
What Really Are FCI and CUI – And Why They Matter for CMMC Compliance

In our last post, we explored the broader business impacts of CMMC 2.0. Today, we’re zooming in on two key terms that drive your compliance obligations:


Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).


Understanding the difference between them isn’t just academic; it directly affects your CMMC level, audit scope, and contract eligibility.


What Is FCI?

Federal Contract Information (FCI) is any information not intended for public release that is provided by, or generated for, the government under a contract to develop or deliver a product or service. For example:

  • Internal reports

  • Government communications

  • Contract deliverables


It does not include publicly available information or simple transactional data like invoice numbers.

If your company handles FCI, you’re required to meet CMMC Level 1, which includes:

  • 15 basic safeguarding controls (FAR 52.204-21)

  • Annual self-assessment

  • Affirmation of compliance in SPRS


What Is CUI?

Controlled Unclassified Information (CUI) is more sensitive. It includes unclassified data that requires safeguarding under federal law, regulation, or policy. Examples include:

  • Technical drawings

  • Export-controlled data

  • Legal, health, or financial records


Handling CUI requires CMMC Level 2 compliance, which means:

  • Full implementation of NIST SP 800-171 (110 controls)

  • Third-party assessment by a C3PAO (in most cases)

  • More rigorous documentation and monitoring


Why the Distinction Matters

The difference between FCI and CUI determines:

  • Your required CMMC level

  • The systems and users in scope for audit

  • Whether you need a third-party assessment or can self-attest


All CUI documents are also FCI, but not all FCI is CUI. Think of FCI as the baseline and CUI as the high-risk tier.


Real-World Impacts

At CompleteMSP, we’ve seen firsthand how misclassifying data can derail compliance efforts. In one case, a contractor assumed all their work was COTS (commercial off-the-shelf) and therefore exempt from CMMC. But upon closer inspection, they were handling marked media and technical documents that clearly qualified as CUI.


This misstep nearly cost them their eligibility for future DoD contracts.

 

Final Thoughts

FCI and CUI are more than just acronyms; they’re the foundation of your CMMC compliance strategy. Misunderstanding them can lead to audit failures, lost contracts, and legal exposure. Get them right, and you’re well on your way to securing your place in the defense supply chain.


  📞 Contact us today:

- Phone: 256-684-8083

 
