Federal Acquisition Regulation Cybersecurity Clauses Workshop

What This Session Covers

Federal cybersecurity requirements embedded in acquisition clauses have grown significantly more complex, and a single missed obligation can jeopardize contract eligibility or trigger a cure notice. This four-hour workshop gives compliance and contracts professionals a structured, clause-by-clause walkthrough of the cybersecurity landscape spanning both the Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement.

FAR Basic Safeguarding and Information Controls

The session opens with FAR 52.204-21, the baseline safeguarding rule for Federal Contract Information, examining each of its fifteen basic safeguarding requirements and the practical controls that satisfy them. Attendees will learn how to map existing security measures to clause language and identify gaps that auditors and contracting officers commonly flag.

Coverage then moves to FAR 52.204-25, which restricts the use of covered telecommunications equipment and services. Instructor Carl B. Johnson walks through how to identify covered equipment, what a reasonable inquiry looks like in practice, and how to structure the required representation. The session also addresses FAR 52.204-27, the prohibition on TikTok and covered applications on contractor devices used in performance, including scope questions that arise when employees use personal devices.

DFARS Cybersecurity Clauses for Defense Contractors

A substantial portion of the workshop is dedicated to the four interconnected DFARS clauses that govern Controlled Unclassified Information and cybersecurity posture for Department of Defense contractors:

• DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting: flow-down obligations, the 72-hour incident reporting requirement, and media preservation duties.
• DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements: what the self-assessment score means, how it must be calculated, and where it must be posted in the Supplier Performance Risk System (SPRS).
• DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements: government access rights during assessments and what contractors must have ready.
• DFARS 252.204-7021 — Cybersecurity Maturity Model Certification Requirements: the current CMMC implementation pathway and how it layers on top of the existing DFARS self-assessment regime.

Proposed FAR Case 2021-019: Government-Wide CUI Rule

The workshop closes with an analysis of the proposed government-wide rule under FAR Case 2021-019, which would extend Controlled Unclassified Information safeguarding requirements to all federal civilian agency contracts — not just DoD. Carl covers the key proposed obligations, how they compare to existing DFARS requirements, and what contractors should be doing now to prepare program documentation and gap assessments ahead of a final rule.

Throughout the session, discussion is grounded in the artifacts and workflows compliance teams actually use: System Security Plans, Plans of Action and Milestones, SPRS score documentation, supplier flow-down matrices, and representation language. For organizations building or maturing a broader program, our CMMC, CUI & DFARS Compliance services extend this work beyond the training room.

What You Will Leave With

• A clause-by-clause reference matrix mapping FAR and DFARS cybersecurity obligations to control categories and responsible owners.
• A gap-assessment checklist aligned to the fifteen FAR 52.204-21 safeguarding requirements.
• A SPRS score documentation checklist covering the evidence artifacts DFARS 252.204-7019 and 7020 assessments require.
• A flow-down decision tree for identifying which clauses must be passed to subcontractors and at what tier.
• Practical guidance on structuring the covered telecommunications reasonable-inquiry process under FAR 52.204-25.
• Awareness of the proposed FAR Case 2021-019 scope and a readiness checklist for civilian-agency contract portfolios.

Who Should Attend

This workshop is built for the people directly responsible for keeping a contractor's compliance posture current. Contracts managers and administrators who review solicitations and draft representations, compliance officers and program managers who own System Security Plans and POA&Ms, and IT security staff tasked with implementing the controls behind the clause language will all find the content immediately applicable. If your team holds or pursues DoD contracts, handles CUI, or bids on civilian federal work, this session addresses their daily risk decisions.

For budget approvers: your team members in any of these roles are currently navigating clause requirements that carry real contractual and reputational consequences if misread. Four hours of focused instruction — delivered by a practitioner, not a generalist — is a direct investment in fewer representation errors, faster proposal turnaround, and a defensible compliance posture. Organizations that want to assess their current standing before or after attending can explore our Federal & SLED Risk Assessments service.

Continue Building Your Program

This workshop is one component of a sound federal contractor compliance strategy. Organizations ready to translate clause knowledge into documented, audit-ready programs will find a natural next step in our Compliance Program Development service, where Cleared Systems works alongside your team to build the policies, procedures, and evidence libraries that stand up to government review.