While Controlled Unclassified Information (CUI) tends to get all the attention, the Cybersecurity Maturity Model Certification (CMMC) also aims to protect Federal Contract Information (FCI). Read on to learn more about FCI and CUI, including their differences and how to safeguard them according to CMMC.
What Is FCI?
The term Federal Contract Information refers to information, not intended for public release, that is provided by or generated for the U.S. government under a contract to develop or deliver a product or service to the government.
FCI does not include information the U.S. government provides to the public (for example, on public websites) or simple transactional information necessary to process payments.
What Is CUI?
Controlled Unclassified Information (CUI) is defined as information that is not classified but still requires safeguarding or dissemination controls according to and consistent with applicable laws, regulations, and government policies.
The laws, regulations, and government-wide policies regarding CUI include:
- Executive Order 13556 “Controlled Unclassified Information”: Establishes a program for managing CUI and designates the National Archives and Records Administration (NARA) as the executive agent to implement the Order and ensure compliance.
- 32 CFR Part 2002 “Controlled Unclassified Information”: Issued by the Information Security Oversight Office (ISOO) to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI.
Some examples of CUI include information related to critical infrastructure, international agreements, and procurement and acquisition information.
To learn more about CUI, read our previous post, “What Is Controlled Unclassified Information (CUI), Exactly?”
CUI vs FCI
Both CUI and FCI include information created or collected by or for the government, as well as information received from the government.
As we saw earlier, FCI is any information not intended for public release that is provided by or generated for the federal government under a contract to develop or deliver a product or service.
On the other hand, CUI is information that requires safeguarding and may also be subject to certain dissemination controls.
To put it simply, all CUI in the possession of a defense contractor is FCI, but not all FCI is CUI.
CUI, FCI, and CMMC
While the difference between CUI and FCI is clear, situations aren’t always black-and-white, as many contractors handle both CUI and FCI.
In general, CMMC Level 1 provides the basic safeguarding requirements for FCI, while CMMC Level 2 encompasses the security requirements for CUI.
Below are some common scenarios that occur when you deal with both CUI and FCI (which is the case for most defense contractors).
FCI and CUI Within the Same CMMC Assessment Scope
If you process, store, or transmit both FCI and CUI within the same CMMC assessment scope, you can obtain a single CMMC certification. Since in this example you are processing, storing, or transmitting CUI, CMMC Level 2 would be the minimum certification level needed (remember: CMMC Level 1 is for safeguarding FCI).
FCI and CUI Within Different CMMC Assessment Scopes
Now, there are situations where a contractor processes, stores, or transmits FCI within one CMMC assessment scope, but processes, stores, or transmits CUI within a different assessment scope.
In that case, you may choose to carry out two separate CMMC activities: a CMMC Level 1 self-assessment for the boundary containing FCI, and a CMMC Level 2 certification for the boundary where all CUI is processed, stored, or transmitted.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063