As a Defense Industrial Base (DIB) supplier, you’re tasked with handling sensitive defense data on behalf of the government. The data is most likely Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), which you must adopt specific protections according to Cybersecurity Maturity Model Certification (CMMC). Because contract awards are now dependent on CMMC as they roll out, you must familiarize yourself with the information it sets out to protect. This post elaborates on what FCI and CUI are, what is considered CUI, and how you can begin protecting these data types as they relate to CMMC.

What is FCI?

FCI is information not intended for public release. It’s provided or generated under a contract for the purpose of developing or delivering a product/service to the government. Some exceptions are that it doesn’t include information that’s provided by the government to the public or simple transactional information (e.g., necessary to process payments).

What is CUI?

CUI is information that the government protects that is not classified.  Past designations of For Official Use Only (FOUO), Sensitive But Unclassified (SBU) or Law Enforcement Sensitive (LES) should no longer be utilized and replaced with the appropriate markings as defined by the National Archives and Records Administration (NARA)  Despite not being classified, this information still requires optimal protection measures. CUI encompasses a large umbrella of information, including privacy information, legal information, privileged information, and more.

The CUI program touches about every government agency, meaning CUI’s presence is widely spread and needs to be safeguarded properly wherever it resides. It acknowledges that certain types of unclassified information are sensitive and valuable to the United States national security interests, which makes it an ideal target for adversaries.

In relation to FCI, the two information types have an important distinction. All CUI that a government contractor possesses is considered FCI, but not all FCI can be considered CUI. For further details, the (NARA) describes the differences.

What is Considered CUI?

With classified national security information, it’s unlikely that all DIB suppliers handle it. However, suppliers across all mission areas are much more likely to receive, handle, create, and distribute CUI. Because of its prominence, CUI has two subsets for distinguishing information: CUI basic and CUI specified.

CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI.

CUI Specified s the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out the controls for CUI Specified information and does not for CUI Basic information. CUI Basic controls apply to those aspects of CUI Specified where the authorizing laws, regulations, and Government-wide policies do not provide specific guidance.

There are distinctive CUI categories organized by index groupings. A few examples of these groupings include:

  • Critical Infrastructure
  • Defense
  • Financial
  • Intelligence
  • Law Enforcement
  • Nuclear
  • Transportation
  • Privacy
  • Procurement & Acquisition

All approved CUI categories and subcategories are available on the CUI Registry. It provides general descriptions for each, identifies controls, establishes markings, and elaborates on handling procedures.

How Do I Begin Protecting FCI and CUI for CMMC Compliance?

Obtaining CMMC certification is necessary for not only winning contracts but for validating your capacity to protect FCI and CUI. CMMC Maturity Level 1 addresses FCI and its basic safeguarding requirements, while Maturity Level 3 stresses compliance requirements for CUI. There’s considerable planning and implementation that goes into securing these data types, and the expected timeline for CMMC preparation at level 3 and higher is likely greater than six months.

At SoundWay, we can help you achieve optimal FCI and CUI protections through CMMC compliance at the appropriate level. Our consultants work closely with technologists and legal experts alike to cover all bases of data protection requirements. As we guide you through your CMMC preparation, we help you identify recommendations to complete Plans of Actions and Milestones (POA&M). All POA&Ms must be resolved before certification can be granted. We also provide you with solutions to each recommendation that protect FCI, CUI, and your information systems overall.

Contact us to begin discussing your CMMC certification and how we can help you achieve it.