FAR 52.204-21 & Federal Contract Information (FCI) Considerations
The Department of Defense (DoD) states in the CMMC Model Main document that Level 1 organizations "may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1." Read in isolation, this makes it appear that Level 1 organizations have no documentation requirements. That reading is incorrect once you consider that Level 1 organizations are focused on protecting Federal Contract Information (FCI) and Covered Contractor Information Systems (CCIS).
Federal Acquisition Regulation (FAR) 52.204-21 specifically calls out in section (b)(1) that contractors "shall apply the following basic safeguarding requirements and procedures to protect CCIS" with regard to the fifteen FAR cybersecurity requirements that form the basis for CMMC Level 1 practices. Given the underlying FAR requirements for Level 1 CMMC organizations, FAR 52.204-21(b)(1) calls out the need for:
Applying the requirements.
In practical terms, this means that in order to comply with FAR 52.204-21, any organization going through a Level 1 CMMC assessment is reasonably expected to have written policies, standards and procedures describing how the FAR requirements are implemented. Without documented evidence of due care and due diligence, the contractor could be considered negligent and could be within scope for a False Claims Act (FCA) violation.
FCI Segmentation Considerations
In order to properly protect FCI, this CUI Scoping Guide can be used in the same manner. If you want to use this guide to focus on FCI instead of CUI, simply substitute FCI for CUI, since the principles apply equally. This works because the CUI Scoping Guide takes a data-centric approach, so any type of sensitive data can be scoped using the same methodology.