Slack Archived
This page is a long-term preservation of some of the conversations from the HigherEdCUI Slack site beyond its 90-day deletion policy.
FCI vs Fundamental Research (FR) - Legal
Community Member: How are folks interpreting fundamental research designations within DoD contracts and CMMC Level1?
FCI is defined as: "Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments."
Fundamental Research (FR) "'Fundamental research' means basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, as distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons."
Community Member Responses citing official documentation:
Defense Acquisition Regulations System 48 CFR Parts 204, 212, 217, and 252 | [Docket DARS–2020–0034] | RIN 0750–AK81 | https://www.govinfo.gov/content/pkg/FR-2024-08-15/pdf/2024-18110.pdf#
Fundamental Research Comment: Many respondents commented that clarification is needed regarding whether CMMC applies to fundamental research.
Response: Fundamental research, as defined in National Security Decision Directive (NSDD) 189, is published and broadly shared within the scientific community and, as such, cannot be safeguarded as either FCI or CUI; however, if fundamental research has the potential to become CUI, it would be subject to the requirements of CMMC.
Cybersecurity Maturity Model Certification (CMMC) Program | 32 CFR Part 170 | [Docket ID: DoD-2023-OS-0063] | RIN 0790-AL49 | https://www.federalregister.gov/d/2024-22905/p-327
Fundamental Research Response: One of the main purposes of the CMMC Program is to ensure that DoD contracts that require contractors to safeguard CUI will be awarded to contractors with the ability to protect that information. All contractor-owned information systems that process, store, or transmit CUI are subject to the requirements of NIST SP 800-171 when DFARS clause 252.204-7012 is included in the contract. This is the case whether or not the contractor is engaged in fundamental research.
To the extent that universities are solely engaged in fundamental research that only includes information intended for public release and does not include FCI or CUI, no CMMC requirement is likely to apply. When a research institution does process, store, or transmit FCI, the information should be adequately safeguarded in accordance with the FAR clause 52.204-21, if applied. When a research institution does process, store, or transmit CUI, the information should be adequately safeguarded in accordance with the DFARS clause 252.204-7012, if applied. That clause makes the contractor-owned information system subject to NIST SP 800-171, which includes requirements for Awareness and Training (AT) and Physical Protection (PE). The CMMC Program provides a means to verify compliance.
Defense Acquisition Regulations System 48 CFR Parts 204, 212, 217, and 252 | [Docket DARS-2020-0034] | RIN 0750-AK81 | https://www.federalregister.gov/d/2024-18110/p-79
Comment: Many respondents commented that clarification is needed regarding whether CMMC applies to fundamental research.
Response: Fundamental research, as defined in National Security Decision Directive (NSDD) 189, is published and broadly shared within the scientific community and, as such, cannot be safeguarded as either FCI or CUI; however, if fundamental research has the potential to become CUI, it would be subject to the requirements of CMMC.
NIH will require 800-171 starting January 25, 2025
Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy | Notice Number: NOT-OD-24-157 | https://grants.nih.gov/grants/guide/notice-files/NOT-OD-24-157.html
The “NIH Security Best Practices for Users of Controlled-Access Data” update will be effective on January 25, 2025, at which point adherence to this standard will be included in new or renewed Data Use Certifications or similar agreements stipulating terms of access to controlled-access human genomic data regardless of whether the Approved User is supported by NIH or not.
RRCoP Community Response:
See: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.pdf
800-171 allows for POA&Ms and even “enduring exceptions”: “Some systems, including specialized systems (e.g., industrial/process control systems, medical devices, computer numerical control machines), may have limitations on the application of certain security requirements. To accommodate such issues, the system security plan — as reflected in requirement 03.15.02 — is used to describe any enduring exceptions to the security requirements. Individual, isolated, or temporary deficiencies are managed through plans of action and milestones, as reflected in requirement 03.12.02.”