Definitions — Federal Contract Information
FAR 4.1901 is the regulatory section that defines "Federal Contract Information" (FCI) for the entire federal acquisition system. It is the source contractors should cite when determining whether information they hold qualifies as FCI and therefore triggers FAR 52.204-21.
Who must comply
Definitional — does not impose obligations, but governs the scope of FAR 52.204-21 and CMMC Level 1.
What it requires
- Defines Federal Contract Information as information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service.
- Excludes information provided by the government to the public (such as on public websites) and simple transactional information.
- Establishes that FCI does not need to be marked to be FCI — its status comes from its origin and use, not from a marking.
Related clauses
- FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
FAR 52.204-21 requires every federal contractor that has Federal Contract Information (FCI) on its systems to implement 15 basic safeguarding requirements covering access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. It is the entire substantive content of CMMC Level 1.
- FAR 4.1903: Contract Clause — Requirement to Insert FAR 52.204-21
FAR 4.1903 directs contracting officers to insert the FAR 52.204-21 safeguarding clause into solicitations and contracts when the contractor or subcontractor at any tier may have Federal Contract Information residing in or transiting through its information system. This is the procedural mechanism by which FAR 52.204-21 lands in nearly every federal contract.