What is FCI and why does it trigger CMMC Level 1 compliance?
What Is FCI (Federal Contract Information)?
Federal Contract Information, or FCI, is defined by the Federal Acquisition Regulation (FAR) as information provided by or generated for the government under a contract that is not intended for public release. It includes:
Non-public technical documents
Contract performance data
Internal communications related to a federal contract
Government emails or attachments
Even if your company is not handling classified data or Controlled Unclassified Information (CUI), just handling FCI triggers a requirement to be CMMC Level 1 compliant. Below are examples of FCI that requires CMMC Level 1 compliance:
Examples of FCI in Small Contractor Environments:
A prime contractor sends your company a purchase order related to a federal contract
You receive a scope of work (SOW) or performance spec from a federal customer
You email project updates that reference contract details
You log in to a government portal to retrieve contract documents
If your business touches this kind of information — even just to view or store it temporarily — you are responsible for protecting it according to federal cybersecurity standards.
Examples of Project- level FCI:
Detailed design plans
Utility maps
Information related to permitting, environmental regulations, and safety protocols
Technical specifications related to unique building materials or systems used in the project
Specific data related to project milestones, quality control results, and budget management
Cost breakdowns
Project schedules
Federal facility access protocols
Subcontractor information
Specific material specifications
Performance reports
Progress updates
Technical data related to building systems
Financial details of the contract
Any sensitive information regarding the project's unique design features or proprietary technologies used
If you currently or might need a compliant IT system to process FCI, contact us! We can help keep your business moving quickly and affordably.
