What is Federal Contract Information (FCI)?
CMMC requires protection for both Controlled Unclassified Information (CUI) and FCI, and succinctly defines FCI as information provided by or generated for the Government under contract that has not been, or will not be, publicly released (within a reasonable period of time). Unlike CUI, FCI and its protection requirements are defined in the Federal Acquisition Regulation (FAR) rather than in National Archives and Records Administration (NARA) documents, NIST 800-171, or DFARS 7012.
FAR 52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems") states a similar definition (the original definition): "facts, data, or opinions... provided by or generated for the Government under a contract... [that's] not provided to the public".
Originating in 2012 and established in 2016, prior to DFARS 7012, this regulation may come as a surprise to some simply because FCI is a relatively new term for those who are not familiar with federal contract regulations.
Some examples of FCI would be contract performance reports, organizational or programmatic charts, process documentation, etc. These are most likely provided by the Government, but some can originate from your own people - that's why clear labeling and communication with your contracting officer is key.
Another example CMMC provides in Access Control (AC) 1.003 is a scenario where your business development and proposal teams are creating an RFP/RFI/RFQ response to the DoD for a new contract or rebid. It is possible that in that proposal response, your company may include detailed processes, past performance, and contract information from existing contracts or contracts from the recent past. This contract data in some cases may be clearly identified as FCI, or should at least be considered FCI.
NOTE: It doesn't mean the actual RFP is FCI. Those documents are public.
How Must I Protect FCI?
CMMC associates Level 1 maturity - along with all practices and processes required - to the protection of FCI. Defense industrial base (DIB) contractors can mostly lump FCI and CMMC L1 requirements into two categories: policy-based requirements and information system requirements.
Below is a loose breakdown of those Level 1 requirements, but it's important to note that all technical practices will need written policies of some kind in a contractor's System Security Plan (SSP) to articulate what technical implementation is established.
[Table of Level 1 requirements, grouped into three columns: Policy Driven | Both | Technical/IS Driven]
Though the entirety of NIST 800-171 and its 110 controls is typically associated with CMMC Level 3, several of these controls are included in CMMC Level 1 and the protection of FCI. In fact, all 17 Level 1 practices are tied to NIST 800-171 controls, and 15 overlap with FAR 52.204-21.
For example, Media Protection (MP) 1.118 corresponds to NIST 800-171 Media Protection "sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse."
Your company will need to maintain written policies for proper disposal of CDs, USB drives, and paper documents containing FCI; however, FCI could also be found on users' mobile devices and mobile applications. Products like Microsoft Endpoint Manager and Microsoft Intune can erase FCI from personal devices while leaving all personal content in place.
That is one specific example of many. Domains with Level 1 requirements include Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. These are clearly the domains your organization should focus on first; however, it will be rare that a company which needs to protect FCI today will never need to protect CUI, unless the core focus of the business remains limited to auxiliary services (i.e. non-technical work that requires very little customer interaction or information).
If I need to meet CMMC Level 3, should I protect FCI to that Level?
DIB suppliers do not have an explicit requirement to do so, but it may be prudent. For instance, there is no official documentation explicitly stating that a company must implement "multifactor authentication for local and network access (IA.3.083)" where FCI is present and a company is seeking CMMC Level 3 or certified at CMMC Level 3. However, many organizations will likely enforce MFA on the entirety of their system(s) because it can be difficult to manage and maintain two separate systems - one environment for FCI and another for CUI - and ensure certain data does not traverse between them.