
FAR 52.204-21: The 15 Basic Safeguarding Requirements, Explained

The federal clause that started it all — what it requires, who it covers, how it flows down to subcontractors, and how its 15 requirements became CMMC Level 1. Written in plain English for the small contractor who never asked to become a cybersecurity expert.

Last updated May 29, 2026 · ~9 minute read · Primary sources cited

The answer in 50 words

FAR 52.204-21 is the federal clause “Basic Safeguarding of Covered Contractor Information Systems.” It requires any contractor handling Federal Contract Information (FCI) to implement 15 basic safeguarding requirements. Effective since June 2016, it flows down to subcontractors — and its 15 requirements are exactly what CMMC Level 1 verifies.

What FAR 52.204-21 actually is

FAR 52.204-21 is a clause in the Federal Acquisition Regulation titled “Basic Safeguarding of Covered Contractor Information Systems.” It sets the floor for cybersecurity across nearly all federal contracting: if your information systems process, store, or transmit Federal Contract Information (FCI), you must implement 15 basic safeguarding requirements.

The clause was published as a final rule on May 16, 2016 and took effect June 15, 2016. In other words, these requirements are not new and CMMC did not invent them — they have been a contractual obligation for nearly a decade. Read the authoritative text at acquisition.gov/far/52.204-21.

Who FAR 52.204-21 applies to

The clause applies to any contractor or subcontractor whose information systems handle Federal Contract Information (FCI) — non-public information provided by or generated for the government under a contract that is not intended for public release. It is mandatory in solicitations and contracts whenever a contractor may have FCI on its systems.

It does not apply when the only information involved is already public, or is limited to simple transactional information needed to process payments. If your data is more sensitive — marked Controlled Unclassified Information (CUI) — then DFARS 252.204-7012 and NIST SP 800-171 also apply, and you are looking at CMMC Level 2 rather than Level 1. Not sure which kind of data you handle? Start with What Is FCI?

The 15 basic safeguarding requirements

FAR 52.204-21(b)(1)(i)–(xv) lists 15 requirements across six security families. Here they are in plain English, with the regulatory sub-paragraph for each:

Access Control

  • (i) Limit system access to authorized users, processes acting for users, and devices.
  • (ii) Limit system access to the types of transactions and functions authorized users are permitted to execute.
  • (iii) Verify and control or limit connections to — and use of — external information systems.
  • (iv) Control information posted or processed on publicly accessible information systems.

Identification & Authentication

  • (v) Identify information-system users, processes acting for users, and devices.
  • (vi) Authenticate (or verify) the identities of those users, processes, and devices before allowing access.

Media Protection

  • (vii) Sanitize or destroy system media containing FCI before disposal or release for reuse.

Physical Protection

  • (viii) Limit physical access to systems, equipment, and operating environments to authorized individuals.
  • (ix) Escort visitors and monitor visitor activity, maintain audit logs of physical access, and control and manage physical access devices.

System & Communications Protection

  • (x) Monitor, control, and protect communications at external boundaries and key internal boundaries.
  • (xi) Implement subnetworks for publicly accessible system components, separated from internal networks.

System & Information Integrity

  • (xii) Identify, report, and correct system flaws in a timely manner.
  • (xiii) Provide protection from malicious code at appropriate locations within the system.
  • (xiv) Update malicious-code protection mechanisms when new releases are available.
  • (xv) Perform periodic scans of the system and real-time scans of files from external sources as they are downloaded, opened, or executed.

Each requirement is unpacked — with the exact evidence that satisfies it — in the full CMMC Level 1 requirements walkthrough.

How the clause flows down to subcontractors

FAR 52.204-21(c) requires a prime contractor to include the substance of the clause in every subcontract in which the subcontractor may have FCI on its systems. That flow-down applies at all tiers — so a second- or third-tier subcontractor can be obligated to meet the 15 requirements even without a direct relationship with the government. If a prime has asked you to confirm your safeguarding posture, this is why.

FAR 52.204-21 vs DFARS 252.204-7012 vs NIST 800-171 vs CMMC

| Authority          | Protects             | Scope                                          |
|--------------------|----------------------|------------------------------------------------|
| FAR 52.204-21      | FCI                  | 15 basic safeguards (all federal contractors)  |
| DFARS 252.204-7012 | CUI                  | Invokes NIST 800-171 for DoD CUI               |
| NIST SP 800-171    | CUI                  | 110 controls (superset of the 15)              |
| CMMC               | FCI (L1) / CUI (L2)  | Verification layer over the above              |

The short version: FAR 52.204-21 is the baseline rule for FCI; NIST 800-171 (via DFARS 7012) is the heavier rule for CUI; and CMMC is the program that verifies contractors actually follow whichever applies. See FAR vs NIST vs CMMC and CMMC vs NIST 800-171 for the long version.

How FAR 52.204-21 maps to CMMC Level 1

CMMC Level 1 is the verification mechanism for FAR 52.204-21. The safeguarding requirements are the same 15 — CMMC Level 1 simply adds accountability on top: an annual self-assessment, a senior official's affirmation, and posting that affirmation in the Supplier Performance Risk System (SPRS). There is no numeric score at Level 1; the result is binary, MET or NOT MET.

If you already meet FAR 52.204-21, you are most of the way to a defensible CMMC Level 1 affirmation. The remaining work is documenting it in a System Security Plan and walking the self-assessment. The complete walkthrough lives on the CMMC Level 1 guide.

How to comply with FAR 52.204-21

  1. Confirm the clause applies to you

     Check your contract or solicitation for FAR 52.204-21. If you handle Federal Contract Information (FCI) on your systems, the clause applies — even as a lower-tier subcontractor through flow-down.

  2. Identify your FCI and draw the boundary

     List every device, account, cloud tenant, and location that stores, processes, or transmits FCI. For most small contractors this is one Microsoft 365 or Google Workspace tenant, a handful of endpoints, and one office.

  3. Implement the 15 safeguarding requirements

     Turn on MFA, restrict admin rights, install endpoint anti-malware, configure boundary protection, sanitize media before disposal, lock the office and escort visitors, and patch promptly. Most of this is configuration of tools you already pay for.

  4. Document it in a System Security Plan (SSP)

     Write down, requirement by requirement, how your environment satisfies each of the 15 safeguards. The SSP is the artifact a prime, contracting officer, or assessor will ask to see.

  5. Self-assess and affirm in SPRS (for CMMC Level 1)

     If your contract carries the CMMC requirement, complete the annual Level 1 self-assessment, have a senior official affirm the result, and post the affirmation in SPRS through PIEE.

FAR 52.204-21: Frequently Asked Questions

What is FAR 52.204-21?

FAR 52.204-21 is the Federal Acquisition Regulation clause titled “Basic Safeguarding of Covered Contractor Information Systems.” It requires any contractor that processes, stores, or transmits Federal Contract Information (FCI) on its information systems to implement 15 basic cybersecurity safeguarding requirements. It has been mandatory in applicable federal contracts since it took effect in June 2016.

How many requirements are in FAR 52.204-21?

Fifteen. The safeguarding requirements are listed at FAR 52.204-21(b)(1)(i) through (xv) and span six security families: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. These same 15 requirements are what CMMC Level 1 verifies.

Who does FAR 52.204-21 apply to?

Any contractor or subcontractor whose information systems process, store, or transmit Federal Contract Information (FCI). The clause is mandatory in solicitations and contracts when the contractor may have FCI on its systems, and it flows down to subcontractors at all tiers that handle FCI. It does not apply if the only information involved is already public or is simple transactional information like payment processing.

What is the difference between FAR 52.204-21 and NIST 800-171?

FAR 52.204-21 protects Federal Contract Information (FCI) with 15 basic safeguards and applies to nearly all federal contractors. NIST SP 800-171 protects the more sensitive Controlled Unclassified Information (CUI) with 110 controls and is invoked by DFARS 252.204-7012 for DoD contracts that involve CUI. The 15 FAR requirements are a subset of the NIST 800-171 control set.

How does FAR 52.204-21 relate to CMMC Level 1?

CMMC Level 1 is the verification mechanism for FAR 52.204-21. The 15 safeguarding requirements are identical; CMMC Level 1 adds a yearly self-assessment, a senior-official affirmation, and posting that affirmation in the Supplier Performance Risk System (SPRS). In short: FAR 52.204-21 is the rule, CMMC Level 1 is how the Department of Defense confirms you follow it.

Does FAR 52.204-21 flow down to subcontractors?

Yes. FAR 52.204-21(c) requires the prime contractor to include the substance of the clause in all subcontracts in which the subcontractor may have FCI on its information systems. Flow-down applies at all tiers, so a sub two or three levels removed from the agency can still be obligated to meet the 15 requirements.

When did FAR 52.204-21 take effect?

The clause was published as a final rule on May 16, 2016 and took effect June 15, 2016. The 15 basic safeguarding requirements have therefore been a federal contracting obligation for nearly a decade — CMMC did not create them, it added verification on top of them.

What happens if I don't comply with FAR 52.204-21?

Because the clause is a material term of the contract, failing to implement the 15 safeguards can be a breach of contract and, where a contractor falsely represents compliance, can create False Claims Act exposure (31 U.S.C. § 3729). For DoD contracts subject to CMMC, a missing or false SPRS affirmation can also make you ineligible for award.

Meet FAR 52.204-21 and get CMMC Level 1 done in a week

Custodia walks you through all 15 safeguarding requirements, drafts your System Security Plan and affirmation memo, and gets you ready to post in SPRS — inside a 7-day free trial. No credit card.

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)