
By: Stephanie Hagan on October 24th, 2025


Top Cybersecurity Requirements for Government Contractors

Government Business Development | Technology | 7 Min Read

Cybersecurity scams are on the rise, and they are no longer as simple as the infamous "gift cards for your boss" gimmick. Bad actors have become more skilled at phishing and hacking, making it more important than ever to maintain a strong cybersecurity posture. As a government contractor, you inevitably handle sensitive government information, data, and software, so there are federal regulations you must follow to defend your network, and the government data on it, against compromise.

Keeping compliant with the Federal Acquisition Regulation (FAR) and related requirements will help you mitigate the risk of cyberattacks and prevent leakage of sensitive government information. The Trump Administration has made major changes to acquisition and cybersecurity regulations under the Revolutionary FAR Overhaul (RFO) and related Executive Orders (EOs), so the rules you followed in the past may have changed recently, and you may need a refresher. Here are the top cybersecurity requirements to keep in mind as a federal government contractor.

Top Cybersecurity Requirements for Contractors

In recent years, several federal agencies including the Department of Defense (DoD) have issued regulations that impose new cybersecurity requirements on contractors. The top requirements that your organization should be familiar with are listed below:

  • FAR 52.204-21
  • NIST SP 800-171
  • DoD Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012
  • Federal Information Security Modernization Act (FISMA)
  • Cybersecurity Maturity Model Certification (CMMC) 

Given the technical nature of each of these regulations and policies, it's worth reviewing each one in detail.

FAR 52.204-21—Basic Safeguarding of Covered Contractor Information Systems

If you are a contractor in the federal marketplace, you should be especially familiar with FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. The clause applies to any contractor whose information system processes, stores, or transmits Federal Contract Information (FCI), which includes GSA Schedule contractors. At a minimum, those contractors are required to implement the 15 basic security controls outlined in FAR 52.204-21 and the procedures to protect their covered contractor information systems.

These requirements and procedures shall include, at a minimum, the following security controls:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

It's important to note that FAR 52.204-21 covers only basic safeguarding of FCI. These same 15 requirements make up CMMC Level 1, so meeting them is also the baseline for defense work. Contractors handling Controlled Unclassified Information (CUI) or other higher-risk information must follow additional requirements, which are changing rapidly in this environment. While the Revolutionary FAR Overhaul (RFO) has made no major changes to this clause, keep an eye on the related requirements, such as NIST SP 800-171, discussed below.

NIST 800-171

NIST SP 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. It sets the security requirements contractors must implement to protect CUI that resides in their own (nonfederal) systems. Revision 2 contains 110 requirements across 14 control families; Revision 3, published by NIST in May 2024, consolidates them to 97 requirements across 17 families, adding families for planning, system and services acquisition, and supply chain risk management.

Last year, the DoD issued a class deviation directing Contracting Officers to use a version of DFARS 252.204-7012 that requires contractors to meet NIST SP 800-171 Revision 2. This removed any ambiguity: as written, the clause points to the revision in effect when the solicitation is issued, which would have meant Revision 3 as soon as NIST published it, so the deviation spells out that contractors are expected to implement Revision 2 until the DoD formally adopts the newer version.

This year, the DoD published a memo on NIST SP 800-171 Rev 3. While DFARS 252.204-7012 currently references NIST SP 800-171 Rev 2 (by deviation), the DoD has signaled that Rev 3 will become the reference standard, and contractors should prepare for an update.

Separately, the FAR Council published a proposed rule for Controlled Unclassified Information (CUI) which, if finalized, would extend the NIST SP 800-171 requirement to CUI handled under civilian agency contracts, not only DoD contracts covered by DFARS 252.204-7012.

For more information on NIST SP 800-171, see the latest revision on the NIST website.

Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012

DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the central cybersecurity requirement for DoD contractors. Rooted in the CUI program created by Executive Order 13556, DFARS 252.204-7012 requires contractors and subcontractors to:

  • Provide adequate security to safeguard covered defense information that resides on or is transiting through a contractor's internal information system or network. For cloud services used to store or process that information, the clause requires the provider to meet security requirements equivalent to the FedRAMP Moderate baseline.
  • Rapidly report cyber incidents (within 72 hours of discovery, through the DoD's DIBNet portal, which requires a DoD-approved medium assurance certificate) that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor's ability to perform requirements designated as operationally critical support.
  • Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center (DC3).
  • Preserve and protect images of all known affected information systems and relevant monitoring or packet capture data for at least 90 days from submission of the incident report, and, if requested, submit media and additional information to support a damage assessment.
  • Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve covered defense information.

As noted in the NIST SP 800-171 section above, the DoD issued a class deviation last year specifying that contractors must comply with NIST SP 800-171 Revision 2 under DFARS 252.204-7012. NIST finalized Revision 3 in May 2024; what is still pending is the DoD's adoption of Revision 3 in the clause, which is expected soon.

The Federal Information Security Modernization Act (FISMA)

The Federal Information Security Modernization Act of 2014 (FISMA) established a framework for the federal government's cybersecurity practices, especially within the Executive Branch. FISMA applies to all federal agencies, and to government contractors that operate federal systems on an agency's behalf, such as providing a cloud-based platform. The main goals of FISMA are to:

  • Codify Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems.
  • Amend and clarify the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices.
  • Require OMB to amend or revise OMB Circular A-130 to "eliminate inefficient and wasteful reporting."

Contractors can maintain FISMA compliance in-house by implementing the security controls in NIST SP 800-53 and assessing them with the procedures in NIST SP 800-53A, or they can work with a third-party Managed Security Services Provider (MSSP).

FISMA oversight has shifted in the past year. Late last year, a bill was introduced to amend FISMA to clarify roles and responsibilities, codify the use of zero-trust architectures, penetration testing, and vulnerability disclosure policies, and formalize oversight and incident reporting. Even though FISMA remains in place as amended in 2014, the FY 2025 OMB guidance (M-25-04) tightens how agencies assess and report on information security, and we expect to see future changes that impact contractors.

Cybersecurity Maturity Model Certification (CMMC)

It's important to note that the NIST SP 800-171 framework provided the building blocks for the Cybersecurity Maturity Model Certification (CMMC) program. CMMC was created as a way to verify that contractors in the Defense Industrial Base (DIB) are actually meeting the FAR and NIST requirements for protecting Federal Contract Information (FCI) and CUI, rather than simply attesting to them.

Depending on the nature of the work your organization is pursuing, Contracting Officers may require a certain CMMC level prior to award. Level 1 covers the 15 FAR 52.204-21 requirements for FCI and is met by an annual self-assessment; Level 2 covers the 110 NIST SP 800-171 Rev 2 requirements for CUI and, depending on the contract, is met by a self-assessment or a certification from a CMMC Third-Party Assessment Organization (C3PAO), valid for three years; Level 3 adds 24 requirements from NIST SP 800-172 and is assessed by the DoD itself. Right now, CMMC applies to businesses in the DIB, but other agencies may start requiring it in future contract vehicles or solicitations.

The DoD has made major strides on CMMC in the past year, so it's time to get serious about this program if you haven't already. The final DFARS CMMC rule was published in September 2025, and the CMMC clause (DFARS 252.204-7021) may appear in DoD solicitations and contracts beginning November 10, 2025, with requirements phased in over three years, starting with Level 1 and Level 2 self-assessments.

Keeping Up with Your GSA Schedule 

Following cybersecurity requirements is just the beginning of successfully managing your GSA Schedule. GSA Schedule maintenance can be a lot to keep up with, from sales reporting to modifications and Contractor Assessment Visits (CAVs), but it's rewarding to have a successful contract that performs well in this booming marketplace. Need help with your contract? If you would like to learn more about staying on top of your GSA Schedule, or need help identifying ways you can optimize your offerings, Winvale is here to help!


About Stephanie Hagan

Stephanie Hagan is the Training and Communications Manager for Winvale. Stephanie grew up in Sarasota, Florida, and earned her Bachelor's of Arts in Journalism and Rhetoric/Communications from the University of Richmond.