FCI vs CUI: Which Type of Data Are You Handling?

Your Cybersecurity Maturity Model Certification (CMMC) level is not based on how big your company is or how long you have held a Department of Defense (DoD) contract. It comes down to one question: what kind of government data do you handle?

There are two types that matter: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). If you only handle FCI, you are looking at CMMC Level 1. If you handle CUI, you are looking at Level 2, which is a much larger undertaking. The problem is that many contractors are not sure which one they have, and some assume they handle only FCI when they are actually touching CUI.

This post explains the difference in plain language, shows you how to tell which type you handle, and walks through what each one triggers.

What FCI Is

Federal Contract Information is defined in Federal Acquisition Regulation (FAR) 52.204-21. In plain terms, it is information the government provides to you, or information you generate for the government, as part of doing the work on a contract, and that is not meant for public release.

Two things are excluded. FCI does not cover information the government already makes public, such as content on a public agency website. It also does not cover simple transactional information, like the data needed to process a payment.

Almost everything else tied to your contract counts. Emails with a contracting officer about delivery schedules, internal performance reports, contract correspondence, and basic project documents are all FCI. If you do any work for the DoD, you almost certainly handle FCI. It is the floor, not the exception.

What CUI Is

Controlled Unclassified Information is a broader and more sensitive category. It is unclassified information that a law, regulation, or government-wide policy requires you to safeguard. The National Archives and Records Administration (NARA) governs CUI and maintains the official CUI Registry, which lists every approved category.

In the defense world, the most common category is Controlled Technical Information (CTI). This is technical data and engineering information with a military or space application, such as research data, engineering drawings, specifications, and process documents. Other categories you may run into include export-controlled data under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).

One detail trips people up. CUI is often marked, but not always. A document with no marking can still be CUI if it falls into a registered category. Do not treat the absence of a stamp as proof that something is safe to handle as FCI.

How to Tell Which One You Handle

The fastest way to tell is to read your contract. The clauses tell you what is in scope.

FAR 52.204-21

If your contract includes FAR 52.204-21, FCI is in scope and basic safeguarding is required. That clause is what the 15 Level 1 requirements are built on.

DFARS 252.204-7012

If your contract includes Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, CUI is in scope. That clause covers the safeguarding of covered defense information and cyber incident reporting. Whether 7012 appears directly in your contract or is flowed down to you by a prime contractor, covered defense information is in scope, CUI protections apply, and you are looking at Level 2.

Two things matter here. First, check the full contract, including attachments and statements of work, not just the cover page. Second, if you are a subcontractor, check what your prime has flowed down to you. A prime that handles CUI will often pass DFARS 252.204-7012 down to the subs who touch that data.

Two Real Examples

Examples make the line clearer.

Janitorial Subcontractor

A company provides cleaning services at a defense contractor's facility. The only government information it receives is the service contract, a schedule, and invoices. None of it is technical, and none of it is marked CUI. This contractor handles FCI only, which puts it at Level 1.

Small Machine Shop

A small shop machines parts for a defense prime. To make those parts, it receives engineering drawings and specifications from the prime. That technical data is almost always Controlled Technical Information, a category of CUI. Because CUI now lives on the shop's systems, the shop is looking at Level 2.

The difference is not the size of the company. It is the kind of data each one touches.

The janitorial firm can stay at Level 1. The machine shop cannot.

What Each One Triggers

Once you know your data type, you know your path.

FCI

FCI only points to CMMC Level 1. Level 1 covers 15 basic safeguarding requirements drawn from FAR 52.204-21. It is handled through annual self-attestation, where a senior company official affirms compliance in the Supplier Performance Risk System (SPRS). There is no third-party assessment required at this level. If you are trying to determine whether Level 1 is your ceiling, see Can You Stop at CMMC Level 1?

CUI

CUI points to CMMC Level 2. Level 2 covers 110 practices aligned to National Institute of Standards and Technology (NIST) Special Publication 800-171. Level 2 contracts specify one of two assessment types. Some require a third-party certification assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). Others allow a self-assessment, where your organization evaluates its own compliance and enters the results in SPRS. Your contract language will indicate which applies. Both pathways require a System Security Plan (SSP) and, where gaps exist, a Plan of Action and Milestones (POA&M). It is a significantly larger effort than Level 1.

If you want a fuller breakdown of the levels and how to confirm which your contract requires, see our guide on Level 1 or Level 2? How to Tell Which Your Contract Requires. For a broader overview of the framework itself, start with What is CMMC 2.0?.

What to Do If You Still Are Not Sure

Plenty of contractors finish this article and still are not certain. That is normal, and there are clear next steps.

A CMMC gap assessment starts with exactly this scoping work. As a Registered Practitioner, APT can help you sort FCI from CUI, confirm your correct level, and map out what compliance actually involves before you commit time and budget. You can see how the full engagement works on our CMMC Compliance Prep page.

Ask your prime. If you are a subcontractor, your prime contractor is responsible for telling you what data flows down to you and which clauses apply. Put the question in writing.

Ask the contracting officer. The contracting officer can clarify what data a contract involves and how it should be handled. This is a reasonable question, and asking it early is far better than guessing.

Run a data classification exercise. Inventory the data that comes into your business. Note where it lives, who touches it, and which systems store it. Then map each item to FCI or CUI. APT's free CUI Identifier tool walks you through that mapping as a decision tree. This exercise is also the first real step of scoping for CMMC, so the work is not wasted.

Do not guess. Guessing wrong is costly in both directions. Under-scope, and you may sign a self-attestation you cannot actually back up, which carries real legal exposure. Over-scope, and you spend money preparing for Level 2 when Level 1 was all the contract required.

Frequently Asked Questions

What is the difference between FCI and CUI?

Federal Contract Information (FCI) is non-public information provided by or generated for the government as part of contract work. Controlled Unclassified Information (CUI) is a broader, more sensitive category of unclassified information that law, regulation, or policy requires you to safeguard, such as Controlled Technical Information and export-controlled data.

How do I know if I handle FCI or CUI?

Check your contract clauses. FAR 52.204-21 indicates FCI is in scope. DFARS 252.204-7012 indicates CUI is in scope. If you are a subcontractor, also check what your prime contractor has flowed down to you.

Does FCI or CUI determine my CMMC level?

Yes. Handling FCI only points to CMMC Level 1, which uses annual self-attestation. Handling CUI points to CMMC Level 2, which requires NIST 800-171 alignment and, in most cases, a third-party assessment.

Not sure whether your contracts put you at Level 1 or Level 2?

Book a free 30-minute consultation. We will walk through your data, your contract clauses, and your likely CMMC scope, so you know where you stand before you spend a dollar on prep.