Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are categories of data that are collected, created, transmitted or received in the course of fulfilling a contract to develop or deliver a product or service to the government.
FCI is information provided by or generated for the government under a contract that is not intended for public release. It is subject to the basic safeguarding requirements of FAR 52.204-21, which CMMC Level 1 mirrors. FCI does not include information the government provides to the public (for example, on public websites) or simple transactional information, such as that needed to process payments. While FCI is not as sensitive as CUI, it must still be protected. FCI may be stored in many places, such as:
• emails originating from government addresses
• systems that store files received from the government
• hard storage devices
• manufacturing devices
• backup systems
If you have a contract with the DoD and you are not selling only COTS items or only products below the micro-purchase threshold, you are handling FCI at a minimum, and your company needs to begin the process of meeting CMMC Level 1 requirements as soon as possible.
CUI is information that a law, regulation, or government-wide policy requires to be safeguarded or subject to dissemination controls, but that is not classified. It must be protected, but it is not deemed sensitive enough to require a security clearance to access. CUI is data that, if leaked or accessed by an adversary, could negatively impact national security by revealing our vulnerabilities or giving the adversary an advantage.
Examples of CUI include legal material, health records, technical drawings and blueprints, proprietary business information, ITAR-controlled documents and products, and more. The authoritative list of categories is the CUI Registry maintained by the National Archives (NARA). It is important to review every category, not just the Defense category, since groupings such as Privacy, Legal, and Export Control can apply to a defense contract as well.
DoD provides a CUI training course that is mandatory for all DoD and industry personnel with access to controlled unclassified information.
REMEMBER: data is categorized as FCI or CUI only if it is collected, transmitted, created and/or stored as a requirement of your contract with the DoD. For example, the personal information your company holds on its employees is data you are legally required to protect, but it is CUI only if you collected it as a requirement of the contract. If you did not, it is not CUI and therefore is not within the scope of a CMMC assessment.
If your company has a contract with the DoD and you handle CUI, DFARS 252.204-7012 is most likely in your contract. By accepting the contract you have implicitly attested that you comply with the clause, which means you have attested that your company (1) has assessed itself against the 110 security requirements in NIST SP 800-171, (2) maintains a System Security Plan (SSP) describing how each requirement is implemented, and (3) maintains a Plan of Action and Milestones (POA&M) showing how and when any unmet requirements will be satisfied.
The DFARS interim rule (DFARS 252.204-7019 and 252.204-7020) now requires that the score from your NIST SP 800-171 self-assessment be posted to the Supplier Performance Risk System (SPRS) before contract award. Implicit self-attestation by contract acceptance is no longer sufficient; see the DoD guidance on the interim rule for the assessment methodology and scoring.
CUI is often transmitted or stored unnecessarily. If you receive information from your contracting officer that would be considered CUI and that you do not need to complete the requirements of the contract, work with your contracting officer to stop receiving it and remove it from your systems.
Security Awareness Hub: https://securityhub.usalearning.gov/index.html