Get Your Free SPRS Score

Get Your Free SPRS Score

Book a personalized demo to unify tasks, pass audits, and scale.

FCI vs CUI: What Determines Your CMMC Level

FCI vs CUI What Determines Your CMMC Level
Facebook
Twitter
Pinterest
LinkedIn

CMMC is increasingly important for the overall security of the government, and by extension, the people. Threats are continually evolving, so security standards have to rise to meet them. Programs like CMMC exist to enforce standards capable of resisting most common threats and protecting sensitive information. It's no surprise, then, that more and more businesses are finding CMMC to be mandatory for the government contracts they want to win.

Before you dig too deep, a filter: are you looking to work with the federal government in general, or with the Department of Defense specifically? If you want to work with government agencies, but not the DoD, you will need FedRAMP rather than CMMC. If you're planning to work with the DoD or with a DoD subcontractor, you'll need to look at CMMC.

If you're staring down the barrel of a CMMC implementation and looking at the daunting list of tasks you'll need to complete, the first thing to do is figure out where you stand. What level of CMMC will you need?

BLUF - Bottom Line Up Front

CMMC protects government data as threats evolve, so security standards must rise. FedRAMP covers non-DoD federal contracts; CMMC covers DoD work. CMMC has three levels: Level 1 for FCI with 15 basic controls; Level 2 for CUI with 110 NIST SP 800-171 controls; Level 3 adds NIST SP 800-172 controls and DIBCAC review for APT risk. First, determine your needed level, assess security, and hire a C3PAO or expert for audits.

Understanding CMMC Levels

CMMC has three levels, simply named Level 1, Level 2, and Level 3. While these are broadly comparable to other frameworks with similar levels, you can't rely on what you know from other frameworks to determine your path with CMMC.

Understanding CMMC Levels

To understand what level you'll need, you need to know what the levels mean. The simple version is this: The higher the level, the more sensitive the information you're handling, so the stronger the security you need.

CMMC Level 1

CMMC Level 1 is the lowest level you can get to work with the Department of Defense and as part of the defense supply chain. It requires a certain minimum level of information security, but the standards aren't terribly high. They're more or less on par with other entry-level cybersecurity frameworks, and if you already adhere to something like SOC 2 or PCI DSS, you may have a good portion of the work done already.

CMMC Level 1

At Level 1, you're expected to handle basic cyber hygiene, which ranges from access control to user authentication to physical and digital security, as well as your ongoing monitoring and improvement for the systems as a whole.

The burden for CMMC Level 1 is fairly low and is defined by the controls outlined in FAR 52.204-21. This covers 15 basic cybersecurity practices.

Who needs CMMC Level 1? You need CMMC Level 1 if your business will work with either the Department of Defense or a DoD subcontractor, following the information. Specifically, Level 1 is for companies that will handle, store, process, or otherwise interact with FCI: Federal Contract Information, but not CUI: Controlled Unclassified Information.

CMMC Level 1 is easy to achieve, but only offers a limited amount of engagement with the Defense supply chain, as only a limited number of roles exist that handle FCI but not CUI.

CMMC Level 2

CMMC Level 2 is the mid-range version of CMMC and is by far the most common position for DoD contractors and subcontractors. It sets much higher and stricter levels of security.

CMMC Level 2

Level 2 security is required by DFARS clause 252.204-7012, which is commonly seen in DoD and DoD-sub contracts. The security itself is defined by the 110 security controls outlined in NIST SP 800-171. Specifically, NIST SP 800-171 Revision 2; even though Revision 3 exists, the DoD is still using Revision 2.

The jump from 15 cybersecurity practices to 110 security controls is very significant. These controls span a wide range of security areas, and include everything from configuration management and audit logging to continuous monitoring and incident response.

Where Level 1 is designed for basic cyber hygiene and security, Level 2 is where you start to take things seriously, on the level you would expect from government frameworks.

The primary goal of Level 2 is to protect CUI: Controlled Unclassified Information. You may also handle FCI, but the CUI is the determining factor.

CMMC Level 3

CMMC Level 3 is the high-end version of security for DoD contractors and subcontractors handling CUI: Controlled Unclassified Information.

CMMC Level 3

In addition to the full slate of security controls outlined in NIST SP 800-171, those who need CMMC Level 3 will also need to adhere to a selection of additional controls found in NIST SP 800-172. These controls encompass additional security measures such as advanced monitoring, anomaly detection, and a higher degree of incident response requirements.

If both Level 2 and Level 3 protect CUI, how do you know whether or not you need Level 3?

Level 3 is taken more seriously, and as such, it's handled much more directly by the government. CMMC Level 1 is handled with a self-assessment. Level 2 is handled by a C3PAO's external audit. Level 3 is handled directly by the Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC, which is a department within the Department of Defense itself.

The determination as to whether you need CMMC Level 3 or not comes down to the specific contract you're looking to win. The contract will be based on the information that will need to be handled, and as such, the level of security necessary to protect it.

The biggest determining factor is if the information is considered sensitive enough that it's subject to APTs, or Advanced Persistent Threats. APTs are high-level, long-term threats that target specific kinds of information, specific kinds of businesses, or specific goals. These aren't your average drive-by ransomware attacks or phishing attempts; these are long-term, dedicated campaigns by specific organized groups, targeting your business directly and adapting to the security measures you put in place.

FCI Vs. CUI: Understanding the Information

If the primary determining factor between Level 1 and Level 2 is whether you're handling just FCI, or FCI and CUI, or just CUI, how can you tell?

FCI Vs CUI Understanding The Information

Well, the easiest way is to simply read the contract you're hoping to win. You know what kind of services you provide, you know what kinds of government contracts are asking for your services, so you can read those potential contracts and see whether they stipulate Level 1 or Level 2. But that's descriptivist; you aren't learning how to tell yourself. So, it's worth learning what, exactly, FCI and CUI really are.

Federal Contract Information: FCI

Federal Contract Information, or FCI, is effectively the least sensitive kind of sensitive information the federal government can handle. The only information that is less sensitive is the kind of information that isn't sensitive at all. You don't need to protect the name of the Department of Defense, the address of the White House, or the names of the people in Congress, after all; it's all public information.

Federal Contract Information FCI

FCI is information relating to government contracts. This can be, for example, the contract you're bidding on. It can also be contracts that other companies have with government departments. It includes a wide range of different kinds of data, the kinds of things you want kept out of public hands, but which can do very limited damage if they leak.

You could imagine a scenario where the DoD needs to hire a local contractor to put up a new fence around a facility they're building. Information surrounding that scenario is considered FCI; things like:

  • Emails between the local DoD representative for the facility and the project coordinator for the local contractor.
  • Site-specific details like measurements, locations of buried utilities, and access information.
  • Written feedback on the project as it proceeds, including changes made along the way.
  • Drafts of various deliverables, like projected blueprints or drawings.
  • Schedules for the project as it progresses.
  • Financial records for the project, including specific invoice information, cost/pricing data, and billing records.

Most of this is routine information for a contractor, but it's information that could be used with malicious intent if it fell into the wrong hands. But, by the same token, it has relatively low impact. There's only so much an attacker could do with an email from a DoD facility saying "hey, we need a new fence", after all.

This is why the safeguards required from CMMC Level 1 are quite low. If the bar was set too high, very few contractors would be able to meet it, in comparison to the scope and value of the work. It would be like requiring a biometric scan to access the shed where you keep your old lawn tools; the scale doesn't make sense.

Controlled Unclassified Information: CUI

Controlled Unclassified Information is a step above FCI in terms of sensitivity, but it's still below the level of being classified or secret information.

Controlled Unclassified Information CUI

CUI has a specific definition from the National Institute of Standards and Technology:

"Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls."

CUI comes in many forms, and the government maintains a full list of categories here.

What falls into the CUI category? All kinds of things. Examples include:

  • Emergency Management
  • Privileged Safety Information
  • Export Controlled Information
  • Federal Housing Finance Non-Public Information
  • Geodetic Product Information
  • Law Enforcement Financial Records
  • Prior Arrest information
  • General Nuclear Information
  • Patent Applications
  • Government Personnel Records
  • Proprietary Postal Information
  • US Census Information
  • Federal Taxpayer Information

This is just a handful of the 125 categories, showcasing how broad the categories can be.

All of these categories are divided into either CUI Basic or CUI Specified.

CUI Basic is information labeled as controlled or as CUI. It's sensitive information, but it's not special in any way beyond being CUI.

CUI Specified is CUI that has additional security required on top of it. For example, Naval Nuclear Propulsion Information is given specific rules for handling it from the Department of Defense. Basically, it's CUI with added rules stapled on top.

The kind of information you'll handle depends on the contract you'll be working, and the rules for handling that information will all start with the NIST SP 800-171 security controls, and stretch out from there.

Implementing the Right Level of Security

Working with the DoD supply line and achieving certification under CMMC is a powerful way to grow your business, but it's also a source of a lot of risk. You really need to understand what information you're handling, and what security it needs.

If you handle FCI as if it's CUI, you're going above and beyond. There's nothing directly wrong with this, but it does mean you're jumping through a lot of unnecessary hoops and enforcing security that isn't necessary. This is often costly, in terms of time and money, and can lead to compliance fatigue.

On the other hand, if you handle CUI as if it's FCI, you're in violation of your contract and can face serious sanctions. The penalties are steep.

Likewise, CUI Specified that you handle as if it's CUI Basic means you can be in violation of the terms of your contract, and can run into problems with your partners.

Implementing The Right Level Of Security

Navigating all of this is tricky, and one of the best options is to work with a CMMC expert who can help you out, talk with the potential sponsors and others you want to work with, and retain the services of a C3PAO who will help you with your assessments when it's time.

We can serve all of these roles and more. At Ignyte, we're experts in CMMC, and we're a Certified Third-Party Assessor Organization capable of performing Level 2 assessments. We're more than happy to discuss your goals and situation or work with you for your assessments. We also provide the Ignyte Assurance Platform, a world-class tool meant for tracking the implementation and ongoing compliance with frameworks like CMMC.

To see what we can do for you, and to see the Platform in action first-hand, simply reach out and contact us for a discussion and a demo. Act fast: as CMMC grows more and more mandatory throughout the Defense Industrial Base, the time to get the ball rolling is now.

Stay up to date with everything Ignyte