GovConCyber
Federal cybersecurity requirements
Every federal contractor inherits a common baseline of cybersecurity obligations the moment a contract is signed. On top of that baseline, additional rules layer on based on the agency you sell to, the type of data you handle, and the technical frameworks your contract cites. This hub maps those layers so you can see — at a glance — what applies to your work.
Start here: the baseline you already owe
Before any FAR or DFARS clause applies, federal and state law already requires your business to secure data and report breaches: the FTC Act, breach laws in all 50 states, and rules like GLBA and HIPAA. The contractor requirements build on top of that legal baseline. Make sure you meet it first.
Applicability at a glance
A starting reference, not a legal opinion. Most contracts add wrinkles — read the clauses incorporated into your award for the definitive list.
| Contractor type | FAR Baseline | DFARS 7012 | NIST 800-171 | CMMC | Agency Supplement | FedRAMP |
|---|---|---|---|---|---|---|
| All Federal Contractors | Required | Not Required | Not Required | Not Required | Conditional | Conditional |
| DoD Contractors | Required | Conditional | Conditional | Conditional | Required | Conditional |
| DoD Contractors handling CUI | Required | Required | Required | Required | Required | Conditional |
| DoD CMMC-scoped | Required | Required | Required | Required | Required | Conditional |
| Civilian Agency | Required | Not Required | Conditional | Not Required | Conditional | Conditional |
| Healthcare | Required | Not Required | Conditional | Not Required | Required | Conditional |
Explore the requirements
FAR Baseline
The 15 basic safeguarding requirements in FAR 52.204-21 that apply to any contractor system holding Federal Contract Information. Start here — it's the floor every federal vendor must meet.
By Framework
The technical playbooks federal clauses point to — NIST SP 800-171, NIST SP 800-53, the NIST CSF, CMMC, and FedRAMP. Use this when you need to understand what a clause actually requires you to implement.
By Agency
Agency supplements that add their own cyber clauses on top of the FAR — DFARS for DoD, HHSAR for HHS, NFS for NASA, and others. Use this if you know which agency is buying your work.
Federal Statutes
The underlying laws — FISMA, the CUI Executive Order, the FedRAMP Authorization Act, and the False Claims Act as applied to cyber — that give every clause its teeth. Useful when you need to trace a requirement back to its source.
Not sure which apply to you? Answer a few short questions and we'll show you the specific clauses and frameworks tied to your contract.
Use the Find My Requirements tool