The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

FAR 52.204-21 Explained: What the 15 Safeguards Actually Require

By The Defense Compliance Report Editorial Team · Last verified

This is independent editorial research by our team, not a formal review by a named CMMC Subject Matter Advisor. Confirm how the clause applies to your contract with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before you act.

FAR 52.204-21 explained, in one sentence: it requires contractors to apply 15 basic safeguards to any contractor-owned or contractor-operated information system that stores, processes, or transmits Federal Contract Information (FCI)— the non-public information the government gives you, or that you generate, to deliver a product or service under a contract. It applies when the clause is in your instrument and FCI touches your systems, it flows down to subcontractors when FCI may reach their systems (excluding COTS), and it does not — by itself — require CMMC, GCC High, an SSP, or all 110 NIST SP 800-171 requirements.

Stay with that last point, because it’s costing contractors money right now. If someone handed you an old checklist with “17 controls,” you were working from a count that describes an assessment crosswalk — not the clause. There are 15 safeguards. We’ll show you the government’s own mapping table that proves it, and the one narrow place where 17 is technically correct.

The 60-second answer

Your questionThe direct answer
How many safeguards are there?15 numbered safeguards, at paragraphs (b)(1)(i) through (xv)
What do they protect?Contractor-owned or -operated systems that store, process, or transmit FCI
Who has to comply?Applicable primes and subcontractors whose systems may hold FCI
Is there a COTS exception?Yes — acquisitions exclusively for commercially available off-the-shelf (COTS) items are excluded
Does the clause alone require CMMC?No— CMMC is a separate contractual trigger
Is it now called 52.240-93?The codified clause is still 52.204-21; deviation-governed instruments may use 52.240-93 for the same 15-safeguard baseline
Does it set the CUI or Level 2 baseline?No. For DoD covered defense information, separate DFARS 252.204-7012, NIST SP 800-171 Rev. 2, and contractually required CMMC Level 2 terms may apply

Checked against the current FAR clause, 32 CFR Part 170, and the Revolutionary FAR Overhaul Part 40 deviation on July 17, 2026. Full inline citations and a primary-source list are below.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

We are not affiliated with the Cyber AB, the Department of War, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This page is educational research, not legal, contractual, certification, or compliance advice. When applicability or scope is unclear, confirm it with your contracting officer, a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO), or a qualified federal-contracts attorney.


FAR 52.204-21 explained in plain English

FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” is a Federal Acquisition Regulation contract clause requiring 15 baseline security safeguards on any contractor-owned or -operated system that handles non-public Federal Contract Information. It sets minimum outcomes — not a required product, cloud, or policy binder — and it does not replace stricter CUI requirements found elsewhere in your contract.

It was published as a final rule in 2016 (81 FR 30446), last amended in November 2021 (86 FR 61032), and it currently appears under Federal Acquisition Circular (FAC) 2026-01. We read the current clause text on the eCFR and confirmed its status and version header on Acquisition.gov before publishing this page.

The title tells you almost everything if you unpack it:

  • Basic safeguardingmeans minimum, routine security outcomes — the floor, not the ceiling.
  • A covered contractor information system is a system you own or operate that stores, processes, or transmits FCI.
  • Federal Contract Informationis non-public information provided by or generated for the government under a contract to develop or deliver a product or service — with two carve-outs we’ll cover in a moment.

One honest caveat — then the good news

Here’s the flaw in this clause, and we’d rather say it plainly than let a vendor use it to scare you: the clause is short because it is not an implementation manual.It tells you the outcomes your covered systems must achieve. It does not tell you which products to buy, how many pages of policy to write, what your network diagram should look like, or how much evidence is “enough.” That ambiguity is genuinely frustrating the first time you read it.

Now the good news, and it’s the whole reason this page exists: that same ambiguity means you can implement proportionatesafeguards for an FCI-only problem instead of buying a full Controlled Unclassified Information (CUI) enclave you don’t need. Most Level 1 gaps come down to documentation and process — not six-figure technical builds. Read that twice if a vendor has been quoting you like you’re a Level 2 shop. The clause being outcome-based is not the same as the clause being expensive.

“Basic” also does not mean optional. When the clause is in your contract, these 15 safeguards are contractual obligations. The word “basic” distinguishes this floor from the far more demanding CUI requirements — it does not turn the clause into a suggestion.


Who does FAR 52.204-21 apply to?

FAR 52.204-21 applies based on your contract and your information flow — not your company size, revenue, or whether you call yourself a “defense contractor.” The practical test has three parts: the clause is in your instrument, FCI will enter systems you own or operate, and the work isn’t a COTS-only acquisition. If all three are true, you’re almost certainly covered.

Run the three-part test on every instrument, not on your general impression of your company:

  1. The clause test.Is 52.204-21 — or its deviation twin 52.240-93 — in the applicable solicitation, contract, order, or subcontract? Read the actual document, not a summary email.
  2. The information test.Will you receive or generate non-public information for government contract performance? If it’s genuinely public, or it’s simple payment-processing data, that specific information may not trigger the clause.
  3. The system test.Will that information live in or move through information systems you own or operate — email, endpoints, file shares, ERP, ticketing, or a cloud service you control?

Primes and subcontractors are not in the same position

If you’re a prime, you have two jobs: meet the safeguards on your own covered systems, and decide what to flow down. If you’re a subcontractor, read the exactflow-down you received. Do not assume your prime’s entire cybersecurity program automatically became your obligation — and do not assume it didn’t. The clause language, not the relationship, controls.

“Commercial” and “COTS” are not the same word

This trips up smart people. Commercial products and services are not categorically excluded from this clause. Only COTS items get the express exclusion in FAR Part 4.19 and in the flow-down paragraph. COTS is a defined subset of commercial products — an item of supply sold in substantial quantities in the commercial marketplace and offered to the government without modification. If you use “commercial” and “COTS” interchangeably in your scope analysis, you may over- or under-apply the clause.

Being a small business is not an exemption

Your headcount changes how hard implementation is. It does not change whether the clause applies. The applicability test is the clause plus the information flow — full stop.

Don’t import CMMC’s micro-purchase rule into the FAR clause

You’ll see pages claim FAR 52.204-21 only applies above the micro-purchase threshold. That’s borrowing a CMMC rule and stapling it to the wrong regulation. FAR 4.1902 applies the basic-safeguarding subpart to acquisitions — including commercial products and services other than COTS — when a contractor information system may contain FCI; it does not set a micro-purchase-threshold condition. The micro-purchase threshold lives in the CMMCapplicability rule, 32 CFR § 170.3(c) — a separate regulatory framework with its own coverage scope.

SituationInitial readWhat to check before you rely on it
Clause present, FCI enters your systemsLikely coveredMap the FCI boundary and test all 15 safeguards
Clause present, but only public info or payment data is involvedPossibly no covered systemConfirm the information really is public/transactional
COTS-only acquisitionFAR 4.19 exclusion may applyConfirm it’s genuinely limited to COTS
Commercial service touching non-public contract dataPossibly covered“Commercial” status alone doesn’t remove the clause
Subcontractor that never receives FCINo automatic system triggerDocument the information path and your prime’s flow-down
Only a vague “be CMMC compliant” email existsUnresolvedGet the actual clause and the required CMMC status in writing

What counts as Federal Contract Information under FAR 52.204-21?

Federal Contract Information (FCI) is information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service. The clause expressly excludes two things: information the government makes public, and simple transactional information needed to process payments. Almost everything else about your contract is fact-dependent — you classify it by content and context, not by the document’s title.

This is where the search usually starts. Someone read “FCI” and thought, “We don’t handle anything sensitive, so we’re fine.” That assumption can become an expensive mistake, because FCI shows up in ordinary places: the email thread with your contracting officer, delivery and purchase orders, performance reports, work instructions, schedules, and non-public status updates. If FCI touches your inbox, your endpoints, your file shares, or your cloud tools, those systems inherit the safeguarding baseline.

Here’s how information falls into three lanes. Treat the second and third lanes as examples to inspect— not a government-issued master list.

LaneExamplesThe rule
Expressly excluded by the definitionInformation the government publishes; simple data needed only to process a paymentDon’t call it FCI just because it involves a federal customer
Frequently qualifies as FCINon-public contract communications, performance records, internal deliverables, work instructions, schedules, status reports, non-public support ticketsConfirm it’s provided by or generated for the contract and isn’t meant for public release
Fact-dependent — inspect itProposals, invoices, purchase orders, accounting records, personnel lists, shipping data, meeting notes, emails, contract attachmentsJudge by content, source, intended release, and markings — never by the file name

The FCI Triage Test

When you’re staring at a document and can’t tell, run it through five questions. This is our editorial framework for spotting FCI quickly — it does not replace a contracting officer’s or attorney’s classification call, and it never produces a legal determination on its own.

  1. Was it provided by or generated for the government under the contract?
  2. Is it intended for public release? (If yes, it’s likely not FCI.)
  3. Is it only simple payment-processing information? (If yes, it’s likely excluded.)
  4. Does it enter a contractor-owned or -operated system?
  5. Does a marking, clause, or other authoritysuggest it’s actually CUI or another protected category?

If it clears 1 and 4, isn’t public, and isn’t just payment data, treat it as potential FCI and safeguard it. If question 5 lights up, stop and get an authoritative classification before you assume it’s “only” FCI.

FCI is not CUI — and the difference sets your whole path

This distinction decides whether you’re looking at a manageable baseline or a major program. Do not let anyone blur it.

QuestionFCICUI
What is it?Non-public info provided by or generated for contract performanceInformation requiring safeguarding or dissemination controls under law, regulation, or government-wide policy
Governing baselineFAR 52.204-21 (15 safeguards)For DoD covered defense information: DFARS 252.204-7012, 110 NIST SP 800-171 Rev. 2 requirements across 14 families, and the CMMC Level 2 path
Commonly associated CMMC levelLevel 1 when contractually requiredLevel 2 when contractually required
Number of baseline requirements15110, organized into 14 control families
Safe assumptionDon’t assume FCI is publicDon’t relabel CUI as ordinary data for convenience

Two clarifications keep you accurate here. DFARS 252.204-7012 is a DoD clause governing covered defense information; it is not the universal safeguarding clause for every agency’s CUI (civilian CUI is heading toward its own FAR rule). And NIST has issued Revision 3 of SP 800-171 for general use, but the current CMMC rule and DoD implementation still run on Revision 2— Revision 3 does not become the controlling CMMC version unless DoD amends the rule. So if you see a “withdrawn/superseded” banner on Rev. 2 at NIST, don’t assume the CMMC world has moved; it hasn’t. See our CMMC levels breakdown for how Level 1, 2, and 3 differ.

One note on scope vocabulary: the FAR clause defines a covered contractor information systemin terms of systems you own or operate. Separately, the DoD’s CMMC Level 1 Scoping Guide treats FCI held in physical formats — like paper — as part of the Level 1 scoping analysis. Same information, two documents, slightly different framing. Keep them straight.


Are there 15 or 17 FAR 52.204-21 requirements?

There are 15 numbered safeguards in FAR 52.204-21, and CMMC Level 1 has 15 security requirements. You’ll sometimes see “17,” and it isn’t entirely wrong — it’s the number of rows in the official CMMC assessment crosswalk, because one physical-protection safeguard, paragraph (b)(1)(ix), is displayed as three phrase-level rows mapped to NIST SP 800-171A objectives 3.10.3, 3.10.4, and 3.10.5. So: 15 safeguards, assessed through 17 mapped rows.

We want to be exact here, because this is the number vendors and stale blog posts most often botch. When we pulled the mapping table straight from 32 CFR § 170.15, the reason for the “17” was right there: the table splits FAR 52.204-21(b)(1)(ix) — a single safeguard containing three distinct phrases — into three separate rows. That’s the entire source of the number. It’s a crosswalk artifact, not a control count.

The countThe number
FAR 52.204-21 safeguards15
CMMC Level 1 security requirements15
Rows in the NIST SP 800-171A assessment mapping17
Reason for the gapParagraph (b)(1)(ix) → 3 rows

The one safeguard that splits into three:

FAR 52.204-21(b)(1)(ix) phraseMaps to NIST SP 800-171A objective
Escort visitors and monitor visitor activity3.10.3
Maintain audit logs of physical access3.10.4
Control and manage physical access devices3.10.5

If you remember one line from this page, make it this: 15 safeguards, assessed through 17 mapped rows. Anyone calling these “17 FAR controls” is counting assessment rows, not reading the clause.


What are the 15 FAR 52.204-21 safeguards? (The Clause-to-Evidence Matrix)

The 15 safeguards cover access control, identity, media disposal, physical protection, network boundaries, flaw remediation, malicious-code protection, and scanning. They are outcome requirements, not prescribed products — the clause tells you what to achieve, and it’s on you to decide how, prove it operates, and keep proportionate evidence.

Below is our FAR 52.204-21 Clause-to-Evidence Matrix. Two things make it different from the control lists you’ll find elsewhere. First, the FAR paragraph and the CMMC/NIST mapping columns come straight from the current clause and 32 CFR § 170.15 — those are the government’s words. Second, the last three columns — practical evidence, likely owner, and a common failure mode — are our editorial implementation framework, built by mapping the clause and the official assessment objectives to the evidence and owners that make each safeguard defensible. They are recommendations to help you operationalize the clause and illustrations of where teams tend to slip. They are not additional FAR requirements, and we’ve labeled them so no one mistakes our guidance for the regulation.

Duty and mappings: current FAR 52.204-21 and 32 CFR § 170.15. Evidence, owner, and failure columns: The Defense Compliance Report editorial framework. Verified July 17, 2026.

#FAR ¶ — the safeguard (plain English)CMMC L1 / NIST 800-171APractical evidence to consider (not prescribed by FAR)Likely ownerCommon failure mode
1(b)(1)(i) Allow only authorized users, processes, and devicesAC.L1-b.1.i / 3.1.1User and device inventory; account approvals; joiner-mover-leaver recordsIT/IAM + HRFormer employees, shared logins, or unmanaged devices keep access
2(ii) Limit authorized users to permitted transactions and functionsAC.L1-b.1.ii / 3.1.2Role matrix; group-membership export; app-permission reviewIT + app ownersA user can log in but has far more rights than the job needs
3(iii) Verify and control/limit connections to and use of external systemsAC.L1-b.1.iii / 3.1.20External-service inventory; BYOD/remote-access rules; approved connection settingsIT/securityPersonal email, personal cloud, or unvetted SaaS enters the workflow unnoticed
4(iv) Control information posted to or processed on publicly accessible systemsAC.L1-b.1.iv / 3.1.22Publication-approval process; website review; content-removal logProgram owner + comms + ITContract info lands on a public site, portal, repo, or shared link
5(v) Identify users, processes, and devicesIA.L1-b.1.v / 3.5.1Unique-account inventory; device IDs; service-account registerIT/IAMShared or generic identities make attribution impossible
6(vi) Authenticate identities before granting accessIA.L1-b.1.vi / 3.5.2Authentication configuration; password settings; access testIT/IAMDefault credentials, weak passwords, or shared accounts
7(vii) Sanitize or destroy media containing FCI before disposal or reuseMP.L1-b.1.vii / 3.8.3Disposal procedure; destruction certificates; device-wipe recordsIT + records/facilitiesDrives, printers, phones, or paper leave the building with recoverable FCI
8(viii) Limit physical access to systems, equipment, and operating environmentsPE.L1-b.1.viii / 3.10.1Badge/key list; secured-room access; workspace controlsFacilities + ITServer rooms or FCI work areas are reachable by unauthorized people
9(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devicesPE.L1-b.1.ix / 3.10.3, 3.10.4, 3.10.5Visitor records; escort process; access logs; badge/key inventoryFacilities/securityOne policy sentence is used to cover three operationally distinct duties
10(x) Monitor, control, and protect communications at external and key internal boundariesSC.L1-b.1.x / 3.13.1Network/data-flow diagram; firewall rules; boundary configurationNetwork/securityNo one can name the relevant external or internal boundaries
11(xi) Separate publicly accessible components from internal networksSC.L1-b.1.xi / 3.13.5DMZ or logical-separation diagram; segmentation configurationNetwork + web/app ownerPublic-facing services sit directly inside the internal environment
12(xii) Identify, report, and correct system and information flaws promptlySI.L1-b.1.xii / 3.14.1Patch process; vulnerability queue; remediation ticketsIT/securityPatches happen informally, with no ownership or aging visibility
13(xiii) Protect systems from malicious code at appropriate locationsSI.L1-b.1.xiii / 3.14.2Endpoint/email/server/gateway protection inventoryIT/securitySome asset classes or entry points have no malware protection
14(xiv) Update malicious-code protection when new releases are availableSI.L1-b.1.xiv / 3.14.4Update status; policy; failed-update alertsIT/securityProtection exists but signatures or agents are stale
15(xv) Run periodic scans and real-time scans of files from external sourcesSI.L1-b.1.xv / 3.14.5Scan schedule; scan results; on-access scanning configurationIT/security"Antivirus is installed" is treated as proof that recurring scans run

Notice the pattern the matrix exposes: most of these aren’t exotic tools. They’re discipline— knowing who has access, controlling how information leaves, patching on a schedule someone owns, and being able to show it. That’s why “we bought antivirus” is not a compliance answer, and why the physical-protection and media-disposal safeguards (7, 8, 9) get skipped by teams who think this clause is only about firewalls and endpoints.


What proof should you keep for FAR 52.204-21?

FAR 52.204-21 does not prescribe a specific System Security Plan (SSP), evidence binder, screenshot count, or retention period. Sensible evidence simply makes each safeguard repeatable and defensible. Separately, when CMMC Level 1 is contractually required, the assessment uses NIST SP 800-171A objectives and an examine-interview-test method — and 32 CFR § 170.15 requires the artifacts used as evidence to be retained for six years.

Keep three ideas apart, because conflating them is how people either over-document or under-prove:

ConceptWhat it means
Contractual safeguardThe outcome the clause requires
Implementation methodThe technical or procedural way you achieve it
EvidenceThe artifact, interview, or test showing it actually works

Good evidence comes in three flavors, and you generally want a mix:

  • Policy/procedure evidence— your account-management procedure, media-disposal procedure, visitor process, patch procedure.
  • Configuration/design evidence— group memberships, firewall config, authentication settings, a network diagram, malware-protection deployment.
  • Operational evidence— tickets, visitor logs, access reviews, destruction records, patch results, scan results.

The test that separates real evidence from theater: evidence has to prove operation, not intention.A policy that says “we patch systems” does not prove systems are patched. A screenshot from one workstation does not prove the process covers your whole FCI boundary. Assessors — and honest self-assessors — look for the difference.

One nuance to get precisely right: the DoD’s CMMC Level 1 Scoping Guide says there are no prescribed documentation requirements for categorizing assets at Level 1. That is a narrow point about scoping paperwork. Do not let it get rewritten into “CMMC Level 1 needs no evidence.” The assessment still checks whether every requirement is MET, and 32 CFR § 170.15 still requires six-year artifact retention. Those are different things.


Does FAR 52.204-21 require CMMC Level 1?

FAR 52.204-21 and CMMC Level 1 protect the same FCI baseline, but they’re triggered differently. The FAR clause is the safeguarding obligation. CMMC Level 1 is the DoD’s verification layer for those same 15 requirements — and when a contract requires Level 1 (Self) status, 32 CFR § 170.15 requires you to meet all 15 with no POA&Ms, self-assess annually, submit results in SPRS, affirm compliance, and retain artifacts for six years. Those additions come from the CMMC rule, not from the standalone FAR clause.

We read § 170.15 in full to confirm the specifics, because this is exactly where “the clause requires it” and “CMMC requires it” get carelessly merged. Here’s the clean comparison:

FeatureFAR 52.204-21CMMC Level 1 (Self)CMMC Level 2 / DFARS CUI path
InformationFCIFCICUI / covered defense information
Security baseline15 FAR safeguardsThe same 15 requirements110 NIST SP 800-171 Rev. 2 requirements
AssessmentNot specified by this clauseAnnual self-assessmentSelf or C3PAO, depending on the contract
SPRSNot statedCompliance result + affirmationApplicable CMMC status/affirmation mechanics
POA&MsClause is silentNot permittedLimited conditional-status rules may apply
C3PAO assessmentNoNoRequired for Level 2 certification assessments
Six-year artifact retentionNot statedYesApplies by assessment type
What triggers itThe clause itselfA CMMC status requirement in the contractCMMC/DFARS terms plus CUI handling

Two facts worth pinning down. First, under § 170.15, an Affirming Official— a senior-level representative within your organization with responsibility and authority for CMMC compliance — must submit the affirmation in SPRS, and you must have both achieved Level 1 (Self) and submitted that affirmation before awardof a contract or subcontract that requires Level 1 (Self). Second, the DoD’s Level 1 Assessment Guide notes that a third party can helpyou run a Level 1 self-assessment — but it remains a self-assessment. Getting outside help does not turn it into a certification.

Current CMMC status — read this before you plan anything

Current as of July 17, 2026: CMMC Phase 1 began November 10, 2025 and was originally scheduled to run through November 9, 2026. On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II— the phase that would have expanded third-party (C3PAO) assessment requirements beginning November 10, 2026 — and launched a 60-day program review. As of this writing, the DoD’s CMMC program materials describe implementation as paused in Phase 1, where Level 1 or Level 2 self-assessments apply. Phase 1 self-assessment requirements remain active, DFARS 252.204-7012 is unaffected, and no replacement Phase II start date has been published. Critically for this page: the suspension does not erase FAR 52.204-21 from any contract, does not suspend the 15 safeguards, and does not turn FCI into public information.

We’re flagging this because the temptation right now is to read “CMMC suspended” as “cybersecurity paused.” It isn’t. If your obligation is FCI and Level 1, the suspension changed almost nothing for you — Level 1 was always a self-assessment, and Phase 1 self-assessments are still in force. Read the obligations actually present in your governing instrument, not the headline.


Is FAR 52.204-21 now FAR 52.240-93?

Both numbers are currently valid for the same clause. The codified, government-wide FAR still contains 52.204-21, dated November 2021. Under the Revolutionary FAR Overhaul, the basic-safeguarding clause was moved to 52.240-93 with the same title and the same 15-safeguard baseline, and agencies that adopted the overhaul through a class deviation now use 52.240-93 in new instruments. So read and cite whichever number appears in your governing document.

This is the piece missing from nearly every competing page, and it’s a live source of confusion in the field. We confirmed it against the Revolutionary FAR Overhaul Part 40 deviation guide, which states plainly that new clause 52.240-93, Basic Safeguarding of Covered Contractor Information Systems, replaces 52.204-21, with the prescription moving from FAR 4.1903 to the new FAR 40.303-2. For DoD instruments, DoD Class Deviation 2026-O0025 directs contracting officers to use the revised FAR Part 40.

Here’s what’s actually going on:

  • The overhaul reorganized FAR Part 40 and consolidated safeguarding clauses at 52.240-90 through 52.240-93. Basic safeguarding landed at 52.240-93.
  • The clause keeps the same title and the same 15-safeguard baseline. The number and prescription location changed; the substantive obligation did not. (Don’t assume the two versions are word-for-word identical — the drafting was reorganized — but the 15 safeguards and the flow-down duty carry over.)
  • This happened through class deviations, not final rulemaking. A deviation applies to an agency only once that agency issues it — several already have.
  • CMMC Level 1 still references 52.204-21.So during this transition, both numbers point at the same set of requirements, and you’ll see them coexist.
QuestionThe correct answer
Does 52.204-21 still exist in the codified FAR?Yes — dated Nov 2021, under FAC 2026-01
Where is the clause numbered 52.240-93?In deviation-governed instruments, under the FAR Part 40 model
Where's the prescription?FAR 4.1903 (codified) → FAR 40.303-2 (deviation)
Same 15 safeguards and flow-down?Yes — same title and substantive baseline
Did the overhaul auto-amend the CFR for every agency?No — it works agency by agency, via class deviation
Which number controls my work?The one in your governing instrument and its applicable deviation

What to write in your own records: “The governing instrument cites FAR 52.204-21,” or “The governing instrument cites FAR 52.240-93 under the issuing agency’s FAR Overhaul class deviation.” What not to write: “52.204-21 no longer exists.”It does. Treating a renumbering as a repeal is one of the easiest — and most confident — ways to get this wrong.


How does FAR 52.204-21 flow down to subcontractors?

The prime must include the substance of the clause — including the flow-down paragraph itself — in subcontracts where the subcontractor may have FCI residing in or transiting its systems. It reaches subcontracts for commercial products and services but excludes COTS items. So the flow-down decision turns on the subcontract’s information path, not on the vendor’s label.

The clause’s paragraph (c) is explicit, and we read it directly: flow the substance down when the sub may have FCI in or moving through its systems, except for COTS acquisitions. That leaves two failure modes, in opposite directions:

  • Over-flowing— pushing the clause onto every supplier, including COTS vendors and businesses that never touch contract information. This creates friction and confusion for no compliance benefit.
  • Under-flowing— failing to flow it to a subcontractor who genuinely receives FCI, on the mistaken belief that “commercial” removes the requirement. It doesn’t.

The decision really runs on two axes: could FCI reside in or transit the sub’s systems? and is the subcontract genuinely limited to COTS?If FCI could be involved and it’s not COTS-only, flow it down. While you’re at it, check separately whether CUI, DFARS 252.204-7012, or a required CMMC status also need to flow.

Before you flow it down, a prime should determine what information the sub actually needs, whether it’s intended for public release, whether it will enter the sub’s systems, whether the subcontract is COTS-only, and whether separateCUI or CMMC clauses also apply. On the receiving end, a subcontractor should ask the prime: which exact clause number is being flowed, what information you’ll receive, whether any of it is CUI, what CMMC status (if any) is required, and whether reporting or cloud terms are also included.

Working through supplier flow-down? See our source-checked FAR and CMMC flow-down letter template.


What does FAR 52.204-21 NOT require by itself?

By itself, the clause does not require an SSP, MFA, an SPRS submission, GCC High, FedRAMP authorization, a C3PAO assessment, a POA&M, all 110 NIST SP 800-171 requirements, or 72-hour incident reporting. Any of those can still be required — by a separate clause, a required CMMC status, the type of information you handle, or a sound implementation decision. The safe formulation is always “not required by this clause alone.”

This table separates what FAR 52.204-21 actually requires from duties that come from other clauses. Read it before you spend anything.

Requirement or expectationRequired by FAR 52.204-21 itself?Where it actually comes from
The 15 basic safeguardsYesFAR 52.204-21
Annual Level 1 self-assessmentNoCMMC Level 1, when contractually invoked
SPRS compliance result and affirmationNo32 CFR § 170.15 and applicable CMMC terms
All 15 MET, no POA&MNoCMMC Level 1 — a status condition, not FAR text
Six-year artifact retentionNoCMMC Level 1 (§ 170.15)
A System Security Plan (SSP)No express standalone requirementOther frameworks; often prudent documentation regardless
Multi-factor authentication (MFA)No express standalone requirementThe clause requires authentication; it does not name MFA
C3PAO assessmentNoCMMC Level 2 certification
All 110 NIST SP 800-171 Rev. 2 requirementsNoCUI / DFARS 252.204-7012 / CMMC Level 2
GCC HighNoAn environment/data-specific decision, not a FAR mandate
FedRAMP Moderate (or equivalent) cloudNoA DFARS 252.204-7012 requirement when an external cloud stores, processes, or transmits covered defense information
72-hour DoD incident reportingNoDFARS 252.204-7012
Security-awareness trainingNot one of the 15Prudent practice or a separate framework

Three of these deserve a sentence of their own, because they’re the most common upsells:

  • Authentication is not automatically MFA.The clause says authenticate identities before access. It does not name a factor count or a technology. MFA may still be smart or required elsewhere — just don’t let anyone tell you the FAR clause itself mandates it.
  • FCI does not automatically require GCC High.GCC High is a real answer to certain CUI and environment questions. It is not a product FAR 52.204-21 requires. If a vendor jumps from “you have FCI” to “you need GCC High,” slow down and confirm your information type first.
  • FAR flaw handling is not DFARS incident reporting. Safeguard (xii) is a flaw-identification, reporting, and correction requirement. It is not the 72-hour cyber-incident report to DoD, which lives in DFARS 252.204-7012 and applies to covered defense information. Different clause, different trigger, different clock.

And one thing we will not manufacture: a universal penalty table. FAR 52.204-21 does not contain a fixed schedule of fines. Non-compliance can still create real contractual, payment, eligibility, representation, or termination exposure depending on the instrument and the facts — and knowingly false or reckless cybersecurity representations, claims, or attestations can draw False Claims Act exposure, which the U.S. Department of Justice has pursued through its Civil Cyber-Fraud Initiative. But an implementation gap does not automatically create liability, and the honest answer to “what happens if we fall short” is “it depends on your contract and the facts.” Take legal-exposure questions to qualified counsel.


How do you comply with FAR 52.204-21 without overbuilding?

Start with your contract and your information flow — not a product or a generic CMMC checklist. Identify the clause, find where FCI enters and moves, map those systems to the 15 safeguards, test whether each one operates, keep proportionate evidence, and only then check for separate CMMC, CUI, cloud, reporting, and flow-down terms.

The sequence matters, because doing it in the wrong order is how contractors buy a Level 2 environment for a Level 1 problem:

  1. Collect the governing instruments— solicitation, award, modifications, task/delivery orders, subcontract or PO, prime flow-down, and any agency deviation reference.
  2. Record the exact clause number and version— 52.204-21 or 52.240-93, the deviation notation, the clause date, and the issuing agency. Don’t normalize everything to one number.
  3. Separate your information types— public, simple payment data, potential FCI, marked or potential CUI, export-controlled, classified, or “unknown, needs clarification.”
  4. Map the FCI path— creation, receipt, access, processing, storage, transmission, printing, archiving, disposal, and any subcontract transfer.
  5. Define the covered systems, then the wider scope. The FAR clause is about the information systems you own or operate. Separately, note the people, facilities, external service providers, physical formats, and subcontractors relevant to implementing the safeguards or to any required CMMC assessment scope.
  6. Test all 15 safeguardsusing the clause and the matrix above — not a marketing checklist that quietly adds duties.
  7. Assign an owner and evidence to each safeguard, with an implementation summary, a test result, and a review date.
  8. Check for separate terms.Look for DFARS 252.204-7012 (covered defense information, cloud, and 72-hour reporting) and DFARS 252.204-7021 (the CMMC-status clause), plus any CUI markings and prime-specific requirements. Note that the FAR overhaul also relocated some DoD assessment provisions into the DFARS 240 series for deviation-governed instruments — so on a DoD contract, read the assessment clauses as written, not from memory.
  9. Resolve unknowns before you attest— escalate contract interpretation to your contracting officer, prime, counsel, or an RP/RPO. Never affirm compliance you can’t support.

If you strip every step down to one idea: scope first, prove second, buy last.The clause rewards proportionate, well-evidenced basics far more than it rewards expensive tooling you can’t map to a requirement. If you’re still unsure whether readiness help or a formal assessment comes first for your situation, our guidance on who to hire first walks through it.


What did The Defense Compliance Report actually verify?

On July 17, 2026, we cross-checked this page against the current codified FAR clause and FAC, the CMMC Level 1 rules in 32 CFR § 170.15 (including the 15-to-17 mapping table), the Level 1 scoping and assessment guides, the CMMC applicability rule in 32 CFR § 170.3, the Revolutionary FAR Overhaul Part 40 deviation that moves the clause to 52.240-93, DoD Class Deviation 2026-O0025, DFARS 252.204-7012, and the July 13, 2026 CMMC Phase II suspension notice. The evidence, owner, and failure columns and the decision frameworks are our editorial conclusions built on those sources — not additional government requirements.

What we verified against primary sources

  • The current 52.204-21 title, November 2021 date, definitions, all 15 safeguards, and the flow-down paragraph — read on the eCFR; status confirmed on Acquisition.gov.
  • FAR 4.1902/4.1903 applicability and prescription, and the COTS exclusion.
  • The exact CMMC Level 1 mapping in § 170.15: 15 requirements, 17 assessment rows, and the (b)(1)(ix) phrase split into 3.10.3, 3.10.4, and 3.10.5.
  • The Level 1 (Self) rules in § 170.15: MET-only with no POA&Ms, annual self-assessment, SPRS submission, affirmation before award, and six-year artifact retention.
  • The CMMC applicability and micro-purchase-threshold condition in § 170.3(c) — a CMMC rule, not a FAR 4.19 rule.
  • The move to 52.240-93 under FAR Part 40, prescription at 40.303-2, verified on Acquisition.gov and in DoD Class Deviation 2026-O0025.
  • DFARS 252.204-7012 as the separate source of the covered-defense-information safeguarding and 72-hour incident-reporting duties.
  • The July 13, 2026 Phase II suspension via the official Department of War release.

What we did not claim

  • That every federal contractor automatically handles FCI.
  • That every contract record is FCI.
  • That any single cloud or software product is required.
  • That an SSP or MFA is either prohibited or mandated by the clause alone.
  • That a specific artifact guarantees an assessment result.
  • That Phase II has a new start date.
  • That the 52.204-21 and 52.240-93 texts are word-for-word identical (the drafting was reorganized; the 15 safeguards carry over).
  • That any provider or government body endorses this page.

This page was written by The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance — using a current primary-source review plus our own clause-to-evidence crosswalk. We built it to help contractors separate the actual FCI baseline from the CMMC, CUI, vendor, and clause-number noise around it, before they spend money or make a compliance representation. See our editorial standards for how we source and our methodology for how the frameworks on this page are built.


What should you do next?

Your next step depends on your clause and your information path, not on a generic checklist. If you’re FCI-only, close and evidence the 15 safeguards. If you handle CUI or carry DFARS/CMMC terms, you’re looking at a separate Level 2 analysis. If the language is ambiguous, resolve it before you request quotes, change your environment, or attest.

Your situationYour next stepProvider-category intensity
52.204-21 or 52.240-93; FCI only; no separate CMMC termComplete the 15-safeguard matrix and evidence reviewUsually internal IT/security, or limited readiness help
A CMMC Level 1 status requirement appears in the instrumentPrepare the annual self-assessment, SPRS compliance result, affirmation, and six-year artifact retentionRPO or readiness help only where needed; no C3PAO required
DFARS 252.204-7012 or CUI is presentMove to the NIST SP 800-171 Rev. 2 / CMMC Level 2 pathRPO, CMMC-focused MSP/MSSP, enclave, or GRC support as needed
Both clause numbers appearFollow the governing instrument and applicable deviation; document the cross-referenceContract review before tooling
Your prime's flow-down is vagueRequest the exact information type, CMMC status, and clause basis in writingNeutral guidance first
You can't tell if records are FCI or CUIGet authoritative contract clarificationContracting officer/prime, plus counsel or an RP/RPO
Assessment-ready, and your instrument expressly requires Level 2 (C3PAO)Use assessment-path resources; route to a C3PAO only when the contract requires itC3PAO category only at this stage

The pattern across every row: resolve the clause and the data first; choose a provider second. That order protects your budget and your compliance posture at the same time.


FAR 52.204-21 frequently asked questions

These answers resolve the edge cases most likely to send you back to search — applicability, COTS, FCI versus CUI, the 15-versus-17 count, evidence, CMMC, SPRS, MFA, cloud, physical access, incident reporting, and flow-down. Each is short, conditional where it needs to be, and grounded in the primary sources listed at the end of this page.

Is FAR 52.204-21 mandatory?
It’s contractually binding when it’s incorporated in your instrument and applicable to your work. It does not bind a company that has no contract containing it — applicability follows the clause and the information flow.
Who does FAR 52.204-21 apply to?
Contractors and relevant subcontractors whose systems may store, process, or transmit FCI under an applicable instrument. Company size is not the test.
Does the micro-purchase threshold apply to FAR 52.204-21 or only to CMMC?
The micro-purchase threshold is a CMMC applicability condition, not a FAR 52.204-21 condition. 32 CFR § 170.3(c) applies CMMC Program requirements to DoD solicitations for FCI or CUI valued above the micro-purchase threshold (excluding COTS-only buys). FAR 4.1902 applies the basic-safeguarding subpart more broadly, to acquisitions other than COTS when a contractor system may contain FCI.
Does FAR 52.204-21 apply to COTS items?
FAR Part 4.19 and the flow-down paragraph exclude COTS items. But commercial products and services are not categorically excluded — “commercial” and “COTS” are not the same.
What is a covered contractor information system?
A system you own or operate that stores, processes, or transmits Federal Contract Information.
Is FCI the same as CUI?
No. Federal Contract Information (FCI) is governed by FAR 52.204-21’s 15 safeguards. For DoD covered defense information, CUI is governed by DFARS 252.204-7012, NIST SP 800-171 Rev. 2’s 110 requirements, and the CMMC Level 2 path. They are different obligations, and some information needs a fact-specific classification call.
Are there 15 or 17 requirements?
Fifteen safeguards. The official CMMC assessment crosswalk shows 17 rows because paragraph (b)(1)(ix) is displayed as three phrase-level rows mapped to NIST SP 800-171A objectives 3.10.3, 3.10.4, and 3.10.5. Fifteen safeguards, assessed through 17 rows.
Does FAR 52.204-21 require CMMC Level 1?
The 15 safeguards are the Level 1 baseline, but CMMC status, self-assessment, SPRS submission, and affirmation are separate contract and program requirements under 32 CFR § 170.15 — not text in the standalone FAR clause.
Does FAR 52.204-21 require an annual self-assessment?
Not by itself. Annual self-assessment is a CMMC Level 1 duty under 32 CFR § 170.15 when that status is contractually required.
Is a CMMC Level 1 SPRS result a numeric score?
No. FAR 52.204-21 alone does not create an SPRS submission. When Level 1 (Self) status is required, the organization submits its CMMC level, status date, assessment scope, associated CAGE code(s), and a compliance result in SPRS, followed by the required affirmation. That is not the conventional 110-point NIST SP 800-171 numeric score used in other DoD assessment paths.
Does FAR 52.204-21 require an SSP?
The clause does not expressly require one. An SSP or equivalent documentation can still be useful, and may be required by another framework.
Does FAR 52.204-21 require MFA?
It requires authentication before access, but does not name MFA. Check separate terms; don’t confuse the minimum text with best practice.
Does FAR 52.204-21 require GCC High?
No product or Microsoft environment is named. Environment fit depends on your information type and any additional requirements.
Does FAR 52.204-21 require FedRAMP Moderate?
Not by itself. The FedRAMP-equivalency expectation applies when an external cloud service stores, processes, or transmits covered defense information under a contract containing DFARS 252.204-7012.
Does FAR 52.204-21 require a C3PAO assessment?
No. A C3PAO (Certified Third-Party Assessment Organization) is relevant to CMMC Level 2 certification assessments, not Level 1 or the FAR clause.
Can a third party help with a Level 1 self-assessment?
Yes. The DoD’s Level 1 Assessment Guide notes that third-party assistance is allowed — but it remains a self-assessment, not a certification.
Is a POA&M allowed for Level 1?
No. Under 32 CFR § 170.15, achieving Level 1 (Self) status requires all requirements MET, with no Plans of Action and Milestones (POA&Ms). That rule belongs to CMMC, not to the standalone FAR clause.
Do I need to keep evidence for six years?
Six-year retention applies to artifacts used for a CMMC Level 1 assessment, per § 170.15. The FAR clause itself doesn’t state a retention period.
Do janitors and temporary workers have to be escorted?
The clause doesn’t give a universal rule for every cleaner, vendor, or maintenance worker. The right analysis: are they authorized, what protected systems or areas can they reach, and are your visitor, monitoring, and access-device controls implemented? Answer those rather than applying a blanket rule the clause doesn’t state.
Does FAR 52.204-21 require 72-hour incident reporting?
No. The 72-hour cyber-incident reporting requirement is in DFARS 252.204-7012 for covered defense information. FAR 52.204-21’s safeguard (b)(1)(xii) covers flaw identification, reporting, and correction — a different obligation.
Is FAR 52.204-21 obsolete now that 52.240-93 exists?
No. 52.204-21 remains in the codified FAR; 52.240-93 is the same clause under adopted agency deviations. Both numbers currently circulate.
Does the CMMC Phase II suspension eliminate FAR 52.204-21?
No. The July 13, 2026 suspension concerns CMMC Phase II third-party assessment implementation. Incorporated FAR obligations remain in effect, and CMMC Phase 1 self-assessment requirements remain active.
What happens if a contractor doesn't comply?
There’s no universal penalty in the clause. Consequences depend on your contract, your representations, materiality, the government’s response, and applicable law — including potential False Claims Act exposure for knowingly false or reckless cybersecurity representations, claims, or attestations. Take legal-exposure questions to qualified counsel.

Primary sources we read for this page

  • FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (Nov 2021) — eCFR, 48 CFR 52.204-21; current under FAC 2026-01 (Acquisition.gov).
  • FAR Part 4.19(4.1902, 4.1903) — clause applicability, prescription, and COTS exclusion (Acquisition.gov).
  • 32 CFR § 170.15— CMMC Level 1 self-assessment and affirmation requirements, including the 15→17 mapping table and the (b)(1)(ix) phrase split (eCFR).
  • 32 CFR § 170.3— CMMC Program applicability and the micro-purchase-threshold condition (eCFR).
  • 32 CFR § 170.14— CMMC Level 1 security requirements (eCFR).
  • NIST SP 800-171 Rev. 2 and NIST SP 800-171A (Jun 2018)— the underlying requirements and assessment objectives (NIST CSRC).
  • DoD CMMC Level 1 Scoping Guide and Level 1 Assessment Guide (dodcio.defense.gov).
  • Revolutionary FAR Overhaul, FAR Part 40 deviation guide— move of 52.204-21 to 52.240-93, prescription at 40.303-2 (Acquisition.gov); DoD Class Deviation 2026-O0025 (acq.osd.mil).
  • DFARS 252.204-7012— Safeguarding Covered Defense Information and Cyber Incident Reporting (Acquisition.gov).
  • U.S. Department of War release, July 13, 2026— suspension of CMMC Phase II; Phase 1 self-assessment requirements remain (war.gov).

This page is educational research, not legal, contractual, certification, or compliance advice. The contract clause and your CUI handling set your requirements — not a checklist. Confirm applicability and scope with your contracting officer, a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO), or a qualified federal-contracts attorney. Have a correction? Tell us. Last verified .