Federal Contract Information (FCI) is defined inFAR 52.204-21as information provided by or generated for the government under contract but not intended for public release. UnderCMMC 2.0, organizations handling FCI must implementFAR 52.204-21 Basic Safeguarding Requirements, ensuring proper protection inprocessing, storing, and transmittingFCI.
Analyzing the Given OptionsThe question involves an email system that is used tosendFCI to a subcontractor. Let’s break down the possible answers:
A. Manage FCI→ Incorrect
Managing FCI involves activities like organizing, storing, and maintaining access to FCI. Sending an email does not fall under management; it is an act of transmission.
B. Process FCI→ Incorrect
Processing refers to actively using FCI for operational or analytical purposes, such as analyzing, modifying, or computing data. Simply sending an email does not constitute processing.
C. Transmit FCI→ Correct
Transmission refers to the act of sending FCI from one entity to another. Since the contractor issendingFCI via email, this falls undertransmittingthe data.
[Reference:NIST SP 800-171 Rev. 2, 3.1.3– "Control CUI (or FCI) by transmitting it using authorized mechanisms.", D. Generate FCI→ Incorrect, Generating FCI means creating new contract-related information. The contractor is not creating FCI in this scenario but merely transmitting it., Official References Supporting the Correct AnswerCMMC 2.0 Level 1 Practices (FAR 52.204-21 Basic Safeguarding Controls), 3.1.3: "Control CUI (or FCI) by transmitting it using authorized mechanisms.", This confirms that email transmission falls under"transmitting" FCI, not managing or processing., NIST SP 800-171 Rev. 2 (Protecting CUI in Non-Federal Systems), Requirement 3.13.8: "Implement cryptographic methods to protect CUI when transmitted.", While this applies more to CUI, FCI should also be protected during transmission, confirming that email is a form oftransmittinginformation., ConclusionSince the contractor issendingFCI via email, the correct answer isC. Transmit FCI.This aligns withCMMC 2.0 Level 1practices underFAR 52.204-21andNIST SP 800-171, which emphasize securing transmitted data., , , ]
