Federal Contract Information FAQ

What is Federal Contract Information (FCI)?

Per 48 CFR § 52.204-21:

Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.

More specifically, FCI is most commonly (but not exclusively) found within projects that are covered by the Cybersecurity Maturity Model Certification (CMMC) program with the Department of Defense. More information can be found here: https://dodcio.defense.gov/cmmc/About/

How will I know if a contract is FCI?

Contracts will be considered FCI when the contract states that it is covered by 48 CFR § 52.204-21, CMMC L1, and/or DFARS 252.204-7012.

There are some exceptions to this. If you are unsure, feel free to contact the RCSP-team.

Can I print FCI?

We discourage printing FCI as printers can cause complications with our compliance.

If you need to have a physical copy of the FCI, store it within a locked container when not in use. Additionally, it must not be visible while unauthorized people are present, either by covering the document temporarily or by storing it in a container. Once the document is no longer needed, put it in one of the shred boxes available.

Where can I work with FCI?

Please see verified locations for more detail.

In general, FCI can be handled while on campus if the space meets these requirements:

  1. The door is kept locked unless authorized employees are present
  2. External visibility into the space is limited so that only low risk information is visible
    1. Example: the screen on which in-scope data is viewed is kept facing away from windows, except when the windows are covered by blinds.
  3. Visitor sign-in sheet is kept for 3 years
    1. A template visitor sign-in sheet from OIT is attached to this article, if desired.

Off-campus spaces may be used when the space is a private location that meets the requirements defined in The University's Physical Protection standards section 4.

What applications or storage can I use with FCI?

  • University employee email (when used with only Microsoft applications)
  • University OneDrive and SharePoint (Storage.uidaho.edu) when used from an OIT-managed computer
  • OIT-managed SMB drive (S:)
  • TeamDynamix (TDX)
  • VERAS (veras.uidaho.edu)

Any local-only software installed on an OIT university-managed workstation may also be used.

Applications that house FCI must meet certain compliance requirements and these are the only tools verified by the RCSP team as suitable for FCI.

What are the supplemental terms for FCI users?

The terms are applied to individuals who have been identified as handling FCI. If you are seeing these terms but do not handle FCI to your knowledge, please contact the RCSP-team.

The terms are as follows:

You have been identified as someone with access to Federal Contract Information (FCI). To help comply with federal requirements for handling FCI, please ensure that you are storing, processing, and transmitting FCI in appropriate locations (university-managed computers, university-managed employee email while using Outlook or Outlook web, Shared drive, TeamDynamix, OneDrive/SharePoint and VERAS). If you upload the FCI to OneDrive or a SharePoint location (storage.uidaho.edu), review the permissions assigned to that location to ensure it is not shared with individuals without a need to know. Always double check who you are sharing FCI with even when using appropriate locations. You will be required to use a university-managed computer when accessing systems where FCI is, including your email, Teams, and OneDrive/SharePoint. When accessing FCI, be sure your screen is private and not visible to others who are not authorized for the FCI. If you have physical copies of FCI, store them within a locked container and put the document in one of the shred boxes available on campus when it is no longer needed.
Please take note of University of Idaho Standards which apply everywhere that FCI related to the University of Idaho is stored, processed, or transmitted.
More information on FCI at the university can be found at: Federal Contract Information FAQ
As always, if you notice any suspicious activity such as strange MFA requests, phishing emails, or anything that is unusual, report it immediately to security@uidaho.edu.