FAR (Federal Acquisition Regulation)

The Federal Acquisition Regulation (FAR) is the principal set of rules governing how all federal executive branch agencies purchase goods and services with appropriated funds. For defense contractors, the FAR establishes baseline procurement requirements that are then extended by the Defense Federal Acquisition Regulation Supplement (DFARS). FAR clause 52.204-21 is particularly significant, as it defines the 15 basic safeguarding requirements for Federal Contract Information (FCI) that form the foundation of CMMC Level 1.

What Is the Federal Acquisition Regulation?

The FAR is a comprehensive body of regulations that standardizes the federal government’s acquisition process. Jointly issued by the Department of Defense, the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA), the FAR is codified in Title 48 of the Code of Federal Regulations (CFR). It covers the entire procurement lifecycle, from solicitation and contract formation through contract administration and closeout.

FAR vs. DFARS

The FAR applies to all federal agency procurements, while DFARS adds DoD-specific requirements on top of the FAR. When a defense contractor reviews a solicitation, they encounter both FAR and DFARS clauses. The FAR provides the general framework (competition requirements, contract types, intellectual property rules), while DFARS layers on defense-specific obligations including cybersecurity requirements, supply chain security, and CUI protection.

FAR 52.204-21: Basic Safeguarding Requirements

FAR clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) is the most cybersecurity-relevant FAR provision for defense contractors. It requires contractors to apply 15 basic security controls to any system that processes, stores, or transmits Federal Contract Information (FCI). These controls cover areas like access restriction, information disposal, incident reporting, and malicious code protection. CMMC Level 1 maps directly to these same 15 requirements, formalizing the assessment process with an annual self-assessment.

The FAR Council and Rulemaking Process

Changes to the FAR go through a formal rulemaking process overseen by the FAR Council, with regulatory review by the Office of Information and Regulatory Affairs (OIRA) within the Office of Management and Budget (OMB). This process includes proposed rules, public comment periods, and final rules — the same pathway that the CMMC acquisition rule followed. Defense contractors should monitor FAR case developments that may introduce new cybersecurity, supply chain, or reporting requirements.

Key FAR Parts for Defense Contractors

Beyond cybersecurity, several FAR parts are essential for defense contractors to understand: Part 4 (Administrative Matters) covers contractor registration and reporting, Part 9 (Contractor Qualifications) addresses responsibility determinations, Part 15 (Contracting by Negotiation) governs competitive proposals, Part 31 (Contract Cost Principles) defines allowable costs, and Part 42 (Contract Administration) covers post-award management. Each of these parts may be supplemented by corresponding DFARS sections with additional DoD-specific requirements.