Takeaway: Government contractor cybersecurity is not a list; it is a stack of connected layers. This map shows how authority flows down into your contract and out into your obligations — and why a change in one layer moves the others.
How to Read This Map
Think in layers, from the source of an obligation down to its consequences. Each layer constrains the next:
1. Statute / Executive Order: the underlying legal authority (e.g., FISMA, the FAR/DFARS enabling statutes, executive orders on cybersecurity).
2. Regulation: how agencies implement the statute (the FAR and the DFARS).
3. Contract clause: the specific clause incorporated into your contract (FAR 52.204-21; DFARS 252.204-7012, 252.204-7019/7020/7021).
4. Framework / standard: the technical baseline a clause points to (NIST SP 800-171, CMMC, FedRAMP).
5. Data type: what you hold determines which of the above apply (FCI, CUI, covered defense information, export-controlled technical data).
6. Obligation: the practical duty: safeguard, assess, report, mark, flow down, certify, preserve evidence.
7. Enforcement: what happens if the obligation and your representation diverge (eligibility loss, negative past performance, False Claims Act exposure, suspension/debarment).
Reading It By Data Type
Because the data type drives everything else, that is usually where to start:
- FCI → FAR 52.204-21 → 15 basic safeguarding requirements → any contractor whose information systems process, store or transmit FCI.
- CUI held under a DoD contract (covered defense information) → DFARS 252.204-7012 + NIST SP 800-171 (110 requirements in Rev 2, the revision 7012 currently references) → self-assessment score posted to SPRS (7019/7020) → CMMC level verification (7021). CUI under civilian agencies follows 32 CFR Part 2002 and that agency's own contract terms.
- Export-controlled technical data → ITAR/EAR stack on top of the cybersecurity terms.
Why Changes Ripple
A change at one layer moves the others. When CMMC (a verification layer) phased in, it did not change NIST SP 800-171 (the standard); it changed the consequence of not meeting it, turning a posture problem into an eligibility problem. When NIST issues a new revision, the clause that references it controls whether the new revision actually applies yet: DFARS 252.204-7012, for example, ties you to the version of SP 800-171 in effect when the solicitation was issued, or one the Contracting Officer authorizes, so a revision published by NIST is not a contract obligation until the clause catches up. Tracking the layer a change lives in tells you who it affects and how fast.
Use the Map
- Identify your data types, then walk down the layers for each.
- Read the connected explainers: Cybersecurity Requirements Beyond CMMC and Protected Information in Practice.
- Get a tailored version for your contracts with Find My Requirements.
Source Notes
Built from the primary authorities mapped above: FAR 52.204-21; DFARS 252.204-7012/-7019/-7020/-7021; NIST SP 800-171; 32 CFR Part 170 (CMMC) and Part 2002 (CUI); and FedRAMP. Status summarized as of the review date and subject to change. Educational analysis, not legal advice.