As more contractors work toward their Cybersecurity Maturity Model Certifications (CMMC), we’ve seen a growing concern about the difference between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Whether you’re working with DoD contracts or not, the heightened concern around information security requires all government contractors to understand what information needs protection, how to distinguish between certain types of information, and the regulations covering them.
Here’s a brief overview of FCI and CUI, their differences, and their audit scope for different CMMC levels.
What is FCI?
FCI refers to any information given or generated by a government contractor for service/product delivery throughout a contract period. FCI doesn’t include information that a government agency has provided to the public, either through their website or transactional information. In other words, it’s not meant for public use.
According to the Committee on National Security Systems Instruction (CNSSI), that information includes any “any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual,” regarding protected information around a contract (FAR 4.1901).
What is CUI
On the other hand, CUI is any information created by a government agency or possessed by them. It requires special safeguards — i.e., a law, regulation, policy, or permit — to disseminate for a contractor to access them. There are two specifications under the control of that information determining the safeguarding level: CUI Basic and CUI Specified.
CUI Basic refers to when information needs protection, but the government doesn’t divulge the exact safeguard necessities. When information requires certain safeguards or controls to maintain the information’s privacy and specific rules are disclosed, the information is considered CUI Specified. Neither of these includes information held in a non-executive branch agency’s systems that was not created, possessed, or used by an executive branch agency.
Any specific and identifiable information like a company’s intellectual property, legal or health documents, blueprints or renderings particular to an ongoing project, and any other information about the agency’s contract with a company is deemed CUI.
Where do We Draw the Line?
There’s one similarity between these two that can cause confusion: both FCI and CUI include information created, possessed, or collected by or for government agencies. And the significant difference that sets them apart is that FCI is not intended for public use while CUI requires certain levels of security. So, while not all FCI is CUI, all CUI that a government contractor possesses is FCI.
Regarding the audit scope for CMMC levels, FCI is covered under both CMMC Level One and Level Two, while there are specific implications for CUI under Level Three through Level Five. In a previous blog, we covered each CMMC level, and the documentation protecting FCI and CUI exhibits the following:
- Level One: The first level requires companies to have basic security measures in place (“basic cyber hygiene”), which includes antivirus software, Multi-factor authentication (MFA), or consistent password changes. These measures ensure the company is protecting Federal Contract Information (FCI), including any government information for a contract not intended for public release.
- Level Two: Transitioning to Level Two certification requires “intermediate cyber hygiene,” meaning the company follows procedures to protect FCI and Controlled Unclassified Information (CUI) via NIST’s (National Institute of Standards and Technology) 800-171 Revision 2 standards. Any information the government requires to be safeguarded by companies is considered CUI.
Even though the audits for getting your Level Three through Five don’t specifically call for protecting FCI or CUI, their necessity as “basic security” sets the field for each following level.
Navigating the intricacies of CMMC and arising security regulations is not the most exciting excursion, but the information you collect is worth the journey. An encompassing understanding of safeguarding government information is often accompanied by trust and the opportunity to gain recognition. You won’t regret it when the awards are rolling in!