FAR 52.204-21 & Federal Contract Information (FCI) Considerations  

The Department of Defense (DoD) states in the CMMC Model Main document that Level 1 organizations "may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1." This makes it appear that Level 1 organizations have no documentation requirements. However, that is actually incorrect when you look at how Level 1 organizations are focused on protecting Federal Contract Information (FCI) and Covered Contractor Information Systems (CCIS).

Federal Acquisition Regulation (FAR) 52.204-21 specifically calls out in section (b)(1) that contractors “shall apply the following basic safeguarding requirements and procedures to protect CCIS” in regards to the fifteen FAR cybersecurity requirements that form the basis for CMMC Level 1 practices. Given the underlying FAR requirements for Level 1 CMMC organizations, FAR 52.204-21(b)(1) calls out the need for:

  • Procedures; and

  • Applying the requirements.


In practical terms, this means in order to comply with FAR 52.204-21, any organization going through a Level 1 CMMC assessment is reasonably expected to have documented policies, standards and procedures that document how the FAR requirements are implemented. Without documented evidence of due care and due diligence, the contractor could be considered negligent and could be within scope for a False Claims Act (FCA) violation.  

   FCI Segmentation Considerations  

In order to properly protect FCI, this CUI Scoping Guide can be used in the same manner. If you want to use this guide to focus on FCI instead of CUI, simply use FCI in place of CUI since the principles apply equally. The reason for this is the data-centric approach that the CUI Scoping Guide uses, so any type of sensitive data could be scoped using this methodology.

Disclaimer: This information is provided for educational purposes only. This website does not render professional services and is not a substitute for professional services. If you have compliance questions, you are encouraged to consult a cybersecurity professional.


© Compliance Forge, LLC (ComplianceForge). All Rights Reserved.

Compliance Forge, LLC (ComplianceForge) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. ComplianceForge does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user.

ComplianceForge reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.