The short answer is, “it depends”. If your organization creates or receives Controlled Unclassified Information (“CUI”), then the environment(s) which is/are used in the creation, receipt, storage, processing, or transmission of the CUI (we refer to this as “handling” the CUI) must be certified at at least Maturity Level 3. The exact level (3, 4, or 5) will be determined based on the nature of the information. The exact confines of what constitutes Maturity Level 4 or 5 CUI have not been published at this time. In addition, the requirements for certification at Maturity Levels 4 and 5 are not finalized. Thus, organizations handling CUI should focus on obtaining Maturity Level 3 certification at this time.

Federal Contract information (“FCI”) is any of the Federal Government’s nonpublic information, including information you create for the government. That means just about any information your organization receives from, or creates for, the Federal Government. Any portion(s) of your organization’s environment that handle FCI will need to be certified at a minimum of Maturity Level 1.