The Cybersecurity Maturity Model Certification (CMMC) draft version 0.6b refers to “FCI”. What does this abbreviation stand for?
FCI in CMMC stands for “Federal Contract Information”.
FCI is “Information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.” (Page 6, CMMC Preface V0.6b 20191107.docx)
Analysis of the term FCI in the CMMC
FCI appears to be a term very similar to CUI (Controlled Unclassified Information). The definition itself is not new: it comes from FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), which already requires contractors that handle FCI to implement a set of basic safeguarding controls.
DoD contractors are already familiar with CUI and are required to protect it in their information systems. NIST Special Publication 800-171 describes the security requirements for protecting CUI, and in the CMMC draft, Level 3 is the minimum level for systems that handle CUI.
In CMMC draft v0.6, FCI is discussed mainly in the Level 1 section. That suggests it is being used as the justification and scope limiter for Level 1, and probably Level 2, assessments.
FCI identifies scope for CMMC Level 1 and 2?
My thought is that FCI has been introduced to close a logic gap in the scope of a CMMC assessment.
For organizations with CUI, the scope of the assessment is limited to the systems that store, process, or transmit CUI. With the CMMC applying to ALL DoD contractors, there is a big question about what the scope of the assessment should be for everyone else. Is it the contractor’s entire environment, for all customers? Is there any way to reduce scope? Until FCI was introduced, auditors and compliance experts had no defined data type on which to base the scope.
By defining FCI as the data protected at CMMC Level 1 and Level 2, the scope of the assessment is clarified for the lower levels.
What systems does the CMMC level 1 and level 2 audit apply to?
Let’s go back to the quote about what FCI is: “It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
Or, to put it another way: information that exists because of a contract with the Government.
To me, this means that a contractor doesn’t have FCI until a contract has been awarded. It could possibly be interpreted to include data provided during the bidding process, but that data is generally also provided to the public, which the definition explicitly excludes.
If your company has a current DoD contract, then I would expect to find FCI in the following systems:
- Any system that processes or stores email from government addresses (in most organizations, this means the entire email infrastructure)
- Any system that stores files received from the government. This can be segmented by contract using policy and technical controls so that FCI from one contract doesn’t mix with other file storage.
- Removable media holding FCI, such as USB thumb drives and DVDs.
- Messaging, conferencing, and other systems used to transmit data from the government.
- Any client workstation or device that accesses or stores FCI through email, files, messaging, or other means.
- Any manufacturing equipment that uses or stores FCI.
- Backup and administrative systems that manage the systems above.
- The networks used by the above systems.
These systems in your company probably hold FCI and should be included in the scope of a CMMC Level 1 and Level 2 assessment.
What about secondary FCI: content that originally came from the government but has been restated internally?
For example, Joe from the government requests a widget named “wind deflector” with dimensions of 4×8″. His email is labeled “FCI”. Joe sends the request by email to Mark, the contractor. Mark takes the information, creates a CAD file with the new dimensions, and saves it to the work queue for the assembler.
Is the CAD file created by Mark considered FCI?
I think yes, but I haven’t seen the concept fully clarified in the CMMC yet. We can use CUI, or the classified markings Confidential and Secret, as a precedent: the classification of a document follows the content in it, not who wrote it. In the example, the CAD file carries the same dimensions Joe sent, so it inherits the FCI handling requirement, and so does the work queue it is saved in.
Does this mean that different sets of information systems are assessed at Levels 1, 2, 3, 4, and 5?
I haven’t seen official guidance, but it makes sense. Here is an example of what I think could happen.
Example Contractor has four DoD contracts. Two contracts have no CUI but do include FCI. One contract has CUI for facilities maintenance and is assessed at Level 3. The last contract has CUI for weapons systems and is assessed at Level 4.
Scope for CMMC Level 1 and 2: all corporate information systems, including HR, general email, and accounting. There is FCI on these systems, but no CUI.
Scope for CMMC Level 3 and 4: a closed network of hardened systems used only for the facilities maintenance contract and the weapons systems contract. There is CUI on these systems. Note that the levels are cumulative, so the Level 1 and 2 practices still apply inside this enclave as well.
What do you assess if your company doesn’t have a contract yet?
This is still an unknown. For companies that need to be certified because they want to bid on an RFP that requires the CMMC, I haven’t seen any official guidance.
It makes the most sense for a company to identify the set of systems that would process FCI if it won the contract. That could be a completely separate set of systems dedicated to that contract, or it could be the existing corporate network.
Next article: Cyber-security is an allowable cost?
I’m looking forward to seeing how the CMMC develops and how these questions are answered. If you have thoughts or know something I don’t, please comment!