Federal Contract Information
Let’s jump in and learn:
What Is Considered Federal Contract Information?
Federal Contract Information (FCI) is data, not intended for public release, that is collected, created, transmitted, or received as part of a contract with a U.S. government agency to develop or deliver a product or service. Information the government provides publicly (e.g., on public websites) and simple transactional information are not considered Federal Contract Information. Any organization that handles Federal Contract Information is required to follow the regulations of the Federal Acquisition Regulation clause 52.204-21 (FAR 52.204-21).
According to the Code of Federal Regulations, Federal Contract Information includes: “Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.” (48 CFR 4.1901)
Cybersecurity Maturity Model Certification (CMMC) Level 1 is the minimum cybersecurity requirement for Federal Contract Information. While Federal Contract Information is not as sensitive as Controlled Unclassified Information (CUI), it must be protected wherever it is stored, including:
- Any systems that process or store email from government addresses
- Hard storage devices (e.g., USB drives, external hard drives)
- Workstations
- Manufacturing devices
- Messaging, conference, and other systems that are used to transmit data from the government
- Back-up and administrative systems
- Networks
Examples of Federal Contract Information are:
- Contract information
- Emails exchanged with the DoD or defense contractor(s)
- Organizational or programmatic charts
- Performance reports
- Process documentation
- Proposal responses
If an organization has a contract with a government agency and is not selling commercial-off-the-shelf (COTS) solutions or only selling products below the micro-purchase threshold, it is handling Federal Contract Information. As a rule of thumb, if an organization handles information generated by or for the government under a contract, it is highly likely that it has Federal Contract Information and must meet the safeguarding requirements.
Federal Contract Information requires, at a minimum, the implementation of the 15 safeguarding and handling requirements prescribed by FAR 52.204-21 to protect information systems, which correspond to basic cyber hygiene practices:
1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3. Verify and control/limit connections to and use of external information systems.
4. Control information posted or processed on publicly accessible information systems.
5. Identify information system users, processes acting on behalf of users, or devices.
6. Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems.
7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
12. Identify, report, and correct information and information system flaws in a timely manner.
13. Provide protection from malicious code at appropriate locations within organizational information systems.
14. Update malicious code protection mechanisms when new releases are available.
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
What Is the Difference Between Federal Contract Information and CUI?
The key difference between Federal Contract Information and Controlled Unclassified Information (CUI) is that while both types of data require specific protection, CUI is more sensitive than Federal Contract Information. Unlike Federal Contract Information, the loss or theft of CUI could result in a higher risk to national security.
Federal Contract Information is governed by FAR 52.204-21 and CMMC Level 1 controls. CUI is governed by NIST SP 800-171 Rev. 2 and NIST SP 800-172 cybersecurity controls, along with CMMC Level 2 and Level 3 requirements.
All CUI in possession of a government contractor is Federal Contract Information, but not all Federal Contract Information is CUI.
Image From the U.S. National Archives and Records Administration (NARA)
FCI vs. CUI Comparison Chart
| Comparison | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) |
| --- | --- | --- |
| Classification/Categories | There is no classification system for Federal Contract Information | The National Archives creates CUI categories with no input from DoD or the Cyber AB |
| Compliance | FAR Clause 52.204-21, CMMC Level 1 | Protected by NIST SP 800-171 Rev. 2 and NIST SP 800-172, CMMC Levels 2 & 3 |
| Description | Federal Contract Information is any information included in or created for a government contract, but not meant for public release | Controlled Unclassified Information is information that requires safeguarding or dissemination controls required by law, regulation, or government-wide policy, but does not include classified or nuclear-related data |
| History | Established by the Federal Acquisition Regulation Clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems | Created by Executive Order 13556 after 9/11/2001 to create a streamlined method for information sharing and safeguarding |
| Mandated By | Federal Acquisition Regulations (FAR) | Executive Order 13556 |
| Marking | Information not marked as public or for public release | Information that is marked or identified as requiring protection |
| Types | All information not for public release is Federal Contract Information | CUI-Basic and CUI-Specified |
| Classification labeling | There is no classification system | The entity that creates the CUI labels it |
What Are the Three Types of Federal Contracts?
There are several types of federal government contracts. All federal government contracts include a FAR 52.204-21 clause to safeguard Federal Contract Information. These contracts also extend the Federal Contract Information protection obligations to any subcontractors.
Federal contracts are generally defined by the way they are priced. Three types of federal contracts based on price are fixed-price, cost-reimbursement, and time-and-materials.
1. Fixed-Price Federal Contracts
Federal agencies use fixed-price contracts when the contract risk is relatively low or defined within acceptable limits, and the contractor and the government can agree on a ceiling price. Often a fixed-price contract is written with an adjustable price level and a fixed ceiling price cost.
2. Cost-Reimbursement Federal Contracts
Cost-reimbursement contracts are sometimes referred to as cost-plus contracts. These are contracts where an organization is paid for a set of expenses up to a set limit, plus an additional amount to allow the company to make a profit. These types of contracts are usually used when uncertainties or contingencies cannot be accurately estimated upfront.
3. Time and Materials Contracts
Time and materials (T&M) contracts are used when it is impossible to accurately estimate or anticipate the extent or duration of the work provided. With time and materials contracts, the agency pays for services by the hour and the cost of materials.
Indefinite Delivery/Indefinite Quantity (IDIQ) Contracts
Another commonly used type of contract is the indefinite-delivery/indefinite-quantity (IDIQ) contract. These contracts are used on a fixed-price and cost-reimbursement basis when an agency wants to purchase a product or service but does not know how many items or hours are needed. IDIQ contracts are often used to supplement or change fixed-price or cost-reimbursement contracts.
Know the Rules for Handling Federal Contract Information
It is critical that organizations that work with Federal Contract Information understand the rules that govern its use and storage. Organizations handling Federal Contract Information that ignore or fail to comply with FAR 52.204-21 might face negative consequences, including:
- Legal and financial consequences: Mishandling FCI may result in fines or even legal action from the government.
- Loss of contract: In extreme cases, an organization may lose its contract by failing to meet basic Federal Contract Information handling requirements.
- Reputational damage: Organizations that fail to protect Federal Contract Information can damage their chances of winning future contracts from other businesses or government agencies.
While meeting the requirements for protecting Federal Contract Information might seem burdensome, these requirements reflect best practices for data security. Therefore, maintaining compliance for Federal Contract Information has the halo effect of improving an organization's overall security posture.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 14th November, 2024