SUMMARY:
Government contractors must accurately distinguish between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) to implement the security protocols required for each Cybersecurity Maturity Model Certification (CMMC) level.
- FCI includes any information provided by or generated for the government under a contract that is not intended for public release.
- CUI refers to a subset of data that requires specific safeguarding measures defined by laws, regulations, or government policies.
- While all CUI in a contractor’s possession is considered FCI, not all FCI meets the stricter criteria requiring CUI protection.
- CMMC Level 1 assessments focus on basic cyber hygiene for FCI, whereas Level 2 requires intermediate measures drawn from NIST SP 800-171 as the step toward protecting CUI.
Accurately categorizing these data types ensures organizations can navigate audits successfully and secure the trust necessary for future government contracts.
As more contractors work toward their Cybersecurity Maturity Model Certifications (CMMC), we’ve seen a growing concern about the difference between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Whether you’re working with DoD contracts or not, the heightened concern around information security requires all government contractors to understand what information needs protection, how to distinguish between certain types of information, and the regulations covering them.
Here’s a brief overview of FCI and CUI, their differences, and their audit scope for different CMMC levels.
What is FCI?
FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service (FAR 4.1901). It does not include information the government has already released to the public, for example on a public website, or simple transactional information such as what is needed to process a payment. In other words, the test is whether the information is meant for public use.
FAR 4.1901 borrows its definition of "information" from the Committee on National Security Systems Instruction (CNSSI) 4009: "any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual." That breadth matters in practice: an email, a spreadsheet, a drawing, or a recorded call about the contract all qualify.
What is CUI?
CUI, on the other hand, is information the government creates or possesses, or that a contractor creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle with safeguarding or dissemination controls (32 CFR 2002.4). The authority behind that requirement determines which of two categories applies: CUI Basic or CUI Specified.
Information is CUI Basic when the governing law, regulation, or policy requires safeguarding but does not spell out specific controls; it is handled under the uniform baseline in 32 CFR 2002, which for contractors means NIST SP 800-171. Information is CUI Specified when the authority itself prescribes particular safeguarding or dissemination controls, which may be more stringent than that baseline. Neither category includes information a non-executive branch entity keeps in its own systems that was never created or possessed by, or on behalf of, an executive branch agency.
Contractors most often encounter CUI in the categories listed in the National Archives' CUI Registry, such as controlled technical information (blueprints, drawings, and renderings for an ongoing project), proprietary business information, legal records, and health records. The category alone does not make something CUI, though: the information has to be covered by a law, regulation, or government-wide policy, and the government should identify and mark it as CUI when it is provided to, or required from, the contractor.
Where do We Draw the Line?
Both FCI and CUI cover information created, possessed, or collected by or for government agencies, which is where the confusion starts. The difference is the test applied. FCI only has to be not intended for public release, and it is protected with the basic safeguarding requirements of FAR 52.204-21. CUI additionally carries a safeguarding or dissemination requirement from a law, regulation, or government-wide policy, which for DoD contractors means the NIST SP 800-171 controls required by DFARS 252.204-7012. So, while not all FCI is CUI, all CUI that a government contractor holds under a contract is also FCI.
Regarding assessment scope, FCI is the focus of CMMC Level One, Level Two is the transitional step toward protecting CUI, and full protection of CUI is required from Level Three through Level Five. In a previous blog, we covered each CMMC level; the way the first two levels treat FCI and CUI is as follows:
- Level One: The first level requires the 17 practices of "basic cyber hygiene," which correspond to the 15 basic safeguarding requirements of FAR 52.204-21: limiting system access to authorized users, identifying and authenticating those users, protecting against malicious code, applying security updates, and similar controls. These measures protect Federal Contract Information (FCI), meaning any government information for a contract that is not intended for public release.
- Level Two: Transitioning to Level Two certification requires "intermediate cyber hygiene," meaning the company documents its practices and implements a subset of the NIST (National Institute of Standards and Technology) SP 800-171 Revision 2 controls. The goal is protecting Controlled Unclassified Information (CUI), information that a law, regulation, or government-wide policy requires to be safeguarded, with the full set of 800-171 controls arriving at Level Three.
The Level Three through Five assessments do not introduce FCI or CUI as new concepts, but they build on them: each level includes every practice from the levels below it, so the FCI and CUI protections established at Levels One and Two stay in scope, with Level Three adding the full NIST SP 800-171 control set and Levels Four and Five adding practices aimed at advanced persistent threats.
Navigating the intricacies of CMMC and the regulations around it is not the most exciting excursion, but the information you collect is worth the journey. A solid understanding of how to safeguard government information builds the trust that wins contracts, and you won't regret the effort when the awards start rolling in.