. Limit physical access to systems and equipment.
9. Escort visitors and monitor physical activity.
10. Maintain audit logs of physical access.
11. Manage and control physical access devices.
12. Monitor, control, and protect communications at system boundaries.
13. Separate publicly accessible subnetworks from internal networks.
14. Identify, report, and correct system flaws in a timely way.
15. Provide protection from malicious code and keep it current.

None of these are exotic. Most overlap with ordinary IT hygiene and with the general-business security duties you should already carry. The compliance work is usually proving you do them, not inventing them.

Who Must Comply — and How It Flows Down

Every prime contractor and subcontractor at any tier whose information systems handle FCI is covered. When the clause is in a contract, it applies broadly across agencies and flows down to covered subcontractors at every tier — again, the principal exception being subcontracts solely for COTS items. The obligation arises from clause inclusion and contract scope, not from contractor status alone, so read your clauses: if 52.204-21 is in the award, the fifteen safeguards are in your scope.

Where It Sits in the Stack

FAR 52.204-21 is a floor for *contractors*, not the floor for your *business*. Picture the stack from the ground up: the legal baseline (FTC Act, state breach/data-security laws, GLBA, HIPAA) binds any business that handles data; FAR 52.204-21 adds the fifteen basic FCI safeguards once you win federal work; and when your work involves the more sensitive CUI, the full NIST SP 800-171 standard applies — verified, for the Department of Defense, through CMMC. CMMC Level 1 verifies exactly these fifteen safeguards via annual self-assessment, so getting 52.204-21 right is also the groundwork for DoD compliance.

Key Takeaways

  • FAR 52.204-21 is government-wide. It applies to every federal contractor and subcontractor whose systems handle FCI, with no dollar threshold and only a narrow COTS carve-out.
  • There are exactly 15 safeguards, drawn from NIST SP 800-171 — mostly basic access control, physical security, boundary protection, and malware defense.
  • It's a starting point, not the finish line. Meet your generally-applicable legal duties first, then layer 52.204-21 on top; if you touch CUI, expect NIST 800-171 and (for DoD) CMMC to follow.

Confirm whether FCI, CUI, or both flow through your contracts on the FAR Cybersecurity Baseline page, see how the standards connect on Frameworks, and map your environment with Find My Requirements and the Self-Assessment Checklists.


Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.
