Overview
If your company does business with any U.S. federal agency, FAR 52.204-21 is your first contractor-specific cybersecurity obligation — but it is not your first cybersecurity obligation. Long before you bid on a contract, a backdrop of generally-applicable federal and state law already requires your business to protect the data it holds. Those duties — the FTC Act, state breach-notification and data-security statutes, and sector rules like the GLBA Safeguards Rule or HIPAA Security Rule — apply to any company that handles data, contractor or not. We map them on The Legal Baseline page, and you should already meet them.
FAR 52.204-21 is the clause that gets added when you take federal money: the one cybersecurity requirement that applies government-wide, regardless of agency, contract size, or industry. It requires "basic safeguarding" of any Federal Contract Information (FCI) that lives on your systems.
Federal Contract Information (FCI): information provided by or generated for the Government under a contract that is not intended for public release. It is a broader, lower-sensitivity category than Controlled Unclassified Information (CUI).
The clause is included in nearly every federal contract except those solely for commercially available off-the-shelf (COTS) items. If FCI touches your network, you are expected to meet all 15 requirements below — on top of the general-business obligations you already carry.
The 15 Basic Safeguarding Requirements
FAR 52.204-21(b) lists fifteen safeguards drawn from a subset of NIST SP 800-171. In plain terms they require you to:
1. Limit system access to authorized users and devices.
2. Limit users to the transactions and functions their role requires (least privilege).
3. Verify and control connections to external systems.
4. Control information posted on publicly accessible systems.
5. Identify system users and processes.
6. Authenticate users before granting access.
7. Sanitize or destroy media containing FCI before disposal or reuse.
8. Limit physical access to systems and equipment.
9. Escort visitors and monitor physical activity.
10. Maintain audit logs of physical access.
11. Manage and control physical access devices.
12. Monitor, control, and protect communications at system boundaries.
13. Separate publicly accessible subnetworks from internal networks.
14. Identify, report, and correct system flaws in a timely way.
15. Provide protection from malicious code and keep it current.
Who Must Comply
Every prime contractor and subcontractor at any tier whose information systems handle FCI. There is no dollar threshold and no agency exception — it is the universal baseline *for federal contractors*. Contracts solely for COTS items are the primary carve-out.
Where It Sits in the Stack
FAR 52.204-21 is a floor for contractors, not the floor for your business. Picture the full stack from the ground up:
1. The legal baseline — the FTC Act, state breach-notification and data-security laws, and sector rules like the GLBA Safeguards Rule or HIPAA Security Rule. These bind any business that handles data, contractor or not. You should already meet them before you ever pursue a contract. See The Legal Baseline.
2. FAR 52.204-21 — the 15 basic FCI safeguards every federal contractor adds on top once it wins federal work.
3. CUI protections — when your work involves the more sensitive Controlled Unclassified Information (CUI), NIST SP 800-171 applies, and for the Department of Defense, CMMC verifies it.
So FAR 52.204-21 is the *starting point of your contractor obligations* — not the finish line, and not the start of your legal duty to secure data.
| Related requirement | Relationship |
|---|---|
| The Legal Baseline | Generally-applicable laws (FTC Act, state breach/data-security, GLBA, HIPAA) every business must already meet — the layer beneath this clause |
| NIST SP 800-171 | Source of the 15 safeguards; full standard applies when you handle CUI |
| DFARS 252.204-7012 | DoD clause adding CUI protections and incident reporting |
| CMMC 2.0 Level 1 | Verifies these 15 FCI safeguards via annual self-assessment |
| Proposed FAR CUI Rule | Would extend standardized CUI requirements government-wide |
What to Do Next
First, make sure you already meet the generally-applicable legal baseline — most of FAR 52.204-21's safeguards overlap with what those laws already expect. Then confirm whether FCI, CUI, or both flow through your contracts, map your environment to the 15 safeguards, and close any gaps. Use the Find My Requirements tool to see your full obligation set, and the Self-Assessment Checklists to work through the controls.
Sources
- FAR 52.204-21 (acquisition.gov / eCFR Title 48)
- NIST SP 800-171 (csrc.nist.gov)