
By: Bradley Wyatt on September 16th, 2020


Top Five Cybersecurity Requirements for Government Contractors


The General Services Administration (GSA) is responsible for managing a myriad of IT security programs, which help government agencies implement IT policies that promote public safety and enhance resiliency of the government’s systems and networks. In order to do business with the federal government, or any branch of government for that matter, it is important to first understand the guiding principles and regulations set in place.

The FAR, better known as the Federal Acquisition Regulation, serves as the uniform policy and procedure for acquisition by all executive agencies. FAR was established in 1947 as a part of the Armed Services Procurement Regulation and was codified in Title 48 of the Code of Federal Regulations (CFR) in 1984 to create a uniform structure for many federal agencies. However, the FAR has recently been subject to significant changes to reflect and implement changes made by recent law.

Cybersecurity threats are ever-growing in today’s marketplace, and it is especially important for your organization to be aware of the emerging trends. Federal contractors, rather than the executive agencies themselves, are often the target of attacks because of their access to federal information, data, and software. Just last month, a Customs and Border Protection subcontractor was subject to a hack that exposed traveler photos and license plates, drawing displeasure from CBP, GSA, and the United States Congress.

For your organization to avoid attacks from nation states, organized crime, hacktivists, malicious insiders, and motivated individuals, it is important to understand the critical cybersecurity requirements in place for federal contractors.

Specific Requirements for Contractors

In recent years, several federal agencies, including the Department of Defense (DoD) and NASA, have issued acquisition regulations that impose new cybersecurity requirements on contractors. The top five requirements that your organization should be familiar with are listed below:

1. Federal Information Security Modernization Act
2. FAR 52.204-21
3. DOD Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012
4. NIST 800-171
5. The emerging CMMC requirement for defense contractors

Given the highly technical nature of each one of these regulations, policies, and emerging trends, it is important to review each one of these subjects in detail.

1. Federal Information Security Modernization Act

The Federal Information Security Modernization Act of 2014 was enacted to update the Federal Government’s cybersecurity practices. The main goals of FISMA were to:

  • Codify Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems;
  • Amend and clarify the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices; and
  • Require OMB to amend or revise OMB A-130 to "eliminate inefficient and wasteful reporting."

2. FAR 52.204-21

If you are a contractor in the federal marketplace, you should be especially familiar with FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. The main objective of FAR 52.204-21 is to have contractors apply basic safeguarding requirements and procedures to protect covered contractor information systems. Those requirements and procedures shall include, at a minimum, the following security controls:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

3. DOD Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012

DFARS clause 252.204-7012 is one of the most relevant cybersecurity requirements for federal contractors. Established under Executive Order 13556, DFARS 252.204-7012 requires contractors and subcontractors to:

  • Provide adequate security to safeguard covered defense information that resides on or is transiting through a contractor’s internal information system or network.
  • Report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support.
  • Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
  • If requested, submit media and additional information to support damage assessment.
  • Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve covered defense information.

4. NIST 800-171

NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. NIST 800-171 requires contractors to protect controlled unclassified information in nonfederal systems and organizations. For more information, see NIST Special Publication SP 800-171.

5. The emerging Cybersecurity Maturity Model Certification (CMMC) Requirement

The Cybersecurity Maturity Model Certification (CMMC) is a new set of cybersecurity standards the DoD is implementing to ensure a higher rate of compliance. Before CMMC, Defense Industrial Base (DIB) contractors were responsible for conducting their own security checks, but CMMC requires third-party assessments to ensure the requirements are being met.

With CMMC, contractors in the DIB must have the maturity of their network's security evaluated on a five-tiered scale. It's important to note that you don't necessarily have to meet all five tiers: defense contractors only need to meet tier 3 to fulfill their requirements, since it closely aligns with the current DFARS 252.204-7012 requirements (mentioned in section 3 of this blog).

CMMC 1.0 was released in January of 2020 and audits are expected to begin in 2021, so it's important you begin preparing now. Although this requirement mainly applies to defense contractors, other contract vehicles such as 8(a) STARS III are beginning to mandate CMMC, so it could soon become a qualification for all federal contractors.

Contractors should make sure they are compliant with DFARS 252.204-7012. To learn more about how you can meet the CMMC requirements, watch our webinar, "How to Succeed Under CMMC: Small Business Solution for Defense Contractors."

Cybersecurity Affects State and Local Governments Too

While many of the regulations and policies discussed above are only relevant at the federal level, it is important for contractors to also understand the emerging cybersecurity requirements at the state and local level. As in the federal marketplace, state and local governments are increasingly placing cybersecurity requirements on their contractors.

A prominent example at the state level is the New York Department of Financial Services cybersecurity regulation, which sought to regulate financial services firms. Countless other state and local governments are enacting new policies to enhance cybersecurity requirements for contractors.

Be Sure to Stay Up-to-Date on Cybersecurity Requirements

National security dictates that federal buyers and contractors adopt better controls to protect against both cyber and supply chain threats. This is increasingly important today as the government expands and enhances its requirements for contractors. These compensatory security measures help protect federal contractors and our federal government, resulting in increased public safety and data security. As a contractor, it is your role to understand the regulations and policies in place that serve as guidelines for best management practices. With cybersecurity threats increasingly posing harm to contractors, new regulations are expected to continue to arise in the years to come.

About Bradley Wyatt

Bradley Wyatt is a Lead Account Manager for Winvale’s Public Sector Partner Program where he currently manages a diverse portfolio of Information Technology, Hardware, Software, and Services Channel Distribution Partner Accounts to accelerate their sales within the Public Sector. Bradley is a native of Fredericksburg, Virginia and a graduate from James Madison University with his Bachelor’s of Science in Public Policy and Administration.