Federal Contract Information (FCI)

Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses.

Last reviewed · By Chad Griffith

Federal Contract Information (FCI) is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Defined in FAR 52.204-21 ('Basic Safeguarding of Covered Contractor Information Systems'), FCI requires contractors to implement 15 basic cybersecurity controls. Under CMMC 2.0, FCI handlers must achieve Level 1 Foundational certification — 17 cybersecurity practices, annual self-assessment, senior official affirmation submitted to SPRS. FCI does not include information provided by the Government to the public or simple transactional information necessary to process payments.

Frequently Asked Questions

What is the difference between FCI and CUI?

FCI is information generated for or provided by the Government under contract that is not intended for public release. CUI is information requiring safeguarding or dissemination controls per laws, regulations, or government policies — defined and registered through the National Archives CUI Registry. FCI handlers face Level 1 (17 practices); CUI handlers face Level 2 (110 controls) or Level 3.

What are examples of FCI?

Common FCI examples: contract terms and conditions, internal correspondence about contract performance, draft deliverables before public release, contractor proprietary work product developed under government contract, and information about government program details that hasn't been publicly released.

What controls protect FCI?

FAR 52.204-21 requires 15 basic safeguarding controls covering: limiting system access to authorized users, controlling external connections, implementing physical security, using anti-malware tools, applying security configurations, and monitoring for unauthorized activity. CMMC Level 1 builds on these with 17 mapped practices.

Is all government contract data FCI?

No. Public-facing government information (e.g., federal contract awards, public RFPs, government press releases) is not FCI even though it relates to government contracts. FCI specifically covers information not intended for public release. Information clearly intended for public dissemination is not FCI even if generated under contract.
