Federal Contract Information (FCI) is defined in FAR 52.204-21 as information provided by or generated for the government under contract but not intended for public release. Under CMMC 2.0, organizations handling FCI must implement FAR 52.204-21 Basic Safeguarding Requirements, ensuring proper protection in processing, storing, and transmitting FCI.
Analyzing the Given Options
The question involves an email system that is used to send FCI to a subcontractor. Let’s break down the possible answers:
A. Manage FCI → Incorrect
Managing FCI involves activities like organizing, storing, and maintaining access to FCI. Sending an email does not fall under management; it is an act of transmission.
B. Process FCI → Incorrect
Processing refers to actively using FCI for operational or analytical purposes, such as analyzing, modifying, or computing data. Simply sending an email does not constitute processing.
C. Transmit FCI → Correct
Transmission refers to the act of sending FCI from one entity to another. Since the contractor is sending FCI via email, this falls under transmitting the data.
[Reference: NIST SP 800-171 Rev. 2, 3.1.3 – "Control CUI (or FCI) by transmitting it using authorized mechanisms.", D. Generate FCI → Incorrect, Generating FCI means creating new contract-related information. The contractor is not creating FCI in this scenario but merely transmitting it., Official References Supporting the Correct Answer, CMMC 2.0 Level 1 Practices (FAR 52.204-21 Basic Safeguarding Controls), 3.1.3: "Control CUI (or FCI) by transmitting it using authorized mechanisms.", This confirms that email transmission falls under "transmitting" FCI, not managing or processing., NIST SP 800-171 Rev. 2 (Protecting CUI in Non-Federal Systems), Requirement 3.13.8: "Implement cryptographic methods to protect CUI when transmitted.", While this applies more to CUI, FCI should also be protected during transmission, confirming that email is a form of transmitting information., Conclusion, Since the contractor is sending FCI via email, the correct answer is C. Transmit FCI. This aligns with CMMC 2.0 Level 1 practices under FAR 52.204-21 and NIST SP 800-171, which emphasize securing transmitted data., , ]
Submit