Basic Safeguarding of Covered Contractor Information Systems
Also known as: Basic safeguarding clause, FAR 52.204-21, Federal Contract Information (FCI) safeguarding
What you do here: Implement the 15 basic safeguards on any system that stores, processes, or transmits Federal Contract Information
At a Glance
- Who it applies to
- Every contractor (and subcontractor) whose systems handle Federal Contract Information β nearly all federal contracts above the micro-purchase threshold
- What it obligates
- 15 basic safeguarding requirements (access control, authentication, media handling, boundary protection, patching, etc.)
- Governing authority
- FAR 52.204-21, prescribed by FAR 4.1903
- Flow-down
- Yes β you must include the clause in subcontracts where the sub's systems will handle FCI
- The stakes
- It's the minimum baseline; failing to meet it is a contract-compliance and responsibility problem, not just an IT gap
What It Is
FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, is the governmentwide floor for cybersecurity on federal contracts. It protects a category called Federal Contract Information (FCI) β information provided by or generated for the government under a contract to develop or deliver a product or service, that is not intended for public release (it does not include information the government has released publicly, like on a public website). The clause requires you to apply 15 specific basic safeguarding requirements to any 'covered contractor information system' β any system you own or operate that stores, processes, or transmits FCI. The 15 controls are deliberately basic and map to a subset of the NIST SP 800-171 family: limiting system access to authorized users, controlling who can run what, verifying identities before granting access, sanitizing or destroying media before disposal, limiting physical access, monitoring and controlling the boundaries of your network, using subnetworks for publicly accessible components, identifying and correcting flaws in a timely way, providing protection from malicious code and updating it, and performing periodic scans. Two things make this clause the anchor of the whole safeguarding regime. First, it is nearly universal β it goes in essentially every contract other than those solely for commercially available off-the-shelf (COTS) items, so almost every SDVOSB is subject to it. Second, it is a floor, not a ceiling: a DoD contract handling more sensitive Controlled Unclassified Information layers DFARS 252.204-7012, NIST SP 800-171, and CMMC on top of these 15 basics. In plain terms: if you do federal work, you must meet these 15 controls, and you must make your subcontractors meet them too.
When It Applies
- On essentially every federal contract above the micro-purchase threshold whose performance involves FCI β not just IT contracts.
- When you store, process, or transmit any non-public information the government provided or you generated to perform the contract.
- As a flow-down: you must include FAR 52.204-21 in subcontracts where the subcontractor's systems will handle FCI.
- As the baseline that DoD's DFARS 252.204-7012 / NIST SP 800-171 / CMMC requirements build on top of for more sensitive data.
Key Features
| Feature | What It Means |
|---|---|
| Protects Federal Contract Information (FCI) | It covers non-public information provided by or generated for the government under a contract β broader than most contractors assume, and not limited to IT work. |
| 15 basic safeguarding requirements | A fixed list of foundational controls β access control, authentication, media sanitization, boundary protection, flaw remediation, malicious-code protection, and periodic scanning. |
| Nearly universal | It goes in almost every contract except those solely for commercially available off-the-shelf (COTS) items β most SDVOSBs are subject to it. |
| Flows down to subcontractors | You must include the clause in subcontracts whose performance involves FCI on the sub's systems; you can't outrun the requirement by subcontracting the work. |
| A floor, not a ceiling | It's the minimum. DoD's CUI-safeguarding regime (DFARS 7012, NIST SP 800-171, CMMC) stacks additional, stricter requirements on top of these basics. |
The SDVOSB Angle
For a small SDVOSB, FAR 52.204-21 is the requirement most likely to be quietly overlooked because it isn't labeled 'cybersecurity' in the solicitation and applies even to non-IT work. Don't ignore it: the 15 controls are foundational, achievable without an enterprise budget, and they double as the on-ramp to the harder DoD requirements β every dollar you spend meeting them counts toward NIST SP 800-171 and CMMC Level 1. Two moves: first, inventory where FCI actually lives in your business (email, shared drives, a laptop, a cloud folder) and apply the 15 controls there; second, remember the flow-down β if a similarly situated subcontractor's systems will touch FCI, the clause has to be in their subcontract and they have to meet it, and their gap is your compliance problem as the prime. Meeting this baseline cleanly is also a low-cost past-performance and responsibility signal in a small-business field where many competitors treat it as an afterthought.
How to Comply
- Identify every system β laptop, server, email, cloud drive β that stores, processes, or transmits FCI.
- Implement the 15 basic safeguarding requirements on those systems; document what you did.
- Restrict access to authorized users, enforce authentication, and control removable media.
- Keep systems patched, run anti-malware, and perform periodic scans.
- Flow FAR 52.204-21 down into subcontracts where the sub's systems will handle FCI, and confirm the sub complies.
Watch Out For
- Assuming the clause only applies to IT contracts β it applies to any contract where your systems handle FCI.
- Thinking a cloud email/office subscription automatically satisfies it β you still have to configure and document the 15 controls.
- Forgetting the flow-down β a subcontractor handling FCI without the clause is a prime-level compliance gap.
- Treating it as the ceiling β for DoD CUI work, the much stricter DFARS 7012 / 800-171 / CMMC requirements also apply.
Run the Numbers
Frequently Asked
What is FAR 52.204-21?
FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, is the governmentwide clause that requires federal contractors to apply 15 basic security controls to any information system that stores, processes, or transmits Federal Contract Information (FCI). It is the minimum cybersecurity baseline for federal contracting, it goes in nearly every contract except those solely for commercially available off-the-shelf items, and it flows down to subcontractors whose systems will handle FCI.
What is Federal Contract Information (FCI)?
Federal Contract Information (FCI) is information provided by or generated for the government under a contract to develop or deliver a product or service to the government, that is not intended for public release. It does not include information the government has already made public (for example on a public website) or simple transactional information like that needed to process payments. Most federal contract performance generates some FCI, which is why the FAR 52.204-21 safeguarding clause is nearly universal.
How is FCI different from CUI?
FCI is the broad category of non-public federal contract information protected by the 15 basic controls in FAR 52.204-21. Controlled Unclassified Information (CUI) is a narrower, more sensitive category the government specifically marks for protection under a governmentwide program. On DoD contracts, CUI (called Covered Defense Information under the DFARS) triggers the much stricter DFARS 252.204-7012 clause, the full NIST SP 800-171 control set, and β as it phases in β CMMC. FCI safeguarding is the floor; CUI safeguarding is the higher, contract-specific layer on top of it.
Primary Sources
- FAR 52.204-21 β Basic Safeguarding of Covered Contractor Information Systems
- FAR 4.1903 β Contract clause (safeguarding)
- FAR Subpart 4.19 β Basic Safeguarding of Covered Contractor Information Systems
Plain-English reference, not legal advice. Cybersecurity and information-safeguarding rules are fact-specific and change often β the FAR, DFARS, NIST publications, and the CMMC program rule are amended and phased in over time. Always read the current FAR/DFARS text and the safeguarding clauses in your specific contract, check the version of NIST SP 800-171 your contract requires, confirm the SPRS and CMMC requirements with the contracting officer, and consult qualified counsel or a cybersecurity professional before relying on a compliance position or making a certification.
Change log (1)
- LaunchedPublished the federal contract cybersecurity & information safeguarding requirements reference covering the obligations an SDVOSB takes on across a federal (especially DoD) set-aside β basic safeguarding of Federal Contract Information (FAR 52.204-21), the Section 889 covered-telecom prohibition (FAR 52.204-25), the DoD safeguarding of Covered Defense Information and 72-hour cyber-incident reporting (DFARS 252.204-7012), the NIST SP 800-171 control set with its System Security Plan and POA&M, the SPRS self-assessment score (DFARS 252.204-7019 / -7020), the CMMC program and its three levels (DFARS 252.204-7021 / 32 CFR Part 170), Controlled Unclassified Information marking and handling (32 CFR Part 2002 / EO 13556), and the emerging governmentwide FAR CUI rule β each with an at-a-glance quick-facts card, a when-it-applies list, a key-features table, an SDVOSB-specific angle, a how-to-comply checklist, watch-outs, FAQPage, Article, Dataset, and BreadcrumbList structured data, primary-source FAR/DFARS/CFR/NIST citations, and cross-links into the glossary, contracting systems (SPRS, SAM.gov), clauses, forms, contract types, how-to guides, FAQ, and the price-to-win and win-probability calculators.