Course 8
Cybersecurity, FCI, CUI, and CMMC
Teaches users when cybersecurity, federal information, CUI, DFARS, and CMMC requirements become real contract obligations and bid/no-bid issues.
What This Course Helps You Do
- Understand FCI vs CUI.
- Recognize FAR basic safeguarding requirements.
- Identify DoD/DFARS/CMMC red flags.
- Map data, systems, cloud tools, and subcontractor flow-downs.
- Know when expert help is needed.
Module 1: Cyber as Contract Requirement
2 lessons
Lesson 1
Cyber Is Not Just IT
Cyber requirements can apply whenever federal information touches contractor systems: email, cloud storage, laptops, phones, project tools, accounting, backups, or subcontractor portals.
Lesson 2
Cyber as Bid/No-Bid
CMMC, CUI, DFARS 252.204-7012, NIST SP 800-171, SPRS, SSP, POA&M, incident reporting, and secure cloud requirements can affect eligibility, cost, and timeline.
Module 2: FCI and CUI
3 lessons
Lesson 1
Federal Contract Information
FCI is nonpublic information related to a federal contract. FAR basic safeguarding may apply when FCI resides in or transits through contractor systems.
Lesson 2
Controlled Unclassified Information
CUI is unclassified information requiring safeguarding or dissemination controls. It often triggers stronger obligations, especially in DoD contexts.
Lesson 3
FCI vs CUI
FCI is nonpublic federal contract information; CUI is controlled information with higher handling requirements. Contractors should identify what information they receive, create, store, transmit, and share.
Module 3: FAR and DoD Cyber
4 lessons
Lesson 1
FAR 52.204-21
Basic safeguarding requires controls such as authorized access, user identification/authentication, limiting public access, media sanitization, physical access control, malicious-code protection, and scans.
Lesson 2
DFARS 252.204-7012
DoD contracts involving covered defense information may require safeguarding, cyber incident reporting, media preservation, malicious software submission, and subcontractor flow-downs.
Lesson 3
NIST SP 800-171, SSP, and POA&M
NIST SP 800-171 requirements support CUI protection. An SSP describes the system and implemented controls. A POA&M tracks gaps and remediation, but it is not a substitute for compliance.
Lesson 4
CMMC
CMMC is DoD's framework for assessing contractor cybersecurity protections. Level and status requirements depend on the solicitation and phased implementation rules.
Module 4: Systems, Incidents, and Subcontractors
3 lessons
Lesson 1
Cloud, Email, and Data Map
Identify where FCI/CUI lives: email, attachments, drives, laptops, phones, project tools, backups, printers, paper files, and subcontractor systems. Review whether tools are appropriate for the data type.
Lesson 2
Incident Response
Cyber incidents may include unauthorized access, stolen laptops, ransomware, phishing, accidental public sharing, or compromised accounts. Contracts may require rapid reporting and evidence preservation.
Lesson 3
Subcontractor Cyber Flow-Down
Before sharing federal information, determine whether the subcontractor receives FCI/CUI, what clauses flow down, required CMMC status, secure sharing method, incident reporting, lower-tier subs, and data destruction/return.
Final Exercise
- Search a solicitation for cyber clauses.
- Identify FCI/CUI likelihood.
- Map systems and subs.
- Assess compliance gaps and bid/no-bid risk.
Final Takeaway
Cyber requirements can be manageable, but they can also be hard gates. Know the difference before bidding.