🎯 CMMC 2.0 Program Overview
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for verifying that defense contractors and subcontractors adequately protect the sensitive, unclassified government information (FCI and CUI) that they store, process, or transmit on their own systems.
CMMC 2.0 Levels
- Level 1 (Foundational): Protects Federal Contract Information (FCI)
- Level 2 (Advanced): Protects Controlled Unclassified Information (CUI)
- Level 3 (Expert): Enhanced CUI protection for critical programs
🎯 Learning Objectives
By completing this training, you will be able to:
- Define and identify Federal Contract Information (FCI)
- Understand Controlled Unclassified Information (CUI) and its categories
- Recognize the importance of protecting both FCI and CUI
- Apply appropriate security controls based on information type
- Understand who determines CUI tracking and classification
📄 Federal Contract Information (FCI)
📝 Definition
Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.
Note: FCI does NOT include information provided by the Government to the public (such as public websites) or simple transactional information (like payment processing).
🎯 Purpose & Importance
FCI matters in government contracting because it:
- Decision Making: Supports government planning and execution of the contracted work
- Contract Management: Enables proper oversight and performance tracking
- Resource Allocation: Facilitates efficient use of government resources
- Security Baseline: Is the broadest category of non-public contract information, so its safeguarding requirements are the minimum protection floor every contractor must meet
🛡️ Security Requirements
FCI must be protected according to:
- CMMC Level 1: The 15 basic safeguarding requirements drawn from FAR 52.204-21 (earlier CMMC material counted these as 17 practices)
- FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems, the contract clause that imposes those requirements
- Annual Self-Assessment: Contractors assess their own compliance each year and affirm the result; no third-party certification is required at Level 1
📋 Common FCI Examples
📊 Performance Reports
Contract performance reports, status updates, deliverable documentation
🏢 Organizational Data
Organizational charts, personnel assignments, team structures
📋 Process Documentation
Project plans, workflow procedures, implementation guides
💼 Proposal Materials
Proposal responses, bid documentation, RFP responses
📦 Transaction Records
Delivery orders, purchase orders, invoices (beyond payment processing)
📧 Communications
Email exchanges about contract work, meeting minutes, correspondence
🔒 Controlled Unclassified Information (CUI)
📝 Definition
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
🎯 Purpose & Importance
CUI protection is critical because:
- National Security: Protects information that is unclassified but still sensitive enough that a law, regulation, or Government-wide policy restricts its handling
- Privacy Protection: Safeguards personal information about individuals and proprietary information about companies
- Critical Infrastructure: Secures information about vital systems and their vulnerabilities
- Technical Advantage: Keeps controlled technical data and export-controlled technology out of the hands of adversaries and unauthorized recipients
🔄 Types of CUI
CUI Basic
The default type. Handled under the uniform safeguarding and dissemination controls of 32 CFR Part 2002; in nonfederal systems it is protected by the NIST SP 800-171 requirements.
CUI Specified
The underlying law, regulation, or Government-wide policy itself prescribes specific handling or dissemination controls that go beyond, or differ from, the CUI Basic baseline. The CUI Registry identifies which categories are Specified and what the extra requirements are.
🛡️ Security Requirements
CUI must be protected according to:
- NIST SP 800-171 (Rev. 2): The 110 security requirements for protecting CUI in nonfederal systems that CMMC Level 2 assesses against
- CMMC Level 2: Assessment against all 110 requirements; most Level 2 contracts require a third-party assessment, while a subset permit self-assessment
- Third-Party Assessment: Performed by a CMMC Third-Party Assessment Organization (C3PAO) every three years, with an annual affirmation in between
- DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting, the DoD contract clause that mandates NIST SP 800-171 and rapid (72-hour) reporting of cyber incidents
📚 CUI Categories
NARA's CUI Registry currently lists roughly 125 CUI categories organized into 20 index groupings (for example Defense, Export Control, Privacy, and Law Enforcement). Each category entry names the authority behind it and whether it is CUI Basic or CUI Specified.
👥 Who Determines CUI Tracking?
Designation happens at the source: the federal agency that creates the information, or for which a contractor creates it, decides whether a law, regulation, or Government-wide policy makes it CUI and marks it accordingly. Contractors apply the handling and marking rules their contract and the Registry prescribe; they do not create categories or designate information as CUI on their own authority. Government-wide, the National Archives and Records Administration (NARA), acting through its Information Security Oversight Office (ISOO), serves as the Executive Agent for the CUI Program and:
- 🏛️ Manages the CUI Registry: Official repository of all CUI categories and requirements
- 📋 Issues CUI Policy: Develops and publishes government-wide CUI guidance
- 👁️ Provides Oversight: Monitors agency compliance with CUI requirements
- 📝 Updates Categories: Maintains and updates the list of CUI categories as laws change
- 🔍 Ensures Consistency: Standardizes CUI handling across all federal agencies
📋 Common CUI Examples
🛡️ Technical Data
Controlled Technical Information (CTI), blueprints, specifications, source code
🌐 Export Controlled
ITAR controlled items, EAR regulated technology, dual-use technologies
👤 Personal Information
PII under Privacy Act, health records, personnel files
👮 Law Enforcement
Investigation records, operational plans, sensitive activities
🏭 Infrastructure
Critical infrastructure information, vulnerability assessments
💰 Financial
Procurement sensitive information, banking data, financial records
🧠 Knowledge Assessment
⚙️ Practical Exercise: Information Classification
🎯 Exercise Instructions
Assign each information type from the examples above to the correct category. This practices identifying FCI vs. CUI in real-world scenarios. A useful test: if the information is non-public and contract-related but no law, regulation, or Government-wide policy requires special handling, it is FCI; if one does (for example ITAR, the Privacy Act, or the DoD rules for controlled technical information), it is CUI. Note that Level 2 includes all of the Level 1 requirements, so a system that holds CUI must satisfy both sets.
The two target categories:
📄 FCI (Federal Contract Information)
CMMC Level 1 • FAR 52.204-21
🔒 CUI (Controlled Unclassified Information)
CMMC Level 2+ • NIST SP 800-171