CUI vs. FCI: What Every DoD Contractor Must Get Right Before Chasing CMMC

Why this article on CUI vs. FCI matters

If you’re a prime, a sub, or an overwhelmed SMB in the Defense Industrial Base (DIB), your CMMC journey starts with one decision: What data are we protecting – Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or both? Get this wrong and everything downstream – scope, controls, budget, tools, even your chances at award – will be off. The good news: you can make this call with clear, objective criteria grounded in FAR 52.204‑21 (FCI) and 32 CFR Part 2002 (CUI), along with DoD and NIST guidance.

Quick CUI vs. FCI definitions (plain English)

• FCI (Federal Contract Information)
  Information not intended for public release that the Government provides to you or that you generate under a Federal contract to deliver a product or service. If it’s on a public website or simple payment data, it’s not FCI. Think SOWs, deliverable drafts, CO emails, project plans. FCI invokes FAR 52.204‑21 and its 15 basic safeguards.
• CUI (Controlled Unclassified Information)
  Unclassified information that Federal law/regulation/policy requires or permits safeguarding or limited dissemination. It is created or possessed by the Government, or by you for/on behalf of the Government. CUI is standardized under the government‑wide CUI Program and cataloged in the CUI Registry; DoD also maintains a DoD‑specific registry. In DoD contracts, CUI generally triggers DFARS 252.204‑7012 and NIST SP 800‑171 implementation.

Practical rule of thumb: If it’s just contract‑related but not public, it’s probably FCI. If a law/regulation/policy says it needs protection (e.g., export control, Controlled Technical Information (CTI), Personally Identifiable Information (PII) tied to a DoD purpose), it’s CUI – check the registry category and your contract.

Where CMMC fits right now (as of today)

CMMC is no longer theoretical. DoD finalized the program rule (32 CFR Part 170) effective December 16, 2024, and then issued the DFARS rule that begins a three‑year rollout starting November 10, 2025. Level 1 covers FCI (self‑assessment), Level 2 covers CUI (mostly third‑party certification via C3PAO), Level 3 addresses APT‑level threats. Plan on progressive inclusion in solicitations through 2028.

Key alignment:

• Level 1 ↔ FAR 52.204‑21 basic safeguards (for FCI).
• Level 2 ↔ NIST SP 800‑171 (for CUI), assessed by a C3PAO for most contracts.

The legal backbone, in brief

1. FAR 52.204‑21 (Basic Safeguarding of Covered Contractor Information Systems)
   Sets 15 minimum cybersecurity practices for systems with FCI (e.g., access controls, media sanitization, flaw remediation, malware protection, boundary defense, physical access controls). These flow to subs (except COTS).
2. DFARS 252.204‑7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
   Requires protection of Covered Defense Information (CDI)—which ties to the CUI Registry—and mandates NIST SP 800‑171 implementation plus cyber‑incident reporting to DoD. Applies broadly to DoD contracts except those solely for COTS items.
3. 32 CFR Part 2002 (CUI Program)
   Government‑wide policy defining CUI, the roles of the CUI Executive Agent (NARA/ISOO), and the CUI Registry for categories and markings. Distinguishes CUI Basic vs. CUI Specified.
4. NIST SP 800‑171 (Rev. 2 currently required by DoD; Rev. 3 published)
   The technical requirements (110 controls in Rev. 2) for protecting CUI in nonfederal systems. Rev. 3 (May 2024) is final, but DoD has instructed the DIB to keep using Rev. 2 for DFARS/CMMC alignment (for now) while it transitions.

Real‑world examples: What counts as FCI vs. CUI?

FCI examples (typical SMB contractor):

• Statement of Work and schedule drafts prepared under your DoD contract.
• Non‑public CO emails with performance instructions.
• Internal progress reports tied to deliverables.
  All are not for public release and contract‑related → FCI → FAR 52.204‑21 controls apply.

CUI examples (common in DIB):

• Controlled Technical Information (CTI) and export‑controlled data (e.g., ITAR/EAR) → category entries in the CUI Registry.
• DoD‑specific CUI like Unclassified Controlled Nuclear Information – Defense, or DoD Critical Infrastructure Security Information.
• Privacy or health information handled for a DoD purpose (where law/policy requires control).
  These are CUI categories that require safeguarding per DFARS 7012 and NIST SP 800‑171.

Tip: When in doubt, look for explicit regulatory hooks (e.g., export control), markings, or contract language calling out “CUI,” “CDI,” “CTI,” or referencing DFARS 7012. Validate against the CUI Registry entry.

Decision guide: Is it FCI or CUI?

• FCI → FAR 52.204‑21 baseline controls (Level 1 in CMMC).
• CUI → DFARS 7012 + NIST SP 800‑171 (CMMC Level 2).

What “good” looks like for FCI (Level 1)

Scope: Any system that processes, stores, or transmits FCI. Do this right away:

1. Access Control: Limit access to authorized users and only to necessary functions.
2. Authentication: Verify user identities before granting access.
3. Boundary Defense: Monitor and protect communications at external/key internal boundaries.
4. Malware Protection: Protect and update anti‑malware defenses; fix vulnerabilities in a timely way.
5. Media Sanitization: Sanitize/destroy media containing FCI prior to disposal/reuse.
6. Physical Security: Limit/monitor physical access; escort visitors; manage keys/badges.

Outcome: You can credibly self‑assess Level 1 under CMMC as these are the very 15 basic safeguards baked into FAR 52.204‑21.

What “good” looks like for CUI (Level 2)

Scope: The enclave (or broader environment) where CUI is processed/stored/transmitted.

Controls baseline: NIST SP 800‑171 (Rev. 2 for DoD alignment), with an SSP, policies/procedures, and evidence that the controls operate in practice (not just on paper).

Assessment reality: Under CMMC, most CUI environments will require a C3PAO certification at Level 2. Plan for assessor testing/interviews, objective evidence, and tight scoping per DoD’s Level 2 Assessment Guide.

Rev. 3 awareness: NIST finalized Rev. 3 in May 2024 (fewer total requirements, new families, ODPs). DoD has directed sticking with Rev. 2 for now, but tracking Rev. 3 helps you be future‑ready.

Typical CUI data flow (simplified)

Summary of Key Points

• Understanding the distinction between FCI and CUI is the first and most critical step in any CMMC strategy. Misclassification creates unnecessary scope, cost, and compliance risk.
• FCI is non‑public information provided or generated under a Federal contract and is protected by FAR 52.204‑21’s 15 basic safeguards. It aligns directly with CMMC Level 1 requirements for self‑assessment.
• CUI requires safeguarding or dissemination controls under law, regulation, or government‑wide policy. It triggers DFARS 252.204‑7012 and implementation of NIST SP 800‑171, forming the basis for CMMC Level 2.
• Most contractor data is FCI—not CUI—unless a legal or regulatory basis exists. Verification should always reference the CUI Registry and contract clauses.
• CMMC is now a finalized and active DoD requirement, with full rollout progressing through 2028. Contractors handling CUI will require third‑party C3PAO certification.
• A properly scoped architecture—preferably with a dedicated CUI enclave—reduces cost and complexity, especially for SMBs.
• Documentation matters. A strong SSP, policies/procedures, and evidence aligned to the CMMC Assessment Guide are essential for passing a Level 2 assessment.
• The False Claims Act is a real and increasing risk. Misrepresenting cybersecurity posture can result in severe penalties, regardless of whether a breach occurs.
• Success depends on early action: identify your data types, apply the right control baseline, build evidence continuously, and validate subcontractor compliance.