You won a contract. Or you're a sub on someone else's contract. The prime contractor sent you a form full of acronyms — FAR, DFARS, FCI, SPRS, CMMC — and a deadline. You're not an IT person. You're an owner who builds things, ships things, runs a payroll, and now has to figure out what the Pentagon wants.
Take a breath. The actual requirement at the bottom of all the acronyms is small. This is the plain-English version, written for someone whose job is running a business, not configuring firewalls.
Congratulations, you won a contract
You signed (or are about to sign) a contract that includes two clauses. They're both standard and they're both in almost every DoD contract now:
- FAR 52.204-21 — “Basic Safeguarding of Covered Contractor Information Systems.” The 15 cybersecurity things you have to do.
- DFARS 252.204-7021 — “Cybersecurity Maturity Model Certification Requirements.” The clause that makes you say, in writing, every year, that you're doing the 15 things.
Together they create the program called CMMC Level 1. There's no auditor. No outside assessor. Nobody is coming to your office. You self-assess, you write it down, an owner signs it, you post a confirmation online. Then you do it again next year.
What's actually required, in English
The complete CMMC Level 1 obligation, in five sentences:
- Implement 15 basic security practices in your business (most you probably already do).
- Write down what you do, for each of the 15. (One page total is fine.)
- Confirm on a government website called SPRS that you do them.
- Have an owner (or another senior person) sign an affirmation saying so.
- Re-do all of the above once a year.
That's it. Not 110 controls. Not a six-month engagement. Not a $50,000 audit. The full thing fits on a single laptop screen when it's done.
What FCI means (and why it matters)
The whole program is built around protecting one thing: Federal Contract Information (FCI). That's a fancy term for “non-public information the government gave you to do the job.” A drawing. A statement of work marked for official use only. Internal emails from the contracting officer. Specifications. The contract itself.
If you touch any of that on your laptop or in your file shares, Level 1 applies. The level of protection has to be “reasonable for a small business” — strong passwords, locked offices, antivirus, basic backups. Not nation-state defenses.
The 15 things, in normal-person terms
- Only let employees who need it use the work systems. Don't share logins.
- People only get to do the things their job requires. Accounting can't edit project files; project leads can't edit payroll.
- If a vendor or contractor needs access, write it down before granting it.
- Don't put contract information on your public website.
- Everyone has a unique login. No shared accounts.
- Use strong passwords or, better, multi-factor authentication.
- Wipe old laptops/phones/USB drives before throwing them out.
- Lock the office (and the server closet, if you have one).
- Have visitors sign in and don't leave them alone in sensitive areas.
- Keep a basic visitor log.
- Have a firewall on your network. (Your router has one. Turn it on.)
- Keep public-facing systems (your website) separate from internal work systems.
- Patch your computers regularly. Turn on auto-updates.
- Run antivirus. Windows Defender counts. Keep it on.
- Pay attention to security alerts. If Microsoft or your IT person says “there's a problem, fix it,” fix it.
Compare that to how the government writes it. Then notice: you probably already do most of these things. The CMMC project is 90% writing them down. Detail on each requirement (with the official numbering) is in our detailed breakdown.
How to spend the day doing it
Block out one Friday. Bring coffee. Here's the agenda for a typical 5–20 person company:
- 9:00–9:30 — List every system that touches contract information. (Probably: M365 or Google Workspace, a shared drive, email, and maybe a project tool.)
- 9:30–11:30 — Walk through the 15 questions in a wizard or template. Mark each as “we do this” or “we don't.”
- 11:30–12:30 — Lunch. Make a short list of any “we don't” items. (Usually 0–3.)
- 12:30–3:00 — Fix the “we don'ts.” Most are 15-minute changes: turn on MFA, write a one-line policy, enable Windows auto-update.
- 3:00–4:00 — Generate your System Security Plan (one document, often auto-generated by a platform).
- 4:00–4:30 — Owner reads the SSP and signs the affirmation.
- 4:30–5:00 — Post the result in SPRS. (See the SPRS posting walkthrough.) Done.
If you're using a self-serve platform, that's the real timeline. If you're typing everything into a Word template from scratch, double or triple it. If you're paying a consultant, the consultant takes longer but you spend less time in the chair.
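If whoever runs your Windows PCs wants something better than a gut-feel answer for the “we do this / we don't” pass on the 15 items, the script below collects point-in-time evidence for the items a computer can actually show (unique local logins, antivirus on and current, recent patching, firewall on). It is an added example for this page, not code from the page, from any platform or vendor named above, or from DoD; it assumes a Windows 10/11 PC with Windows Defender, is read-only (it changes no settings), and its check wording is its own, not the official FAR 52.204-21 numbering. Run it in a PowerShell prompt on each machine that touches contract information and paste the output into the notes behind your SSP.

```powershell
# Added example (not from the original page): gather self-assessment evidence
# from one Windows PC for a handful of the CMMC Level 1 items. Read-only.
# Assumes Windows 10/11 with Windows Defender; an elevated prompt is safest.

$evidence = [ordered]@{}
$evidence.Computer  = $env:COMPUTERNAME
$evidence.Collected = (Get-Date).ToString('s')

# "Everyone has a unique login": list enabled local accounts so the owner can
# spot anything that is not a named person (a "frontdesk" or "shared" account),
# and flag any enabled account that does not require a password at all.
$localUsers = Get-LocalUser | Where-Object { $_.Enabled }
$evidence.EnabledLocalAccounts   = ($localUsers | Select-Object -ExpandProperty Name) -join ', '
$evidence.AccountsWithoutPassword = ($localUsers | Where-Object { -not $_.PasswordRequired } |
    Select-Object -ExpandProperty Name) -join ', '

# "Run antivirus, keep it on": Windows Defender status and signature freshness.
$mp = Get-MpComputerStatus
$evidence.AntivirusEnabled   = $mp.AntivirusEnabled
$evidence.RealTimeProtection = $mp.RealTimeProtectionEnabled
$evidence.SignatureAgeDays   = [int]((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays

# "Patch your computers regularly": date of the newest installed update and
# whether the Windows Update service has been left enabled.
$lastHotfix = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$evidence.LastPatchInstalled = if ($lastHotfix) { $lastHotfix.InstalledOn.ToString('yyyy-MM-dd') } else { 'none found' }
$updateService = Get-Service -Name wuauserv
$evidence.UpdateServiceStartType = $updateService.StartType

# "Have a firewall": every profile (Domain, Private, Public) should be on.
$evidence.FirewallProfilesOff = (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
    Select-Object -ExpandProperty Name) -join ', '

# Turn the raw evidence into the plain yes/no answers the worksheet asks for.
# Pass/fail thresholds (7-day signature age) are this example's own assumptions.
$checks = @(
    [ordered]@{ Item = 'No enabled local account without a password';  Pass = ($evidence.AccountsWithoutPassword -eq '') }
    [ordered]@{ Item = 'Antivirus on with real-time protection';       Pass = [bool]($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) }
    [ordered]@{ Item = 'Antivirus signatures updated within 7 days';   Pass = ($evidence.SignatureAgeDays -le 7) }
    [ordered]@{ Item = 'Firewall on for every network profile';        Pass = ($evidence.FirewallProfilesOff -eq '') }
    [ordered]@{ Item = 'Windows Update service not disabled';          Pass = ($updateService.StartType -ne 'Disabled') }
)

# Print the evidence, then the checklist. Anything showing Pass = False is a
# "we don't" item for the 12:30-3:00 fix-it block; the account list still
# needs a human to confirm every name is one real person.
[pscustomobject]$evidence | Format-List
$checks | ForEach-Object { [pscustomobject]$_ } | Format-Table Item, Pass -AutoSize
```

The script deliberately stops at what a machine can observe. Locked doors, visitor logs and written access approvals are still answered by looking around the office, and a shared account named after a person is something only the owner can recognise, which is why the enabled-account list is printed in full rather than scored.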
Who signs the affirmation
Someone senior in your company. Owner. President. CEO. A vice president with authority to bind the company. Not your office manager. Not your IT contractor. Not a part-time bookkeeper. The point is that someone with executive authority is putting their signature on the statement “we comply with these requirements,” because that signature is what makes the contract legally enforceable.
The single most important rule: that person has to actually read what they're signing. Not because it takes long — it doesn't, the affirmation is a short statement — but because if it's ever questioned, the defense is “I read it, I understood it, I signed in good faith.” That's a strong defense. “Someone handed me a form and I signed it” is not.
What it actually costs
- DIY from free templates: $0 in cash, 30–60 hours of your time over a few weeks. Slowest but cheapest.
- Self-serve platform (Custodia): about $300 for the year. 1–5 days of your time. Wizard, auto-generated SSP, affirmation packet.
- Consultant: $5,000–$15,000 first year, $2,000–$5,000 annually after. They do most of the typing; you still have to answer the questions.
For a single-contract small business, the math almost always favors a self-serve platform. The consultant's value is scale (10+ contracts, complex environments). Detailed breakdown in CMMC Level 1 cost.
What to avoid
- Don't buy a Level 2 product. If you handle FCI only, you don't need NIST 800-171's 110 controls. Vendors will sell you the bigger product anyway. Don't buy it.
- Don't hire a C3PAO. They assess Level 2, not Level 1. Level 1 is self-assessed. If a consultant insists on bringing in a C3PAO, they're wrong or they're selling you up.
- Don't over-scope. Don't apply the rules to every computer in the company. Apply them to the systems that touch contract information.
- Don't sign the affirmation if any of the 15 isn't actually true. Fix it first. The affirmation is binary — “we comply” or “we don't.”
- Don't skip the annual refresh. Put it on your calendar the day you sign. It's 12 months from today.
FAQ
I'm not an IT person. Do I really have to do this myself?
Yes — but it's much smaller than vendors will tell you. The 15 basic safeguarding requirements for DoD small business contracts are things like “use strong passwords,” “lock the office,” “run antivirus.” Most of it your business already does. The work is writing it down. You don't need to become an IT person; you need to spend a few hours documenting what your office already practices.
Can I just hire someone to do all of this for me?
You can, and many small businesses do — typically $5,000–$15,000 for a first-year consultant engagement. The honest reality: most of what they're doing is asking you questions and typing your answers into a template. A self-serve platform does the same thing for $300/year. Hire a consultant if you genuinely don't have a few hours; use a platform if you do.
What does FCI mean? My contract keeps using that term.
FCI = Federal Contract Information. It's the non-public information the government gives you to perform a contract — drawings, statements of work, internal correspondence, technical data marked for official use only. Basically: anything from the contract that isn't already published on a public website. If you touch it, the basic safeguarding requirements apply.
Is this the same thing as SOC 2 or ISO 27001?
No. SOC 2 and ISO 27001 are commercial cybersecurity frameworks usually demanded by enterprise customers. CMMC Level 1 (the DoD basic requirement) is a much smaller, government-specific standard built on FAR 52.204-21. If you already have SOC 2, you're way past the Level 1 bar. If you don't, you don't need it for DoD work — Level 1 is much smaller.
What happens if I just ignore the cybersecurity clause in my contract?
Two things, both expensive. Short term: the prime contractor asks for your SPRS score, you can't produce one, and they move the subcontract to someone else. Long term: if you accept the contract and don't comply, you've made a false representation that can be pursued under the False Claims Act. Honest contractors who haven't started yet aren't in trouble — but the day you sign and don't follow through, the clock starts.