What is FCI in CMMC and how does it affect scope?

Picture showing FCI in emails for CMMC

The Cybersecurity Maturity Model Certification references “FCI”.   What is this abbreviation?

FCI in CMMC stands for “Federal Contract Information”.

FCI is “Information not intended for public release. It is provided by or generated by for the Government under a contract to develop or deliver a product or service to the Government.  FCI does not include information provided by the Government to the public.” 

Reference: Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information

More information that clarifies that FCI is less sensitive than CUI: Archives.gov blog What is the difference between FCI and CUI?

Analysis of term FCI in the CMMC

FCI is a much broader dataset than CUI (Controlled Unclassified Information), but it affects audit scope and security implementations very similarly to CUI. 

DoD Government contractors are already familiar with CUI.  Contractors are required to protect CUI in their computer systems.  The NIST Special Publication 800-171 describes the cybersecurity measures required to protect CUI.   For the CMMC, Level 3 is the minimum protection for CUI.

In the CMMC, FCI is primarily discussed in the Level 1 section.  This makes me think that it is used as a justification and scope identifier for Level 1 and probably Level 2 audits.

FCI identifies scope for CMMC Level 1 and 2?

FCI has been introduced to close a logic gap related to the scope of the CMMC audit.

For organizations with CUI, the scope of CMMC Level 3 audit is limited by computer systems that could access or transmit the CUI.  With the CMMC applying to ALL DOD Contractors, we have a huge question about what the scope of audit should be.  Is it the entire contractor’s computer systems for all customers?  Is there any way to reduce scope?  Until the introduction of FCI, auditors and compliance experts could not identify scope.

By defining FCI as the data being protected by Level 1 and Level 2 CMMC, the scope of audit is clarified for the lower levels.

What systems does the CMMC level 1 and level 2 audit apply to?

Let’s go back to that quote about what FCI is.  “It is provided by or generated by for the Government under a contract to develop or deliver a product or service to the Government.

Or to say it a different way (my emphasis).  Information from the Government provided under a contract.

To me, this means that contractors don’t have FCI until after a contract has been awarded.  It could possibly be interpreted to include data provided during the bidding process, but that data is also provided to the public.

If your company has a current DOD contract,  then I would expect to see FCI in the following systems: 

  • Any systems that process or store email from government addresses (in most organizations, this means the entire email infrastructure)
  • Any systems that store files that are received from the government.  This can be segmented by contract, policy, and technical controls so that FCI from contracts doesn’t mix with other file storage.
  • Hard storage of FCI data such as USB thumb drives, DVDs.
  • Messaging, conference, and other systems that are used to transmit data from the government.
  • Any client workstations or devices that access or store FCI data through email, files, messaging, or other means.
  • Any manufacturing devices that use or store FCI data.
  • Back-up and administrative systems that manage FCI systems.
  • Networks used by the above systems.

These systems in your company probably have FCI and should start to identify scope for CMMC level 1 and level 2 audit.

In addition to FCI systems, the CMMC Accreditation Body has clarified that assessment scope includes other systems which are on the same network as your FCI. The idea is that if your file server has FCI, and you put a severely vulnerable Windows XP workstation in the same network, an attacker could exploit your Windows XP workstation then move from there to attack your file server.

What about secondary FCI data?  When the content is originally from the government, but it has been restated internally?

For example, Joe from the government requests a widget named “wind deflector” with dimensions of 4×8″.  This email is labeled “FCI”.   Joe sends this request via email to Mark the contractor.   Mark takes this information, creates a CAD file with the new dimensions, and saves it to the work queue for the assembler.

Is the CAD file created by Mark considered FCI?

I think yes, but  I haven’t seen full clarification of the concept in CMMC yet.  We can try to use CUI or other federal sensitivity tags such as Confidential and Secret as a precedent.  The classification of a document follows the content included in it, not to who wrote it.

The CMMC Accreditation Body has clarified that a prime with multiple subcontractors working on the same project should ensure that FCI is only provided to contractors that have a CMMC level 1 certification or better. If a contractor lacks CMMC certification, they should only provide COTS products to the project or have an arrangement to utilize a certified network to view FCI data.

Does this mean that different scopes of information systems are audited at level 1, 2, 3, 4, and 5?  

I haven’t seen official guidance about multiple audits of the same organization, but it makes sense.  Here is an example of what I think could happen.

Example Contractor has four DOD contracts.  Two contracts have no CUI, but they do include FCI.  One contract has CUI for facilities maintenance and is assessed level 3.  The last contract has CUI for weapons systems and is assessed level 4.

Scope for CMMC Level 1 and 2: All corporate information systems including HR, general email, accounting.  There is FCI on these systems, but no CUI.

Scope for CMMC Level 3 and 4: A closed network of highly secure systems used only for the facilities maintenance contract and the weapons systems contract.  There is CUI on these systems.

What to audit if your company doesn’t have a contract yet?

This is still an unknown.  For companies that need to get certified because they want to bid on an RFP that requires the CMMC, I haven’t seen any official guidance.

It makes the most sense for a company to identify the scope of network that would process FCI if they won the contract. This could be a completely separate set of systems, just for that contract, or it could be their existing corporate network.

Next articles:

CMMC Level 1 certification and preparation (how-to)

Cyber-security is an allowable cost?

CMMC Compliance FAQs – Organizations seeking certification

Index of CMMC Audit Topics and Articles

I’m looking forward to seeing how the CMMC develops!.  If you have thoughts or know something I don’t, please comment!

V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. She specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. She is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.

7 thoughts on “What is FCI in CMMC and how does it affect scope?

  1. Jeff Westeman says:

    Once again – great article Amira. I’m in awe of your ability to effectively communicate a complex topic. Further awe of your choice to share your knowledge openly. Thank you.

  2. Randy+A+Renk says:

    Another comment about the rule in the CMMC law. Read closely the new DFARS 252.204-7021. It does not limit subcontractors to only those who handle FCI need a level 1 cert. It say ALL subcontractors…except COTS contracts. (para (c)(1))

    One would hope this was not “their” intent. However, the Interim Rule on about page 30 of 89 repeats that all subcontractors except COTS and micro-purchases require a Level 1. There is nothing about FCI being processed or handled.
    Several public comments to the Interim Rule point this anomaly out that even if the subcontractor has not FCI to protect, they still need have protection rule in-place with nothing to protect.

    Furthermore, Ms. Arrington has given an example publicly on more than one occasion giving of the gardener mowing the lawns on a DoD facility will need a Level 1 certification.

  3. Randy A Renk says:

    Great conversation for trying to clarify what the DoD has not been very clear about wrt to FCI and CUI.
    A couple of comments:
    1. In the FCI definition above, remove the “by” after “generated”. It should reads “generated for”
    2. FAR 52.204-21 has been on the books and most contracts before DFARS 252.204-7012 in Dec 2017. It traces to its first proposed rule back in August 2012. Then publish in May 2016 for effectivity 30 days later …hence it reads (JUN 2016)
    3. Although 52.204-21 was many contracts in FY17, “recognition” of its effect were …well…less than robust …either in industry or by the DoD contracting officers.
    4. I would suggest in your “wind deflector” example, that Mark’s CAD drawing remains FCI under the “generated for” clause in the FCI definition.
    5. If Mark labels his CAD drawing as “Use on US Army fighting vehicle” that CAD drawing turns into CUI via the circuitous route that it is “technical information of a military or space application” from the National CUI Registry. That makes it “Controlled Technical Information” (CTI) which is one of the 125 types of CUI. Then, if NIST 800-171 or DoDI 5200.48 are on the contract, Mark will need to label it correctly.

  4. Kathy Penn says:

    How do companies currently implement the FAR (or DFAR) sections if they don’t have CUI? Are they still required to implement all of 171? I thought there was just one clause — FAR 52.204-21. What would a small company do for that before CMMC?

    I just don’t see how we can have separate networks for our government and non-government work because of email — the same email is required for both sides.

    • Kevin Kane says:

      One way is to migrate the entire email system to a solution that is authorized to handle CUI. For example, moving from Commercial O365 to GCC High requires businesses to replace their existing email system, even if that system is Commercial O365. This can be expensive. That’s where an email solution like PreVeil’s comes in, where only items marked/tagged as CUI get encrypted and handled by their secure email plugin.

      • Amira Armond says:

        Cool recommendation!
        This article is mostly about FCI, so the CUI topic might be overkill for it. Regarding CUI though, email, the need for it to to be available to the employee (ideally on their mobile device) and its normal ties to active directory is a big architectural challenge.
        Does that mean PreVeil would “transmit, process, or store CUI” ? Is PreVeil FedRAMP / DFARS compliant?
        How does PreVeil prevent contamination from incoming messages that don’t have the PreVeil client running on the sender’s PC?

    • Amira Armond says:

      Hi Kathy,

      Q. How do companies currently implement DFAR sections if they don’t have CUI?
      A. The DFARS clause is contained in almost every DoD contract except for COTS products. But it limits itself to systems that “Store, Process, or Transmit” CUI. So if you don’t any CUI, then I don’t think you have to worry about DFARS. The FAR clause would still apply though.

      Q. How can you have separate networks for government and non-government because of email?
      A. Email is so critical in performing business. There are a few ways to segment email though…
      1) You can train your users, partners, and Gov clients to never ever ever send CUI through email. Instead, they could share CUI documents using access-controlled portals like SharePoint, and only send links via email. Or there could be a procedure to always encrypt CUI files before sending in an email.
      2) You could set up a secondary email domain which is rated for CUI (Microsoft GCC high, etc). Occasionally you will see this in practice by the government – they will have an email address for regular unclassified communications, and an email address for classified communications.
      3) By routing your incoming emails across multiple front-end servers (from most secure to least secure), you can use the same domain name for both email domains.

Leave a Reply

Your email address will not be published. Required fields are marked *