Compliance & Security
The certifications we hold, the controls we apply, and the standards we flow down across every federal engagement.
- Document ID: FCI-POL-CIS-002
- Version: 1.0
- Effective Date: May 8, 2026
- Document Owner: VP, Contracts & Counsel
- Review Cadence: Annual, or upon material change to a controlling framework or contract
- Next Review: May 8, 2027
- Approved By: Mohamed Farran, Founder & CEO
1. Purpose
FCI Advisory operates as a federal contractor and subcontractor on engagements where compliance is the precondition for delivery. This statement documents the certifications we hold, the controls we apply, and the standards we flow down to partners and personnel.
2. Scope
This statement governs all FCI engagements, internal operations, personnel, and subcontractor relationships. It applies whether FCI is operating as prime contractor, subcontractor, or value-added reseller.
3. Certifications & Vehicles
- CMMC Level 1 — Cybersecurity Maturity Model Certification
- ISO 9001 Certified — Quality Management System
- GSA Schedule — Information Technology and Professional Services (SIN 541611 and adjacent)
- Virginia SWaM — Small, Women-owned, and Minority-owned business (Commonwealth of Virginia)
4. Information Security Standards
FCI's information security program is organized to align with the following authorities, configured at engagement start to match each client's controlling framework:
- NIST SP 800-171 — Protecting Controlled Unclassified Information in Nonfederal Systems
- FISMA and FedRAMP authorization boundaries on clients' authorized environments
- Agency security baselines (e.g., ARS / IS2P2) for federal health environments
- Postal-sector security handbooks (e.g., AS-805) for federal logistics environments
- Section 508 of the Rehabilitation Act for accessibility of all client-delivered digital products
- HIPAA Security and Privacy Rules where protected health information is involved
- FIPS 140-2 (or successor) validated cryptography for encryption of CUI at rest and in transit
5. Federal Contracting Compliance
- DCAA-compliant timekeeping for all labor charged to federal contracts
- FAR Part 52 and DFARS clauses flowed down to subcontractors per prime contract terms
- Organizational Conflict of Interest (OCI) screening at engagement start; ongoing OCI monitoring across active programs (FAR Subpart 9.5)
- Lobbying restrictions per FAR 52.203-12 and 31 USC § 1352
- Anti-kickback compliance per 41 USC § 8702 and FAR 52.203-7
- Buy American and Trade Agreements Act compliance where applicable
6. Personnel & Access Controls
- Background screening for personnel placed on federal engagements, calibrated to the position-risk level required by the client
- Annual security awareness training, with role-based training for personnel with elevated access
- Least-privilege access controls across FCI systems and client-issued environments
- Access removal within one business day of role change or separation
- Multi-factor authentication required for all systems containing CUI or client data
- Acceptable Use Policy acknowledged annually by all personnel
7. Data Handling
- Client data is segregated by engagement, with access restricted to authorized personnel
- CUI is encrypted at rest and in transit using FIPS-validated cryptography
- Retention and destruction governed by the controlling client contract; default retention does not exceed contract requirements
- Data residency aligned to controlling federal authority and contract terms
8. Subcontractor & OEM Partner Flow-Down
All applicable security and compliance clauses are flowed down to subcontractors and OEM partners — including Boomi, Appian, OpenText, and DataDog — via written agreement. Partner-managed environments operate under the partner's authorization (e.g., FedRAMP) plus FCI's engagement-specific overlay where required.
9. Incident Response
Suspected security incidents are reported to FCI's COO and VP, Contracts & Counsel within 24 hours of detection, and to the affected client per the controlling contract's reporting timeline. Incidents involving CUI are escalated to the DoD Cyber Crime Center (DC3) and other authorities as required by DFARS 252.204-7012 and successor clauses.
10. Governance & Audit
- Annual internal compliance review led by the COO
- ISO 9001 surveillance audit on the certification's prescribed cadence
- CMMC self-assessment renewed annually; supporting evidence retained per CMMC requirements
- Findings logged in FCI's Quality Management System; corrective actions tracked to closure
11. Review
This statement is reviewed annually, or upon material change to a controlling framework or contract obligation, whichever comes first.
FCI Advisory, LLC · 1660 International Dr, Ste 600, McLean, VA 22102 · info@fciadvisory.com · +1 (202) 717-1122