CUI or FCI: What’s the Difference, and How Do You Protect Each?

These days, how you manage your data matters. A lot. We’ve seen time and again how not having the appropriate cybersecurity measures in place can leave a company vulnerable to hacked systems, stolen information, and costly downtime. That’s why government organizations must comply with NIST SP 800-171, and why the federal government is becoming adamant that civilian contractors do the same through enforcement from the Cybersecurity Maturity Model Certification (CMMC). But meeting these requirements may be difficult if you don’t understand the types of data that you manage. Is it CUI or FCI? If you don’t know what each of these are, or what they mean for your cyber defense, here’s a brief overview.

Controlled Unclassified Information (CUI)

Controlled Unclassified Information is data that is generated for the government or provided by the government. When this data is shared with civilian contractors, those contractors must have specific safeguarding or dissemination controls in place to protect it, regardless of the product or service that they provide. While it may not be classified, CUI is still highly sensitive information that is not intended for public release and would be illegal to do so. The best way to keep that information secure is to follow the requirements under the second and third levels of the CMMC framework (more on that below).

Federal Contract Information (FCI)

Federal Contract Information is also data that is not permitted for public disclosure, but it is not considered as sensitive as CUI. Still, safeguards are important to house and protect it, which can be found in the first level of the CMMC framework.

CUI or FCI: Which Types of Data Do You Have?

If you’re a prime contractor, the government will likely indicate in your agreement what data you’ll be handling, and whether it will be labeled CUI or FCI. If you’re a government agency, the Department of Defense has a registry available to compare your data against categories that are commonly considered CUI.

How To Protect Your CUI

If you determine that you manage CUI, then it’s important that you meet the requirements under NIST SP 800-171 at minimum, and that you provide proof of this to the Cybersecurity Maturity Model Certification. CMMC has been instrumental in auditing contractors and holding them accountable, as evidenced by the report roughly a year ago about 75 percent of contractors that were found to be wrong in their self-reporting.

CMMC Is Changing

In order to improve the application process for CMMC, and to allow more organizations to be eligible, the DoD is currently finalizing the latest version of its framework. Dubbed CMMC 2.0, it includes three levels.

Level 1 is Foundational, which requires an organization to meet 17 practices that align with the existing standard for FAR 52.204-21, as well as present a passed self-assessment that confirms this. As mentioned above, Level 1 is relevant to those managing FCI, but not sufficient for CUI.

Level 2 is Advanced, which requires 110 practices that are aligned with NIST SP 800-171, an annual self-assessment for select programs, and a triennial, third-party assessment for information that is critical to national security. Anyone managing CUI should achieve this level or above.

Level 3 is Expert, where an organization demonstrates through triennial, government-led assessments that they meet over 110 practices based on NIST SP 800-172. This applies primarily to the protection of High Value Assets (HVAs), which are defined by the Cybersecurity and Infrastructure Security Agency (CISA) as information or information systems that are “so critical to an organization that the loss or corruption of this information or loss of access to the system would have serious impact to the organization’s ability to perform its mission or conduct business.” Even if you only manage CUI and not HVAs, Level 3 compliance demonstrates your commitment to cyber excellence, which can also improve your standing for consideration on future government contracts.

Planning for CMMC Level 2? You’ll Need a C3PAO.

If you want to be officially recognized as compliant with CMMC, you need to obtain a third-party assessment for Level 2 from a CMMC Third-Party Assessment Organization (C3PAO). These are organizations that are vetted and authorized by The Cyber AB, the official accreditation body for the CMMC ecosystem. Click here to learn more about the review and authorization process for C3PAOs on The Cyber AB’s website.

Once your assessment is complete and you’ve met all Level 2 requirements, you will need to upload your score to the DoD’s Supplier Performance Risk System (SPRS) to be given consideration on future contracts. You will also need to verify that you have two (2) pieces of evidence for each of the 110 practices from NIST SP 800-171 to support your compliance.

Still Not Sure If It’s CUI or FCI?

When it comes to managing CUI or FCI, the definitions and requirements may seem confusing. Both require a thorough understanding of the particulars laid out in FAR 52.204-21, NIST SP 800-171, and NIST SP 800-172. While you could choose to review these internally, you may find it much more cost effective to obtain guidance from a Cyber AB-certified consultant.

That’s where Brenda Doles can help. After spending the last 25 years leading the team at Healthcare Resolution Services (HCRS), she has now expanded her CMMC consulting services to organizations across all industries — including those that are required to comply with CMMC, and those that recognize it as a valuable framework for their cyber defense.

Contact her today for an introductory meeting to learn more about her process for identifying what changes are needed for your team to protect Controlled Unclassified Information and Federal Contract Information.