Basic Safeguarding of Covered Contractor Information Systems
Effective: June 15, 2016
FAR 52.204-21 requires every federal contractor that has Federal Contract Information (FCI) on its systems to implement 15 basic safeguarding requirements covering access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. It is the entire substantive content of CMMC Level 1.
Who must comply
Any contractor or subcontractor at any tier whose information system processes, stores, or transmits Federal Contract Information.
What it requires
- 01. Limit information system access to authorized users, processes acting on behalf of authorized users, and devices.
- 02. Limit information system access to the types of transactions and functions authorized users are permitted to execute.
- 03. Verify and control/limit connections to and use of external information systems.
- 04. Control information posted or processed on publicly accessible information systems.
- 05. Identify information system users, processes acting on behalf of users, and devices.
- 06. Authenticate the identities of those users, processes, or devices, as a prerequisite to allowing access.
- 07. Sanitize or destroy information system media containing FCI before disposal or release for reuse.
- 08. Limit physical access to organizational information systems, equipment, and respective operating environments to authorized individuals.
- 09. Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devices.
- 10. Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems.
- 11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- 12. Identify, report, and correct information and information system flaws in a timely manner.
- 13. Provide protection from malicious code at appropriate locations within organizational information systems.
- 14. Update malicious code protection mechanisms when new releases are available.
- 15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Key points
- The clause itself contains 15 numbered requirements. CMMC renumbers them into 17 practice IDs (a few requirements are split into two practices), but the regulatory count is 15.
- Flow-down is mandatory: primes must include the clause in subcontracts at any tier where FCI will be handled.
- FAR 52.204-21 applies to all federal contracts (not just DoD) above the micro-purchase threshold, with limited exceptions for COTS items.
Related clauses
- FAR 4.1901: Definitions — Federal Contract Information
FAR 4.1901 is the regulatory definition section that defines "Federal Contract Information" (FCI) for the entire federal acquisition system. It is the source contractors should cite when determining whether information they hold qualifies as FCI and therefore triggers FAR 52.204-21.
- FAR 4.1903: Contract Clause — Requirement to Insert FAR 52.204-21
FAR 4.1903 directs contracting officers to insert the FAR 52.204-21 safeguarding clause into solicitations and contracts when the contractor or subcontractor at any tier may have Federal Contract Information residing in or transiting through its information system. This is the procedural mechanism by which FAR 52.204-21 lands in nearly every federal contract.
- DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7012 requires DoD contractors that handle Covered Defense Information (CDI) to implement the security requirements of NIST SP 800-171, report cyber incidents to DoD within 72 hours via the DIBNet portal, and use FedRAMP Moderate (or equivalent) cloud services for CDI. It has been the contractual basis for NIST 800-171 across the defense industrial base since 2017.
- DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
DFARS 252.204-7021 is the contract clause that makes a current CMMC certification or self-assessment at the level specified in the contract a material condition of award and continued performance. It triggers the annual senior-official affirmation obligation under 32 CFR 170.22 and is the contractual hook that turns CMMC from a DoD policy into an enforceable requirement.
- 32 CFR 170.15: CMMC Level 1 Self-Assessment and Affirmation Requirements
32 CFR 170.15 sets the procedural requirements for CMMC Level 1: an annual self-assessment against the 15 safeguarding requirements of FAR 52.204-21, scored on a binary MET / NOT MET basis with no POA&Ms permitted, followed by an annual affirmation posted in SPRS by a senior official with authority to bind the organization.
Read more in the Library
- CMMC Level 1: All 15 FAR Safeguarding Requirements Explained in Plain English (2026 Guide)
Every CMMC Level 1 safeguarding requirement, in language a non-cybersecurity founder can act on — what each control means, what evidence satisfies it, and where teams trip up.
- CMMC Level 1: The Complete 2026 Guide for Small DoD Contractors
The single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.