The Cybersecurity Maturity Model Certification references “FCI”. What is this abbreviation?
FCI in CMMC stands for “Federal Contract Information”.
FCI is “Information not intended for public release. It is provided by or generated by for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.”
Reference: Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information
More information that clarifies that FCI is less sensitive than CUI: Archives.gov blog What is the difference between FCI and CUI?
Analysis of term FCI in the CMMC
FCI is a much broader dataset than CUI (Controlled Unclassified Information), but it affects audit scope and security implementations very similarly to CUI.
DoD Government contractors are already familiar with CUI. Contractors are required to protect CUI in their computer systems. The NIST Special Publication 800-171 describes the cybersecurity measures required to protect CUI. For the CMMC, Level 3 is the minimum protection for CUI.
In the CMMC, FCI is primarily discussed in the Level 1 section. This makes me think that it is used as a justification and scope identifier for Level 1 and probably Level 2 audits.
FCI identifies scope for CMMC Level 1 and 2?
FCI has been introduced to close a logic gap related to the scope of the CMMC audit.
For organizations with CUI, the scope of CMMC Level 3 audit is limited by computer systems that could access or transmit the CUI. With the CMMC applying to ALL DOD Contractors, we have a huge question about what the scope of audit should be. Is it the entire contractor’s computer systems for all customers? Is there any way to reduce scope? Until the introduction of FCI, auditors and compliance experts could not identify scope.
By defining FCI as the data being protected by Level 1 and Level 2 CMMC, the scope of audit is clarified for the lower levels.
What systems does the CMMC level 1 and level 2 audit apply to?
Let’s go back to that quote about what FCI is. “It is provided by or generated by for the Government under a contract to develop or deliver a product or service to the Government. “
Or to say it a different way (my emphasis). Information from the Government provided under a contract.
To me, this means that contractors don’t have FCI until after a contract has been awarded. It could possibly be interpreted to include data provided during the bidding process, but that data is also provided to the public.
If your company has a current DOD contract, then I would expect to see FCI in the following systems:
- Any systems that process or store email from government addresses (in most organizations, this means the entire email infrastructure)
- Any systems that store files that are received from the government. This can be segmented by contract, policy, and technical controls so that FCI from contracts doesn’t mix with other file storage.
- Hard storage of FCI data such as USB thumb drives, DVDs.
- Messaging, conference, and other systems that are used to transmit data from the government.
- Any client workstations or devices that access or store FCI data through email, files, messaging, or other means.
- Any manufacturing devices that use or store FCI data.
- Back-up and administrative systems that manage FCI systems.
- Networks used by the above systems.
These systems in your company probably have FCI and should start to identify scope for CMMC level 1 and level 2 audit.
In addition to FCI systems, the CMMC Accreditation Body has clarified that assessment scope includes other systems which are on the same network as your FCI. The idea is that if your file server has FCI, and you put a severely vulnerable Windows XP workstation in the same network, an attacker could exploit your Windows XP workstation then move from there to attack your file server.
What about secondary FCI data? When the content is originally from the government, but it has been restated internally?
For example, Joe from the government requests a widget named “wind deflector” with dimensions of 4×8″. This email is labeled “FCI”. Joe sends this request via email to Mark the contractor. Mark takes this information, creates a CAD file with the new dimensions, and saves it to the work queue for the assembler.
Is the CAD file created by Mark considered FCI?
I think yes, but I haven’t seen full clarification of the concept in CMMC yet. We can try to use CUI or other federal sensitivity tags such as Confidential and Secret as a precedent. The classification of a document follows the content included in it, not to who wrote it.
The CMMC Accreditation Body has clarified that a prime with multiple subcontractors working on the same project should ensure that FCI is only provided to contractors that have a CMMC level 1 certification or better. If a contractor lacks CMMC certification, they should only provide COTS products to the project or have an arrangement to utilize a certified network to view FCI data.
Does this mean that different scopes of information systems are audited at level 1, 2, 3, 4, and 5?
I haven’t seen official guidance about multiple audits of the same organization, but it makes sense. Here is an example of what I think could happen.
Example Contractor has four DOD contracts. Two contracts have no CUI, but they do include FCI. One contract has CUI for facilities maintenance and is assessed level 3. The last contract has CUI for weapons systems and is assessed level 4.
Scope for CMMC Level 1 and 2: All corporate information systems including HR, general email, accounting. There is FCI on these systems, but no CUI.
Scope for CMMC Level 3 and 4: A closed network of highly secure systems used only for the facilities maintenance contract and the weapons systems contract. There is CUI on these systems.
What to audit if your company doesn’t have a contract yet?
This is still an unknown. For companies that need to get certified because they want to bid on an RFP that requires the CMMC, I haven’t seen any official guidance.
It makes the most sense for a company to identify the scope of network that would process FCI if they won the contract. This could be a completely separate set of systems, just for that contract, or it could be their existing corporate network.
I’m looking forward to seeing how the CMMC develops!. If you have thoughts or know something I don’t, please comment!
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. She specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. She is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.