iQuasar Cyber

FCI and CUI for CMMC

Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are categories of non-public government information that contractors may receive, process, and store on non-federal computer systems. The protection requirements differ: FCI is subject to the basic safeguarding requirements of FAR 52.204-21, while CUI must be protected according to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171). The Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC) program to verify that contractors and subcontractors actually implement these requirements.
It is essential for contractors to trace the flow of FCI and CUI through their organization so they can identify the systems, people, and processes that handle sensitive information, such as data on critical infrastructure (defense, nuclear, natural resources), financial records, international agreements, privacy data, and information received from government agencies. With that scoping done, contractors can target the right CMMC level, limit the assessment boundary to the systems that actually store, process, or transmit FCI or CUI, streamline compliance management, and obtain certification more efficiently and cost-effectively.

What is Federal Contract Information (FCI)?

According to Federal Acquisition Regulation (FAR) clause 52.204-21, ‘Basic Safeguarding of Covered Contractor Information Systems’ (48 CFR 52.204-21), “Federal Contract Information” (FCI) is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It excludes information the Government provides to the public (such as on public websites) and simple transactional information, such as that necessary to process payments. In other words, FCI is contract-related data that is sensitive enough to keep non-public but does not rise to the level of “Controlled Unclassified Information” (CUI); it may include items like contract and subcontract information, emails, notes, recordings, reports, charts, and so forth.

Scope of FCI for CMMC:

The scope of FCI for CMMC includes the following:

  • Contracts and subcontracts
  • Purchase orders and delivery orders
  • Technical data and specifications
  • Drawings and blueprints
  • Software and software components
  • Data related to the testing and evaluation of products or services
  • Any other non-public information exchanged between the government and the contractor or subcontractor in performance of the contract

It is important to note that FCI does not include information that is already publicly available or that is intended for public release. FCI also does not cover information a contractor or subcontractor generates purely for its own internal use, since FCI must be provided by or generated for the Government under the contract.

What is Controlled Unclassified Information (CUI)?

As per 32 CFR 2002.4, “Controlled Unclassified Information” (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI is not classified national security information; it is unclassified information whose protection is mandated by a specific authority, and the authorized categories are listed in the CUI Registry maintained by the National Archives. Examples of CUI may include blueprints, technical manuals, engineering drawings, and data related to critical infrastructure, financial transactions, privacy, taxes, and the like.

Scope of CUI for CMMC:

Controlled Unclassified Information (CUI) refers to information that requires some level of protection but is not classified as national security information. The scope of CUI for CMMC includes the following:

  • Protected Health Information (PHI)
  • Export-controlled or international trade data (for example, ITAR and EAR technical data)
  • Intellectual property
  • Contractor-sensitive information
  • Proprietary Business Information (PBI)
  • Controlled Technical Information (CTI), formerly referred to as Unclassified Controlled Technical Information (UCTI)
  • Information carrying legacy Sensitive But Unclassified (SBU) markings, which the CUI program now supersedes

Key Differences Between FCI and CUI:

While both FCI and CUI refer to information that requires protection, there are some key differences between the two:

Scope:

FCI is any non-public data provided by or generated for the Government under a contract that does not fall into the stricter category of CUI but should still not be made publicly available. Controlled Unclassified Information (CUI) is a broader category of information that, although not classified, requires stringent security protections mandated by law, regulation, or Government-wide policy. All CUI in the possession of a Government contractor is also FCI, but not all FCI is CUI. The safeguarding standard for FCI (FAR 52.204-21, assessed at CMMC Level 1) encompasses only 17 basic practices, whereas CUI requires the 110 security requirements of NIST SP 800-171 (assessed at CMMC Level 2 and above).

Origin:

FCI typically includes information such as contract specifications, pricing data, and other unclassified but sensitive contract data. The focus of FCI protection is on preserving the confidentiality and integrity of this information so that it is not accessed or modified without authorization. CUI, by contrast, originates from many sources and encompasses a wide range of data types, including but not limited to export-controlled data, proprietary business information, personally identifiable information (PII), and more. The focus of CUI protection is on safeguarding confidentiality, integrity, and availability, since the information may be critical to government functions.

Purpose:

FCI refers to information that is provided by or generated for the government under a federal contract. The primary purpose of protecting FCI is to keep non-public contract information out of the hands of unauthorized parties, even though it is not classified. CUI, on the other hand, refers to a broader category of sensitive information that is subject to specific laws, regulations, and government-wide policies. The purpose of CUI controls is to protect information that, while unclassified, requires safeguarding because of its importance to national security, privacy, or other interests.

FCI vs CUI


The importance of properly managing FCI and CUI cannot be overstated, especially given the increasing number of cyberattacks and data breaches in recent years. Organizations must take proactive steps to implement robust security measures and protocols to protect against unauthorized access, disclosure, or misuse of sensitive information. At iQuasar Cyber, Inc., we understand the importance of protecting your data, especially Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). As a Cyber-AB Registered Practitioner Organization (RPO), our team of experts has extensive knowledge of regulations and frameworks such as NIST 800-171, FedRAMP, NYDFS, HIPAA, PCI, and more. We specialize in helping organizations like yours prepare for CMMC compliance and provide recommendations for both self-assessments and external evaluations.

Schedule a Meeting With Us Today!