Contract Clause — Requirement to Insert FAR 52.204-21
FAR 4.1903 directs contracting officers to insert the FAR 52.204-21 safeguarding clause into solicitations and contracts when the contractor or subcontractor at any tier may have Federal Contract Information residing in or transiting through its information system. This is the procedural mechanism by which FAR 52.204-21 lands in nearly every federal contract.
Who must comply
Federal contracting officers — but contractors should know it, because it explains why the FAR 52.204-21 clause appears in their award documents.
What it requires
- 01Contracting officers must insert FAR 52.204-21 into solicitations and contracts whenever the contractor may have FCI on its information system.
- 02The clause must be flowed down to subcontracts at all tiers in which the subcontractor may have FCI.
- 03The requirement is broad and presumed — the default expectation is that the clause is in the contract unless the procurement clearly does not involve FCI.
Related clauses
- FAR 52.204-21Basic Safeguarding of Covered Contractor Information Systems
FAR 52.204-21 requires every federal contractor that has Federal Contract Information (FCI) on its systems to implement 15 basic safeguarding requirements covering access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. It is the entire substantive content of CMMC Level 1.
- FAR 4.1901Definitions — Federal Contract Information
FAR 4.1901 is the regulatory definition section that defines "Federal Contract Information" (FCI) for the entire federal acquisition system. It is the source contractors should cite when determining whether information they hold qualifies as FCI and therefore triggers FAR 52.204-21.