20.04.2024

CMMC : What is FCI, CUI, CTI, DCI, FAR, DFARS and FedRAMP

Here are the key terms you need to master if you must comply with CMMC or NIST 800-171:

DoD (Department of Defense): the U.S. Department of Defense.

FCI (Federal Contract Information): information on U.S. federal contracts (the bidding documents and their contents).

CUI (Controlled Unclassified Information): unclassified information that still requires protection (e.g. diagrams or drawings of parts used on US military equipment). Encryption of this data is mandatory.

DCI (Defense Controlled Information): CUI belonging exclusively to DoD (or that you create exclusively for DoD).

CTI (Controlled Technical Information): the category of DCI that concerns technical drawings owned by DoD. CTI falls within the CUI category.

FAR 52.204-21: basic cybersecurity requirements to protect FCI-type data.

DoD-CIO-00002: requirements for CMMC Level 1 assessment.

DFARS 252.204-7012: security requirements for protecting DoD-owned CUI (or CUI you create for DoD).

FedRAMP: mandatory security certification for Cloud providers that want to be allowed to store US government data.

And finally, if you're a DoD contractor or subcontractor:

Comply with FAR 52.204-21 = obtain CMMC Level 1 certification.

Comply with DFARS 252.204-7012 = obtain CMMC Level 2 certification.

Comply with NIST 800-171 = obtain CMMC Level 2 certification.

If you want to store your CUI in the Cloud, make sure your Cloud provider is FedRAMP certified.