If your business supports the Department of Defense, you’ve likely heard about CMMC, the Cybersecurity Maturity Model Certification. But before you even start talking about CMMC Levels or audits, there’s one foundational clause you need to understand:
FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems.
It’s the starting point for CMMC Level 1, and even if you’re a subcontractor or a service provider who doesn’t touch sensitive data, this clause still applies to you.
In this post, we’ll explain:
- What is FAR 52.204-21?
- What it requires from your business
- How it connects to CMMC compliance
- What to do if you’re not yet meeting its requirements
What Is FAR 52.204-21?
If you’re wondering what FAR 52.204-21 really means for your business, it comes down to protecting sensitive but unclassified government information with basic cyber hygiene.
FAR 52.204-21 is a clause in the Federal Acquisition Regulation (FAR), the set of rules that govern how the U.S. federal government buys goods and services.
This specific clause mandates basic cybersecurity protections for Federal Contract Information (FCI) — which includes any information provided by or generated for the government under a contract that’s not intended for public release.
In Plain English:
If you’re a contractor or subcontractor with access to FCI — even if you’re just supplying materials or handling logistics — you must protect that information using 15 core security practices.
The 15 Security Requirements of FAR 52.204-21
Here’s a quick summary of what you need to implement:
| # | Requirement | What it means |
|---|---|---|
| 1 | Limit Access | Only authorized users can access systems |
| 2 | Authenticate Users | Require secure logins (e.g. passwords) |
| 3 | Limit Connections | Restrict external system connections |
| 4 | Monitor Use | Audit/log user activity on systems |
| 5 | Sanitize Media | Wipe or destroy before disposal |
| 6 | Control Media | Physically protect systems & media |
| 7 | Update Software | Install timely patches and updates |
| 8 | Whitelist Software | Control which software runs |
| 9 | Scan for Malware | Use antivirus/EDR tools regularly |
| 10 | Restrict Info Flow | Prevent unauthorized data transfer |
| 11 | Monitor Physical Access | Lock access to facilities & systems |
| 12 | Escort Visitors | Supervise non-employees in secure areas |
| 13 | Dispose Devices Properly | Destroy media with FCI correctly |
| 14 | Limit Portable Storage | Restrict USBs and mobile devices |
| 15 | Train Staff | Provide basic security awareness training |
If you haven’t formally implemented all 15, your company is likely out of compliance, even without a CMMC mandate.
“These aren’t ‘nice to haves.’ They’re required cybersecurity safeguards — and the bare minimum expected of anyone doing business with the U.S. government.”
— Andrew Eckstrom, vCIO, Succurri
FAR 52.204-21 and CMMC: How They’re Connected
CMMC Level 1 is directly based on FAR clause 52.204-21. These core FAR 52.204-21 cybersecurity principles are designed to reduce risk and promote baseline security across the entire defense supply chain.
In fact, the 15 controls required under FAR 52.204-21 are the same 15 controls assessed at CMMC Level 1.
So if your business only handles Federal Contract Information (FCI) and no Controlled Unclassified Information (CUI), you’re likely aiming for Level 1 compliance, and that means you must meet these requirements today.
Failure to meet the FAR 52.204-21 requirements can lead to disqualification from government contracts.
Who Does This Apply To?
You might be thinking: “We’re not a prime defense contractor — does this still apply to us?”
In most cases, yes.
FAR 52.204-21 appears in virtually every federal contract that involves FCI. That includes:
- Logistics providers
- Manufacturers
- Repair & maintenance companies
- Janitorial or construction crews on base
- Software vendors with access to government systems
- Any subcontractor flowing down FCI from a prime
What Happens If You Don’t Comply?
There’s no official audit process tied directly to FAR 52.204-21… yet. But make no mistake — noncompliance can lead to serious problems, including:
- Disqualification from contract bids
- Termination of existing contracts
- Breach of contract liability
- Increased scrutiny in future CMMC audits
With CMMC Level 1 self-assessments becoming mandatory for new contracts starting in late 2025, the days of treating FAR 52.204-21 lightly are over.
How to Get Compliant (Fast)
Taking early action toward FAR 52.204-21 compliance will help your organization meet both current and future federal requirements. Here’s what we recommend to businesses looking to meet their FAR 52.204-21 obligations:
1. Perform a Security Gap Assessment
Compare your current IT practices to the 15 FAR controls. Where are the weaknesses?
2. Fix Low-Hanging Fruit Immediately
Implement multi-factor authentication, patch outdated systems, and remove unused user accounts.
3. Train Your Team
FAR compliance isn’t just a tech issue — it requires employee awareness and responsibility.
4. Document Your Controls
Even at Level 1, you need to affirm compliance annually. Good documentation gives you proof.
5. Create a Plan to Maintain Compliance
Set recurring internal reviews, regular software updates, and employee training schedules.
What About Self-Assessments?
Under CMMC 2.0, businesses that fall under Level 1 will be required to:
- Perform an annual self-assessment
- Complete a self-affirmation signed by a senior company official
- Upload their results to the Supplier Performance Risk System (SPRS)
If your business hasn’t started preparing for this yet, you’re already behind.
“FAR 52.204-21 is the foundation of CMMC. If you can’t meet these 15 controls, your business won’t just miss future contracts — it could lose the ones it already has.”
— Andrew Eckstrom, vCIO, Succurri
Compliance may feel like a burden, but it’s really an opportunity to mature your security posture, protect your data, and build a competitive advantage in an increasingly regulated federal marketplace.
Why FAR 52.204-21 Is Your Compliance Starting Point
FAR 52.204-21 isn’t optional; it’s the mandatory foundation for anyone doing business with the Department of Defense. Whether you’re a prime contractor, subcontractor, or service provider, understanding FAR 52.204-21 requirements is essential to maintaining your contracts and preparing for upcoming CMMC 2.0 certification.
Meeting the FAR clause 52.204-21 controls doesn’t just keep you compliant; it strengthens your cybersecurity posture and positions your business as a trusted partner in the federal supply chain. With FAR 52.204-21 compliance becoming a baseline expectation, now is the time to act.
If you’re unsure where to start or how these 15 controls apply to your organization, Succurri can help. Our cybersecurity services guide businesses through the requirements, perform gap assessments, and support your journey to full compliance.
Schedule a readiness review with Succurri today and take the first step toward lasting security and contract eligibility.