FCI, CUI and CMMC 2.0’s Final Rule
If you are a contractor doing business with the DoD, the award of your contracts will soon be (and in some cases already is) conditioned on a Cybersecurity Maturity Model Certification (CMMC). The final rule for CMMC 2.0 was published on October 15, 2024. It takes effect on December 16, 2024, and CMMC requirements are expected to start appearing in contracts in mid-2025.
CMMC 2.0 verifies that defense contractors meet the existing safeguarding requirements for federal contract information (FCI) and controlled unclassified information (CUI): the basic safeguarding requirements of FAR 52.204-21 for FCI, and NIST SP 800-171 for CUI. CMMC 2.0 has three levels (the original CMMC had five), assigned according to the kind of government information you handle and store and the threats you face:
- Level 1. This applies to contracts that involve FCI and safeguards FCI only. Contractors self-assess annually against the 15 basic safeguarding requirements of FAR 52.204-21.
- Level 2. This applies to most contracts that involve CUI and requires all 110 NIST SP 800-171 requirements. Depending on the contract, it requires either a self-assessment or a third-party (C3PAO) assessment every three years, with an annual affirmation of continued compliance.
- Level 3. This applies to a subset of contracts involving CUI and adds 24 selected requirements from NIST SP 800-172 to reduce the risk of advanced persistent threats (APTs). It requires a government (DIBCAC) assessment every three years.
Understanding the difference between FCI and CUI in CMMC 2.0.
Among other refinements to the program, the final rule for CMMC 2.0 spells out the different requirements for protecting FCI and CUI. Because it can be easy to confuse FCI and CUI, here is a definition of each:
- Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. It excludes information the government itself releases to the public and simple transactional information such as payment processing data. In practice it may include contract details, personal details, emails, diagrams or other working material not intended for public release.
- Controlled Unclassified Information (CUI) is information the government creates or possesses (or that an entity creates or possesses on behalf of the government) that a law, regulation or government-wide policy requires or permits to be safeguarded or subject to dissemination controls. It may include financial information, critical infrastructure information, taxpayer information or any other unclassified but protected category listed in the CUI Registry.
While both cover information created or collected by or for the government, FCI is defined only by being “not intended for public release,” whereas CUI is information that a law, regulation or policy specifically requires to be safeguarded. CUI is therefore the more sensitive category and carries the stricter handling and protection requirements.
Improper handling of CUI could harm national security or government operations, whereas FCI is confidential but lower-risk data used in performing government contracts. In practice, CUI that a contractor receives or generates under a contract also meets the definition of FCI, but most FCI is not CUI, so it is the presence of CUI that moves a contract from Level 1 to Level 2 or 3.
Simplifying compliance with CMMC 2.0’s NIST 800-171 requirements.
While CMMC has been refined over time, cutting the number of levels and tightening the requirements to simplify compliance for businesses large and small, only the rules have been simplified. Contractors still have to do the work of implementing, documenting and maintaining the controls.
The good news is that Levels 2 and 3 benefit greatly from automation. Level 2 requires all 110 NIST SP 800-171 requirements, the prescribed approach to protecting CUI, and Level 3 adds further requirements from NIST SP 800-172. Establishing and maintaining that baseline by hand puts a significant strain on resources, especially for the technical requirements that map to system configuration settings. Automating those settings reduces the burden and makes the baseline repeatable and auditable. Keep in mind that many NIST SP 800-171 requirements are not configuration settings at all (policies, training, physical protection, incident response, the system security plan), so automation complements, rather than replaces, that documentation and process work.
Automating CMMC 2.0 requirements with a trusted solution in the DoD.
SteelCloud’s ConfigOS is proven throughout the DoD and its contractor base as a way to automate the configuration-hardening portion of NIST SP 800-171 compliance. ConfigOS scans the systems that store or process CUI for configuration weaknesses, hardens them and reports their current state so you can see where each system stands against the baseline.
This can save weeks or months in reaching certification and, by SteelCloud’s estimate, eliminate up to 90% of the effort of maintaining your compliant baseline. It is also the approach the DoD uses for its own systems, which helps keep your DoD customers confident in your security posture.
To learn more about automating your CMMC 2.0 requirements or to schedule a demo of ConfigOS, contact SteelCloud. We’ll help you make meeting your requirements easy.