What is FCI in CMMC and how does it affect scope?


The Cybersecurity Maturity Model Certification references “FCI”. What is this abbreviation?

FCI in CMMC stands for “Federal Contract Information”.

FCI is “Information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.”

Reference: Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information

Analysis of the term FCI in the CMMC

FCI is a much broader dataset than CUI (Controlled Unclassified Information), but it affects audit scope and security implementations very similarly to CUI. 

DoD Government contractors are already familiar with CUI.  Contractors are required to protect CUI in their computer systems.  The NIST Special Publication 800-171 describes the cybersecurity measures required to protect CUI.   For the CMMC, Level 3 is the minimum protection for CUI.

In the CMMC, FCI is primarily discussed in the Level 1 section.  This makes me think that it is used as a justification and scope identifier for Level 1, and probably Level 2 audits.

FCI identifies scope for CMMC Level 1 and 2?

My thought is that FCI has been introduced to close a logic gap related to the scope of the CMMC audit.

For organizations with CUI, the scope of the audit is limited to the computer systems that could access or transmit the CUI. With the CMMC applying to ALL DOD contractors, we have a huge question about what the scope of the audit should be. Is it all of the contractor’s computer systems, for all customers? Is there any way to reduce scope? Until the introduction of FCI, auditors and compliance experts could not identify scope.

By defining FCI as the data being protected by Level 1 and Level 2 CMMC, the scope of audit is clarified for the lower levels.

What systems does the CMMC level 1 and level 2 audit apply to?

Let’s go back to that quote about what FCI is. “It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”

Or, to say it a different way (my emphasis): information from the Government provided under a contract.

To me, this means that contractors don’t have FCI until after a contract has been awarded.  It could possibly be interpreted to include data provided during the bidding process, but that data is also provided to the public.

If your company has a current DOD contract, then I would expect to see FCI in the following systems:

  • Any systems that process or store email from government addresses (in most organizations, this means the entire email infrastructure)
  • Any systems that store files that are received from the government.  This can be segmented by contract, policy, and technical controls so that FCI from contracts doesn’t mix with other file storage.
  • Physical storage media holding FCI data, such as USB thumb drives and DVDs.
  • Messaging, conference, and other systems that are used to transmit data from the government.
  • Any client workstations or devices that access or store FCI data through email, files, messaging, or other means.
  • Any manufacturing devices that use or store FCI data.
  • Back-up and administrative systems that manage FCI systems.
  • Networks used by the above systems.

These systems in your company probably have FCI and should be included in the scope of a CMMC level 1 and level 2 audit.

What about secondary FCI data, where the content originally came from the government but has been restated internally?

For example, Joe from the government requests a widget named “wind deflector” with dimensions of 4×8″. This email is labeled “FCI”. Joe sends this request via email to Mark the contractor. Mark takes this information, creates a CAD file with the new dimensions, and saves it to the work queue for the assembler.

Is the CAD file created by Mark considered FCI?

I think yes, but I haven’t seen full clarification of the concept in CMMC yet. We can try to use CUI or other federal sensitivity tags such as Confidential and Secret as a precedent. The classification of a document follows the content included in it, not who wrote it.

Does this mean that different scopes of information systems are audited at level 1, 2, 3, 4, and 5?

I haven’t seen official guidance, but it makes sense.  Here is an example of what I think could happen.

Example Contractor has four DOD contracts.  Two contracts have no CUI, but they do include FCI.  One contract has CUI for facilities maintenance and is assessed level 3.  The last contract has CUI for weapons systems and is assessed level 4.

Scope for CMMC Level 1 and 2: All corporate information systems including HR, general email, accounting.  There is FCI on these systems, but no CUI.

Scope for CMMC Level 3 and 4: A closed network of highly secure systems used only for the facilities maintenance contract and the weapons systems contract.  There is CUI on these systems.

What to audit if your company doesn’t have a contract yet?

This is still an unknown.  For companies that need to get certified because they want to bid on an RFP that requires the CMMC, I haven’t seen any official guidance.

It makes the most sense for a company to identify the scope of network that would process FCI if they won the contract. This could be a completely separate set of systems, just for that contract, or it could be their existing corporate network.


I’m looking forward to seeing how the CMMC develops and how these questions are answered.  If you have thoughts or know something I don’t, please comment!

V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. She specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. She is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.

4 thoughts on “What is FCI in CMMC and how does it affect scope?”

  1. Kathy Penn says:

    How do companies currently implement the FAR (or DFAR) sections if they don’t have CUI? Are they still required to implement all of 171? I thought there was just one clause — FAR 52.204-21. What would a small company do for that before CMMC?

    I just don’t see how we can have separate networks for our government and non-government work because of email — the same email is required for both sides.

    • Kevin Kane says:

      One way is to migrate the entire email system to a solution that is authorized to handle CUI. For example, moving from Commercial O365 to GCC High requires businesses to replace their existing email system, even if that system is Commercial O365. This can be expensive. That’s where an email solution like PreVeil’s comes in, where only items marked/tagged as CUI get encrypted and handled by their secure email plugin.

      • Amira Armond says:

        Cool recommendation!
        This article is mostly about FCI, so the CUI topic might be overkill for it. Regarding CUI though, email, the need for it to be available to the employee (ideally on their mobile device) and its normal ties to active directory is a big architectural challenge.
        Does that mean PreVeil would “transmit, process, or store CUI”? Is PreVeil FedRAMP / DFARS compliant?
        How does PreVeil prevent contamination from incoming messages that don’t have the PreVeil client running on the sender’s PC?

    • Amira Armond says:

      Hi Kathy,

      Q. How do companies currently implement DFAR sections if they don’t have CUI?
      A. The DFARS clause is contained in almost every DoD contract except for COTS products. But it limits itself to systems that “Store, Process, or Transmit” CUI. So if you don’t have any CUI, then I don’t think you have to worry about DFARS. The FAR clause would still apply though.

      Q. How can you have separate networks for government and non-government because of email?
      A. Email is so critical in performing business. There are a few ways to segment email though…
      1) You can train your users, partners, and Gov clients to never ever ever send CUI through email. Instead, they could share CUI documents using access-controlled portals like SharePoint, and only send links via email. Or there could be a procedure to always encrypt CUI files before sending in an email.
      2) You could set up a secondary email domain which is rated for CUI (Microsoft GCC high, etc). Occasionally you will see this in practice by the government – they will have an email address for regular unclassified communications, and an email address for classified communications.
      3) By routing your incoming emails across multiple front-end servers (from most secure to least secure), you can use the same domain name for both email domains.
