3 Levels of CMMC Certification
The Cybersecurity Maturity Model Certification (CMMC) Program and model consist of 3 levels of certification designed to enforce the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Government contractors will have to determine which level of certification is needed based on the contracts they’re involved in. Below bullet points further describe the differences between FCI and CUI. Below the bullet points is a CMMC Certificate Path and if you remember old school PC’s it done in “Leading Edge Model D” Green and Amber screens.
- Federal Contract Information (FCI): As defined in section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
- Controlled Unclassified Information (CUI): As outlined in Title 32 CFR 2002.4(h), CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” For more information regarding specific CUI categories and subcategories, see the DoW CUI Registry website.
