Understanding Public Information, FCI, CUI, CDI, and CTI
Hello there! If you’re involved in government contracting or work with the Department of Defense (DoD), you’ve likely encountered a slew of acronyms—FCI, CUI, CDI, CTI—each representing different types of information that require varying levels of protection. We, at SMPL-C, are here to help you understand these terms and guide you on how to identify them within your organization. So let’s dive into this alphabet soup together!
Public Information: The Open Book
Public information is the easiest to understand. It’s any information that is not exempt from public disclosure. This includes information that an agency is required to disclose under the Freedom of Information Act (FOIA) or information which an agency has published or is required to make available to the public. Examples include press releases, job postings, and published research.
Federal Contract Information (FCI): The First Layer of Sensitivity
Defined in FAR 52.204-21, FCI refers to information, not intended for public release, that is provided by or generated for the Government under a contract. It’s not classified, but it’s not something you’d post on your company’s bulletin board either. FCI examples include internal emails about a government contract, contract specifications, or schedules that aren’t meant to be public knowledge.
Controlled Unclassified Information (CUI): A Step Up in Confidentiality
CUI is a category of sensitive information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies. Established by Executive Order 13556 and further delineated in DFARS 252.204-7012 and the CMMC framework, CUI is not classified but is still important enough to warrant protection. Examples of CUI might include technical drawings, blueprints, or other documents marked with CUI indicators that relate to national security interests.
Covered Defense Information (CDI): Tailored for Defense
CDI is a subset of CUI specific to DoD contracts. Defined in DFARS 252.204-7012, it encompasses unclassified controlled technical information or other information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies. CDI examples could be detailed manufacturing information for military equipment or operational plans.
Controlled Technical Information (CTI): The Specifics Matter
CTI refers to technical data or computer software with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Essentially, CTI is a type of CDI with a focus on the technical aspects that are critical to military or space applications.
Identifying the Types of Information: A How-To Guide
Identifying which type of information you’re handling can be challenging but is crucial for compliance and security. Here are some steps you can take:
1. Educate Your Team: Ensure everyone who handles sensitive information understands the different categories and their significance. Some important links:
- The CUI Registry – https://www.archives.gov/cui
- CUI Program Blog by the Information Security Oversight Office (ISOO) – https://isoo.blogs.archives.gov/2020/06/19/%E2%80%8Bfci-and-cui-what-is-the-difference/
- Federal Acquisition Regulation (FAR) 52.204-21 – https://www.acquisition.gov/far/52.204-21
- Federal Register documentation – https://www.federalregister.gov/documents/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems
2. Review Documentation: Look for markings that indicate the sensitivity level of the document. For example, CUI should be marked accordingly.
3. Understand the Context: Consider the nature of your work with government agencies. What kind of information are you handling? Where did it come from?
4. Consult Regulations: When in doubt, refer to the FAR, DFARS, and CMMC guidelines for definitions and handling procedures.
5. Engage your Contracting Officer (CO): Your CO can provide the customized guidance and clarification needed to navigate the complexities of CDI, CTI, and CUI responsibilities.
6. Work with a CMMC Specialist: A CCA (Certified CMMC Assessor) or CCP (Certified CMMC Professional) can provide tailored advice and help ensure your compliance. SMPL-C can also help expedite this.
Remember that mismanaging any of these types of information can lead to serious consequences for your organization and national security. As we progress towards a more secure digital future in government contracting, understanding these categories is more important than ever.
I hope this guide has been helpful in clarifying these critical terms. If you have further questions or need assistance with your cybersecurity posture related to handling sensitive government information, don’t hesitate to reach out to us.
Stay secure and compliant!