Labor & Cybersecurity Β· Prescribed by FAR 4.1903

FAR 52.204-21 β€” Basic Safeguarding of Covered Contractor Information Systems

What It Is

FAR 52.204-21 sets a floor of basic cybersecurity hygiene for federal contractors. It requires contractors whose information systems process, store, or transmit Federal Contract Information (FCI) to apply 15 specified basic safeguarding requirements β€” controls such as limiting system access to authorized users, controlling who can run what, authenticating users, controlling physical access, monitoring and protecting network boundaries, using antimalware, and timely patching. These 15 controls are the baseline; defense work involving Controlled Unclassified Information (CUI) layers additional requirements (NIST SP 800-171 / DFARS 252.204-7012 and the CMMC framework) on top. The clause flows down to subcontractors whose systems handle FCI.

When It Applies

  • Contracts (including commercial) where a contractor information system processes, stores, or transmits Federal Contract Information β€” which is most contracts.
  • Flowed down to subcontractors whose information systems will handle FCI.
  • As the baseline beneath stricter requirements (DFARS 252.204-7012 / NIST SP 800-171 / CMMC) when the work involves Controlled Unclassified Information.

Key Provisions

ProvisionWhat It Means
15 basic safeguardsThe clause lists 15 specific controls β€” access limitation, authentication, boundary protection, antimalware, patching, physical access control, and more β€” that form the cybersecurity floor.
Federal Contract Information triggerIt applies whenever a contractor system processes, stores, or transmits FCI β€” information provided by or generated for the government under the contract and not intended for public release.
Flow-down to subsContractors must include the safeguarding requirements in subcontracts whose performance will involve covered contractor information systems handling FCI.
Baseline, not the ceilingFor CUI and defense work, NIST SP 800-171, DFARS 252.204-7012, and CMMC impose additional controls on top of these 15 basics.

What It Means for an SDVOSB

Cybersecurity compliance is increasingly a gate to award, and these 15 controls are the minimum every SDVOSB handling federal contract information must meet β€” across both civilian and defense work. Treat them as a foundation: stand them up now, document them, and flow them down to any subs whose systems will touch FCI. If you pursue DoD work involving CUI, you will need to build toward NIST SP 800-171 and CMMC on top of this baseline, so the basic safeguards are the on-ramp to that larger compliance roadmap rather than the destination.

Common Pitfalls

  • Assuming the 15 basic controls are enough for defense/CUI work, which requires NIST SP 800-171 and CMMC on top.
  • Not flowing the safeguarding requirements down to subcontractors whose systems will handle FCI.
  • Treating cybersecurity as optional β€” inadequate safeguarding is increasingly an award and compliance risk, not just an IT preference.

Frequently Asked

Does FAR 52.204-21 apply to small SDVOSB contractors?

Yes. FAR 52.204-21 applies to any contractor β€” regardless of size β€” whose information system processes, stores, or transmits Federal Contract Information, which covers most federal contracts. It requires implementing 15 basic cybersecurity safeguarding controls and flowing them down to subcontractors whose systems will handle FCI. There is no small-business exemption from the basic safeguarding requirements.

Is FAR 52.204-21 the same as CMMC or NIST 800-171?

No. FAR 52.204-21 is the governmentwide baseline β€” 15 basic safeguarding controls for systems handling Federal Contract Information. NIST SP 800-171, DFARS 252.204-7012, and the CMMC framework apply additional, more rigorous requirements when the work involves Controlled Unclassified Information, primarily on Department of Defense contracts. The 15 basics are the floor that everyone meets; CUI work builds substantially on top of them.

Primary Sources

Plain-English reference, not legal advice. Which clauses apply, and in which version, is set by the specific solicitation, and the FAR is periodically amended β€” always read the actual clause text in your solicitation and confirm its application with your contracting officer before relying on this.

Last updated Update cadence: Quarterly, plus on FAR amendment
Change log (1)
  1. LaunchedPublished the federal contract clauses reference covering the standard FAR Part 52 clauses an SDVOSB encounters in a set-aside contract β€” the SDVOSB set-aside clause (52.219-27), limitations on subcontracting (52.219-14), utilization of small business concerns (52.219-8), the reps-and-certs provisions (52.204-8 / 52.212-3), the commercial terms clauses (52.212-4 / 52.212-5), Changes (52.243-1), Termination for Convenience and Default (52.249-2 / 52.249-8), Prompt Payment and EFT payment (52.232-25 / 52.232-33), Service Contract Labor Standards (52.222-41), and basic cybersecurity safeguarding (52.204-21) β€” each with a key-provisions table, common pitfalls, an SDVOSB-specific angle, FAQPage, Legislation, Dataset, and BreadcrumbList structured data, primary-source FAR citations, and cross-links into the glossary, forms reference, contract types, regulation explainers, how-to guides, FAQ, and the limitations-on-subcontracting and price-to-win calculators.

Related Clauses

Forms It Touches

SF 1449 — Solicitation/Contract/Order for Commercial Products and Commercial Services→

Contract Types It Applies To

FFP

Put It Into Practice

How to Register Your SDVOSB in SAM.gov→

Terms Used on This Page

FARSBA

In the FAQ Knowledge Base

What data rights provisions apply to SDVOSB contracts?β†’
How does security clearance affect SDVOSB contracting?β†’
How does DoD use SDVOSB set-asides?β†’
← All Contract Clauses