Levels
5 min read

FAR 52.204-21: The 15 Basic Safeguarding Requirements

If you handle Federal Contract Information, FAR 52.204-21 is your starting point. It defines the 15 basic safeguarding requirements behind CMMC Level 1.

Who it applies to

FAR clause 52.204-21 applies to contractors that have Federal Contract Information on their systems. FCI is information provided by or generated for the government under a contract that is not intended for public release. If you only ever handle FCI — not CUI — Level 1 is your floor.

What the 15 requirements cover

The 15 basic safeguarding requirements (FAR 52.204-21(b)(1)) are foundational cyber hygiene, and they map to six of the same areas you'll see in NIST SP 800-171 — Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Communications Protection, and System & Information Integrity:

  • Access control (4): limit system access to authorized users, processes, and devices; limit them to permitted transactions and functions; verify and control connections to external systems; and control information posted on publicly accessible systems.
  • Identification & authentication (2): identify users, processes, and devices, and authenticate their identities before granting access.
  • Media protection (1): sanitize or destroy media containing FCI before disposal or release for reuse.
  • Physical protection (2): limit physical access to systems and facilities, and escort visitors, log physical access, and control physical access devices.
  • System & communications protection (2): monitor and protect communications at external and key internal boundaries, and put publicly accessible components on a separate subnetwork.
  • System & information integrity (4): identify, report, and correct flaws in a timely manner; protect against malicious code and keep that protection updated; and run periodic plus real-time scans.

How the Level 1 self-assessment works

Level 1 is entered as a pass/fail compliance self-assessment — there is no SPRS point score like Level 2. If you meet every requirement, the result is a Final Level 1 Self-Assessment. If any requirement isn't met, the result is No CMMC Status. A Final Level 1 self-assessment is current for one year from the assessment date, after which it expires and must be redone.

Key takeaways

  • FAR 52.204-21 = 15 basic safeguarding requirements for FCI handlers.
  • They span 6 areas: Access Control, I&A, Media, Physical, System & Comms, and System & Info Integrity.
  • It's the basis for CMMC Level 1.
  • Level 1 is pass/fail — no SPRS point score.
  • A Final Level 1 self-assessment is valid for 1 year.

Know your score before you submit

Run a full 110-requirement self-assessment free — no account required to see your score.

Start free assessment
Run the free Level 1 self-check DFARS / FAR clause reference

Sources

SentryNexus is a preparation and self-assessment tool. It does not connect to or submit anything to SPRS, and it is informational support only — not legal or compliance certification advice.

Related guides

CMMC Level 1 vs Level 2: Which Do You Need?Conditional vs Final CMMC Status & Validity Windows