Why Cybersecurity Matters for Government Contractors
The federal government is the largest buyer of goods and services in the world, and the data that flows through its contracts — performance details, personnel records, technical drawings, system designs — is a constant target for foreign intelligence services and criminal groups. When that data is stolen from a contractor, the government treats it the same as if it had been stolen from a federal agency. The contractor carries the legal and financial responsibility.
This applies whether you are a defense prime, a small business selling office furniture, or a subcontractor three tiers down. If your contract generates or handles information for the government, you are inside the scope of federal cybersecurity rules. "We don't really do IT" is not a defense — the obligations attach to the data, not to your job title.
The stakes are practical: failing a cybersecurity review can cost you the award, get an existing contract terminated, or trigger a False Claims Act investigation if you certified compliance you didn't actually have. The good news is that the rules, once translated out of acronym-speak, are mostly common-sense hygiene applied consistently.
Core Concepts
The CIA Triad
Cybersecurity professionals organize almost every control around three goals, known as the CIA triad — short for Confidentiality, Integrity, and Availability. Confidentiality means only the right people can see the data. Integrity means the data hasn't been altered without authorization. Availability means the data and systems are there when authorized users need them. Every clause you'll read maps back to one of these three.
Federal Contract Information (FCI)
FCI is information provided by or generated for the government under a contract that is not intended for public release. Quote details, delivery schedules, internal performance reports, draft deliverables — that's FCI. Almost every federal contract creates some. Protecting FCI is the floor, covered by FAR clause 52.204-21.
Controlled Unclassified Information (CUI)
CUI is a step up. It's unclassified information the government has decided is sensitive enough to require specific safeguards — export-controlled technical data, personally identifiable information, law-enforcement records, critical infrastructure details. Contracts that involve CUI carry stricter clauses (most famously DFARS 252.204-7012 for defense work) and require the full NIST 800-171 control set.
The Threat Landscape
The realistic threats to a contractor are: phishing emails that steal credentials, ransomware that encrypts your file shares, business-email compromise that redirects payments, and slow, quiet intrusions by nation-state actors looking for technical data. Small and mid-sized contractors are not safer because they're small — they're targeted because they're seen as the soft path into a larger prime or program.
How Cybersecurity Is Regulated in Federal Contracting
Cybersecurity obligations for contractors come in layers. Each layer sits on top of the one before it, and your specific stack depends on what you sell, who you sell it to, and what data you touch. Work from the bottom up — you cannot skip a foundation and expect the contract clauses on top to hold.
Layer 1 — Federal statutes (the real baseline)
Before any contract clause enters the picture, federal law already applies to almost every business operating in interstate commerce. Statutes like the Federal Trade Commission Act (which treats lax data security as an unfair practice), the Computer Fraud and Abuse Act, breach-notification requirements, and sector laws such as HIPAA (health data), GLBA (financial data), and the SEC cyber-disclosure rules apply whether or not you ever bid on a contract. If you want to sell to the government, get your statutory house in order first — agencies expect it, and many contract representations and certifications ("reps and certs") assume it.
Layer 2 — Industry standards and sector rules
On top of statutes sit industry-specific laws and recognized best practices for your line of work — PCI DSS for card data, NERC CIP for the bulk power system, ITAR and EAR for export-controlled technical data, and broader frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001. These are not contract clauses, but they shape what "reasonable security" looks like in your industry and often map directly into the controls a federal contract will later require.
Layer 3 — The FAR (contracting baseline)
The Federal Acquisition Regulation (FAR) is the government-wide rulebook for federal procurement. Its cybersecurity floor is FAR 52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems") — fifteen basic requirements that apply to any system holding FCI. If your contract has a FAR clause and creates non-public information for the government, this applies. See the FAR baseline →
Layer 4 — Agency FAR supplements
Individual agencies extend the FAR with their own supplements that only apply when you hold a contract with that agency. The DFARS (Defense Federal Acquisition Regulation Supplement) governs Department of Defense work — DFARS 252.204-7012 requires NIST SP 800-171 compliance and 72-hour incident reporting for defense contractors handling CUI, and CMMC (Cybersecurity Maturity Model Certification) is the DoD program that verifies it through third-party assessments. DFARS and CMMC do not apply outside DoD work. Civilian agencies have their own supplements (HHSAR, DEAR, NFS, and others) with their own clauses. Browse agency supplements →
Layer 5 — Contract-specific requirements
Finally, individual contracts and task orders can add their own terms — a particular NIST SP 800-53 control baseline, a FedRAMP-authorized hosting requirement, specific incident-reporting timelines, or program-unique safeguards spelled out in the Statement of Work. Two contracts at the same agency can have very different cyber requirements. Always read the clauses in the contract in front of you. See frameworks →
Common Mistakes Contractors Make
- Assuming the clauses don't apply to them. "We're a small shop, we don't touch classified info" — but you almost certainly touch FCI, and that's enough to trigger FAR 52.204-21.
- Self-scoring NIST 800-171 generously. Many contractors submit a perfect or near-perfect Supplier Performance Risk System (SPRS) score without an honest assessment. That gap, once discovered, is the kind of misrepresentation the Civil Cyber-Fraud Initiative was built to pursue.
- Storing CUI in unapproved cloud tools. Standard consumer Microsoft 365 or Google Workspace tenants are not authorized for CUI. You need the government-community editions or an equivalent FedRAMP-authorized environment.
- Forgetting to flow requirements down to subcontractors. Most cybersecurity clauses require you to pass the same obligations to anyone you subcontract to. The prime is on the hook if a sub leaks.
- Treating compliance as a one-time project. The System Security Plan (SSP) and Plan of Action & Milestones (POA&M) are living documents. Auditors will ask when you last updated them.
References
This page summarizes authoritative federal sources. Consult the originals for binding text:
- FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems (Acquisition.gov)
- DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting (Acquisition.gov)
- NIST SP 800-171 Rev. 3 — Protecting Controlled Unclassified Information in Nonfederal Systems (NIST CSRC)
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations (NIST CSRC)
- NIST Cybersecurity Framework (NIST)
- CMMC Program — DoD CIO (Department of Defense)
- CMMC Program Final Rule (32 CFR Part 170) (Federal Register, Oct. 15, 2024)
- CUI Program — National Archives (32 CFR Part 2002) (NARA)
- Supplier Performance Risk System (SPRS) (DoD)
- DOJ Civil Cyber-Fraud Initiative (U.S. Department of Justice)
- Federal Trade Commission Act (15 U.S.C. §§ 41–58) (FTC)
- Computer Fraud and Abuse Act (18 U.S.C. § 1030) (Cornell LII)
- HIPAA Security Rule (U.S. Department of Health and Human Services)
- Gramm-Leach-Bliley Act — Safeguards Rule (FTC)
- SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (2023) (U.S. Securities and Exchange Commission)
- PCI DSS (PCI Security Standards Council)
- NERC CIP Reliability Standards (North American Electric Reliability Corporation)
- ITAR (22 CFR Parts 120–130) (U.S. Department of State, DDTC) / EAR (15 CFR Parts 730–774) (U.S. Department of Commerce, BIS)
- ISO/IEC 27001 — Information Security Management Systems (ISO)
- FedRAMP (U.S. General Services Administration)
Where to Go Next
Glossary
Look up any acronym or term of art used across federal cyber law — CUI, FCI, FedRAMP, POA&M, and more.
The FAR Baseline
The 15 basic safeguarding requirements every federal contractor has to meet, explained clause by clause.
Find My Requirements
Answer a few questions about your contract and get the specific rules and frameworks that apply to your work.