FCI Security
Let’s jump in and learn:
- What Is CMMC Federal Contract Information (FCI)?
- What Is CMMC Controlled Unclassified Information (CUI)?
- Understanding the Difference Between FCI and CUI
- CUI and FCI Compliance
- CMMC Level Requirements for CUI and FCI
- What Is FCI in CMMC and How Does it Affect Scope?
- Does FCI identify Scope for CMMC Levels 1 and 2?
- Provide FCI Security to Meet CMMC Requirements
What Is CMMC Federal Contract Information (FCI)?
Federal contract information, from 48 Code of Federal Regulations (CFR) 52.204-21, is information that is not intended for public release. FCI is provided by the Department of Defense (DoD) or created under a contract to develop or deliver a product or provide a service to the DoD. Not included under the FCI umbrella is information that’s provided by the DoD to the public (e.g., on public websites) or simple transactional information (e.g., information to process payments).
Any organization that has a current DoD contract must ensure FCI security on all systems that touch FCI. That includes:
- Any client workstations, laptops, or other devices that access or store FCI data through email, files, messaging, or other means
- Any manufacturing devices that use or store FCI data
- Any systems that process or store email from government addresses
- Any systems that store files that are received from the DoD
- Back-up and administrative systems that manage and store FCI
- Hard storage of FCI data such as USB thumb drives and DVDs
- Messaging, conference, and other systems that are used to transmit data from the Government
- Networks used by the above systems
To ensure FCI security, organizations that work with the DoD need to develop and maintain policies for the proper disposal of any media that contains FCI (e.g., CDs, USB drives, paper documents). These policies must also address FCI that is stored on users’ mobile devices and mobile applications. They must also have systems in place for:
- Access control
- Identification and authentication
- Media protection
- Physical protection
- System and communications protection
- System and information integrity
According to the Committee on National Security Systems Instruction (CNSSI), “information” in this context includes “any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual,” and FCI is such information when it relates to a Government contract as defined in FAR 4.1901.
Some examples of content that would fall under FCI security requirements are:
- Contract information
- Contract performance reports
- Emails exchanged with a DoD or defense contractor
- Organizational or programmatic charts
- Process documentation
- RFP, RFI, or RFQ responses to the DoD for a new contract or re-bid, which could include detailed processes, past performance, and contract information from existing contracts or contracts from the recent past
What Is CMMC Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI), from 32 CFR 2002.4, is information the DoD creates or possesses or that an external organization creates or possesses for or on behalf of the Government. It is important to note that while considered sensitive data, CUI does not include classified information.
CUI is a safeguarding system for protecting unclassified, but sensitive, information. It is not a classification scheme, per se. Therefore, information cannot be “classified as CUI”; rather, that type of information is “designated as CUI.” In some cases, CUI designations replace For Official Use Only (FOUO) and Sensitive but Unclassified (SBU) designations and markings.
CUI Basic and CUI Specified
CUI requires special safeguards before it can be disseminated or before a contractor can access it. Two designations determine the required level of safeguarding: CUI Basic and CUI Specified.
CUI Basic refers to when information requires protection, but the government does not direct the specific safeguard that is required. When information requires particular safeguards or controls to ensure the data’s protection and those rules are provided, the information is considered CUI Specified.
Anyone can create CUI as long as it is generated for, or on behalf of, an Executive Branch agency (e.g., DoD) under a contract, and it falls into one of the CUI categories. CUI is not considered corporate intellectual property unless created for or included in requirements related to a government contract.
When created specifically for the DoD, this includes information and material related to or associated with the following categories:
- A company’s products, business, or activities, including but not limited to financial information
- Client lists
- Computer programs
- Data or statements
- Existing and future product designs and performance specifications
- Marketing plans or techniques
- Processes
- Product research and development
- Schematics
- Trade secrets
Examples of CUI include:
- Catalog-item identifications
- Data sets
- Engineering drawings
- Executable code and source code
- Information systems vulnerability information
- Manuals
- Personally Identifiable Information (PII), which could relate to a contractor’s employees, government employees, or employees of a third party
- Process sheets
- Research and engineering data
- Specifications
- Standards
- Studies and analysis
- Technical orders
- Technical reports
Understanding the Difference Between FCI and CUI
When considering FCI security, it is important to understand the differences between FCI and CUI. FCI is information not intended for public release that is provided by or generated for the Federal Government under a contract to develop or deliver a product or service. On the other hand, CUI is any information created by or for a government agency or possessed by them that requires special safeguards and dissemination controls.
The DoD defines FCI and CUI as follows:
Federal Contract Information (FCI): “FCI is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
Controlled Unclassified Information (CUI): “CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
FCI vs. CUI
The chart below is a comparison between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI):
| Comparison Area | FCI | CUI |
|---|---|---|
| Compliance Standard | FAR 52.204-21 | NIST SP 800-171 Rev. 2 |
| Mandated By | Federal Acquisition Regulations | Executive Order 13556 |
| Marking | Information not marked as public or for public release | Information that is marked or identified as requiring protection |
| Types | No classification system | CUI Basic and CUI Specified |
| Who Labels It? | FCI needs safeguarding; there is no classification system | The entity that creates the CUI labels it; Authorized Holders with a lawful government purpose mark CUI |
CUI and FCI Compliance
The rule governing the protection of FCI is FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). CUI is protected by the rules set forth in NIST SP 800-171 Rev. 2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations).
CMMC Level Requirements for CUI and FCI
CMMC Level 1 contains guidelines that direct how DoD contractors must handle FCI to meet compliance requirements. CUI is protected with controls that are included in CMMC levels 2 and 3.
FCI and CUI Mandates:
FCI protections are mandated in accordance with FAR 52.204-21, while CUI protections are mandated by Executive Order 13556.
What Is FCI in CMMC and How Does it Affect Scope?
In CMMC, FCI security is primarily covered in the Level 1 section. It is a much broader dataset than CUI. While FCI is not as sensitive as CUI, FCI security is considered very important in CMMC. CMMC requirements associate Level 1 maturity with all practices and processes that are required to facilitate FCI security. CMMC FCI security requirements fall into two categories:
1. Policy-based requirements
2. Information system requirements
Steps to Scoping Effectively
Scoping varies for every organization, depending on its size and technical infrastructure. Regardless of size, it is important to remember that FCI security must cover every system, application, or device at an organization that touches FCI. In fact, anything that can impact FCI security is considered in-scope and is thus subject to compliance.
Below are a few considerations for the scoping process:
Know your organization
Understanding how the organization works is critical. It is of particular importance to have a firm grasp on the functions that may handle FCI. Gathering that information is not always a straightforward exercise: it means interviewing people and teams, understanding their day-to-day business activities, and determining how they store, process, and transmit FCI. However tedious and complex this process may seem, it must be done to facilitate FCI security.
Build an asset inventory
Taking time to develop a comprehensive asset inventory helps keep track of what assets (e.g., servers, laptops, printers) exist on the organization’s network and whether they handle FCI. When creating the inventory, it is important to collect meta-level details, such as:
- Data classification
- Documentation
- Firmware
- Hardware
- Owner(s)
- Physical location(s)
- Resource administrator(s)
- Software
- Users
Categorize your systems, applications, and services
As the asset inventory is being developed, the systems, applications, and services should be categorized. This streamlines the process of determining what needs to be in scope and helps to identify any gaps or deficiencies. It also simplifies the creation of the network diagram. Following are some of the categories that you should consider using:
FCI operational tools
These systems, services, and applications are used to store, transmit, or process FCI (e.g., laptops, databases, cloud services).
Segmentation systems
These systems are used to provide segmentation functions and prevent FCI contamination, such as network firewalls and hypervisors.
FCI security systems
These systems are used to provide FCI security, such as Active Directory, intrusion detection systems, and multi-factor authentication (MFA) tools.
Connected devices
These systems have the capability to communicate with systems, applications, or services within the environment where FCI is present, including with directly connected and indirectly connected devices (e.g., name resolution, web redirection servers, IoT, and OT devices).
Out-of-scope systems
These systems are completely isolated from FCI.
Enterprise-wide systems
These systems address all of the cyber and physical security programs.
Third-party service providers
This category covers FCI security in the broader supply chain.
Subcontractors
These third-party organizations are part of the execution of the DoD contract when the subcontractor may create, access, receive, store, or transmit regulated data (i.e., FCI).
Create a network diagram
A network diagram visually represents the organization’s connected environment, showing systems, applications, and services. It should include each item and show how the asset is connected to the others. With a visual representation of the environment, it is easier to identify gaps and develop plans for remediation. In addition, it serves as an integral part of the organization’s System Security Plan (SSP), clearly showing the parts of the environment that are in scope and out of scope.
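The categorization step and the network diagram above can be worked through mechanically once the asset inventory carries the right metadata. The script below is an added example and is not Egnyte's code or part of any CMMC publication; the inventory, host names, links, and field names (`handles_fci`, `segmentation`, `security_function`, `external_provider`) are constructed for illustration. It assigns each asset to one of the scoping categories listed on this page, walks the network links outward from every FCI asset so that anything directly or indirectly connected is caught as a "connected device", stops the walk at segmentation systems (which is the isolation they exist to provide), and reports inventory gaps such as a missing owner or a link to an undocumented host.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Category names follow the scoping list on this page.
FCI_TOOL = "FCI operational tools"
SEGMENTATION = "Segmentation systems"
SECURITY = "FCI security systems"
THIRD_PARTY = "Third-party service providers"
CONNECTED = "Connected devices"
OUT_OF_SCOPE = "Out-of-scope systems"
CATEGORIES = (FCI_TOOL, SEGMENTATION, SECURITY, THIRD_PARTY, CONNECTED, OUT_OF_SCOPE)


@dataclass
class Asset:
    """One inventory record; the field names are this example's own choices."""
    name: str
    owner: str = ""
    location: str = ""
    handles_fci: bool = False        # stores, processes or transmits FCI
    security_function: bool = False  # directory, IDS, MFA and similar
    segmentation: bool = False       # firewall, hypervisor or other boundary
    external_provider: bool = False  # cloud service or subcontractor
    links: Set[str] = field(default_factory=set)  # direct network connections


def build_graph(inv: Dict[str, Asset]) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Symmetric adjacency over documented assets. A link to a name that is
    not in the inventory is a gap to report, not an edge to follow."""
    graph: Dict[str, Set[str]] = {n: set() for n in inv}
    gaps: List[str] = []
    for asset in inv.values():
        for peer in sorted(asset.links):
            if peer not in inv:
                gaps.append(f"{asset.name} links to undocumented asset {peer}")
                continue
            graph[asset.name].add(peer)
            graph[peer].add(asset.name)
    return graph, gaps


def reachable_from_fci(inv: Dict[str, Asset], graph: Dict[str, Set[str]]) -> Set[str]:
    """Breadth-first walk outward from every FCI asset. A segmentation system
    is reached (so it is in scope) but the walk does not continue through it."""
    seen = {n for n, a in inv.items() if a.handles_fci}
    queue = deque(seen)
    while queue:
        for peer in graph[queue.popleft()]:
            if peer in seen:
                continue
            seen.add(peer)
            if not inv[peer].segmentation:
                queue.append(peer)
    return seen


def categorize(asset: Asset, reached: Set[str]) -> str:
    """First matching rule wins: an asset that handles FCI is an operational
    tool even when it is also a cloud service or provides a security function."""
    if asset.handles_fci:
        return FCI_TOOL
    if asset.segmentation:
        return SEGMENTATION
    if asset.security_function:
        return SECURITY
    if asset.external_provider:
        return THIRD_PARTY
    if asset.name in reached:
        return CONNECTED
    return OUT_OF_SCOPE


def scope_inventory(assets: List[Asset]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (category -> sorted asset names, list of inventory gaps)."""
    inv = {a.name: a for a in assets}
    graph, gaps = build_graph(inv)
    reached = reachable_from_fci(inv, graph)
    cats: Dict[str, List[str]] = {c: [] for c in CATEGORIES}
    for name in sorted(inv):
        asset = inv[name]
        cats[categorize(asset, reached)].append(name)
        for meta in ("owner", "location"):   # meta-level details the page asks for
            if not getattr(asset, meta):
                gaps.append(f"{name}: missing {meta}")
    return cats, gaps


def in_scope(cats: Dict[str, List[str]]) -> List[str]:
    """Everything except the out-of-scope category is subject to assessment."""
    return sorted(n for c, names in cats.items() if c != OUT_OF_SCOPE for n in names)


# Constructed sample inventory for a small shop; not a real environment.
SAMPLE_INVENTORY = [
    Asset("fw-edge", "netops", "HQ rack 1", segmentation=True,
          links={"lap-eng-01", "srv-files", "dns-01", "guest-wifi-ap"}),
    Asset("lap-eng-01", "engineering", "HQ", handles_fci=True,
          links={"fw-edge", "srv-files", "nas-old"}),   # nas-old is not inventoried
    Asset("srv-files", "IT", "HQ rack 1", handles_fci=True,
          links={"lap-eng-01", "fw-edge", "dns-01", "backup-01", "ad-dc-01"}),
    Asset("backup-01", "IT", "HQ rack 2", handles_fci=True, links={"srv-files"}),
    Asset("ad-dc-01", "IT", "HQ rack 1", security_function=True,
          links={"srv-files", "msp-helpdesk"}),
    Asset("msp-helpdesk", "vendor mgmt", "external", external_provider=True,
          links={"ad-dc-01"}),
    Asset("cloud-storage", "IT", "external", handles_fci=True, external_provider=True),
    Asset("dns-01", "", "HQ rack 1", links={"srv-files", "fw-edge"}),  # owner unknown
    Asset("guest-wifi-ap", "facilities", "HQ lobby", links={"fw-edge"}),
    Asset("printer-lobby", "facilities", "HQ lobby", links={"guest-wifi-ap"}),
]

if __name__ == "__main__":
    categories, findings = scope_inventory(SAMPLE_INVENTORY)
    for cat in CATEGORIES:
        print(f"{cat}: {', '.join(categories[cat]) or '-'}")
    print("In scope:", ", ".join(in_scope(categories)))
    for finding in findings:
        print("GAP:", finding)
```

In the sample, the guest wireless access point and the lobby printer sit only behind the firewall, so the walk never reaches them and they come out as out-of-scope; the DNS server has no FCI flag of its own but is reachable from the file server, so it lands in scope as a connected device. The two reported gaps (an undocumented host on an engineering laptop's link list and a DNS server with no owner) are exactly the deficiencies the inventory and diagram exercise is meant to surface before an assessor does.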
Does FCI identify Scope for CMMC Levels 1 and 2?
Yes, FCI identifies scope for CMMC Levels 1 and 2 as it is meant to close a logic gap related to the scope of the CMMC assessment. Because CMMC defines FCI as the data being protected by Level 1 and CUI as the data being protected by Levels 2 and 3, the scope of a CMMC compliance assessment is clearer.
CMMC Level 1 Scoping and FCI Security
For CMMC Level 1 scoping, the organization must specify the scope of the assessment and understand the FCI assets that are in-scope, based on what they process, store, and transmit. The following areas should be considered as part of Level 1 scoping.
- External service providers (ESPs)
- Facilities
- Network appliances
- People
- Satellite offices and other facilities
- Technology
This demonstrates the organization’s understanding of FCI security and its compliance with:
- Identifying system users, processes acting on behalf of users, or devices
- Monitoring, controlling, and protection of the organization’s communications
- Verifying and controlling connections to, and the use of, external information systems
CMMC Level 2 Scoping and CUI/FCI Security
Level 2 scoping divides the assessment scope into the following four categories:
1. CUI assets
These are the assets that store, process, or transmit CUI.
2. Security protection assets
These are the assets that provide CUI and FCI security functions and capabilities within the prime contractor’s or subcontractor’s security assessment scope.
3. Contractor risk managed assets
These are assets that can, but are not intended to, process, store, or transmit CUI.
4. Specialized assets that can be categorized as:
- Government property
- Internet of Things (IoT) devices
- Operational technology (OT)
- Restricted information systems
- Test equipment
Provide FCI Security to Meet CMMC Requirements
The main purpose of CMMC is to confirm that proper FCI security protection is in place to protect FCI data, as well as CUI, when it is shared, stored, and managed on DoD prime contractors’ and subcontractors’ information systems. Any organization working with the DoD and handling FCI and CUI must adhere to the CMMC guidelines.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 7th November, 2024