Industry overlays
Every federal contractor faces the FAR 52.204-21 baseline. These pages explain the sector-specific cybersecurity rules that layer on top of it — what they require, who enforces them, and how they interact with your federal contract clauses.
Defense
The defense industrial base operates under the strictest cybersecurity regime in federal contracting: DFARS 7012, NIST 800-171, SPRS score reporting, and the phased rollout of CMMC 2.0.
Healthcare
Covered entities and HHS contractors sit under HIPAA's Security Rule, HHS 405(d) recognized practices, and federal contract clauses requiring HITRUST or HIPAA attestations.
Financial Services
Banking, insurance, and capital markets navigate the GLBA Safeguards Rule, the SEC cyber disclosure rules, NY DFS Part 500, and a thicket of state financial regulators.
Education
K-12 districts, higher education institutions, and EdTech vendors operate under FERPA, GLBA (for Title IV institutions), and a growing set of state student-data privacy laws.
Energy & Utilities
Bulk electric system operators live under NERC CIP. Pipelines fall under TSA Security Directives. Water utilities navigate EPA and AWIA requirements.
Not sure which sector rules apply to you?
The Find My Requirements tool walks through your contract type, agency, data categories, and industry to produce a plain-language summary of the cybersecurity obligations most likely to apply.