FAR 52.204-21—Basic Safeguarding of Covered Contractor Information Systems.
Plain-English Summary
FAR 52.204-21 establishes the minimum, baseline cybersecurity protections a contractor must apply to any covered contractor information system that processes, stores, or transmits Federal contract information (FCI). This clause defines the key terms that determine when it applies, including covered contractor information system, Federal contract information, information, information system, and safeguarding. It then sets out 15 basic safeguarding controls covering access control, transaction/function limitations, external system connections, public-facing systems, user/device identification and authentication, media sanitization, physical security, visitor control, communications protection, subnetworks for public components, flaw remediation, malicious code protection, malware updates, and scanning. The clause also makes clear that these requirements are only a floor: contractors must still comply with any other agency-specific safeguarding requirements and any other Federal safeguarding rules for controlled unclassified information (CUI). Finally, it requires flowdown of the clause to certain subcontractors where FCI may reside in or transit through their systems, including many subcontracts for commercial products or services. In practice, this clause is important because it creates a government-wide minimum cybersecurity standard for contractor systems handling FCI, and it is often the first compliance checkpoint for contractors that do not yet have a more specialized cybersecurity regime in place.
Key Rules
Applies to FCI systems
The clause applies only to information systems owned or operated by a contractor that process, store, or transmit Federal contract information. If the system does not handle FCI, the clause’s safeguarding controls do not apply to that system.
FCI has a narrow meaning
Federal contract information is nonpublic information provided by or generated for the Government under a contract to develop or deliver a product or service, but it excludes public information and simple transactional information needed only to process payments. Correctly identifying FCI is essential because it determines the scope of the required protections.
Minimum safeguarding controls
Contractors must implement at least the 15 listed basic safeguards, which cover logical access, authentication, external connections, public systems, media sanitization, physical access, communications security, vulnerability handling, malware protection, and scanning. These are minimum controls, not a complete cybersecurity program.
Access must be limited
Systems must restrict access to authorized users, authorized processes, and authorized devices, and must limit users to the transactions and functions they are permitted to perform. This is a core access-control requirement intended to reduce unauthorized use and privilege creep.
External and public exposure must be controlled
Contractors must verify and control connections to external information systems, control information posted or processed on publicly accessible systems, and use subnetworks for public-facing components that are separated from internal networks. This reduces the risk that public or third-party connections will expose FCI.
Identity, authentication, and physical security are required
The clause requires identification and authentication of users, processes, and devices, along with physical access controls such as limiting entry, escorting visitors, maintaining physical access logs, and controlling physical access devices. Both cyber and physical protections are part of basic safeguarding.
Media, malware, and flaw management are required
Contractors must sanitize or destroy media containing FCI before disposal or reuse, protect against malicious code, update malware defenses when new releases are available, and perform periodic and real-time scans. They must also identify, report, and correct system flaws in a timely manner.
Other rules still apply
This clause does not replace other safeguarding obligations imposed by agencies or other Federal requirements, including rules related to CUI under Executive Order 13556. Contractors may need to comply with more stringent or additional requirements depending on the contract and the type of information involved.
Flowdown to subcontractors
The contractor must include the substance of the clause, including the subcontract flowdown paragraph, in applicable subcontracts where the subcontractor may have FCI in or transiting through its systems. This applies even to many subcontracts for commercial products or commercial services, except commercially available off-the-shelf items.
Responsibilities
Contracting Officer
Insert the clause when prescribed by FAR 4.1903 and ensure the contract includes the required safeguarding obligation for covered contractor information systems.
Contractor
Identify covered contractor information systems, determine where FCI is processed, stored, or transmitted, and implement and maintain all 15 basic safeguarding controls. The contractor must also comply with any additional agency-specific or other Federal safeguarding requirements and flow the clause down to covered subcontractors.
Subcontractor
When the clause is flowed down, protect any covered contractor information system that handles FCI and comply with the same basic safeguarding requirements and any incorporated flowdown obligations.
Agency/Department
Impose any additional safeguarding requirements applicable to its programs or information types and ensure those requirements are coordinated with the baseline protections in this clause.
Information Security/IT Personnel
Implement technical and administrative controls such as access restrictions, authentication, malware protection, scanning, logging, media sanitization, and network segmentation, and support timely flaw remediation and incident-related response actions.
Practical Implications
Contractors must first map where FCI exists; if they misclassify information, they may either over-secure unnecessarily or, more dangerously, leave a covered system unprotected.
The clause is a minimum baseline, so passing a checklist for these 15 controls does not end the compliance analysis if the contract also brings in CUI or agency-specific cybersecurity clauses.
Flowdown is easy to miss in commercial-item supply chains; contractors should review subcontracts to determine whether FCI may reside in or transit through the subcontractor’s systems.
Physical security matters as much as cyber controls here, so visitor logs, badge controls, and media disposal procedures should be treated as compliance items, not just facilities issues.
Common gaps include weak authentication, unmanaged external connections, outdated malware tools, incomplete scanning, and failure to sanitize drives or other media before reuse or disposal.
Official Regulatory Text
As prescribed in 4.1903, insert the following clause:
Basic Safeguarding of Covered Contractor Information Systems (Nov 2021)
(a) Definitions. As used in this clause—
Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Information means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009).
Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).
Safeguarding means measures or controls that are prescribed to protect information systems.
(b) Safeguarding requirements and procedures.
(1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
(2) Other requirements. This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.
(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial products or commercial services, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.
(End of clause)