If you’re a defense contractor navigating CMMC compliance, understanding the distinction between CUI (Controlled Unclassified Information) and FCI (Federal Contract Information) is absolutely critical. Many organizations treat these terms interchangeably, but they have distinct definitions, regulatory frameworks, and compliance implications that can directly affect your certification level and contract eligibility.
In this post, we’ll break down what each designation means, examine their key differences, and explain why misclassifying your data can put your DoD contracts at risk.
What Is CUI (Controlled Unclassified Information)?
CUI is defined as unclassified information that requires safeguarding or dissemination controls according to and consistent with applicable law, regulations, and government-wide policies. The formal framework for CUI was established by Executive Order 13556, signed in November 2010, which created the CUI Program.
Origins and Authority
Executive Order 13556 directed all federal agencies to implement a standardized, government-wide approach to managing sensitive unclassified information. Before this executive order, agencies maintained separate “controlled unclassified information” categories with inconsistent handling procedures—creating significant confusion across government and industry.
The National Archives established the CUI Registry to maintain an official, authoritative list of all CUI categories and subcategories. This registry provides agencies and their contractors with clear guidance on what constitutes CUI and how to handle it.
CUI Categories
CUI encompasses numerous categories, including but not limited to:
- Export Controlled Information: Technical data, software, and commodities subject to International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR)
- Patent Information: Unpublished patent applications and related technical disclosures
- Proprietary Business Information: Trade secrets, pricing data, and competitive business strategies
- Safeguards Information: Details about security measures protecting government facilities or systems
- Critical Infrastructure Information: Information related to the protection of critical infrastructure systems
- Law Enforcement Sensitive Information: Details that could compromise ongoing investigations
- Privacy Information: Personally identifiable information (PII) and personally sensitive information
- Procurement Sensitive Information: Details that could unfairly advantage competitors in contract competitions
Handling and Marking Requirements
CUI must be marked to indicate its status. The standard marking format is: CUI//[category] or CUI//[category//subcategory]. Organizations handling CUI must implement safeguarding measures appropriate to the sensitivity level and category of the information.
What Is FCI (Federal Contract Information)?
FCI is a more specific term that refers to unclassified information or data that is provided by or on behalf of the federal government or is collected, developed, received, or transmitted by a contractor in the performance of a federal contract. FCI is defined in the Federal Acquisition Regulation (FAR) clause 52.204-21, which became effective in June 2011.
FAR 52.204-21 Requirements
FAR 52.204-21 establishes contractor responsibilities for protecting federal contract information and requires contractors to implement information security protections that are appropriate to the sensitivity level of the information. This clause flows down to all subcontractors and requires compliance with NIST standards, most notably NIST SP 800-171 for information security controls.
The clause applies to all DoD contractors, and it is triggered when the contract involves:
- Unclassified information that may be subject to safeguarding regulations
- Covered Defense Information (CDI) as defined by DFARS 252.204-7012
- Any information that is collected, developed, received, or transmitted during contract performance
Scope of FCI
FCI is broader in scope than many contractors realize. It includes:
- Technical specifications and requirements documents
- Contract terms, pricing, and payment information
- Government personnel information and communications
- System designs, architectural diagrams, and implementation details
- Performance data, test results, and engineering analysis
- Government records and correspondence related to the contract
- Any information marked as “Controlled Unclassified Information” (CUI)
Key Differences Between CUI and FCI
While both CUI and FCI are unclassified and require protection, understanding their differences is essential for compliance:
| Aspect | CUI (Controlled Unclassified Information) | FCI (Federal Contract Information) |
|---|---|---|
| Definition Source | Executive Order 13556 & CUI Registry | FAR 52.204-21 & DFARS regulations |
| Scope | Government-wide unclassified information requiring protection | Unclassified federal contract information provided to or created by contractors |
| Marking Requirements | Must be marked with CUI// designation | May or may not be explicitly marked; contractor responsible for identification |
| Categories | Multiple designated categories (export control, IP, proprietary, etc.) | All unclassified information related to federal contracts |
| Safeguarding Standards | Category-specific controls per CUI Registry | NIST SP 800-171 for contractors (appropriate security controls) |
| Primary Regulatory Driver | OMB Circular A-130, agency policies | FAR 52.204-21, DFARS 252.204-7021 |
| CMMC Applicability | Often addressed at CMMC Level 2 | Addressed at CMMC Level 1 |
Why This Distinction Matters for CMMC Compliance
The CUI vs. FCI distinction directly impacts your CMMC certification requirements:
CMMC Level 1 — FCI Protection
CMMC Level 1 focuses on the basic safeguarding of Federal Contract Information (FCI). All DoD contractors must achieve Level 1 certification to maintain contract eligibility. Level 1 requires implementation of 17 foundational security practices addressing basic controls for information confidentiality, integrity, and availability.
Level 1 specifically addresses the contractual obligation to protect FCI as required by FAR 52.204-21. The practices include access control, identification and authentication, basic awareness training, and contingency planning.
CMMC Level 2 — Advanced Practices
CMMC Level 2 includes all Level 1 practices plus an additional 110 advanced practices that address more sophisticated threats and provide enhanced protection for both FCI and CUI. Level 2 requires implementation of controls aligned with NIST SP 800-171, which provides more granular requirements for protecting sensitive unclassified information including CUI.
Contractors handling CUI (such as export-controlled technical data, proprietary business information, or other sensitive unclassified data) may need to achieve Level 2 certification, particularly if their contracts involve work at higher sensitivity levels.
Key Takeaway: Simply protecting FCI at Level 1 may be insufficient if your organization handles CUI. The presence of CUI in your environment typically necessitates Level 2 certification and the more comprehensive safeguarding practices it requires.
How to Determine Which Type of Data Your Organization Handles
Many contractors struggle to distinguish between CUI and FCI in their own environments. Here’s a practical framework:
Step 1: Audit Your Information Inventory
Document all types of information your organization creates, receives, or stores in performing government contracts. Categories include:
- Technical and engineering documentation
- Contract terms and pricing information
- Employee and personnel records
- System designs and architectural documentation
- Performance reports and test data
- Government correspondence and directives
- Proprietary business information (if relevant to contract work)
Step 2: Identify Government-Provided Data
Any unclassified information provided by the government or marked as “Controlled Unclassified Information” is by definition Federal Contract Information. Check your contract files, emails, and government-provided documentation for explicit CUI markings (CUI//) or agency directives indicating protected information.
Step 3: Apply the CUI Registry
Review the official CUI Registry at https://www.archives.gov/cui to identify any CUI categories present in your environment. Common defense-related CUI categories include:
- Export controlled technical data (ITAR/EAR)
- International agreements and negotiations
- Military planning and operational information
- Acquisition and procurement sensitive information
Step 4: Document Your Findings
Create a data classification inventory that identifies:
- Where FCI is stored and processed
- Which systems handle CUI and what categories
- Who has access to each data type
- Current safeguarding measures in place
This inventory becomes essential documentation for CMMC assessments and demonstrates that your organization understands its data environment and regulatory obligations.
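One way to turn Steps 1 through 4 into a repeatable check, as an added example that is not from the original post or any CMMC tooling: each document record carries the system it lives on, its path, its banner line, and whether it was provided by or generated for a federal contract. The marking grammar follows the post (CUI//CATEGORY or CUI//CATEGORY//SUBCATEGORY); all records, category labels and the subcategory are constructed sample values, so the category strings should be checked against the CUI Registry rather than taken from here.

```python
"""Build a per-system CUI/FCI inventory from a constructed document list."""
from collections import defaultdict

# Constructed sample records: (system, path, banner, contract_related).
# Category labels are illustrative; confirm them against the CUI Registry.
SAMPLE_DOCS = [
    ("eng-share", "drawings/valve-assy.pdf", "CUI//SP-EXPT", True),
    ("eng-share", "drawings/tolerance-notes.docx", "CUI//PROPIN//MFG", True),
    ("erp", "invoices/2024-q1.xlsx", "", True),          # unmarked but contract data
    ("erp", "contracts/sow-rev3.pdf", "", True),
    ("marketing", "web/brochure.pdf", "", False),        # public, out of scope
    ("mail", "inbox/program-office.eml", " cui // sp-expt ", True),  # sloppy banner
]


def parse_marking(banner):
    """Return (category, subcategory) for a CUI banner, else None.
    Matching is case- and whitespace-tolerant so a sloppy banner is still
    caught instead of silently falling through to FCI. A bare "CUI" banner
    is still CUI; its category is unknown and must be resolved by hand
    (assumption: treating it as UNSPECIFIED rather than ignoring it)."""
    parts = [p.strip() for p in banner.strip().upper().split("//")]
    if parts[0] != "CUI":
        return None
    category = parts[1] if len(parts) > 1 and parts[1] else "UNSPECIFIED"
    subcategory = parts[2] if len(parts) > 2 and parts[2] else None
    return category, subcategory


def classify(banner, contract_related):
    """CUI if marked; otherwise FCI when tied to a federal contract; else PUBLIC."""
    if parse_marking(banner):
        return "CUI"
    return "FCI" if contract_related else "PUBLIC"


def build_inventory(docs):
    """Per-system view of where FCI sits and which CUI categories each system handles."""
    inv = defaultdict(lambda: {"fci": 0, "cui_categories": set()})
    for system, _path, banner, contract_related in docs:
        kind = classify(banner, contract_related)
        if kind == "CUI":
            category, _sub = parse_marking(banner)
            inv[system]["cui_categories"].add(category)
        elif kind == "FCI":
            inv[system]["fci"] += 1
    return dict(inv)


def recommended_level(inventory):
    """Level 2 if any system holds CUI, Level 1 if only FCI, None if neither."""
    if any(e["cui_categories"] for e in inventory.values()):
        return 2
    return 1 if any(e["fci"] for e in inventory.values()) else None
```

The inventory only records systems that actually hold FCI or CUI, so a system missing from the output is one you have judged out of scope and should be able to justify to an assessor.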
What Happens If You Misclassify Your Data?
Misclassifying data—either treating FCI as less sensitive than it is, or failing to identify CUI in your environment—creates serious compliance and contractual risks:
Insufficient Safeguarding
If you underestimate your data sensitivity and fail to implement appropriate controls, you violate your contractual obligations under FAR 52.204-21. This can result in:
- Contract termination or loss of future contract awards
- Compliance violations during CMMC assessments
- Exposure to data breaches or unauthorized disclosures
- Regulatory penalties from government agencies
Over-Classification Burden
Conversely, treating all information as CUI when much is simply standard FCI creates unnecessary operational burden and expense. This can lead to:
- Excessive security controls that reduce operational efficiency
- Higher CMMC certification and assessment costs
- Difficulty collaborating with partners or vendors
- Unnecessary operational restrictions
Assessment Failures
During CMMC assessments, external assessors evaluate whether your organization correctly identifies and protects both FCI and CUI. Misclassification can result in:
- Assessment failures and certification denial
- Repeat assessments at additional cost
- Temporary contract work restrictions
- Loss of competitive advantage on future bids
What to Do Next: Taking Action
If you’re uncertain about your organization’s data classification or CMMC readiness, here are immediate steps:
1. Conduct a Data Classification Assessment
Work with your security team or an external consultant to audit all systems and data types. Document which information qualifies as FCI and which as CUI. This assessment is foundational to your entire CMMC compliance program.
2. Determine Your Required CMMC Level
Review your current and anticipated DoD contracts to determine whether you need Level 1 or Level 2 certification. The presence of CUI in your environment typically requires Level 2.
3. Map Controls to Your Data Types
For FCI: Ensure you’re implementing the 17 Level 1 practices and appropriate NIST SP 800-171 controls.
For CUI: Implement the full suite of Level 2 practices aligned with category-specific safeguarding requirements.
4. Perform a CMMC Readiness Assessment
A readiness assessment identifies gaps between your current state and CMMC requirements. This helps you prioritize remediation efforts and develop a realistic path to certification.
5. Develop a Remediation Plan
Based on assessment findings, create a documented plan to address gaps. Assign responsibilities, set timelines, and allocate budget for any necessary technology investments or security upgrades.
6. Schedule Your Official Assessment
Once you’ve addressed identified gaps and achieved a stable security posture, schedule your official CMMC assessment with an authorized C3PAO (Certified Third Party Assessment Organization).
Final Thoughts
The distinction between CUI and FCI is not academic—it directly affects your contract eligibility, compliance obligations, and assessment requirements. By correctly identifying the types of unclassified information in your environment and implementing appropriate safeguarding measures, you protect your organization, maintain compliance with government regulations, and position yourself for continued success in the defense contracting space.
The path to CMMC compliance begins with understanding your data. If you’re uncertain where you stand, a professional assessment can provide clarity and direction. Your DoD contracts depend on it.