In my last column, we discussed the implementation of the CMMC framework. The rule that is enforcing this is the September 2020 DFARS Interim Rule, a compliance requirement that applies to all defense industrial base businesses. The requirement mandates compliance to NIST SP 800-171, and it outlines a phased rollout to the Cybersecurity Maturity Model Certification (CMMC) framework. The rule establishes the requirement for assessment and certification to a CMMC Level prior to a contract award. The rule establishes that the phased rollout ends on September 30, 2025, and all contracts will require CMMC certification prior to award.
The NIST-171 requirement is specifically focused on protecting controlled unclassified information (CUI). The CMMC framework is focused on protecting both federal contract information (FCI) and controlled unclassified information (CUI) -- what CMMC level a company will have to meet will depend on the contract and the type and value of the information. In general, a company will need to meet the information security requirements based on one of five CMMC levels.
For most companies, this will be CMMC Level 1 FCI; depending on the source, this is about 60 to 80 percent of all companies in the defense industrial base. The remaining 40 percent of companies will be Levels two to five, with Levels three to five focused on CUI. CMMC Level 2 is considered a transition level, one that is not qualified for CUI, only FCI. Levels four and five will be considerably less than one percent of the Defense Industrial Base and will be expensive to attain and to maintain.
With most companies falling into CMMC Level 1, it is important to understand what FCI is. But first, it may be good to define what FCI is not; for example, it is not information in the public domain, this is not the contract solicitation language, to include the statement of work, and details in terms of the contract and the goods or services to be delivered. Essentially, this is not the information posted by the government in the request for information, solicitation request, and other public documents. It is not information necessary to process payments, and it will not include information regarding commercial off-the-shelf (COTS) products. However, elements of the contract for COTS items may be FCI. FCI is considered information that is not intended for public release, that is provided by or generated for the government.
Despite that guidance, the question of what specifically is FCI is not straight forward. Unlike CUI, where the onus is on the government to plainly mark all CUI, there is no such requirement for FCI. The recommendation is then to treat all contract information as FCI. This approach would then treat non-FCI as FCI. This broad-brush approach for a sole source government contractor may be a sound one. However, it may not work if there are subcontractors.
At some point in the bid process, there will be a subcontractor to the prime conversation regarding the statement of work. Clearly, if the statement of work is in the solicitation, it is not FCI. However, the details and specifications that are not in the published statement of work matter. This, then, returns to the question: Where does FCI begin and end? There is a school of thought that states all contractors within the defense industrial base need to be certified no matter what they do. Again a broad-brush approach may not work for many subcontractors, especially in construction and manufacturing, defense work is only a part of their business. One would think that a CMMC certification is required only if FCI is passed from the prime to the subcontractor. With most primes using their own contract language in subcontracts and purposely avoiding FCI information, this would be an easy solution.
The interim rule states that on the award, a contractor must be certified to the appropriate CMMC level. Most contractors will be CMMC Level 1, which is focused on FCI. Defining what is specifically FCI is a bit murky because, unlike CUI, it is not explicitly marked; FCI is often best in terms of what it is not. Identifying and protecting FCI may not be an issue for the sole-prime contractor. If there are subcontractors, the difficulty is identifying and protecting FCI since what it is may be unknown. Obviously, the answer rests with the government. That is getting the government to identify what is FCI. Once there is a clear understanding of the contract FCI, avoiding FCI is easier, and the contracting tasks become simpler.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at firstname.lastname@example.org.
This is the fifth column in a five-part series on the CMMC program. Read the other columns here.