FAR 52.204-21 Compliance Services

Comprehensive services to help you quickly and affordably meet FAR 52.204-21 requirements


What is FAR 52.204-21?

FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” is a contract clause in the Federal Acquisition Regulation (FAR) that applies to all federal contracts, not just those with the DoD. It lays out a set of 15 cybersecurity controls for safeguarding contractor information systems that store, process or transmit federal contract information (FCI). FCI is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

Every organization that does business with the federal government (including subcontractors who have access to FCI) is required to comply with these controls. These 15 controls form the basis for CMMC Level 1 requirements.

  1. Limit information system access to authorized users
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute
  3. Verify and control/limit connections to and use of external information systems
  4. Control information posted or processed on publicly accessible information systems
  5. Identify information system users, processes acting on behalf of users, or devices
  6. Verify the identities of those users, processes, or devices as a prerequisite to allowing access to organization information systems
  7. Sanitize or destroy information system media containing FCI before disposal or release for reuse
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devices
  10. Monitor, control, and protect organizational communications
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
  12. Identify, report, and correct information and information system flaws in a timely manner
  13. Provide protection from malicious code at appropriate locations within organizational information systems
  14. Update malicious code protection mechanisms when new releases become available
  15. Perform periodic scans of the information system and real-time scans of files from external sources

Achieving FAR 52.204-21 Compliance

Achieving FAR 52.204-21 compliance can be quite a challenge for many contractors. It requires a deep understanding of your networks and systems, security processes, and procedures. The right cybersecurity compliance partner can help you implement the most comprehensive solution for your business by partnering with you to develop policies, implement technology, document your practices, assess business risk, and put into place the cyber program management needed to ensure you meet compliance and properly protect your business.

Comprehensive FAR 52.204-21 Compliance Programs

Tesseract Managed Cybersecurity Programs combine a variety of services into a single, cost-effective, comprehensive program to help you achieve and maintain FAR 52.204-21 compliance and develop a strong cyber defense for your organization. Tesseract delivers the resources of a Managed Security Service Provider (MSSP), Managed Service Provider (MSP), Managed Defense & Response (MDR), Compliance Consulting Services (vCISO), and Compliance Management Software all in one proven, affordable solution.