What is Federal Contract Information (FCI)?
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.
CMMC requires protection for both Controlled Unclassified Information (CUI) and FCI, and succinctly defines FCI as information provided by or generated for the Government under contract that has not been or will not be publicly released (within a reasonable period of time). Unlike CUI, FCI and its protection requirements are defined in the Federal Acquisition Regulation (FAR) rather than in National Archives and Records Administration (NARA) documents and NIST 800-171 / DFARS 7012.
What are some examples of FCI?
Some examples of FCI would be contract performance reports, organizational or programmatic charts, and process documentation.
How Can I Protect FCI?
CMMC associates Level 1 maturity – along with all practices and processes required – with the protection of FCI. Defense industrial base (DIB) contractors can mostly lump FCI and CMMC L1 requirements into two categories: policy-based requirements and information system requirements.
Below is a loose breakdown of those Level 1 requirements, but it’s important to note that all technical practices will need written policies of some kind in a contractor’s System Security Plan (SSP) to articulate what technical implementation is established.
Though the entirety of NIST 800-171 and its 110 controls are typically associated with CMMC Level 3, several of these controls are included in CMMC Level 1 and the protection of FCI. In fact, all of the 17 Level 1 practices are tied to NIST 800-171 controls and 15 overlap with FAR 52.204-21.
For example, Media Protection (MP) 1.118 corresponds to the NIST 800-171 Media Protection requirement to “sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse.”
Your company will need to maintain written policies for proper disposal of CDs, USB drives, and paper documents containing FCI; however, FCI could also be found on users’ mobile devices and in mobile applications. For those cases, products like Microsoft Endpoint Manager and Microsoft Intune can erase FCI from personal devices while leaving all personal content in place.
That is one specific example of many. Domains with Level 1 requirements include Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. Those are clearly the domains your organization should focus on first; however, it will be rare that a company that needs to protect FCI today will never need to protect CUI, unless the core focus of the business remains bound solely to auxiliary services (i.e. non-technical work that requires very little customer interaction or information).
If I need to meet CMMC Level 3, should I protect FCI to that level?
DIB suppliers do not have an explicit requirement to do so, but it may be prudent. For instance, there is no official documentation explicitly stating that a company must implement “multifactor authentication for local and network access (IA.3.083)” where FCI is present and the company is seeking or is certified at CMMC Level 3. However, many organizations will likely enforce MFA on the entirety of their system(s) because it can be difficult to manage and maintain two separate systems – one environment for FCI and another for CUI – and ensure certain data does not traverse between them.