A short Federal Acquisition Regulation clause that sets out 17 basic safeguarding practices for Federal Contract Information. If you're a small defense contractor handling FCI, this clause defines what compliance actually requires.
The Federal Acquisition Regulation — the FAR — is the body of rules governing how the United States government buys goods and services from contractors. It applies across every federal agency, not just the Department of Defense. When you bid on a federal contract, the FAR is the framework you're working under.
FAR 52.204-21 is one specific clause within the FAR. Its full title is "Basic Safeguarding of Covered Contractor Information Systems." It defines the minimum cybersecurity practices a contractor must implement when handling Federal Contract Information — anything not intended for public release that's provided by or generated for the government under a contract.
The clause is short — under three pages in the regulation itself. It lists 17 specific practices, each phrased as a one-sentence requirement. There's no extensive guidance, no technical specification document, no formal assessment methodology. It's just 17 things you must be doing.
The Department of Defense didn't invent Level 1's requirements from scratch. The 17 practices that define CMMC Level 1 are the same 17 practices that have been in FAR 52.204-21 since 2016. CMMC adds the certification rhythm — annual self-assessment, senior-official affirmation, SPRS submission — but the technical requirements are the FAR clause.
This means a few practical things. First, FAR 52.204-21 has been a contractual requirement for federal contractors for nearly a decade — the practices aren't new. Second, your CMMC Level 1 obligations are concrete and bounded: 17 specific things, each clearly described in the regulation itself. Third, unlike CMMC Level 2 (which is built on a separate 110-control NIST standard), Level 1 has no underlying technical specification document — the practices are defined in plain English in the FAR clause.
If your contract includes the FAR 52.204-21 clause, you're already obligated to implement these practices. CMMC Level 1 is, in effect, the DoD's mechanism for verifying that you actually are.
The 17 practices group into six thematic families. The grouping isn't from FAR 52.204-21 itself — the regulation just lists practices in order — but from the way DoD references them in the CMMC framework, using identifiers like AC.L1-3.1.1 (Access Control, Level 1, practice 3.1.1).
Notice how compact the practice families are. Whole categories from CMMC Level 2 — audit logging, configuration management, incident response, risk assessment, security training — aren't represented at Level 1. The FAR clause was designed as a basic safeguarding floor, not a comprehensive cybersecurity program.
Below is each FAR 52.204-21 (b)(1) practice, in the order it appears in the regulation, with a plain-English summary of what it actually requires. The full regulatory text is shorter than most software end-user agreements — but the implications run deeper than the wording suggests.
The two regulatory frameworks are related but operate on different scales. Understanding the difference helps you avoid being pulled into Level 2 obligations you don't actually have.
FAR 52.204-21: 17 basic safeguarding practices. Self-assessed annually. Senior-official affirmation submitted in SPRS. The contractual foundation of CMMC Level 1.
NIST 800-171: 110 detailed security requirements across 14 control families. Underlies CMMC Level 2. Requires a System Security Plan, a POA&M for gaps, and (in most cases) a third-party assessment by a C3PAO.
DFARS 7012: The DoD-specific clause that requires NIST 800-171 implementation. Includes additional requirements for cyber-incident reporting. Applies on top of the FAR clause when CUI is in scope.
If your DoD contract includes only FAR 52.204-21 (no DFARS 7012 clause and no CUI flow-down), you're a Level 1 shop. If your contract adds DFARS 7012 or specifies CUI handling, Level 2 applies.
For a small contractor, FAR 52.204-21 isn't a document you read once and file away. The 17 practices show up in three concrete artifacts you produce each year.
Your annual self-assessment is your honest evaluation of whether each of the 17 practices is implemented in your environment. Unlike Level 2, there's no formal assessment methodology document — but there's a clear binary outcome for each practice: it's either in place, or it isn't. Practices that aren't in place must be remediated before you can affirm.
Your senior-official affirmation is a signed statement from a person authorized to bind the company — typically the owner, president, or CEO. The signature confirms that all 17 practices are in place as of the affirmation date. This is the legally operative document; it's a representation to the United States Government and carries False Claims Act exposure if signed inaccurately.
Your SPRS submission records the affirmation in DoD's Supplier Performance Risk System. Primes can verify your status by querying SPRS directly. The SPRS entry doesn't include the underlying assessment evidence — that stays in your records — but it does record that the affirmation was made and when.
Unlike Level 2, there's no Plan of Action and Milestones at Level 1. POA&Ms are explicitly forbidden — you can't document gaps and continue operating while you remediate. Every practice must be in place before the affirmation can be signed. This is the most important difference between the two levels in day-to-day operation.