Buckle up, this is a long one…
First, a disclaimer:
This blog post does not constitute CUI guidance. This post is solely an effort to provide helpful information and context.
Then on to some definitions!
Federal contract information (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Controlled Unclassified Information (from 32 CFR 2002.4) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify. [emphasis added]
When we look at both of these definitions, we find some similarities as well as a very important distinction. Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. But, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding.
In short: All CUI in possession of a Government contractor is FCI, but not all FCI is CUI.
So, what does this mean for safeguarding in a non-federal system?
Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.
Non-federal systems that store, process, or transmit CUI are required to meet any additional safeguarding requirements identified in the contract. As agencies implement the CUI program and incorporate the standards of this program into their contracts and agreements, the NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).
Will we see a movement away from FCI and towards CUI//SP-PROCURE as described at https://www.archives.gov/cui/registry/category-detail/procurement-acquisition.html? It seems like that is the same type of data that falls under FCI now.
Most likely not.
It is important to understand that the descriptions of categories on the CUI registry are general and are not prescriptive. To determine the information that is authorized for protection under a category of CUI one must look to the Safeguarding and/or Dissemination Authorities listed under the category.
If you read the authorities listed under the General Procurement and Acquisition category you will see that this category of information mostly relates to information provided to the government as part of the contracting / award process and would only be considered CUI once the government has received it as part of this process. This is pretty different from the definition of FCI which mentions information that is “provided by or generated for the Government under a contract to develop or deliver a product or service to the Government”.
In other words, FCI is more about what the government gives to you as part of the contract or what you create for them under the contract, while CUI protected under the General Procurement and Acquisition category is mostly proprietary information and sensitive information that is provided to the government and protected throughout the contracting/award process.
If you right-click and select “open image in new tab” you should be able to save the image from there.