52.204-21 — Basic Safeguarding of Covered Contractor Information Systems
Researched by the BidStride Research Team
What This Clause Requires
Requires contractors to apply basic safeguarding to their own information systems that process, store, or transmit Federal contract information (FCI). The clause lists 15 specific safeguarding requirements, which correspond to basic requirements in NIST SP 800-171.
Official Regulation Text
See 48 CFR 52.204-21 for the full regulatory text. The clause requires contractors to apply 15 basic safeguarding requirements to covered contractor information systems, meaning contractor-owned or -operated systems that process, store, or transmit Federal Contract Information (FCI). It applies government-wide, including in DoD contracts, and sets the FCI baseline; DFARS 252.204-7012 layers the full NIST SP 800-171 requirements on top of it for DoD contracts that involve covered defense information.
Compliance Checklist
- Identify every contractor information system that processes, stores, or transmits FCI, including subcontractor systems that FCI passes through
- Implement the 15 basic safeguarding requirements in paragraph (b) of the clause on those systems
- Limit system access, both logical and physical, to authorized users, and limit authorized users to the transactions and functions they need
Flow-Down to Subcontractors
Flow-down required
The contractor must include the substance of this clause, including the flow-down paragraph itself, in all subcontracts under the contract (including subcontracts for commercial products and services, but not for commercially available off-the-shelf items) in which the subcontractor may have FCI residing in or transiting through its information systems. Because the flow-down paragraph is itself flowed down, lower-tier subcontractors inherit the same obligation. Typically appears in contract Sections H, I.
Frequently Asked Questions
What is Federal Contract Information (FCI)?
FCI is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It does not include information the Government provides to the public (for example, on public websites) or simple transactional information, such as what is needed to process payments.
What do the 15 requirements cover?
The 15 requirements fall into six areas: access control (limit system access to authorized users and to the transactions and functions they need, control connections to external systems, control what is posted on publicly accessible systems); identification and authentication (identify users, processes, and devices, and authenticate them before granting access); media protection (sanitize or destroy media containing FCI before disposal or reuse); physical protection (limit physical access to systems and equipment, escort and monitor visitors, keep physical access logs, control physical access devices such as keys and badges); system and communications protection (monitor and control communications at external and key internal boundaries, and place publicly accessible components on a subnetwork separated from internal networks); and system and information integrity (identify, report, and correct flaws in a timely manner, run malicious code protection, keep it updated, and perform periodic system scans and real-time scans of files from external sources). Configuration management, incident response, and risk assessment, which are requirement families in NIST SP 800-171, are not among the 15 FAR requirements.
How does 52.204-21 differ from DFARS 252.204-7012?
52.204-21 covers Federal Contract Information (FCI), applies government-wide (civilian agencies and DoD), and requires only the 15 basic safeguarding requirements. DFARS 252.204-7012 covers Covered Defense Information (CDI) in DoD contracts and requires implementation of all 110 NIST SP 800-171 requirements plus reporting of cyber incidents to DoD (through DC3's DIBNet portal) within 72 hours of discovery. Both clauses commonly appear in the same DoD contract, because a contract that involves CDI also involves FCI.
Is an assessment or certification required?
No formal assessment, score submission, or certification is required by 52.204-21 itself, unlike DFARS 252.204-7019/7020 (which require a NIST SP 800-171 assessment score posted in SPRS) and 252.204-7021 (CMMC). The clause is still a contractual obligation: you must be able to attest to compliance and may be asked to demonstrate it during contract administration or an audit. Note also that the CMMC Level 1 self-assessment used in DoD contracts is built on these same 15 requirements.
This summary is for informational purposes only and reflects the BidStride Research Team's plain-English interpretation of the regulation. It is not legal advice and does not constitute an attorney-client relationship. Always consult the official Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS) text and qualified legal counsel for compliance decisions.