
FCI Security


What Is CMMC Federal Contract Information (FCI)?

Federal Contract Information (FCI) is defined in FAR 52.204-21 (48 Code of Federal Regulations (CFR) 52.204-21) as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service. For a defense contractor, that means information the Department of Defense (DoD) provides, or that the contractor creates while performing a DoD contract. Excluded from FCI is information the Government provides to the public (e.g., on public websites) and simple transactional information (e.g., what is needed to process payments).

Any organization that holds a current DoD contract must protect FCI on every system that touches it. That includes:

  • Workstations, laptops, and other client devices that access or store FCI through email, files, messaging, or other means
  • Manufacturing devices that use or store FCI
  • Systems that process or store email from government addresses
  • Systems that store files received from the DoD
  • Back-up and administrative systems that manage or store FCI
  • Removable and physical media holding FCI, such as USB thumb drives and DVDs
  • Messaging, conferencing, and other systems used to transmit data to or from the Government
  • Networks used by any of the above systems
Any organization that works with the DoD and manages FCI and CUI must adhere to the CMMC 2.0 guidelines.

To protect FCI, organizations that work with the DoD need to develop and maintain policies for the proper disposal of any media that contains FCI (e.g., CDs, USB drives, paper documents), including FCI stored on users’ mobile devices and in mobile applications. They must also have controls in place in each of the areas FAR 52.204-21 covers:

  • Access control
  • Identification and authentication
  • Media protection
  • Physical protection
  • System and communications protection
  • System and information integrity 
FAR 4.1901 adopts the definition of “information” from Committee on National Security Systems Instruction (CNSSI) 4009: “any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.” FCI is therefore not limited to documents; contract-related information in any medium counts.

Some examples of content that would fall under FCI security requirements are:

  • Contract information
  • Contract performance reports
  • Emails exchanged with the DoD or a defense contractor
  • Organizational or programmatic charts
  • Process documentation
  • RFP, RFI, or RFQ responses to the DoD for a new contract or rebid, which can include detailed processes, past performance, and contract information from current or recent contracts

What Is CMMC Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is defined in 32 CFR 2002.4 as information the Government creates or possesses, or that an external organization creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to safeguard or control the dissemination of. Although CUI is sensitive, it is by definition unclassified: classified information is never CUI.

CUI is a safeguarding framework for unclassified but sensitive information, not a classification scheme. Information is therefore not “classified as CUI”; it is “designated as CUI.” The CUI program replaces legacy agency markings such as For Official Use Only (FOUO) and Sensitive but Unclassified (SBU).

CUI Basic and CUI Specified 

CUI requires special safeguards before it can be disseminated or before a contractor may access it. The authority that designates the information determines one of two safeguarding levels: CUI Basic and CUI Specified.

CUI Basic is information that the governing law, regulation, or policy says must be protected, but without prescribing the specific safeguards; the baseline controls of 32 CFR Part 2002 apply. CUI Specified is information for which the governing authority prescribes particular safeguarding or dissemination controls, and those specific rules must be followed in addition to the baseline.

Any organization can create CUI, as long as the information is generated for, or on behalf of, an Executive Branch agency (e.g., the DoD) under a contract and falls into one of the categories in the CUI Registry. Corporate intellectual property is not CUI unless it is created for, or incorporated into the requirements of, a government contract.

When created specifically for the DoD under a contract, this can include a company’s information and material related to the following:

  • A company’s products, business, or activities, including but not limited to financial information
  • Client lists
  • Computer programs
  • Data or statements
  • Existing and future product designs and performance specifications
  • Marketing plans or techniques
  • Processes
  • Product research and development
  • Schematics
  • Trade secrets

Examples of CUI include:

  • Catalog-item identifications
  • Data sets
  • Engineering drawings
  • Executable code and source code
  • Information systems vulnerability information
  • Manuals
  • Personally Identifiable Information (PII), which could relate to a contractor’s employees, government employees, or employees of a third party 
  • Process sheets
  • Research and engineering data
  • Specifications
  • Standards
  • Studies and analysis
  • Technical orders
  • Technical reports

Understanding the Difference Between FCI and CUI

When considering FCI security, it is important to understand the differences between FCI and CUI. FCI is any information not intended for public release that is provided by or generated for the Federal Government under a contract to develop or deliver a product or service. CUI is information created or possessed by or for a government agency that a law, regulation, or Government-wide policy requires to be protected with safeguarding or dissemination controls. FCI is the broader set; CUI is the subset that carries a specific legal or regulatory protection requirement.

The definitions used by the CMMC program, drawn from FAR 52.204-21 and 32 CFR 2002.4, are as follows:

Federal Contract Information (FCI) – “FCI is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”

Controlled Unclassified Information (CUI) – “CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

FCI vs. CUI

The chart below is a comparison between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI):

Comparison area | FCI | CUI
Compliance | FAR 52.204-21 | NIST SP 800-171 (required of DoD contractors by DFARS 252.204-7012)
Mandated by | Federal Acquisition Regulation | Executive Order 13556 and 32 CFR Part 2002
Marking | Not marked; contract information that is not marked or released as public | Marked or otherwise identified as requiring protection
Types | No subcategories | CUI Basic and CUI Specified
Who labels it? | No one; FCI is safeguarded but not labelled | The agency that designates the CUI, or the entity that creates it on the agency’s behalf; authorized holders with a lawful government purpose apply the markings

CUI and FCI Compliance

The rule governing the protection of FCI is FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems); its 15 basic safeguarding requirements are the basis of CMMC Level 1. CUI is protected under NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), which DFARS 252.204-7012 requires DoD contractors to implement and which is the basis of CMMC Level 2.

CMMC Level Requirements for CUI and FCI

CMMC 2.0 Level 1 contains the practices that direct how DoD contractors must handle FCI. CUI is covered by the controls in Levels 2 and 3 (Level 3 adds a subset of NIST SP 800-172 on top of NIST SP 800-171).

FCI and CUI Mandates:

FCI protections are mandated by FAR 52.204-21. CUI protections stem from Executive Order 13556, implemented government-wide by 32 CFR Part 2002 and, for DoD contractors, by DFARS 252.204-7012.

What Is FCI in CMMC and How Does it Affect Scope?

In CMMC 2.0, FCI security is covered at Level 1. FCI is a much broader set of data than CUI: almost any non-public contract deliverable or communication qualifies. Although FCI is less sensitive than CUI, CMMC 2.0 treats its protection as important and ties Level 1 to all of the practices and processes needed to protect it. CMMC 2.0 FCI security requirements fall into two categories:

1. Policy-based requirements 

2. Information system requirements

Steps to Scoping Effectively

Scoping varies for every organization depending on its size and technical infrastructure. Regardless of size, FCI security must cover every system, application, or device that touches FCI. Anything that can affect the security of FCI, including systems that merely connect to FCI systems, is in scope and therefore subject to assessment.

Below are a few considerations for the scoping process:

Know your organization

Understanding how the organization works is critical, and in particular which business functions handle FCI. Gathering that information is rarely straightforward: it means interviewing people and teams, understanding their day-to-day activities, and determining how they store, process, and transmit FCI. However tedious and complex the exercise seems, it is the foundation of FCI security.

Build an asset inventory

Taking time to develop a comprehensive asset inventory helps keep track of what assets (e.g., servers, laptops, printers) exist on the organization’s network and whether they handle FCI. When creating the inventory, it is important to record metadata for each asset, such as:

  • Data classification
  • Documentation
  • Firmware
  • Hardware
  • Owner(s)
  • Physical location(s) 
  • Resource administrator(s) 
  • Software
  • Users

Categorize your systems, applications, and services

As the asset inventory is being developed, the systems, applications, and services should be categorized. This streamlines the process of determining what needs to be in scope and helps to identify any gaps or deficiencies. It also simplifies the creation of the network diagram. Following are some of the categories that you should consider using:

FCI operational tools 
These systems, services, and applications are used to store, transmit, or process FCI (e.g., laptops, databases, cloud services).

Segmentation systems
These systems provide segmentation and keep FCI from flowing into systems outside the boundary, such as network firewalls and hypervisors.

FCI security systems
These systems provide security functions for FCI, such as Active Directory, intrusion detection systems, and multi-factor authentication tools.

Connected devices
These systems have the capability to communicate with systems, applications, or services within the environment where FCI is present, including with directly connected and indirectly connected devices (e.g., name resolution, web redirection servers, IoT, and OT devices).

Out-of-scope systems
These systems are completely isolated from FCI.

Enterprise-wide systems
These systems serve the organization-wide cyber and physical security programs rather than only the FCI environment.

Third-party service providers
This category covers FCI security in the supply chain.

Subcontractors
These third-party organizations take part in executing the DoD contract and may create, access, receive, store, or transmit regulated data (i.e., FCI).

Create a network diagram
A network diagram visually represents the organization’s connected environment, showing systems, applications, and services. It should include each item and show how it is connected to the others. With a visual representation of the environment, it is easier to identify gaps and develop plans for remediation. In addition, it is an integral part of the organization’s System Security Plan (SSP), clearly showing which parts of the environment are in scope and which are out of scope.
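The inventory, categorization, and network-diagram steps above can be checked mechanically rather than by hand. The script below is an added example written for this guide; it is not Egnyte’s or the DoD’s tooling. Its asset schema (owner, data handled, declared role, network links) and the sample inventory are constructed assumptions. It assigns each asset a scoping category, walks the network links to find assets that can reach FCI without crossing a segmentation device (those are in scope even if someone declared them out of scope), reports inventory gaps, and emits Graphviz DOT source as a first cut of the network diagram. Run it with "CUI" as the data type and the same logic applies to the Level 2 CUI-asset categorization.

```python
"""Scoping check over an asset inventory (illustrative; constructed data).

Assumed inventory schema, per asset:
  owner   - responsible person or team ('' if unknown)
  handles - set of data types the asset stores, processes or transmits
  role    - declared category: operational, security, segmentation, out-of-scope
  links   - other assets it can communicate with (treated as undirected)
"""
from collections import deque

# Constructed sample inventory for the example; these are not real systems.
INVENTORY = {
    "eng-laptop-01": {"owner": "J. Doe", "handles": {"FCI"}, "role": "operational",  "links": {"fw-core"}},
    "file-server":   {"owner": "IT",     "handles": {"FCI"}, "role": "operational",  "links": {"fw-core"}},
    "ad-dc-01":      {"owner": "IT",     "handles": set(),   "role": "security",     "links": {"fw-core"}},
    "fw-core":       {"owner": "IT",     "handles": set(),   "role": "segmentation", "links": {"guest-ap"}},
    "guest-ap":      {"owner": "",       "handles": set(),   "role": "out-of-scope", "links": {"visitor-phone"}},
    "visitor-phone": {"owner": "",       "handles": set(),   "role": "out-of-scope", "links": set()},
    # Declared out of scope, but someone cabled it straight to the file server.
    "cnc-mill":      {"owner": "Ops",    "handles": set(),   "role": "out-of-scope", "links": {"file-server"}},
}


def adjacency(inventory):
    """Undirected adjacency. Links to assets missing from the inventory are
    skipped here and reported separately by scope_findings()."""
    adj = {name: set() for name in inventory}
    for name, asset in inventory.items():
        for peer in asset["links"]:
            if peer in inventory:
                adj[name].add(peer)
                adj[peer].add(name)
    return adj


def reachable_from_data(inventory, data_type):
    """Assets reachable from any asset that handles data_type without passing
    through a segmentation device. The segmentation device itself is reached
    (it is in scope as a segmentation system) but traversal stops at it."""
    adj = adjacency(inventory)
    start = [n for n, a in inventory.items() if data_type in a["handles"]]
    seen = set(start)
    queue = deque(start)
    while queue:
        node = queue.popleft()
        if inventory[node]["role"] == "segmentation" and node not in start:
            continue
        for peer in adj[node]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def categorize(inventory, data_type="FCI"):
    """Map each asset to a scoping category. Declared security and segmentation
    roles are honoured; everything else is decided by what the asset handles
    and what it can reach, not by what its owner declared."""
    reach = reachable_from_data(inventory, data_type)
    cats = {}
    for name, asset in inventory.items():
        if data_type in asset["handles"]:
            cats[name] = "operational"
        elif asset["role"] in ("security", "segmentation"):
            cats[name] = asset["role"]
        elif name in reach:
            cats[name] = "connected"
        else:
            cats[name] = "out-of-scope"
    return cats


def scope_findings(inventory, data_type="FCI"):
    """Gaps a scoping review should raise before the SSP is written."""
    cats = categorize(inventory, data_type)
    findings = []
    for name, asset in inventory.items():
        if asset["role"] == "out-of-scope" and cats[name] != "out-of-scope":
            findings.append(f"{name}: declared out of scope but can reach {data_type} "
                            f"without crossing a segmentation device; treat as '{cats[name]}'")
        if not asset["owner"]:
            findings.append(f"{name}: no owner recorded in the inventory")
        for peer in asset["links"] - set(inventory):
            findings.append(f"{name}: links to '{peer}', which is not in the inventory")
    return findings


def to_dot(inventory, data_type="FCI"):
    """Graphviz DOT source for the network diagram; in-scope assets are filled
    so the assessment boundary is visible at a glance."""
    cats = categorize(inventory, data_type)
    lines = ["graph scope {"]
    for name, cat in cats.items():
        style = " style=filled" if cat != "out-of-scope" else ""
        lines.append(f'  "{name}" [label="{name}\\n{cat}"{style}];')
    drawn = set()
    for name, peers in adjacency(inventory).items():
        for peer in peers:
            edge = tuple(sorted((name, peer)))
            if edge not in drawn:
                drawn.add(edge)
                lines.append(f'  "{edge[0]}" -- "{edge[1]}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in scope_findings(INVENTORY):
        print("FINDING:", finding)
    print(to_dot(INVENTORY))
```

On the sample data the check reclassifies cnc-mill as a connected device (it sits on the same segment as the FCI file server, so it is in scope regardless of the declared role) and flags the two assets with no recorded owner; the domain controller stays a security system and the guest network stays out of scope because the firewall separates it. Pipe the DOT output through `dot -Tpng` to get a diagram that can be attached to the SSP.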

Does FCI Define Scope for CMMC Levels 1 and 2?

At Level 1, yes: the assessment scope is every asset that processes, stores, or transmits FCI, together with the systems that protect those assets or connect to them. At Level 2 the assessment scope is defined by CUI assets (see the asset categories below), but FCI must still be protected wherever it exists, so the Level 1 practices continue to apply to FCI assets. Tying scope to the data being protected closes the logic gap that would otherwise leave the boundary of a CMMC 2.0 assessment unclear.

CMMC Level 1 Scoping and FCI Security

For CMMC 2.0 Level 1 scoping, the organization must specify the scope of the assessment and understand the FCI assets that are in-scope, based on what they process, store, and transmit. The following areas should be considered as part of Level 1 scoping.

  • External service providers (ESPs)
  • Facilities
  • Network appliances
  • People 
  • Satellite offices and other facilities 
  • Technology

Documenting scope this way demonstrates the organization’s understanding of FCI security and supports the Level 1 practices that require:

  • Identifying system users, processes acting on behalf of users, or devices 
  • Monitoring, controlling, and protection of the organization’s communications 
  • Verifying and controlling connections to, and the use of, external information systems

CMMC Level 2 Scoping and FCI Security

Level 2 scoping divides in-scope assets into the following four categories (assets that cannot process, store, or transmit CUI and provide no security function are out-of-scope assets and are not assessed):

1. CUI assets 
These are the assets that store, process, or transmit CUI.  

2. Security protection assets
These are the assets that provide CUI and FCI security functions and capabilities within the prime contractor or subcontractor’s security assessment scope.

3. Contractor risk managed assets
These are assets that can, but are not intended to, process, store, or transmit CUI because of the security policy, procedures, and practices in place.

4. Specialized assets, which can be categorized as:
  • Government property
  • Internet of Things (IoT) devices
  • Operational technology (OT)
  • Restricted information systems
  • Test equipment

Provide FCI Security to Meet CMMC Requirements

The main purpose of CMMC 2.0 is to confirm that proper protection is in place for FCI, and for CUI, when it is shared, stored, and managed by prime contractors and subcontractors of the DoD on non-federal information systems. Any organization working with the DoD and handling FCI or CUI must adhere to the CMMC 2.0 requirements.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers worldwide.

Last Updated: 28th November, 2022
