Applicability of Cybersecurity Requirements
The specific requirements depend on the nature of the federal project and the type of information handled. Key designations include:
- Federal Contract Information (FCI): At a minimum, all vendors must meet CMMC Level 1 (Basic Safeguarding), aligning with FAR 52.204-21.
- Controlled Unclassified Information (CUI): For vendors handling sensitive data (including SBU and FOUO), CMMC Level 2 (aligned with NIST SP 800-171) is required. Some of our projects will require independent third-party certification by a C3PAO.
- Specialized Data: Projects involving the FBI (CJIS) or DOE may require additional security “overlays” beyond the CMMC baseline.
Furthermore, agencies like GSA now require alignment with NIST SP 800-171 Revision 3 for certain new contracts.