CMMC : What is FCI, CUI, CTI, DCI, FAR, DFARS and FedRAMP

Here are the key terms you need to master if you have to comply with CMMC or NIST 800-171:

👉 DoD (Department of Defense): the U.S. Department of Defense.

👉 FCI (Federal Contract Information): information on U.S. federal contracts (the bidding documents and their contents).

👉 CUI (Controlled Unclassified Information): sensitive but unclassified information (e.g. diagrams or drawings of parts used on U.S. military equipment). Encryption of this data is mandatory.

👉 DCI (Defense Controlled Information): CUI belonging exclusively to DoD (or that you create exclusively for DoD).

👉 CTI (Controlled Technical Information): the category of DCI that covers technical drawings owned by DoD. CTI is a subset of CUI.

👉 FAR 52.204-21: basic cybersecurity requirements to protect FCI-type data.

👉 DoD-CIO-00002: requirements for the CMMC Level 1 assessment.

👉 DFARS 252.204-7012: security requirements for protecting DoD-owned CUI (or CUI you create for DoD).

👉 FedRAMP: mandatory security certification for cloud providers that want to store U.S. government data.

And finally, if you're a DoD contractor or subcontractor:

👉 Comply with FAR 52.204-21 = obtain CMMC Level 1 certification.

👉 Comply with DFARS 252.204-7012 = obtain CMMC Level 2 certification.

👉 Comply with NIST 800-171 = obtain CMMC Level 2 certification.

👉 If you want to store your CUI in the cloud, make sure your cloud provider is FedRAMP certified.