A community resource for the acquisition workforce not a .gov website
part52.dev Federal Acquisition Clause Monitor
FAR Clause ACTIVE

52.204-21

Basic Safeguarding of Covered Contractor Information Systems.
View on acquisition.gov · View on eCFR.gov
Effective Date
NOV 2021
Active Deviations
1
Versions
2 (since 2021-11-04)
RFO
RFO Removes This Clause

The Revolutionary FAR Overhaul marks this clause as [Reserved]. The clause content below is as it appears in the most recent eCFR data, which has not yet incorporated the RFO. For contracts using the RFO model, this clause is removed.

View RFO reservation
RFO
Superseded Under RFO

This clause (52.204-21) has been renumbered to 52.240-93 under the Revolutionary FAR Overhaul (the RFO FAR Overhaul). For contracts using the RFO model, use the replacement clause.

View FAR overhaul reference
DEV
This clause is modified by 1 active class deviation
  • 2026-O0028 — DFARS RFO Implementation (Part 12)
    Add clause 52.204-21
View per-deviation details → 
52.204-21 Basic Safeguarding of Covered Contractor Information Systems.

As prescribed in 4.1903, insert the following clause:

Basic Safeguarding of Covered Contractor Information Systems (NOV 2021)

(a)
Definitions.
As used in this clause—

Covered contractor information system
means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.

Federal contract information
means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.

Information
means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009).

Information system
means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).

Safeguarding
means measures or controls that are prescribed to protect information systems.

(b)
Safeguarding requirements and procedures.
(1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

(iii) Verify and control/limit connections to and use of external information systems.

(iv) Control information posted or processed on publicly accessible information systems.

(v) Identify information system users, processes acting on behalf of users, or devices.

(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

(x) Monitor, control, and protect organizational communications (
i.e.,
information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

(xii) Identify, report, and correct information and information system flaws in a timely manner.

(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.

(xiv) Update malicious code protection mechanisms when new releases are available.

(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

(2)
Other requirements.
This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.

(c)
Subcontracts.
The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial products or commercial services, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.

(End of clause)

[81 FR 30446, May 16, 2016, as amended at 86 FR 61032, Nov. 4, 2021]
RFO
Prescription superseded under the RFO

The prescription shown below is from the codified eCFR. Under the RFO, the prescribing section may have been revised, relocated or reserved. See the deviation memorandum for the current prescription authority.

View deviation: 2026-O0028 →

R-DFARS Prescription Source

This clause is prescribed in the R-DFARS by the following deviation:

  • 2026-O0028 — DFARS RFO Implementation (Part 12) (DFARS Part 212)
    Add clause 52.204-21
4.1903
The contracting officer shall insert the clause at 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system.
Prescription data sourced from eCFR as of 2026-06-10 03:16 UTC. Cross-references within the prescription are not resolved automatically.

Regulatory Stack

The layers of regulation that govern this clause, from the FAR prescription through agency-specific supplements and any active deviations.

RFO RFO Version Overhauled clause text
The Revolutionary FAR Overhaul publishes a revised version of this clause. See the RFO Version tab for the controlling authority under the RFO model.

Search on acquisition.gov

R-DFARS R-DFARS Prescription Per Deviation 2026-O0028 (DFARS Part 212)
2026-O0028: DFARS RFO Implementation (Part 12) — DFARS Part 212

View Deviation 2026-O0028 →

FAR FAR Prescription ⚠ May be superseded by RFO 4.1903
The contracting officer shall insert the clause at 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system.

View on acquisition.gov · View on eCFR.gov

Version History

Version history is sourced from the codified eCFR. Changes published only as class deviations or by the Revolutionary FAR Overhaul do not appear here until they are incorporated into the eCFR. For RFO-driven changes see the RFO Version tab and any active deviations cited above.

2 versions tracked from 2021-11-04 to 2021-12-06.
DEC 2021 December 6, 2021 CURRENT
Removed in this version
Added in this version
Unchanged
NOV 2021 (previous)
DEC 2021 (current)
4 added, 1 removed
(c)
(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system. (End of clause)
(c)
(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial products or commercial services, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system. (End of clause)
NOV 2021 November 4, 2021 SUBSTANTIVE
Earliest version available from the eCFR

RFO Version

Comparison of the codified eCFR text against the Revolutionary FAR Overhaul revision. Highlights show additions (green) and deletions (red, struck through).

Clause Text

RFO marks this clause as Reserved. The Revolutionary FAR Overhaul removed this clause under the overhauled FAR model. The eCFR text on the Current Text tab remains in force for contracts not using the RFO model.
Applied to DoD contracts via Class Deviation 2026-O0028 (effective 2026-02-01) .

Prescription

RFO prescription not available. See the eCFR prescription on the Prescription tab.

Source: acquisition.gov RFO Part 52

Active Class Deviations

2026-O0028
DFARS RFO Implementation (Part 12) Add clause 52.204-21
MODIFIED

Related Clauses

Referenced by

52.213-4 52.244-6
Use with AI assistant
Copy a link and prompt for use with Gemini or another AI assistant.