FCI vs CUI: What's the Difference and Why It Matters
If you're a small manufacturer in the DoD supply chain, you've probably seen "FCI" and "CUI" thrown around in contracts or CMMC discussions. These acronyms define what data you handle and which CMMC level you need. Get it wrong, and you risk non-compliance or lost bids.
What is FCI (Federal Contract Information)?
FCI is basic, non-public information provided by or generated for the government under a contract to deliver products/services. It excludes public info (like on government websites) or simple transactional data (e.g., payment processing).
From FAR 52.204-21: "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government..."
Examples: contract admin details, delivery schedules, basic invoices (if not public).
What is CUI (Controlled Unclassified Information)?
CUI is sensitive unclassified info that requires safeguarding or dissemination controls per law, regulation, or policy. It's listed in the NARA CUI Registry and often marked "CUI" on documents.
DoW aligns CUI with categories like controlled technical info, export-controlled data, or proprietary defense details. NIST SP 800-171 sets the requirements for protecting it in non-federal systems.
Examples: technical drawings, engineering specs, software code, test data tied to DoD work.
How Are They Different? Quick Comparison (2026 Reality)
Sensitivity — FCI: Low (basic contract stuff). CUI: Higher (could harm national security if leaked).
Marking — FCI: No specific marking required. CUI: Must be marked (e.g., "CUI//SP-EXPORT") per DoW rules.
Controls Required — FCI: 15 basic safeguards (FAR 52.204-21). CUI: Full 110 controls (NIST SP 800-171 Rev 2).
CMMC Level — FCI only: Level 1 (annual self-assessment + affirmation in SPRS). CUI: Level 2 (self-assessment now in Phase 1; third-party C3PAO certification starting Nov 2026 for many contracts).
Overlap — All CUI is FCI, but not vice versa. Handle any CUI? You need Level 2 for that boundary.
Why This Matters Right Now
In January 2026 (Phase 1 of the CMMC rollout), new DoW contracts require Level 1 for FCI-only work and a Level 2 self-assessment for CUI. Miss the right level, and you can't bid or perform. Many small suppliers start with FCI but discover that CUI flows down from primes (ask: "Does this include CUI?").
Quick Action Steps
Review contracts/drawings for markings or CUI language.
Ask your prime directly: "Is this FCI only, or does it include CUI?"
If CUI, run a gap check against NIST SP 800-171.
Submit self-assessment/affirmation in SPRS via PIEE if needed.
The distinction is clear on paper, but real contracts blur the lines. Many shops think they're FCI-only until a drawing arrives marked CUI.