In the government contractor zeitgeist, DoD’s CMMC looms large in the cybersecurity space—especially because DoD released the final rule for CMMC implementation last year and recently rolled out the final rule for the CMMC FAR clause (which will apply the CMMC to certain DoD contracts). But CMMC doesn’t bring significant new requirements to the table. It builds on pre-existing FAR and FAR supplement requirements, some of which apply beyond DoD contracts. These clauses demand fastidious attention.
The starting point
If you know nothing about FAR cybersecurity requirements, I have a special introduction to make. Meet your new friend: FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). Don’t be shy . . . you’re going to see this new pal often. Your friendship will blossom in any contract where a “contractor or subcontractor at any tier may have Federal contract information residing in or transiting through its information system.”
So, what’s “Federal contract information?” Well, it’s information, not for public consumption, that is provided by or generated for the Government under a contract for a product or service. The type of information attaches to many contracts.
What does the clause require? It obligates the contractor (or subcontractor) to protect its information system that processes, stores, and transmits Federal contract information. Specifically, it requires 15 basic cybersecurity hygiene tasks. Here’s a sampling:
- Letting only authorized users, processes, and devices access the system
- Verifying and control connections to external systems
- Authenticating user identities
- Sanitizing and destroying media containing Federal contract information before disposal of devices
- Limiting physical access of systems to only authorized users
- Identifying and reporting systems flaws in a timely manner
- Providing protection from malicious code
You can read more in the clause itself. But the gist is straightforward: a contractor (and subcontractor) must take basic precautions to secure Federal contract information. Ignore this granddaddy clause at your peril!
FAR supplements
Multiple agencies have added other cybersecurity-related provisions in their FAR supplements. We won’t go into them here. But here are some whose acquaintance you might like to make:
- DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
- DFARS 252.204-7019 (Notice of NISTSP 800-171 DoD Assessment Requirements)
- DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements)
- HSAR 3052.204-71 (Contractor employee access)
- HSAR 3052.204-72 (Safeguarding of controlled unclassified information)
- HSAR 3052.204-73 (Notification and credit monitoring requirements for Personally Identifiable Information Incidents)
- VAAR 852.204-71 (Information and Information Systems Security)
- VAAR 852.211-76 (Liquidated Damages – Reimbursement for Data Breach Costs)
- NFS 1852.204-76 (Security requirements for unclassified information technology resources)
You may have noticed that DoD already uses NIST SP 800-171 as an assessment standard. More on that below.
CMMC Framework
For DoD contracts, CMMC certainly sets up a new compliance framework. But it does so using components that many contractors must already comply with. For example, a CMMC Level 1 contract requires a contractor (and subcontractor) to comply with the . . . 15 requirements . . . in . . . you got it . . . FAR 52.204-21. That’s right, Level 1 status under CMMC is annual certification of a self-assessment that affirms complete compliance with those basic requirements.
Similarly, CMMC also uses NIST SP 800-171 requirements (already applicable under DFARS 252.204-7020) as the backbone for Level 2 status. There, the contractor (or subcontractor) must, either through a self-assessment or through a third party inspection, meet the 110 requirements in NIST SP 800-171 (Revision 2).
For Level 3 status, the contractor (or subcontractor) must achieve Level 2 status and also comply with 24 additional requirements derived from NIST SP 800-172.
Below is a handy synopsis of CMMC taken from the final rule:
CMMC clause coming to a DoD contract near you
Soon, contractors will begin to see a new clause cropping up in DoD contracts: DFARS 252.204-7025 (Notice of Cybersecurity Maturity Model Certification Requirements). This clause will inform offerors which CMMC level is required for the solicitation (i.e., one of the levels above). The clause also advises that an offeror will not be eligible for a contract or task order if the contractor does not have (1) the current CMMC status entered in the Supplier Performance Risk System at the appropriate level, and (2) a current affirmation of continuous compliance with the security requirements identified at 32 C.F.R part 170 in the Supplier Performance Risk System.
DFARS 252.204-7025 won’t likely appear in every DoD contract after the recent rule’s effective date (November 1, 2025). Rather, the rule provides a three-year roll out period during which DoD has discretion to apply the CMMC requirements. After that period, the clause will apply to all contractors who process, store, or transmit Federal contract information or Controlled Unclassified Information (terms which are defined in the revisions at DFARS 252.204-7021).
Close out
CMMC is the talk of the cybersecurity town. But in many ways, it’s merely a repackaging of existing cybersecurity requirements. And while CMMC will rule DoD contracts going forward, non-DoD contractors cannot afford to ignore FAR 52.204-21 and other cybersecurity and data protection requirements in the FAR supplements. Noncompliance exposes contractors (and subcontractors) to considerable risk. I’ll talk about penalties in a separate post.
Understanding the Basics: FAR Cybersecurity Requirements and CMMC was last modified: October 1st, 2025 by