What is FCI?
FCI – Federal Contract Information – is information provided by or generated for the U.S. Government under a contract that is not intended for public release. FCI must be kept confidential and safeguarded. It is important to note that FCI is non-public information: it does not include information the government releases publicly, such as content on public websites, or information from other public sources. FCI is subject to minimum cybersecurity requirements.
How do you know if you have FCI?
If you have, or are seeking, a contract with the Federal Government, you have, or will have, FCI. Clear communication with your contracting officer is key to labeling and identifying this data correctly. Examples of FCI include performance reports, organizational or program charts, and process documentation. These may be provided to you by the Government, or your organization may create them. Data you provide during business development and in proposals, such as RFP/RFI/RFQ responses to the DoD or another agency, is likely to include FCI.
*NOTE* The RFP itself is public and therefore not FCI, so take care about what data is appropriate to include in your response.
What laws/regulations apply to you?
FCI is covered under Federal Acquisition Regulation (FAR) 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”. This regulation lays out 15 controls organizations must implement to protect FCI. FCI may also be covered under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”, which lays out 17 controls to protect FCI. The 17 controls of DFARS 252.204-7012 map to the 15 controls of FAR 52.204-21 (two of the FAR controls are split in two) and are equivalent to CMMC Level 1. Finally, FCI held by Defense Industrial Base (DIB) contractors must meet the CMMC 2.0 Level 1 controls per DFARS 252.204-7021, “Cybersecurity Maturity Model Certification Requirements”.
What about CUI?
CUI – Controlled Unclassified Information – is a subset of FCI with specific requirements for labeling and protection. These requirements are laid out in DFARS 252.204-7020, CMMC 2.0 Level 2, and the National Archives and Records Administration (NARA) CUI marking requirements.
How can we help?
Here at Sher-Tech we will help you every step of the way, from gap assessments that identify inadequate controls, through system security design, to CMMC Level 1 implementation.