FAR 52.204-21
Also known as: Basic Safeguarding of Covered Contractor Information Systems, FAR 52.204-21(b)(1)
FAR 52.204-21 is the Federal Acquisition Regulation clause that requires federal contractors to apply 15 basic safeguarding requirements to systems that process, store, or transmit Federal Contract Information (FCI). It is the regulatory basis for CMMC Level 1 — the 15 Level 1 practices are drawn directly from paragraph (b)(1) of this clause.
In more detail
FAR 52.204-21 has been in effect since 2016 and applies to nearly all federal contracts above the micro-purchase threshold, not just DoD. It establishes a minimum floor of cybersecurity practices for any contractor that comes into possession of non-public information generated for or under a government contract.
Paragraph (b)(1) lists 15 distinct safeguarding requirements: limiting system access to authorized users, identifying and authenticating those users, sanitizing media, controlling physical access, monitoring boundary communications, running antivirus, and applying security updates, among others.
Inside CMMC, FAR 52.204-21(b)(1) is renumbered into 17 CMMC practice IDs (a few requirements split into two practices each). The official requirement count from the rule itself is 15.
Related terms
- Federal Contract Information
Federal Contract Information (FCI) is non-public information provided by or generated for the federal government under a contract to develop or deliver a product or service. It is the information type protected under FAR 52.204-21 and is the trigger for CMMC Level 1.
- CMMC Level 1
CMMC Level 1 is the lowest of the three CMMC certification tiers, covering contractors who handle Federal Contract Information (FCI) but not CUI. It requires implementing the 15 safeguarding requirements in FAR 52.204-21(b)(1), an annual self-assessment, and an annual senior-official affirmation posted in SPRS.
- DFARS 252.204-7021
DFARS 252.204-7021 is the contract clause that makes a CMMC certification or self-assessment a material condition of award and continued performance on covered DoD contracts. It took effect November 10, 2025, as part of the 48 CFR final rule, and it triggers the annual senior-official affirmation requirement under 32 CFR 170.22.
- Safeguarding Requirement
A safeguarding requirement is one of the 15 specific security practices enumerated in FAR 52.204-21(b)(1) that contractors must apply to Covered Contractor Information Systems. The 15 safeguarding requirements are the entire substantive content of CMMC Level 1.