FCI and CUI: What You Need to Know to Protect Your Business
Update: The Department of Defense (DoD) published the final rule for the CMMC program on October 11, 2024, streamlining the process and reducing the number of assessment levels from five to three. This rule aligns the program with the cybersecurity requirements described in Federal Acquisition Regulation part 52.204-21 and National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 Rev 2 and -172.
CMMC Experts
We have two industry experts on CMMC here with us today:
Rick Krick is the Software Project Manager here at Core and has been keeping up with all the changes and updates to CMMC to share those with you.
Renee Ferry is the Customer Success Manager here at Core and has been keeping up with all the changes and updates to CMMC to share those with you.
Understanding the Differences Between FCI and CUI
Government contractors often deal with sensitive information. This includes Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). But what do these terms mean? How do they relate to cybersecurity, and why is CMMC compliance important?
Understanding the differences between FCI and CUI, along with your obligations under the CMMC framework, can help you safeguard your company’s data and maintain government contracts. This page includes the essentials to help you stay compliant and ahead of cybersecurity threats.
What Are FCI and CUI?
Federal Contract Information (FCI)
FCI refers to unclassified information generated or provided during government contracts. It’s not intended for public release and is often tied to contract-related documentation.
Examples of FCI include:
- Contract performance reports
- Organizational or programmatic charts
- Process documentation
- Proposal responses
- Past performance
- Contract information
Being compliant with CMMC Level 1 is required for handling FCI. This involves implementing 17 basic cybersecurity controls to protect sensitive information from unauthorized access.
FCI + CUI: What is it and How to Protect it
CMMC was developed to protect certain information and data related to DoD programs and contracts. The CMMC certification level (1, 2, or 3) required is determined by the type of defense-related information your company handles. It is vital that you understand which information must be controlled and protected, and also what steps you must take to meet CMMC requirements.
Controlled Unclassified Information (CUI)
CUI, on the other hand, is more sensitive. It pertains to unclassified data that still requires safeguarding due to potential national security risks. This aligns with CMMC Level 2, which mandates a higher standard of security comprising 110 cybersecurity controls.
Examples of CUI include:
- Information Systems Vulnerability Information
- Personally Identifiable Information (PII)
- Research and Engineering Data
- Export-controlled information
- Engineering drawings
- Specifications
- Standards
- Process sheets
CUI can exist across various formats—electronic files, emails, and even printed documents. This means both digital systems and physical copies must be protected appropriately.
The Importance of Identifying FCI and CUI
Knowing whether your company handles FCI, CUI, or both is the first step toward compliance.
Here’s why:
- FCI compliance has a narrower scope (17 controls), making it simpler to achieve.
- CUI compliance demands a comprehensive strategy (all 110 controls).
Not sure where to start? Check relevant contract clauses. The FAR Clause 52.204-21 typically indicates FCI, while DFARS Clause 252.204-7012 suggests CUI is involved. If in doubt, treat all sensitive information as CUI to stay on the safe side.
Compliance Frameworks You Need to Know
NIST SP 800-171
This framework outlines the controls needed to protect CUI. It has been the gold standard for cybersecurity compliance since 2017.
Complying with NIST 800-171 involves:
- Conducting a self-assessment to identify gaps
- Logging your compliance score in the federal SPRS database
- Developing a Plan of Action and Milestones (POA&M) for addressing weaknesses
CMMC Certification (Cybersecurity Maturity Model Certification)
While NIST SP 800-171 is the current standard, CMMC certification formalizes the process. CMMC introduces a third-party audit system to certify compliance.
Certification requirements will depend on the type of information you handle:
- Level 1: Basic security measures for companies working with FCI only
- Level 2: Advanced practices for companies handling CUI
Despite delays in the final rollout, companies are encouraged to prepare for CMMC by aligning with NIST SP 800-171 guidelines now.
Common Misconceptions
There’s a lot of confusion surrounding FCI, CUI, and compliance.
Let’s clear things up:
- FCI and CUI are not the same. FCI requires fewer controls and is less sensitive than CUI.
- CUI is not classified information. While sensitive, it remains unclassified.
- Compliance is not optional. Non-compliance can cost you contracts and harm your reputation.
- It’s not just about computer systems. Printed documents, emails, and even verbal discussions containing CUI must be protected.
- CMMC certification isn’t available yet. Be wary of businesses promising to “certify” you at this stage.
Understanding Federal Regulations for Protecting FCI and CUI
In today’s data-driven environment, safeguarding sensitive information is paramount. Federal regulations mandate stringent measures to ensure the protection of two critical categories of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Let’s explore these requirements and their implications.
Protecting Federal Contract Information (FCI)
Federal Contract Information (FCI) refers to information not intended for public release and provided or generated under a federal contract. It’s crucial to protect FCI to prevent unauthorized access, use, or disclosure.
Governing Regulation
The protection of FCI is mandated by Federal Acquisition Regulation (FAR) clause 52.204-21. This regulation requires contractors to implement specific security controls, ensuring robust safeguards against potential breaches.
Consequences of Mishandling FCI
Failing to protect FCI can have severe repercussions, including:
- Contract Termination: Non-compliance with FAR requirements may lead to the cancellation of contracts, jeopardizing business continuity.
- Reputational Damage: Mishandling sensitive information can tarnish a contractor’s credibility and hinder future opportunities.
- Legal and Financial Risks: Violations may result in fines, legal battles, and increased scrutiny from federal agencies.
Protecting Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) encompasses information that requires safeguarding or dissemination controls consistent with law, regulations, and government policies. Protecting CUI is essential to maintaining national security and operational integrity.
Governing Frameworks
The CUI Program sets the foundation for safeguarding, disseminating, and decontrolling CUI. Organizations handling CUI must adhere to these standards to remain compliant.
For the Department of Defense (DoD), DFARS 252.204-7012 outlines additional protection measures. These include safeguarding Covered Defense Information (CDI), which involves technical data, research, and engineering details that are sensitive or vital to national security.
Key Requirements for CUI Protection
- Implementing Security Controls: Contractors must establish rigorous security protocols to safeguard CUI from unauthorized access or cyber threats.
- Incident Reporting: Any cyber-attack that compromises CDI must be reported promptly, ensuring transparency and enabling swift countermeasures.
Why Compliance Matters
Adhering to these federal regulations is not just a legal obligation but a responsibility that underscores the integrity and reliability of contractors.
By implementing the required security controls and maintaining compliance, organizations can:
- Build trust with federal agencies and stakeholders.
- Protect sensitive information critical to national interests.
- Mitigate risks associated with cyber threats and data breaches.
Protecting FCI and CUI is a shared priority between contractors and the federal government. By aligning with these regulations, organizations can contribute to a more secure and resilient national defense and procurement ecosystem.
Best Practices for Handling FCI and CUI
Ready to strengthen your cybersecurity? Start with these steps:
1. Identify the Information: Determine whether you’re dealing with FCI, CUI, or both.
2. Apply Required Controls: Align with NIST 800-171 guidelines for CUI or FAR 52.204-21 for FCI.
3. Develop Policies and Procedures: Document how information is handled, accessed, and stored.
4. Invest in Employee Training: Educate staff about security practices—they’re often the weakest link.
5. Conduct Regular Assessments: Perform periodic audits to ensure your controls remain effective.
How to Prepare for CMMC Certification
Certification under the CMMC will eventually become mandatory for contracts involving FCI and CUI. While the exact timeline remains uncertain, preparation is key.
Focus on these action items:
- Ensure compliance with NIST 800-171.
- Use templates or software tools to organize your documentation (e.g., system security plans).
- Stay informed about changes to CMMC’s rollout timeline.
If you’re unsure where to start, consulting experts or using tools like Core Business Solutions’ Security Suite can simplify the process.
How Apex Accelerators Can Help
Apex Accelerators serve as a bridge between businesses and government opportunities. These centers offer guidance on:
- Government vendor registration
- Contract bid preparation
- Certifications and compliance
With locations nationwide, accessing support through programs like Apex can help streamline your journey to compliance.
Final Thoughts
Protecting FCI and CUI isn’t just about following regulations—it’s about safeguarding sensitive information for the sake of national security and your organization’s success. Companies should act now to comply with NIST 800-171, avoid misunderstandings about CMMC, and work toward future certifications.
For resources, guidance, and helpful tools, check out Core Business Solutions or contact your local Apex Accelerator for one-on-one assistance. Remember, preparation today protects your business tomorrow.
About CORE Vault for NIST CMMC
Everything you need for NIST/CMMC in one cloud-based solution. The CORE Vault CUI Enclave and Consulting Services.
If you contract with the Department of Defense, you require advanced cybersecurity protections. To comply with DFARS, you need to meet the requirements of NIST SP 800-171. Soon, DoD contractors will also need to meet the requirements of Cybersecurity Maturity Model Certification (CMMC 2.0). However, most contractors don’t have the resources to overhaul their entire network for compliance. With CORE Vault, you don’t have to.
With CORE Vault, you can separate government data from your network and access it through a secure, cloud-based environment managed by our cyber experts.
CORE Vault also includes the support needed to reach full compliance with the non-technical cybersecurity requirements, such as your system security plan and required policies.
We’ve seen contractors achieve their maximum DoD-required SPRS score in 30 days.
Core Business Solutions, established in 2000, is a Registered Practitioner Organization through the Cyber AB and has been providing consulting and technical solutions for NIST/CMMC for over 5 years. Rick Krick is the Director of Security Solutions for Core Business Solutions and directs our Cybersecurity Services solutions including CMMC. Rick has over 25 years of experience in Management System implementations, software development, IT services, and certifications.