At the present time, the Cybersecurity Maturity Model Certification (CMMC) is fast gaining steam in the defense industry. A previous whitepaper has explored the CMMC in much more detail, but essentially, this is where any defense contractors and any subcontractors must be certified at a certain level before the Department of Defense (DoD) will allow for any type of entity to bid on projects.

Essentially, one of the primary objectives of the CMMC is to make sure that the defense contractors and their counterparts are maintaining a good level of Cyber Hygiene before they will be entrusted with any kind of datasets.

What Are The Datasets That Need To Be Protected?


First, there is what is known as the “Controlled Unclassified Information”, or simply known as “CUI” for short. Simply put, these are the datasets that are owned by the Federal Government in which the defense contractor (and their affiliates) must have the minimum level of controls put into place in order to safeguard them.

This can be initially misleading, because of the term “Unclassified”. This means that these datasets can be shared with other entities that are CMMC certified, but they cannot be released to the public.

Very often, the CUI is needed by the defense contractor in order to submit a comprehensive Request For Proposal (RFP) to the DoD, and to initiate the work that needs to be done.

Typical examples of CUI datasets include the following:

  • Intellectual Property;
  • Technical drawings;
  • Blueprints;
  • Other forms of related documentation, such as those for export control, Cyber vulnerability information, and other sorts of financial data.


Second, there is what is also known as the “Federal Contract Information”, or “FCI” for short. A technical definition of it as follows:

“It is information not intended for public release. It is provided by or generated by for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.”

(SOURCE: 1).

By the very nature of its name, the FCI has a much narrower scope than the CUI datasets (as just reviewed). In other words, these are the proprietary datasets that have been created and developed when the defense contractor and their third parties actually provide a tangible good to the Federal Government, under the terms of the contract that were awarded.

Examples of FCI datasets include the following:

  • Any emails that are transmitted from the DoD to the defense contractor (and vice versa);
  • Any other subcontracts and policies that are needed by the defense contractor;
  • Any information that has been garnered as a result of instant messaging, video conferencing, etc.

The Levels At Which The FCI Is Implemented

In the CMMC, there are, at the present time, five levels of maturity, which were also explored in greater detail in the previous whitepaper. But, with specific regards to the FCI, it impacts only the first two levels which are as follows:

  1. Level One:

This is deemed to be the initial phase, where there is no formal structure yet in place in order to accomplish the work processes that are needed in order to deliver the good or service to the Federal Government. Rather, the approach is Ad Hoc until it is all formalized. These typically can include the first round of meetings, information/data gathering, preliminary analysis requirements, etc.

  1. Level Two:

At this level, the respective workflows and processes needed to fulfill the terms of the DoD contract become more defined. In other words, the ability to track in more detail what is happening can now take place. This also involves the following activities:

    • The tracking of various costing schedules;
    • Workflow scheduling;
    • Defining the functionalities of the established workflows (in other words, defining in further detail the output that is expected, with an emphasis on the FCI related datasets that are to be created when developing the good or service to the Federal Government).


Overall, this article has provided a very high overview into what the FCI is all about. If you have any questions, please contact us today. Remember, the bottom line is that before you can be awarded any sort of CMMC accreditation by the DoD, you must first have the appropriate set of security controls in place and documented.