CMMC Compliance 101 for San Diego Businesses

With the ever-increasing importance of cybersecurity in government contracts, Excedeo has established itself as a trusted partner for organizations seeking to achieve compliance with the Cybersecurity Maturity Model Certification (CMMC) framework. By implementing robust cybersecurity measures, Excedeo helps San Diego organizations safeguard sensitive information and fortify their overall cybersecurity. This protection not only ensures compliance but also instills trust among stakeholders, enabling businesses to pursue lucrative government contracts. This makes Excedeo an ideal partner for businesses needing to become CMMC compliant. Let’s take a closer look at CMMC and what it takes for a San Diego business to start on the compliance journey with the help of a trusted IT partner such as Excedeo. 

What Is CMMC?

CMMC (Cybersecurity Maturity Model Certification) is a framework developed by the U.S. Department of Defense (DoD) to ensure that contractors handling Controlled Unclassified Information (CUI) meet specific cybersecurity requirements. CMMC defines different levels of maturity, ranging from Level 1 to Level 5, with increasing security controls at each level. It is important to understand the difference between CUI and FCI: both types of data need to be protected, but CUI is more sensitive than FCI. As a result, CUI requires additional safeguarding, because the loss of CUI data could put national security at risk.

What Is FCI Data, and What Does FCI Stand For in the Military and Government?

FCI (Federal Contract Information): FCI refers to information provided by or generated for the government under a federal contract. This information is not intended for public release and is considered sensitive but unclassified. Examples of FCI include contract-related data, financial information, and personally identifiable information (PII) provided by or generated for the government.

While this information is not as sensitive as CUI, it must still be protected. FCI may be stored in many places such as:

  • emails originating from government addresses
  • systems that store files received from the government
  • hard storage devices
  • workstations
  • manufacturing devices
  • backup systems
  • networks

If your San Diego business has a contract with the DoD, and you are not selling only commercial off-the-shelf (COTS) products or only products under the micro-purchase threshold, you are touching FCI – at a minimum – and your company needs to begin the process of becoming compliant with CMMC Level 1 requirements as soon as possible.

What is CUI?

CUI (Controlled Unclassified Information): CUI refers to unclassified information that requires safeguarding or dissemination controls as mandated by U.S. federal laws, regulations, or government policies. CUI includes information such as export-controlled data, intellectual property, and sensitive information related to defense, law enforcement, or infrastructure. CUI describes the information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. This is information that does not meet the criteria of classified information but needs a level of protection from unauthorized access and release.

Examples of Controlled Unclassified Information

  • Personally Identifiable Information (PII): PII refers to information that can be used to identify an individual, such as social security numbers, driver’s license numbers, passport numbers, or financial account information.
  • Export-Controlled Information: Information that is subject to export control regulations, such as technical data, software, or technologies that have restrictions on their international transfer or release.
  • Intellectual Property: Proprietary information, trade secrets, patents, copyrights, or any other information that is protected by intellectual property laws.
  • Law Enforcement Sensitive Information: Information related to ongoing investigations, intelligence operations, or sensitive law enforcement activities.
  • Privacy Act Information: Information protected by the Privacy Act of 1974, which governs the collection, use, and dissemination of personal information by federal agencies.
  • Protected Health Information (PHI): Health-related information protected under the Health Insurance Portability and Accountability Act (HIPAA), such as medical records, health insurance details, or other individually identifiable health information.
  • Critical Infrastructure Information: Information related to the security and resilience of critical infrastructure sectors, such as energy, transportation, communication, or financial systems.
  • Sensitive Security Information (SSI): Information related to transportation security, including security plans, vulnerability assessments, or sensitive operational details.
  • Controlled Technical Information: Technical data or information that is subject to controls under export control regulations, International Traffic in Arms Regulations (ITAR), or other specific government regulations.
  • For Official Use Only (FOUO) Information: Sensitive but unclassified information that is not intended for public release but does not meet the criteria for classification as classified information.

CMMC Compliance, FCI, and CIU:

Now, let’s address the terms in the context of CMMC compliance:

  • FCI: In the CMMC framework, FCI is not explicitly mentioned as a separate concept. However, certain practices and controls within CMMC levels, particularly Level 3 and above, cover the protection of sensitive but unclassified information, which aligns with the definition of FCI.
  • CIU (Controlled Unclassified Information and Covered Defense Information): CIU is a term used in previous DoD guidelines, primarily associated with DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012, which requires defense contractors to implement specific security controls to protect Covered Defense Information (CDI), a category similar to CUI. CDI encompasses both FCI and other types of unclassified information that the government considers sensitive and subject to safeguarding requirements.

Who Needs CMMC Compliance?

Are you an organization operating with DoD information? Then CMMC certification is required for you. This means any contractor or subcontractor in the DoD supply chain, regardless of whether they interact exclusively with the Department of Defense or not. The Department estimates that over 300,000 organizations will be affected by the CMMC requirements.

It’s important to note that the level of clearance needed depends on the type of information the organization is operating with. If it’s non-classified DoD information, a Level 3 clearance or below may suffice. However, if the information is highly valuable, then a Level 4 clearance or higher will likely be necessary. Of course, classifications are ultimately set by the project, so it’s crucial to stay up-to-date with the latest regulations to avoid any complications.

How Excedeo Can Help You With CMMC Compliance

Looking to navigate the complex world of CMMC compliance but don’t know where to start? Look no further than Excedeo! Our team of experienced professionals can help you understand the regulations, conduct an audit of your existing security measures, and guide you through the entire certification process. 

Excedeo’s CMMC Expertise:

  • In-Depth Knowledge: Excedeo boasts a team of seasoned professionals with comprehensive knowledge of CMMC requirements and best practices. They stay up to date with the latest updates and guidelines, enabling them to provide accurate guidance to clients seeking compliance.
  • Tailored Assessments: Excedeo understands that each organization has unique needs and challenges. They conduct thorough assessments to identify the existing security posture, identify gaps, and develop tailored strategies to achieve the desired CMMC level. This approach ensures that clients receive personalized recommendations and solutions aligned with their specific requirements.
  • Compliance Roadmap: Excedeo creates a well-defined compliance roadmap that outlines the necessary steps to achieve CMMC certification. Their experts work closely with clients to establish a clear understanding of the compliance process, breaking it down into manageable phases for streamlined implementation.
  • Technical Implementation: Excedeo’s technical prowess allows them to implement the required security controls and practices outlined in the CMMC framework. From network security enhancements to access control measures and data encryption, Excedeo’s team leverages their expertise to strengthen the client’s cybersecurity infrastructure.
  • Ongoing Support: Achieving CMMC compliance is not a one-time task; it requires continuous effort and maintenance. Excedeo offers ongoing support, monitoring, and maintenance services to ensure that clients remain compliant with evolving regulations and security standards. This proactive approach helps organizations mitigate risks and respond effectively to emerging cyber threats.

Don’t let CMMC compliance hold you back from pursuing government contracts and dealing with sensitive information. Whether the information your company handles falls in the FCI or CIU category, we can help. Contact us today to learn how we can help you become CMMC compliant and take your business to the next level.