FCI vs CUI: The Distinction That Determines CMMC Level


Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses.


Whether your business handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) determines your CMMC certification level. FCI is information not intended for public release that is provided by or generated for the Government under contract to develop or deliver a product or service. CUI is information requiring safeguarding or dissemination controls per laws, regulations, or government policies — defined and registered through the National Archives and Records Administration (NARA) CUI Registry. The distinction is critical: FCI handlers need Level 1; CUI handlers need Level 2 or Level 3.

Federal Contract Information (FCI)

FCI is defined in FAR 52.204-21 as 'information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.' FCI does not include information provided by the Government to the public or simple transactional information necessary to process payments. Examples of FCI: contract terms, internal correspondence about contract performance, draft deliverables, contractor proprietary work product. FCI handlers face Level 1 requirements (17 practices).

Controlled Unclassified Information (CUI)

CUI is information requiring safeguarding or dissemination controls per laws, regulations, or government-wide policies — but not classified information. The CUI Program is administered by NARA and the CUI Registry lists categories. Common CUI categories: Critical Infrastructure (Critical Energy Infrastructure Information), Defense (Naval Nuclear Propulsion, Unclassified Controlled Nuclear Information), Export Control (ITAR information not classified), Financial (Financial Records), Privacy (PII, Personnel Records), Procurement and Acquisition (Source Selection), and Technical Data (Defense-related technical data not classified).

How to Identify CUI in Practice

The DoD typically identifies CUI either on the documents themselves (banners and footers naming the CUI category) or through contract clauses stating that CUI will be exchanged. Contractors should: (1) check contract documents for CUI markings or clauses indicating CUI; (2) review the CUI Registry at archives.gov/cui to identify the categories applicable to their work; (3) implement access controls so that CUI cannot leave the certification boundary; (4) train personnel to recognize and properly handle CUI markings.

Why the Distinction Matters

The CMMC certification level required is determined by the type of data handled. FCI handlers need only Level 1 — 17 practices, self-assessment. CUI handlers need Level 2 — 110 controls, often C3PAO-assessed. Highest-priority CUI handlers need Level 3 — additional NIST 800-172 controls, DIBCAC-assessed. Mistakenly classifying CUI as FCI and certifying only at Level 1 exposes the contractor to: contract termination, civil and criminal penalties under the False Claims Act, and suspension/debarment from federal contracting.

Frequently Asked Questions

Where is CUI defined?

CUI is defined in 32 CFR Part 2002 (the CUI Program rule) and the CUI Registry maintained by the National Archives and Records Administration (NARA) at archives.gov/cui. The Registry lists every approved CUI category along with safeguarding and dissemination controls applicable to each category.

How is CUI marked?

CUI documents must be marked with: a banner marking at the top identifying 'CONTROLLED UNCLASSIFIED INFORMATION' or 'CUI'; category markings if applicable (e.g., 'CUI//SP-PRVCY' for Privacy CUI); and dissemination controls if applicable. The DoD provides specific marking guidance through its CUI Program.
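As an added example (not FileFlo's code or anything from the page), the following Python check scans document text for the banner and footer markings described above and reports the minimum CMMC level those markings imply, which is the kind of check a contractor would run at the certification boundary. Assumptions: the NARA marking layout CUI//CATEGORY//CONTROL with '/' separating multiple entries, the NOFORN control in the sample, and the sample documents, which are constructed.

```python
import re
from dataclasses import dataclass

# Banner forms the page describes: 'CONTROLLED UNCLASSIFIED INFORMATION' or 'CUI',
# optionally followed by category markings (e.g. CUI//SP-PRVCY) and dissemination
# controls. Assumed layout: CUI//CATEGORY[/CATEGORY]//CONTROL[/CONTROL], one banner
# or footer per line, so the word "CUI" inside ordinary prose does not match.
_SEGMENT = r"[A-Z0-9\-]+(?:/[A-Z0-9\-]+)*"
BANNER_RE = re.compile(
    r"^\s*(?:CONTROLLED UNCLASSIFIED INFORMATION|CUI)"
    rf"(?://(?P<cats>{_SEGMENT}))?"
    rf"(?://(?P<dissem>{_SEGMENT}))?\s*$",
    re.MULTILINE,
)


@dataclass
class Marking:
    categories: list     # e.g. ['SP-PRVCY']; empty for a bare 'CUI' banner
    dissemination: list  # e.g. ['NOFORN']; empty when no control is marked


def find_cui_markings(text: str) -> list:
    """Return one Marking for every CUI banner/footer line in the document text."""
    found = []
    for m in BANNER_RE.finditer(text):
        cats = (m.group("cats") or "").split("/")
        dissem = (m.group("dissem") or "").split("/")
        found.append(Marking([c for c in cats if c], [d for d in dissem if d]))
    return found


def minimum_cmmc_level(text: str) -> int:
    """Level 2 when any CUI marking is present, else Level 1 (FCI baseline).
    Assumes the document is contract-related (at least FCI). Level 3 depends on
    program priority rather than markings, so it is never inferred here."""
    return 2 if find_cui_markings(text) else 1


# Constructed sample documents (not real contract material).
FCI_SAMPLE = """Status memo for the monthly deliverable
Draft schedule for internal review; not intended for public release.
"""
CUI_SAMPLE = """CUI//SP-PRVCY//NOFORN
Personnel roster for task order staffing.
CUI//SP-PRVCY//NOFORN
"""
```

A miss here is not proof that a document is FCI: unmarked or mismarked CUI exists, so the check complements, rather than replaces, the contract review and personnel training described earlier.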

What if my contract is unclear whether data is FCI or CUI?

Contact the contracting officer for clarification before assuming either classification. Misclassification can leave major compliance gaps. Best practice: apply the higher-level controls (treat ambiguous data as CUI) until the classification is confirmed. Many contractors implement Level 2 controls organization-wide, even on contracts that require only Level 1, to simplify operations.

Can the same contract include both FCI and CUI?

Yes. Many DoD contracts involve both FCI (general contract performance information) and CUI (technical data, controlled procurement information). Contractors handling both must achieve at least Level 2 certification because Level 2 covers both data types. The CMMC level is determined by the most-sensitive data handled.
