by Scott Jack
Content Contributor, E-N Computers
Over 10 years of experience in healthcare IT and tech support.
If you have a business contract with the U.S. federal government, you possess FCI, or Federal Contract Information. Because cyber threats continue to increase in frequency and complexity, the U.S. government wants to make sure defense contractors are properly securing all information related to their federal contracts. FCI is the most basic level of information that you are expected to protect.
Understanding what FCI is and how to handle it properly is crucial. Improper handling of FCI can result in heavy fines, legal problems, and the loss of your contracts. Keep reading to learn the basics of FCI and why it’s important for defense contractors.
QUICK ANSWER:
What is FCI and should I worry about it?
Federal Contract Information, or FCI, is information related to a federal contract not intended for public release. It includes things like emails, invoices, and payment details. A CMMC Registered Practitioner can help you scope your project, figuring out what information you handle and what systems it touches. This can help you avoid fines, legal problems, and the loss of your government contracts.
Why you can trust us
E-N Computers is a CMMC Registered Practitioner Organization (RPO) with multiple Registered Practitioners (RPs). We help defense contractors identify security gaps and adjust their operations to comply with federal regulations. Therefore, we have familiarity with what FCI is and how to protect it.
How FCI is related to CMMC
The Cybersecurity Maturity Model Certification (CMMC) framework was developed by the Department of Defense to standardize and enforce cybersecurity practices across the defense industrial base. It consists of three levels, all of which require protecting FCI.
- Level 1 is for entities handling only FCI and can be self-assessed. That doesn’t mean it’s a simple checkbox. Being honest in your self-assessment is good for business longevity and reputation. Being lax can put you at greater risk from cyber threats, and a perfect score is more suspicious and worrisome than an imperfect one because it is probably not trustworthy. The DoD wants to know that you are identifying and remedying security weaknesses, not ignoring them.
- Level 2 is for entities handling CUI and requires assessment by a certified third-party assessor (C3PAO). Most organizations subject to CMMC fall in this category.
- Level 3 is for prime contractors and is subject to review by federal assessors.
What is FCI?
FCI stands for Federal Contract Information. Federal Acquisition Regulation (FAR) Clause 52.204-21 defines it as:
Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
In other words, if you provide goods or services to the federal government, any information related to your contract that is not intended for public release is FCI and must be protected. This includes invoices, payment information, and emails between you and federal employees. If you are a defense subcontractor, this applies to you. If you use subcontractors, you are obligated to inform them of their responsibility.
Examples of FCI
To begin to give you an idea of what FCI includes, we came up with a few examples. These are not exhaustive but are meant to help you think about what information you might have that is FCI.
- A janitorial company provides cleaning services to a federal facility. They have a diagram of the area to be cleaned. The diagram is considered FCI.
- A propane company delivers propane to a military installation. The amount of propane and where it is to be delivered are FCI.
- An IT company provides cybersecurity training to some federal employees. The personal details of the employees (e.g., name and contact information) are FCI.
How FCI and CUI are different
Controlled unclassified information (CUI) is considered more sensitive than FCI. A breach of CUI could be a national security issue, while FCI is simply not intended for public release. Because of its sensitive nature, CUI requires more safeguards and should be marked. On the other hand, FCI does not need to be marked.
A business that exclusively handles FCI only needs to meet CMMC Level 1 requirements. However, most defense contractors—such as manufacturers and staffing agencies—also handle CUI and must therefore reach CMMC Level 2.
Scoping is critical!
Scoping refers to the process of figuring out what FCI you have, what systems it touches, and what security controls you need to implement. Organizations can be tempted to jump ahead to lock things down. But start with scoping for at least two reasons:
- Scoping allows you to focus on what matters. When you identify what is in scope, you also know what is out-of-scope, and you don’t have to waste time on those systems. You can put your time and budget toward what’s needed for compliance.
- Scoping makes your assessment go more smoothly. Your CMMC assessor will expect clear documentation of your scope and for you to be familiar with it. It also makes their job easier and allows them to concentrate on scoped items.
If you don’t take time to properly scope your project, you will waste time and money doing unnecessary things, you will make your assessment more stressful, and you may fail to implement needed controls because you weren’t thorough.
What does scoping involve?
Here’s a brief overview of the scoping process:
- Gather your contracts. This includes direct government contracts as well as any subcontracts.
- Review your contracts. They will often mention specific information that you are expected to protect.
- Take inventory of your information assets. This is any information your company processes, stores, or transmits, whether electronically, on paper, or on removable media (e.g., CDs and USB drives).
- Map information to contracts. Document which contract each type of information is associated with.
- Decide what information is FCI. Does the information meet the definition of FCI as outlined in FAR 52.204-21?
- Map information to systems. Clearly document what information is FCI, where it resides, and what systems it touches.
You can find the official Level 1 Scoping Guidance on the Department of Defense’s CMMC website.
How should FCI be handled?
FCI must be protected when being processed, stored, and transmitted. Rules about FCI apply to the physical world just as much as they do to digital information. In fact, two areas that are often overlooked when protecting FCI are media protection and physical access control.
Physical and procedural controls
Media protection means to “sanitize or destroy” storage drives containing FCI before disposal or reuse. In practice, this means you need to put a process in place to securely overwrite or destroy internal drives, external drives, removable media like USB flash drives, and mobile devices. You also need documentation that the process is being followed.
Physical access control means to “limit physical access” to systems and their environments to authorized individuals. This may mean keeping doors locked, having employees and vendors carry badges or other identification, keeping a visitor’s log, and escorting visitors in restricted areas.
Digital security controls
Digital access control refers to restricting access to resources and being able to track that access. In practice, this means that each person must have a unique user account and that there should be no shared passwords. You also need to be able to see which users had access to particular data and when they accessed it.
Users should only have access to information necessary to do their job. Access to data in files, databases, and online services should be restricted accordingly. Similarly, you should have the ability to audit who accessed information.
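As an added illustration of the two requirements above (one account per person, and an audit trail of who touched FCI and when), the following script is not from the original post; it parses a constructed access log in an assumed format and reviews it against an assumed scoping inventory of FCI resources and their authorized users.

```python
from collections import defaultdict
import re

# Constructed sample file-access log lines (not from the original post).
# Assumed format: "<ISO timestamp> user=<account> action=<verb> path=<resource>"
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice action=read path=/contracts/DOD-123/invoice-0042.pdf
2024-03-04T09:15:44Z user=bob action=read path=/public/brochure.pdf
2024-03-04T10:02:10Z user=shared-frontdesk action=read path=/contracts/DOD-123/site-diagram.vsdx
2024-03-04T11:30:00Z user=carol action=write path=/contracts/DOD-123/invoice-0042.pdf
2024-03-04T12:00:00Z user=alice action=read path=/contracts/DOD-123/site-diagram.vsdx
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$")

# Output of the scoping step: which resources hold FCI (assumed, constructed).
FCI_PATHS = {"/contracts/DOD-123/invoice-0042.pdf", "/contracts/DOD-123/site-diagram.vsdx"}
# Per-resource authorized users (least privilege); assumed, constructed.
AUTHORIZED = {
    "/contracts/DOD-123/invoice-0042.pdf": {"alice", "carol"},
    "/contracts/DOD-123/site-diagram.vsdx": {"alice"},
}
# Generic accounts that cannot be tied to one person (the "no shared passwords" rule).
SHARED_ACCOUNT_PREFIXES = ("shared-",)

def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def review_fci_access(text):
    """Return (audit trail per FCI resource, list of findings)."""
    trail = defaultdict(list)
    findings = []
    for ev in parse_log(text):
        path = ev["path"]
        if path not in FCI_PATHS:
            continue  # out of scope, nothing to record
        trail[path].append((ev["ts"], ev["user"], ev["action"]))
        if ev["user"].startswith(SHARED_ACCOUNT_PREFIXES):
            findings.append(f"shared account {ev['user']} touched FCI {path}")
        elif ev["user"] not in AUTHORIZED.get(path, set()):
            findings.append(f"{ev['user']} not authorized for {path}")
    return dict(trail), findings
```

The audit trail answers "who accessed which FCI and when"; the findings list surfaces shared accounts and out-of-policy access that a Level 1 self-assessment should catch.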
Who is responsible for proper handling of FCI?
Everybody plays a part in FCI security. Information security requires top-down leadership as well as the cooperation of all staff because FCI security involves more than getting technical solutions from IT people; it also means changing business processes.
- Management team updates processes: Since FCI compliance might affect how you do things, managers familiar with your current procedures should help write new policies and explain them to everyone.
- Facilities team keeps the building secure: Facilities makes sure only authorized people can access areas with FCI.
- Employees report problems: Everyone needs to know how to spot suspicious activity and report it.
- HR sets consequences: They’ll outline what happens if someone breaks the FCI rules.
Hands-on, not a hand-off
We hear from businesses who want someone else to handle FCI compliance entirely. In effect, they want a turn-key solution that requires minimal involvement from them. But here’s the deal: This is your company, and FCI security will affect the way you do business. Your managers need to participate in planning and implementation to end up with a system that works for you.
Being proactive pays off
Following CMMC rules can improve your business. You can:
- Build a security-focused culture. Everyone will be more aware of protecting sensitive information.
- Streamline your operations. Implementing CMMC might reveal ways to work more efficiently.
- Avoid contract headaches. By being proactive, you’ll avoid the stress and cost of losing a contract due to FCI issues.
- Pass the audit. Remember, anyone in your company could be interviewed during a CMMC audit. Make sure everyone knows what to say and can verify your process.
Tools and resources for your compliance project
- The Department of Defense (DoD) website provides official CMMC documentation, including scoping guidance and the Level 1 Self-Assessment Guide. You may want to look at “Level 1 Scoping Guidance” and “Level 1 Self-Assessment Guide”.
- E-N Computers has created an audio version of the CMMC Level 1 Self-Assessment Guide as a free resource to the IT community.
- In addition, a GRC tool can be immensely useful. Our favorite GRC tool, FutureFeed, engages business leaders from the beginning, provides solid tracking and reporting tools, and has decent templates for policies and procedures. We love it so much that we include it with every CMMC consulting engagement.
- Speaking of which, CMMC consulting services from a Registered Practitioner (RP) are another valuable resource. The DoD’s official CMMC implementation partner, The Cyber AB, highly recommends working with an RP to reach compliance. We can help you navigate the rules and figure out how they apply to your business. We can also help you look for ways to streamline your business processes using technology.
Next Steps
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.