Understanding Your FCI Flow
An Executive's Guide to CMMC 2.0 Level 1 and Protecting Federal Contract Information
Why This Matters to You
If your company does any business with the federal government — even as a subcontractor two or three tiers down — you almost certainly handle Federal Contract Information (FCI). And if you handle FCI, you are subject to CMMC 2.0 Level 1. Unlike Level 2, Level 1 does not require a third-party assessment, but it does require an annual self-assessment and an affirmation signed by a senior executive. That signature carries real legal weight under the False Claims Act.
Level 1 covers 17 basic safeguarding practices drawn from FAR clause 52.204-21. These are not advanced security controls. They are the common-sense hygiene measures that any responsible business should already be doing: lock the doors, use passwords, update the antivirus, limit who can see what. The hard part is not the technology — it is knowing where your FCI actually lives so you can confirm those basics are in place everywhere it touches.
FCI is broader than most executives realize. It is any information provided by or generated for the government under a contract that is not intended for public release. Purchase orders, statements of work, specifications, delivery schedules, and proposal correspondence are all FCI. You do not need a classified contract or a CUI marking to be in scope — you only need a federal contract. This article walks you through seven questions that will help you map your FCI flow from end to end.
Step 1: How Does FCI Enter Your Company?
Every FCI flow starts with a trigger: an RFQ, a purchase order, a contract award, an email from a prime contractor. Identify every way FCI arrives — email attachments, contracting officer portals (SAM.gov, PIEE, DIBBS), prime contractor supplier portals, and physical mail. Know who receives it first and where it lands.
Example: A small fabrication shop receives FCI as purchase orders emailed from a Tier 1 prime, as solicitations downloaded from DIBBS, and occasionally as paper drawings mailed to the front office. Two estimators and the owner are the first recipients.
Why it matters: Level 1 practice AC.L1-3.1.1 requires that you limit system access to authorized users. You cannot limit access you have not mapped. Knowing every entry point is the first step in ensuring only the right people see FCI as it arrives.
Step 2: Who Touches FCI?
List every role and person who sees, uses, or routes FCI. This includes estimators, purchasing staff, shop floor supervisors reading work orders, accounting staff processing invoices, and your IT provider or MSP who administers the systems storing it. It also includes family members or part-time help if the owner routinely forwards emails to them.
Example: The owner, two estimators, one purchasing agent, three shop supervisors who receive printed work orders, one bookkeeper, and an external IT consultant with remote admin access. Twelve people, including one who does not even work at the company full time.
Why it matters: Level 1 requires you to identify users and authenticate them (IA.L1-3.5.1 and 3.5.2) and to limit access to authorized users (AC.L1-3.1.1 and 3.1.2). Shared logins, generic 'shop floor' accounts, and giving the bookkeeper the same password as the owner are the most common Level 1 failures — and all of them stem from not knowing who really touches the data.
Step 3: What Computers and Systems Touch FCI?
Inventory every device and system that processes, stores, or transmits FCI: desktops, laptops, the file server or NAS, email (often Microsoft 365 or Google Workspace), accounting software like QuickBooks, the firewall, wireless access points, and any mobile device used to check work email. Do not forget the shop PC that everyone shares or the old Windows machine that still runs a critical application.
Example: Five Windows desktops, two laptops, a Synology NAS, Microsoft 365 Business Standard, QuickBooks Online, a Netgear firewall/router, and three employee phones with company email. One legacy Windows 10 machine still runs the CNC programming software.
Why it matters: Level 1 requires you to control connections to external systems (AC.L1-3.1.20), use boundary protection like firewalls (SC.L1-3.13.1), and keep antimalware current (SI.L1-3.14.2, 3.14.4, 3.14.5). Unsupported operating systems and consumer-grade networking equipment are where small businesses fail their self-assessment — and the only way to catch them is a complete inventory.
Step 4: Do You Print or Physically Handle FCI?
Paper FCI is still FCI. Printed purchase orders pinned to a shop wall, printed drawings handed to a welder, printed invoices in a filing cabinet — all are in scope. So are the printers themselves, many of which store copies on internal hard drives.
Example: A shared HP printer in the front office prints POs and drawings. Work orders are posted on a shop bulletin board visible to every employee and visitor who walks through the shop. Completed paperwork goes into an unlocked filing cabinet in the hallway.
Why it matters: Level 1 requires that you limit physical access to authorized individuals (PE.L1-3.10.1), escort visitors (PE.L1-3.10.3), and control physical access devices like keys and badges (PE.L1-3.10.5). A bulletin board in an unescorted shop and an unlocked filing cabinet in a common area are direct findings against these practices.
Step 5: Where Does FCI Sit at Rest?
FCI spends most of its life sitting still: in email inboxes, on the file server, in the accounting system, in backups, on laptop hard drives, and sometimes on USB drives stuffed in a desk drawer. Every one of those resting places is part of your Level 1 scope.
Example: FCI lives in 12 Microsoft 365 mailboxes, in a \\SERVER\Jobs file share, in QuickBooks Online, on two laptops used by estimators working from home, in nightly backups stored on an external drive, and on an unknown number of personal USB drives.
Why it matters: Level 1 requires you to limit access to authorized users (AC.L1-3.1.1), control information posted on publicly accessible systems (AC.L1-3.1.22), and identify, report, and correct flaws in systems in a timely manner (SI.L1-3.14.1). You cannot protect what you have not located, and personal USB drives are the quintessential blind spot.
Step 6: How Does FCI Leave Your Company?
FCI leaves through the same channels it enters: email to the prime, uploads to a supplier portal, invoices through the accounting system, and physical shipments with accompanying paperwork. It also leaves in ways you may not think of — forwarded to a personal Gmail account so someone can work at home, attached to a quote sent to a subcontractor, or printed and handed to a delivery driver.
Example: Quotes and acknowledgments are emailed back to the prime from company accounts. Invoices are submitted through WAWF. Packing slips accompany shipments. On two occasions, the owner forwarded a PO to a personal Gmail to print at home over the weekend.
Why it matters: Level 1 requires that connections to external systems be controlled (AC.L1-3.1.20) and that information posted or processed on publicly accessible systems be controlled (AC.L1-3.1.22). Personal email accounts and unapproved cloud storage are the exact kind of 'external system' the practice is written to prevent.
Step 7: How Do You Destroy FCI?
When a contract ends or a document is no longer needed, FCI must be disposed of in a way that prevents unauthorized recovery. For Level 1 this does not require NIST 800-88 Purge procedures or witnessed destruction logs, but it does require that the destruction actually happen and that paper and digital media be treated with the same care.
Example: Paper FCI is shredded in a cross-cut office shredder when jobs close out. Old hard drives are given to the IT consultant, who wipes them before reuse or disposal. The owner keeps a simple notebook log of any drives sent out for disposal.
Why it matters: Level 1 requires you to sanitize or destroy information system media before disposal or release for reuse (MP.L1-3.8.3). 'I threw the old laptop in the dumpster' is not destruction, and neither is a quick format of a hard drive. A basic, consistent routine is all that is required — but it must exist.
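As an added illustration (not part of the original article), the following Python sketch turns the seven-step map into a self-assessment worksheet: each node in the FCI flow is tagged with the conditions the article calls out, and a small rule table maps those conditions to the Level 1 practice the corresponding "Why it matters" note cites. The inventory, the flag names and the rule-to-practice mapping are constructed for the fabrication shop example and are my simplification, not an official CMMC tool.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One place FCI enters, sits, moves through or leaves the company."""
    name: str
    stage: str                       # entry | person | system | physical | rest | exit | disposal
    flags: set = field(default_factory=set)   # conditions observed during the walkthrough

# (stage, triggering flag, Level 1 practice cited in the article, finding text)
# Mapping follows the article's "Why it matters" notes; it is an assumption, not the official crosswalk.
RULES = [
    ("person",   "shared_login",     "IA.L1-3.5.1",  "shared or generic account; users cannot be identified"),
    ("system",   "unsupported_os",   "SI.L1-3.14.1", "unsupported OS can no longer receive flaw fixes"),
    ("system",   "consumer_grade",   "SC.L1-3.13.1", "consumer-grade device at the network boundary"),
    ("physical", "unlocked",         "PE.L1-3.10.1", "paper FCI reachable by unauthorized individuals"),
    ("rest",     "unmanaged_media",  "AC.L1-3.1.1",  "FCI at rest on media the company has not located"),
    ("exit",     "personal_account", "AC.L1-3.1.20", "FCI sent to an uncontrolled external system"),
    ("disposal", "not_sanitized",    "MP.L1-3.8.3",  "media released without sanitization"),
]

def assess(flow):
    """Walk the mapped flow and return (node name, practice, finding) for every rule that fires."""
    findings = []
    for node in flow:
        for stage, flag, practice, text in RULES:
            if node.stage == stage and flag in node.flags:
                findings.append((node.name, practice, text))
    return findings

def practices_hit(findings):
    """Sorted, de-duplicated list of Level 1 practices with at least one finding."""
    return sorted({practice for _, practice, _ in findings})

# Constructed inventory for the fabrication shop described in the article.
SHOP_FLOW = [
    Node("email from Tier 1 prime", "entry"),
    Node("DIBBS downloads", "entry"),
    Node("owner", "person"),
    Node("shop floor account", "person", {"shared_login"}),
    Node("legacy Windows 10 CNC PC", "system", {"unsupported_os"}),
    Node("Netgear firewall/router", "system", {"consumer_grade"}),
    Node("Synology NAS", "system"),
    Node("shop bulletin board", "physical", {"unlocked"}),
    Node("hallway filing cabinet", "physical", {"unlocked"}),
    Node(r"\\SERVER\Jobs share", "rest"),
    Node("personal USB drives", "rest", {"unmanaged_media"}),
    Node("PO forwarded to personal Gmail", "exit", {"personal_account"}),
    Node("old drives wiped by IT consultant", "disposal"),
]

if __name__ == "__main__":
    for name, practice, text in assess(SHOP_FLOW):
        print(f"{practice}  {name}: {text}")
```

Each finding points back to a single flow node, which is the list an owner needs before the annual self-assessment: fix the node, re-run the walkthrough, and the practice drops off the list.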
What To Do With This Information
Once you have answered these seven questions, you are in a position to perform an honest Level 1 self-assessment against the 17 FAR safeguarding practices and to sign the annual affirmation in the Supplier Performance Risk System (SPRS) with confidence. Most small defense suppliers can complete Level 1 compliance without buying new technology — it is overwhelmingly a matter of tightening up practices you already have in place.
Typical quick wins include eliminating shared logins, enabling multi-factor authentication on email, replacing consumer routers with business-grade firewalls, retiring unsupported operating systems, locking up printed work orders, and writing down a simple media disposal routine. None of these require a large budget. All of them require executive attention.
One final caution: if your work ever expands from FCI into Controlled Unclassified Information (CUI), your obligations jump from Level 1 to Level 2, from 17 practices to 110, and from self-assessment to third-party assessment. The seven-step mapping exercise you just completed is the same exercise you will use for CUI when the time comes — so think of this as both a compliance task and a foundation for whatever comes next.