
FCI vs. CUI: Knowing What You’re Actually Protecting

Priya Nair · May 12, 2026 · 6 min read

The single most important distinction in CMMC is the kind of information you handle. It determines your level, your scope, and the size of your assessment. Two terms do all the work: FCI and CUI.

Federal Contract Information (FCI)

FCI is information provided by or generated for the government under a contract that is not intended for public release. Think non-public details in statements of work, delivery schedules, or internal correspondence. Protecting FCI is the job of CMMC Level 1 and the 15 basic safeguarding requirements.

Controlled Unclassified Information (CUI)

CUI is information the government requires to be safeguarded under a specific law, regulation, or government-wide policy — for example, controlled technical information, export-controlled data, or certain privacy data. Protecting CUI triggers NIST 800-171 and CMMC Level 2.

Why the distinction is expensive to get wrong

  • Mislabel CUI as FCI and you under-protect data the government expects safeguarded — a compliance and contractual risk.
  • Treat everything as CUI and you balloon your scope, your tooling, and your assessment cost for no benefit.
  • The right move is a deliberate data inventory: identify exactly what CUI you receive or create, and where it lives.

Get this right first. Every scoping and SSP decision downstream depends on knowing precisely what you protect.

The Verdict Forum publishes educational guidance, not legal or compliance advice. Confirm requirements against the authoritative sources and your assessor before acting.