Reference

Cybersecurity & Information Safeguarding for SDVOSBs

Cybersecurity is where the smallest firms feel the biggest cost — a CMMC assessment or an honest NIST SP 800-171 remediation can outrun the margin on a first contract, and a missing or overstated SPRS score can make an SDVOSB ineligible for a DoD award before its proposal is even read. These plain-English pages take one requirement at a time — the basic safeguarding of Federal Contract Information, the Section 889 covered-telecom prohibition, the DoD safeguarding of Covered Defense Information and its 72-hour incident report, the NIST SP 800-171 control set with its System Security Plan and POA&M, the SPRS self-assessment score, the CMMC program and its three levels, Controlled Unclassified Information, and the emerging governmentwide FAR CUI rule. Each has an at-a-glance card, its controlling FAR/DFARS/CFR authority, when it applies, how to comply, and the SDVOSB-specific angle — from the cost-vs-moat calculus of certification to flowing requirements down to a similarly situated subcontractor.

Last updated Update cadence: Quarterly, plus on FAR/DFARS amendment, a new NIST SP 800-171 revision, or CMMC phase-in changes

Compiled from: Federal Acquisition Regulation (Title 48 CFR, Subparts 4.19 & 4.21 and clauses 52.204-21 / -24 / -25 / -26) · DFARS 252.204-7012 / -7019 / -7020 / -7021 and NIST SP 800-171 (protecting CUI in nonfederal systems) · 32 CFR Part 170 (CMMC program), 32 CFR Part 2002 and EO 13556 (Controlled Unclassified Information)

Change log (1)
  1. LaunchedPublished the federal contract cybersecurity & information safeguarding requirements reference covering the obligations an SDVOSB takes on across a federal (especially DoD) set-aside — basic safeguarding of Federal Contract Information (FAR 52.204-21), the Section 889 covered-telecom prohibition (FAR 52.204-25), the DoD safeguarding of Covered Defense Information and 72-hour cyber-incident reporting (DFARS 252.204-7012), the NIST SP 800-171 control set with its System Security Plan and POA&M, the SPRS self-assessment score (DFARS 252.204-7019 / -7020), the CMMC program and its three levels (DFARS 252.204-7021 / 32 CFR Part 170), Controlled Unclassified Information marking and handling (32 CFR Part 2002 / EO 13556), and the emerging governmentwide FAR CUI rule — each with an at-a-glance quick-facts card, a when-it-applies list, a key-features table, an SDVOSB-specific angle, a how-to-comply checklist, watch-outs, FAQPage, Article, Dataset, and BreadcrumbList structured data, primary-source FAR/DFARS/CFR/NIST citations, and cross-links into the glossary, contracting systems (SPRS, SAM.gov), clauses, forms, contract types, how-to guides, FAQ, and the price-to-win and win-probability calculators.

Baseline Safeguarding (All Contracts)

FCI Safeguarding
Basic Safeguarding of Covered Contractor Information SystemsThe governmentwide floor for protecting Federal Contract Information (FCI). FAR 52.204-21 requires a contractor to apply 15 basic security controls to any information system that stores, processes, or transmits FCI, and it flows down to subcontractors. It is the minimum every federal contractor must meet.
Section 889
Section 889 Prohibition on Covered Telecommunications EquipmentThe statutory ban, implemented in FAR, on the government buying or using certain Chinese-made telecommunications and video-surveillance equipment (and on contractors using it). Contractors must represent their status in SAM.gov, and Part B prohibits using covered equipment anywhere in the company's operations.

DoD Safeguarding & NIST SP 800-171

DFARS 7012
Safeguarding Covered Defense Information & Cyber Incident ReportingThe core DoD cybersecurity clause. DFARS 252.204-7012 requires contractors that handle Covered Defense Information (CDI) to implement NIST SP 800-171, report cyber incidents to DoD within 72 hours, meet cloud and forensic-preservation requirements, and flow the clause down to subcontractors.
NIST SP 800-171
NIST SP 800-171 Security Requirements (SSP & POA&M)The National Institute of Standards and Technology publication that defines the security requirements for protecting Controlled Unclassified Information on non-federal (contractor) systems. It is the technical standard DFARS 252.204-7012 and CMMC Level 2 require, documented through a System Security Plan and a Plan of Action & Milestones.
SPRS Score
NIST SP 800-171 DoD Assessment & the SPRS ScoreThe DoD requirement that a contractor perform a NIST SP 800-171 self-assessment and post a summary-level score to the Supplier Performance Risk System (SPRS) before it can receive an award or option. It's the interim mechanism DoD uses to verify safeguarding until CMMC is fully phased in.

Cybersecurity Maturity Model Certification

CMMC
Cybersecurity Maturity Model Certification (CMMC) ProgramThe DoD program that verifies contractor cybersecurity through three levels tied to the sensitivity of the information handled — Level 1 (FCI, annual self-assessment), Level 2 (CUI, usually a third-party assessment), and Level 3 (highest, government-led). It moves DoD from self-attestation toward verified certification as a condition of award.

Controlled Unclassified Information

CUI
Controlled Unclassified Information (CUI) Marking & HandlingThe governmentwide program that standardizes how sensitive-but-unclassified information is identified, marked, safeguarded, and disposed of. CUI replaced a patchwork of agency labels (FOUO, SBU, etc.) with a single registry of categories, and it is the information the DoD safeguarding and CMMC requirements exist to protect.
FAR CUI Rule
The Governmentwide FAR CUI Safeguarding Rule (Emerging)The forthcoming Federal Acquisition Regulation rule that would extend standardized CUI identification, marking, and safeguarding to contracts across all federal agencies — not just DoD. It would create a governmentwide baseline (expected to rely on NIST SP 800-171) so civilian-agency contractors face consistent CUI requirements.

Don’t let the compliance cost decide the bid for you

The SDVOSBs that win DoD work figure out whether a contract is FCI-only or CUI before they bid, scope a small CUI enclave to keep certification affordable, and post an honest SPRS score early. Model the cost of the work and the competition before you commit.

Open the Price-to-Win CalculatorSubscribe to the Brief →