Understanding Your FCI Flow: An Executive's Guide to CMMC Level 1 and Protecting Federal Contract Information
If your company does any business with the federal government, even as a subcontractor two or three tiers down, you almost certainly handle Federal Contract Information (FCI). If you handle FCI, you are subject to CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 1. Unlike Level 2, Level 1 does not require a third-party assessment, but it requires an annual self-assessment and an affirmation signed by a senior executive. That signature carries real legal weight under the False Claims Act. Level 1 covers 17 basic safeguarding practices derived from FAR (Federal Acquisition Regulation) clause 52.204-21. These are not advanced security controls; rather, they represent common-sense hygiene measures that any responsible business should already be implementing: lock the doors, use passwords, update the antivirus, and limit who can access information.
The challenging part is not the technology; it is knowing where your FCI actually resides so you can confirm that these foundational practices are in place everywhere the information touches. FCI encompasses any information provided by or generated for the government under a contract that is not intended for public release, including purchase orders, statements of work, specifications, delivery schedules, and proposal correspondence. This article provides a guide through seven key questions to help you map your FCI flow from end to end.
Step 1: How Does FCI Enter Your Company?
The FCI flow begins with various triggers such as an RFQ (Request for Quotation), a purchase order, a contract award, or an email from a prime contractor. Identify every channel through which FCI arrives—this includes email attachments, contracting officer portals (e.g., SAM.gov, PIEE, DIBBS), prime contractor supplier portals, and physical mail.
For example, a small fabrication shop may receive FCI as purchase orders sent via email from a Tier 1 prime contractor, solicitations downloaded from DIBBS, and occasionally paper drawings mailed directly to the front office. It is vital to know who receives the information first and where it lands.
Step 2: Who Touches FCI?
Document every role and person who sees, uses, or routes FCI. This includes estimators, purchasing staff, shop floor supervisors reading work orders, accounting personnel processing invoices, and possibly your IT provider who manages the systems that store it. Include even those who might incidentally come into contact with the data.
In the fabrication shop example, the people who touch FCI might be the owner, two estimators, a purchasing agent, three shop supervisors, one bookkeeper, and an external IT consultant with remote admin access. Every one of these individuals falls within the scope of your Level 1 safeguards, so knowing who they are is essential.
Step 3: What Computers and Systems Touch FCI?
It is essential to inventory all devices and systems that process, store, or transmit FCI, including desktops, laptops, file servers, email systems (such as Microsoft 365), accounting software like QuickBooks, and firewalls. Do not forget shared computers or legacy systems still in use.
For example, your inventory might include five Windows desktops, two laptops, a Synology NAS, Microsoft 365 Business Standard, QuickBooks Online, and various mobile devices. This comprehensive inventory provides a clearer picture of potential vulnerabilities and security needs.
Step 4: Do You Print or Physically Handle FCI?
Paper FCI should not be overlooked. Printed documents, such as purchase orders or invoices, also require protection. If FCI is printed or physically handled, specific protocols must be established to manage access and ensure secure disposal.
An example scenario might involve printed work orders pinned to a bulletin board or stored in an unlocked filing cabinet. Both practices allow unauthorized individuals access to sensitive information, which violates various Level 1 security practices.
Step 5: Where Does FCI Sit at Rest?
FCI is most likely stored in several locations at once: email inboxes, file servers, accounting systems, backups, and local devices. Each of these resting locations must be covered by your Level 1 access-control and protection practices.
Consider the various places FCI might reside: twelve Microsoft 365 mailboxes, a shared folder on a server, a QuickBooks Online account, laptops, and backups on external drives. Identifying these locations is vital for ensuring proper access controls are in place.
Step 6: How Does FCI Leave Your Company?
FCI departs through numerous channels similar to its entry pathways: emails to primes, uploads to supplier portals, invoices through accounting systems, and physical shipments. It can also leave in unexpected manners, such as forwarding email attachments to personal accounts.
For instance, after an order is processed, an owner may mistakenly forward a purchase order to a personal email for printing, an act that undermines Level 1 requirements. This step is crucial for reviewing and tightening security measures around data transmission.
Step 7: How Do You Destroy FCI?
When a contract or document becomes obsolete, FCI must be disposed of in a manner that prevents unauthorized recovery. This does not require the full NIST SP 800-88 media sanitization procedures, but it must actually happen, and both digital and paper materials must be covered by the destruction process.
For example, paper FCI could be shredded with a cross-cut shredder, while old hard drives get wiped or disposed of appropriately. Recordkeeping of destruction activities is recommended for compliance validation.
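The seven questions above produce an inventory; the following script, added here as an example and not part of the original article, records that inventory as data and flags the gaps the article warns about (shared logins, missing MFA, unlocked paper, a missing destruction method, and FCI leaving by email to a personal account). The domain lists, location names and transfers are constructed for the example.

```python
from dataclasses import dataclass
APPROVED_DOMAINS = {"prime.example"}                        # constructed, not from the article
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}  # constructed sample list

@dataclass
class Location:           # where FCI sits at rest (Steps 3-5) and how it is destroyed (Step 7)
    name: str
    kind: str             # "system" or "paper"
    shared_login: bool = False
    mfa: bool = True      # systems only
    locked: bool = True   # paper only
    destruction: str = "" # "" means no disposal method has been defined
@dataclass
class Transfer:           # one way FCI leaves the company (Step 6)
    source: str           # Location.name it came from
    destination: str      # email address or portal name

def check_flow(locations, transfers):
    # Return (where, issue) pairs for the gaps the article warns about.
    findings = []
    for loc in locations:
        if loc.kind == "system" and loc.shared_login:
            findings.append((loc.name, "shared login"))
        if loc.kind == "system" and not loc.mfa:
            findings.append((loc.name, "MFA disabled"))
        if loc.kind == "paper" and not loc.locked:
            findings.append((loc.name, "unlocked paper FCI"))
        if not loc.destruction:
            findings.append((loc.name, "no destruction method"))
    for t in transfers:
        if "@" not in t.destination:   # portal uploads carry no domain to check
            continue
        domain = t.destination.rpartition("@")[2].lower()
        if domain in PERSONAL_DOMAINS:
            findings.append((t.source, f"sent to personal account {t.destination}"))
        elif domain not in APPROVED_DOMAINS:
            findings.append((t.source, f"sent to unapproved domain {domain}"))
    return findings

# Constructed inventory modelled on the article's fabrication-shop scenario.
INVENTORY = [
    Location("M365 mailboxes", "system", mfa=False, destruction="retention purge"),
    Location("NAS shared folder", "system", shared_login=True, destruction="drive wipe"),
    Location("bulletin board work orders", "paper", locked=False),
]
TRANSFERS = [
    Transfer("M365 mailboxes", "po@prime.example"),
    Transfer("M365 mailboxes", "owner.home@gmail.com"),  # forwarded home for printing
    Transfer("NAS shared folder", "PIEE upload"),
]
```

Running `check_flow(INVENTORY, TRANSFERS)` on this inventory yields five findings, one for each gap the article's scenarios describe, and none for the approved prime email or the portal upload.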
What To Do With This Information
Following these seven questions will provide you with a solid foundation to conduct a Level 1 self-assessment against the 17 FAR safeguarding practices. Most small defense suppliers can achieve Level 1 compliance without investing in new technology. It primarily involves enhancing existing practices. Simple improvements might include eliminating shared logins, enabling multi-factor authentication, replacing consumer-grade routers, and establishing clear media disposal routines.
As your work evolves from handling FCI to Controlled Unclassified Information (CUI), your compliance obligations increase significantly. The transition from Level 1 to Level 2 brings the requirement for third-party assessments and adherence to a wide array of additional practices. Thus, the mapping exercise undertaken here serves both as a compliance task and a preparation for future challenges.
FAQs
What is Federal Contract Information (FCI)?
Federal Contract Information (FCI) is any information provided by or generated for the government under a contract that is not intended for public release, including purchase orders and specifications.
What does CMMC Level 1 require?
CMMC Level 1 requires an annual self-assessment and an affirmation signed by a senior executive, covering 17 basic safeguarding practices to ensure security.
How is FCI typically handled and disposed of?
FCI must be securely handled, stored, and disposed of properly to prevent unauthorized access, which includes shredding paper documents and wiping digital media before disposal.