The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
Scoping guide

What Is CUI? FCI vs CUI Explained for CMMC Contractors

The exact FAR & DFARS definitions, which CMMC level each triggers, and the marking myth that quietly fails small suppliers.

The Defense Compliance Report Editorial TeamIndependent CMMC and DIB compliance research
Published: Last reviewed:
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

Provider-matching forms on this site may generate referral or lead-routing compensation. This page does not currently contain named provider rankings, endorsements, or "best provider" awards. If named provider reviews are published later, sponsored, affiliate, partner, or referral relationships will be labeled on the relevant provider card or review. See our Methodology and Editorial & Advertising Policy for details.

By The Defense Compliance Report Editorial Team · · Corrections policy

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance — the independent CMMC decision layer for defense contractors. This article is educational, not legal or contractual advice.

Controlled Unclassified Information (CUI) is unclassified information the government — or a contractor acting on its behalf — creates or possesses that a law, regulation, or government-wide policy requires or permits an agency to handle with safeguarding or dissemination controls. Federal Contract Information (FCI) is the broader category — non-public information provided by or generated for the government under a contract. That single distinction is the most expensive call you’ll make in CMMC, because it sets your level before you spend a dollar: handle only FCI, and you’re generally looking at CMMC Level 1; handle CUI, and you’re at Level 2 or higher, built on the 110 security requirements in NIST SP 800-171 Revision 2. So the real question hiding inside “what is CUI” and “FCI vs CUI” was never academic. It’s “Which bucket am I in — and what does that obligate me to do?”

Here’s the part most guides skip. Plenty of contractors get the definitions right and still get the decisionwrong, because of one myth about CUI markings that quietly walks small suppliers into failed prime reviews and lost awards. We’ll name it, and show you the regulation that kills it. First, the fast version you came for.

Last reviewed June 2026

In short: FCI and CUI are two different categories of government information, and which one you handle determines the CMMC level and safeguarding obligations that apply to your contract. That distinction comes from your contract clauses, not a self-assessment. Which path fits your situation varies — use Find My CMMC Path to map it before requesting quotes.

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find My CMMC Path →

FCI vs CUI at a glance

The questionFCI (Federal Contract Information)CUI (Controlled Unclassified Information)
What is it?Non-public information provided by or generated for the government under a contractUnclassified info a law, regulation, or government-wide policy requires or permits an agency to handle with safeguarding or dissemination controls
How sensitive?Broad floor — most non-public contract infoNarrower, more sensitive subset (only what’s in the NARA CUI Registry)
Usual CMMC levelLevel 1 (Foundational)Level 2 (Advanced) minimum; Level 3 for the most sensitive cases
Security standard15 basic safeguards (FAR 52.204-21)110 requirements / 14 families (NIST SP 800-171 Rev. 2)
AssessmentAnnual self-assessmentSelf-assessment or C3PAO assessment — set by your contract
Strongest signal in your contractFAR 52.204-21DFARS 252.204-7012, CUI markings, the NARA Registry category
The mistake that hurtsTreating FCI like public informationTreating CUI like ordinary business data

If you read nothing else, read this: all CUI a contractor holds while performing a federal contract is also FCI, but not all FCI is CUI. That isn’t our opinion — it’s the published position of the government office that runs the CUI program (more on that below). It’s also the line that decides whether your next CMMC step costs a weekend of policy work or becomes a multi-month budget line.

Not sure which bucket your data falls into? Before you price a single tool or call a single vendor, walk your actual contract and data through the FCI/CUI Contract-Triage Matrix further down this page. And one standing rule, because this is a page about CUI: never paste CUI into any web form or tool, including ours.

What is CUI, in plain English?

CUI is unclassified information that still requires protection because a law, regulation, or government-wide policy says so. It is not classified information, and it is not “anything sensitive.” For a defense contractor, CUI is the specific category of information that usually turns a routine CMMC conversation into a Level 2 scoping conversation — the moment your obligations jump from 15 basic safeguards to 110 security requirements.

The federal definition is precise. The CMMC contract clause itself, DFARS 252.204-7021, borrows it word-for-word from the CUI program rule at 32 CFR 2002.4(h): CUI is information the government creates or possesses — or that an entity creates or possesses for or on behalf of the government — that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. We read that clause directly on Acquisition.gov to confirm the language still matches the underlying rule. It does.

Two things follow from that definition, and both save contractors money.

CUI is not “everything sensitive in the building”

Your pricing strategy, your internal HR files, your trade secrets, your CEO’s email — none of that is automatically CUI. CUI has to trace back to an authorized category with a legal basis. If you can’t point to the category and the authority, you’re probably not looking at CUI. It’s easy to over-scope by treating every confidential document as CUI, then paying to protect data the government never asked you to protect.

The NARA CUI Registry is the only list that counts

There is exactly one authoritative, government-wide list of what qualifies as CUI: the CUI Registry, maintained by the National Archives and Records Administration (NARA). It names the categories, subcategories, markings, and legal authorities. If a category isn’t in that Registry, it isn’t CUI. When a prime or a vendor tells you something “is CUI,” the right reflex is to ask which Registry category and which authority — and then check it yourself.

CUI Basic vs CUI Specified (the 30-second version)

CUI Basic is the default — the standard handling authorized holders apply unless the CUI Registry flags the information as CUI Specified, where the underlying law or regulation spells out stricter or more specific controls. You don’t need to master this distinction to figure out your CMMC level; you need to know it exists, so that when a marking reads “CUI//SP-” you don’t treat it like ordinary CUI. Your markings and the Registry tell you which is which.

Use this as your CUI gut-check before you scope anything:

What the regulation says (32 CFR 2002.4(h))What to check in your worldDon’t assume
CUI is info a law, regulation, or government-wide policy requires or permits an agency to handle with safeguarding or dissemination controls; only NARA Registry categories qualifyWhich Registry category and legal authority apply? Are there CUI markings? Is DFARS 252.204-7012 in the contract?“Sensitive” does not equal CUI. “Unmarked” does not equal “not CUI.”
32 CFR 2002.4(h) — CUI definition (echoed in DFARS 252.204-7021)

CUI is information the government creates or possesses — or that a contractor creates or possesses for or on behalf of the government — that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

View at ecfr.gov

What is FCI, in plain English?

FCI is non-public information provided by or generated for the government under a contract to develop or deliver a product or service. It’s broader than CUI, and it has two clean carve-outs: information the government already made public, and simple transactional information such as the data needed to process a payment.

That definition comes straight from FAR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”). We pulled the clause text on Acquisition.gov to confirm the carve-outs are still exactly those two. They are.

Here’s the practical reality almost every defense contractor misses: if your systems process, store, or transmit any non-public information generated for or provided by the government under the contract, you have FCI. The only carve-outs are information the government already made public and simple payment-processing data. For most contractors, that means FCI is the floor, not a special category.

FCI examples a real contractor recognizes

What is not FCI

One detail that trips people up: there is no “FCI Registry”

Unlike CUI, FCI has no government-wide list of categories or markings. You identify FCI by context— is this non-public information tied to a federal contract? — and by the presence of FAR 52.204-21 in your agreement. That absence of a marking scheme is exactly why the “if it’s not marked, it’s not regulated” instinct is so dangerous, and why we keep pointing you back to the contract instead of the file.

And FCI is not a free pass. Handling FCI on your systems can trigger CMMC Level 1, because CMMC applies to contractor systems that process, store, or transmit FCI or CUI.

What the regulation says (FAR 52.204-21)What to check in your worldDon’t assume
FCI is non-public info provided by or generated for the government under a contract; public government info and simple payment-processing data are excludedIs FAR 52.204-21 in the contract? Is the information non-public and tied to performance?“Public” status isn’t automatic. A missing clause doesn’t erase your obligations if FCI is present.
FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems

FCI is information provided by or generated for the government under a contract to develop or deliver a product or service — not intended for public release. Applies to contractor information systems that process, store, or transmit FCI.

View at acquisition.gov

What is the difference between FCI and CUI?

The difference is sensitivity and authority. FCI is the broad bucket of non-public contract information, defined by the FAR. CUI is the controlled subset that needs stronger protection, defined by Executive Order 13556, the CUI program rule at 32 CFR Part 2002, and the NARA Registry. For CMMC, that line is the difference between Level 1 (15 safeguards) and Level 2 (110 requirements in NIST SP 800-171 Rev. 2).

DimensionFCICUI
Public?NoNo
Classified?NoNo
Requires safeguarding?Yes — basicYes — stronger, control-based
Usual CMMC levelLevel 1Level 2 (Level 3 for the most sensitive)
Defining authorityFAR 52.204-21EO 13556 · 32 CFR 2002 · NARA CUI Registry
Security standard15 basic safeguardsNIST SP 800-171 Rev. 2 (110 reqs, 14 families)
First question to ask“Is this non-public contract information?”“What category and authority make this CUI?”

The mental model that keeps you out of trouble

Think of it as nested rings:

Public information → FCI → CUI → high-sensitivity CUI (Level 3 territory)

CUI data flow diagram showing how controlled unclassified information moves through contractor systems in a CMMC scoping exampleExample CUI data flow through contractor environments. Click to jump to the Contract-Triage Matrix ↓

The government’s own CUI authority states the relationship plainly. NARA’s Information Security Oversight Office (ISOO) — the office that administers the CUI program — has published that all CUI in a contractor’s possession is FCI, but not all FCI is CUI. We cite that not as trivia but because it resolves the single most common argument in a CMMC kickoff meeting: yes, your CUI is also FCI; no, your routine FCI is not automatically CUI.

Why the difference is a money decision, in both directions

This is where it stops being vocabulary and starts being budget. Get the call wrong one way — under-scoping— and you treat CUI like FCI, miss Level 2 obligations, and risk failing a prime’s review or a future assessment. Get it wrong the other way — over-scoping— and you treat ordinary FCI like CUI, then pay to migrate everything into a high-security environment you didn’t need. Both mistakes are expensive. Only one of them is loud enough to notice before the invoice arrives.

The FCI vs CUI Contract-Triage Matrix

Definitions don’t fail contractors. Applicationdoes. You’re not holding a definition — you’re holding a drawing, an invoice, a flow-down email, a shared drive full of mixed documents — and you need to know what it means for your CMMC level before you hire anyone.

So here’s the asset we built that you won’t find on a competitor’s page: a triage matrix that maps the real things you’re actually looking at to a likely bucket, the CMMC implication, where to verify it, and — just as important — what not to do yet. We built it by cross-checking each row against the controlling sources cited throughout this page — FAR 52.204-21, DFARS 252.204-7012, the NARA CUI Registry, and 32 CFR Part 170.

This is guidance to scope your thinking, not a determination. Your contract language, your CUI markings, and your contracting officer are the authorities.

What you’re actually holdingLikely bucketWhyCMMC implicationFirst actionDon’t do yet
Public solicitation downloaded from SAM.govPublic (unless restricted)Public release removes it from FCI by definitionNot enough by itself to trigger anythingCheck for non-public attachmentsDon’t assume the whole opportunity is “open” data
Awarded contract documents, not publicFCINon-public info generated under a contractLevel 1 baseline if no CUI presentConfirm whether CUI is also in scopeDon’t jump to Level 2
Purchase order from a primeFCI or CUI (depends on attachments)The PO is FCI; attachments may be CUIUsually Level 1 unless CUI rides alongOpen every attachmentDon’t ignore the technical files
Simple invoice / payment dataOften outside FCI if purely transactionalThe FAR carves out simple payment dataUsually not CUI by itselfConfirm what the record actually containsDon’t put accounting in scope reflexively
Statement of work after awardOften FCI; sometimes CUIDepends on content and markingsDependsRead it for controlled contentDon’t assume “internal” means “ignore it”
Engineering drawing from DoD or a primeLikely CUI when it’s Controlled Technical InformationCTI is technical data with military or space application subject to access/dissemination controlsLevel 2 likelyTreat as CUI pending confirmationDon’t email it around unprotected
CAD model / full technical packageLikely CUI if controlled or export-controlledTechnical data with military/space applicationLevel 2 likelyIsolate it; ask for the marking basisDon’t load it onto general file shares
Source code written under a DoD contractClarify (often CUI if controlled)Depends on authority and contract termsOften Level 2Ask the CO/prime in writingDon’t open-host the repo
Export-controlled technical data (ITAR/EAR)Likely CUI (Export Controlled category)Export-controlled tech data is a Registry categoryLevel 2 likely plus export access rulesAdd controls for foreign-person accessDon’t treat export rules as “the same as CMMC”
Source-selection informationPossible CUI (Source Selection)Restricted when prepared for an agency’s evaluation of bids/proposalsLevel 2 likely if the authority appliesConfirm it ties to a federal source selectionDon’t assume all internal evaluations qualify
SBIR/STTR informationPossible CUIMay match the Small Business R&T category, or CTI/Export ControlledLevel 2 likely if it qualifiesCheck your data-rights legend and the categoryDon’t assume every SBIR file is CUI
Email coordinating delivery datesUsually FCINon-public, contract-related, no controlled contentLevel 1 if nothing moreKeep doing businessDon’t over-engineer it
Email with a controlled drawing attachedCUI in your mail systemThe attachment pulls the system into scopeLevel 2 scope expands to emailMap your mail/storage pathDon’t pretend the attachment “doesn’t count”
Prime says “you need Level 2” but sends no CUINeeds written clarificationLevel 2 should tie to actual CUIDon’t assume — confirmSend the clarification email (below)Don’t buy Level 2 tooling on a verbal
File marked “CUI”Explicit CUIThe marking is a direct designationLevel 2 pathHandle per the markingDon’t strip or “clean up” the marking
Unmarked file the contract calls CDI/CTIPotential CUI/CDIDFARS 7012 covers qualifying data you create/handle in performanceClarify; may still require protectionEscalate before assumingDon’t treat “unmarked” as “uncontrolled”
Internal HR/payrollUsually not CUINo contract-specific controlled infoUsually outside CMMC CUI scopeConfirm no controlled data is mixed inDon’t pull HR into the boundary by default
Accounting system with contract numbers + invoice attachmentsPossible FCI exposureContract data lives here; attachments might carry CUILevel 1, or segmented Level 2 if CUI entersInventory what’s storedDon’t assume it’s clean or dirty — check
Shared drive of mixed contract docs + drawingsMixed FCI/CUIThe drawings likely make it a CUI storeScope risk — the boundary grows hereInventory, then decide on isolationDon’t certify the whole drive before sorting it

How does FCI vs CUI determine your CMMC level?

Your CMMC level starts with the information you process, store, or transmit — not your size, your revenue, or your preference. FCI-only work generally points to CMMC Level 1. CUI points to Level 2 at minimum. Level 3 is reserved for the most sensitive CUI on the highest-priority programs, layering selected NIST SP 800-172 requirements on top of Level 2. The CMMC program rule, 32 CFR Part 170, became effective December 16, 2024, and ties the whole model to safeguarding FCI and CUI.

If you handle…Likely CMMC pathAssessment typeWhat to verify
Public information onlyCMMC may not be triggered by that data aloneNone from that dataContract clauses and flow-down
FCI onlyLevel 1Annual self-assessment + annual affirmationFAR 52.204-21, contract language
CUI, contract allows self-assessmentLevel 2 (Self)Triennial self-assessment + annual affirmationThe CMMC status in your solicitation/contract
CUI requiring third-party certificationLevel 2 (C3PAO)Triennial C3PAO assessment + annual affirmationThe required status in DFARS 252.204-7021
Sensitive CUI on a priority programLevel 3DIBCAC (government-led) assessmentAn explicit DoD Level 3 requirement

A few clarifications we make on every Level conversation, because blurring them is how people overpay or under-protect:

Level 1 is not “no compliance”

It’s 15 basic safeguarding requirements from FAR 52.204-21, an annual self-assessment, and an annual affirmation posted in the Supplier Performance Risk System (SPRS — the DoD database where assessment results and affirmations live). There’s no plan-of-action-and-milestones (POA&M) allowance at Level 1: you meet all 15, or you’re not compliant.

Level 2 is not automatically a C3PAO assessment

This is the single most common panic we see contractors arrive with. A C3PAO is a Certified Third-Party Assessment Organization — an independent assessment organization authorized or accredited by the Cyber AB to conduct CMMC Level 2 certification assessments. But Level 2 can be a self-assessment or a C3PAO assessmentdepending on what your contract requires. The assessment type changes your cost and timeline dramatically, so don’t assume the expensive path before you’ve read the clause that sets it.

Why NIST SP 800-171 Revision 2 — not Revision 3 — is the standard for CMMC

If you’ve seen headlines about NIST SP 800-171 Revision 3, set them aside for CMMC purposes. We confirmed this against the program rule itself: 32 CFR 170.5 states that CMMC verifies implementation of FAR 52.204-21, NIST SP 800-171 Revision 2, and NIST SP 800-172 (Feb 2021), as applicable. For CMMC Level 2 today, Rev. 2’s 110 requirements across 14 control families are the controlling set — unless and until DoD amends the rule. Don’t let a vendor scope you to Rev. 3 because it’s newer.

What phase of CMMC are we in right now?

As of , CMMC Phase 1 is active — it runs November 10, 2025 through November 9, 2026 — and focuses primarily on CMMC Level 1 and Level 2 self-assessments. Per the DoD CIO and 32 CFR 170.3(e), Phase 2 begins November 10, 2026, when applicable solicitations will start requiring Level 2 (C3PAO) certifications.

The phased rollout matters for your timing. During Phase 1, where applicable, solicitations require a Level 1 or Level 2 self-assessment as a condition of award — though DoD may, at its discretion, require a Level 2 (C3PAO) assessment on a given contract even now. The contract requirement was made enforceable by the DFARS rule, which was published September 10, 2025 and took effect November 10, 2025. Translation: if you handle CUI and you’ll be bidding into Level 2 (C3PAO) contracts, the runway to get assessed is shrinking, and C3PAO capacity is finite. That’s not a scare tactic — it’s the schedule.

Which contract clauses tell you FCI or CUI is in scope?

The fastest way to stop guessing is to inspect the solicitation, contract, and flow-down package for specific clauses and markings. FAR 52.204-21 signals FCI. DFARS 252.204-7012 is a strong CUI signal. The 7019/7020 clauses concern your NIST SP 800-171 score in SPRS. And as of the DFARS rule effective November 10, 2025, DFARS 252.204-7021 (in contracts) and DFARS 252.204-7025 (a notice in solicitations) tie your required CMMC status to award eligibility. We pulled each from Acquisition.gov to confirm titles and effective dates. Here’s the map.

Clause / clueWhat it signalsThe data question to askCMMC implicationEvidence to save
FAR 52.204-21Basic safeguarding of covered contractor information systemsDo we process/store/transmit FCI?Level 1 in playClause text, contract section
DFARS 252.204-7012Covered Defense Information + 72-hour cyber-incident reporting; ties to NIST SP 800-171Do we receive, create, store, or transmit CDI/CTI/CUI?Level 2 likely if CUI/CDI existsClause, technical attachments, system boundary
DFARS 252.204-7019Notice of NIST SP 800-171 DoD assessment requirements (offeror notice)Do we need a current NIST score posted?CUI/assessment relevanceSPRS score and evidence
DFARS 252.204-7020NIST SP 800-171 DoD assessment requirements (the SPRS posting obligation)Is DoD relying on our posted assessment?CUI/assessment relevanceSPRS posting + scope
DFARS 252.204-7021Contractor compliance with CMMC level requirements (the contract clause)What CMMC status does the contract require?Level/status requirement, flows down to subsThe clause and the required level
DFARS 252.204-7025Notice of CMMC level requirements (the solicitation provision)What level/status is required before award?Pre-award decision pointThe solicitation notice
CUI markingA direct CUI designationWhat category, authority, and dissemination controls apply?Level 2 scope likelyThe marking, category, authority
Distribution Statement B–FControlled technical distributionIs this technical information restricted?CUI/CTI possibilityThe drawing/document cover page
Prime flow-down noteA subcontractor requirementWhat information is actually flowed down?Level depends on FCI vs CUIWritten prime clarification

Ask, don’t assume: two clarification emails you can send today

When the contract is ambiguous, the professional move — and the one that protects you in a dispute — is to get the answer in writing. Copy, adapt, and send.

To your contracting officer or prime (data-type confirmation):

Subject: CMMC scope clarification — [Solicitation/Contract #]

We’re confirming CMMC scope for this [solicitation/subcontract]. Please confirm whether the information we will process, store, or transmit is FCI only or includes CUI/CDI/CTI. If CUI is included, please identify the CUI category, the applicable marking guidance, the relevant contract clauses, and whether the required CMMC status is Level 2 (Self-Assessment) or Level 2 (C3PAO). We want to scope our environment accurately rather than over- or under-build it.

To a prime that asserted “Level 2” with no CUI package (flow-down traceability):

Subject: Level 2 flow-down — please identify the CUI

To size our compliance correctly, please identify the specific CUI you intend to flow down to us, the contract clause requiring CMMC, and the required CMMC status. If no CUI will be processed, stored, or transmitted on our systems, please confirm whether a Level 1 status is acceptable for this scope.

Build your evidence packet before you hire anyone.

Use the clause-signal table and the clarification emails above to gather the clauses, markings, distribution statements, and written answers a readiness provider, MSP, or assessor will ask for on day one. Our CMMC readiness checklist maps the groundwork to the 14 control families — no sales call required. Show up scoped, and you’ll spend less.

Real examples: when is something FCI vs CUI?

A file’s label alone often isn’t enough. The content, the contract, the marking, the Registry category, and the legal authority decide it together. The examples below show the patterns we see most, but your contract and your government or prime clarification always control the final call.

We’ll be straight with you: no web page — not ours, not anyone’s — can definitively classify your specific file from a one-line description. The same drawing can be public, FCI, or CUI depending on the contract behind it, the marking on it, the technical content inside it, and the legal authority that governs it. Anyone who promises a universal answer to “is a drawing CUI?” is selling certainty they don’t have.

What we can hand you is the same triage a good readiness team runs in its first week — the matrix above, plus the category patterns below — so you walk into any conversation scoped instead of guessing.

Engineering drawings and technical packages

Controlled Technical Information (CTI) is a category in the NARA CUI Registry, and DFARS 252.204-7012 ties it to technical data with military or space application that’s subject to controls on access, use, reproduction, release, disclosure, or dissemination — research and engineering data, drawings, specifications, manuals, technical reports, and source code among the examples. Not every drawing is automatically CTI. But because so many DoD and prime technical packages are, the safe operating assumption is to protect a drawing until a marking, distribution statement, or written answer confirms its status.

Export-controlled data

The CUI Registry includes an Export Controlled category for unclassified information governed by export-control laws (ITAR/EAR). Important nuance: export control is not a CMMC level. It adds foreign-person access restrictions on top of whatever CMMC level applies. Handle both, separately.

SBIR/STTR information

The Registry includes a Small Business Research and Technology category, which relates to certainSBIR/STTR information in a government database. Don’t assume every SBIR/STTR file is CUI under that category from the data-rights legend alone. Your SBIR/STTR technical deliverables may still be CUI under another category — Controlled Technical Information or Export Controlled — so check the content, not just the program.

Source-selection information

The Registry includes a Source Selection category, tied to information prepared for an agency’s evaluation of bids or proposals and not publicly released. Your own internal prime-to-subcontractor evaluation records are not automatically Source Selection CUI unless they’re tied to an applicable authority, contract requirement, or flow-down.

What if the file is unmarked, badly marked, or came from a prime?

Don’t assume a file is safe just because it’s unmarked — and don’t assume everything is CUI just because a prime is nervous. Marking matters, but the rules also recognize that a missing marking does not automatically release an authorized holder from safeguarding obligations. This is the myth we promised to kill.

The marking myth: “if it’s not marked CUI, it’s not CUI”

Here’s why that belief fails contractors. DFARS 252.204-7012 defines Covered Defense Information as unclassified Controlled Technical Information or other information described in the CUI Registry that requires safeguarding or dissemination controls — and that reaches you by one of two paths:

DFARS 7012 pathWhat it meansWhat to ask in writing
(1) Marked or otherwise identified in the contract and provided by or on behalf of DoDThe government flagged it as CDI for you“Which CUI category and marking guidance apply to this data?”
(2) Collected, developed, received, transmitted, used, or stored by you in support of the contractCDI you generate or handle can qualify even without a government marking — when it meets the definition (CTI or other CUI-Registry information requiring controls)“Is the technical data we produce under this contract CDI/CTI, and how should we handle it?”

That second path is the one people forget. An unmarked technical file you generated under the contract can still require protection when it meets the CDI definition. We confirmed this against the clause text on Acquisition.gov.

The government is supposed to mark and identify CUI. In the real world, markings get missed, especially on legacy programs and in subcontractor packages. So the absenceof a CUI marking is not proof you’re FCI-only. When the contract, the technical content, or the flow-down suggests CUI, escalate and ask in writing before you assume Level 1.

Over-marking is a problem too

If you swing the other way and treat everythingas CUI, you inflate your Level 2 boundary, trigger an unnecessary migration to a high-security environment, and buy tooling you don’t need. It’s common for companies to fund a full secure-cloud migration to protect data the government never controlled. Precision saves money in both directions.

The rule that keeps you safe: get it in writing

When data is ambiguous, ask the prime or contracting officer for written clarification (the email scripts above do this in 30 seconds). Document the question and the answer. It’s the cheapest insurance in CMMC, and it’s the record you’ll want if a determination is ever challenged. None of this is legal advice — when the stakes are high, loop in counsel.

Is all CUI FCI? Is all FCI CUI?

For contractor decision-making: yes, the CUI you handle while performing a federal contract is also FCI — but no, your routine FCI is not automatically CUI. CUI is the controlled, higher-sensitivity subset inside the broader universe of non-public contract information. That’s the published position of NARA’s Information Security Oversight Office, the office that administers the CUI program.

The practical payoff is avoiding the two opposite mistakes one more time, because this is the question your whole budget hinges on:

Hold the mental model — public → FCI → CUI → high-sensitivity CUI— and you’ll resist both.

Does CUI mean you need GCC High, GovCloud, or a CUI enclave?

No — CUI does not automatically require Microsoft GCC High, AWS GovCloud, or any single product. It requires that the systems which process, store, or transmit CUI meet the applicable NIST SP 800-171 Rev. 2 safeguards. The right architecture depends on your scope, your users, your cloud services, export-control issues, and what your contract actually requires. Product choice is the last decision, not the first.

We bring this up because “CUI means GCC High” is the most expensive assumption in the niche, and vendors have every incentive to let it ride. Here’s the order that protects your budget.

The four decisions, in order

  1. Identify your CUI. What is it, and which Registry category and authority cover it?
  2. Map your data flows. Where does that CUI actually live and travel — email, file shares, ERP, ticketing, endpoints, portals?
  3. Draw your CMMC boundary. Which systems are in scope, and which can stay out?
  4. Choose architecture. Now decide between an enclave, a managed compliance environment, or a broader Microsoft 365 / GCC High implementation.

Match the architecture to your CUI footprint

Your CUI footprintArchitecture to evaluate firstScope riskVerify before requesting quotes
CUI touches a small, defined teamA CUI enclave (a real, enforced boundary)Low if the boundary holdsThat the enclave actually isolates CUI in practice
CUI limited to a single projectProject-scoped enclave or managed environmentModerateWhether project data leaks into shared systems
CUI scattered across email/shared drivesManaged compliance environment or consolidationHigh — the boundary is everywhereA full data inventory before you commit
CUI is company-wideBroader Microsoft 365 / GCC High implementationHigher cost, but may be necessaryWhether scope reduction is realistic first
You only touch CUI inside a prime’s portalPossibly minimal new architectureLow if CUI never lands on your systemsWhether any CUI is downloaded or synced locally

There’s a real cloud nuance to know, not fear: DFARS 252.204-7012 includes requirements for cloud service providers handling covered defense information, including FedRAMP Moderate (or equivalent) language. That can point toward a government-community cloud for some contractors — but it’s a consequence of your scope and contract, not an automatic mandate for everyone who touches any CUI.

Worried Level 2 means moving your whole company into a secure cloud?

It usually doesn’t — but which model fits (enclave, managed compliance, or full GCC High) depends on your scope, and getting that wrong is the difference between a right-sized project and a six-figure over-build. Tell us your level, scope, and timeline, and we’ll match you with the right provider category before you request a single quote.

Provider matching is a free service for readers. Where DCR may receive compensation from a partner, that compensation does not influence our editorial analysis. See our Editorial & Advertising Policy.

Tell us your level and scope →

Can you cut CMMC cost by separating FCI and CUI systems?

Often, yes — but only if the CUI boundary is real, documented, and actually enforced. CMMC Level 2 scoping (defined in 32 CFR 170.19) sorts your environment into asset categories tied to where CUI and its protections live. Careless data mixing pulls far more systems into scope than contractors expect, and that’s where Level 2 budgets balloon.

The cost mistake

Buying a broad Level 2 environment before confirming whether CUI is limited to one team, one project, or one data flow. Scope first, then spend.

The scope mistake

Letting CUI sprawl — into general email, open shared drives, helpdesk tickets, CRM, accounting attachments, and unmanaged laptops. Every place CUI lands becomes part of the boundary you have to assess and protect.

The operating rule

“Compliance follows the data” is a useful phrase, and the scoping rule at 32 CFR 170.19 is the reason it’s true: your boundary is defined by where CUI and its security protections actually are. Contain the data, and you contain the cost. (When you’re ready to put numbers to it, our CMMC Level 2 cost breakdown walks through what drives the range.)

What should subcontractors do when a prime flows down Level 2?

Don’t ignore a Level 2 flow-down — but don’t silently accept a vague one either. Under 32 CFR 170.23, a subcontractor’s requirement depends on whether it processes, stores, or transmits FCI or CUI and on the prime contract’s required status. A sub handling only FCI can be set at Level 1; a sub handling CUI must be at least Level 2. As of the November 10, 2025 DFARS rule, the 252.204-7021 clause flows down to subcontracts that will involve FCI or CUI, and subs post their own status in SPRS.

The most useful thing we can give a subcontractor is the set of questions that turn a vague demand into a scoped requirement.

When the prime says…You should ask…Why it matters
“You need CMMC Level 2.”“What CUI will we process, store, or transmit?”Level 2 should tie to actual CUI, not general caution.
“It’s flowed down from the prime contract.”“Which clause and which CMMC status?”Flow-down has to be traceable to a requirement.
“You need to be certified.”“Is it Level 2 Self-Assessment or Level 2 C3PAO?”The assessment type drives your cost and timeline.
“The files are controlled.”“What CUI category, marking, or authority applies?”The category determines how you handle it.
“Just use our portal.”“Will CUI ever leave the portal and enter our systems?”If it doesn’t touch your systems, your scope may stay small.

Got a Level 2 flow-down but no clear CUI package?

Tell us your role, your contract clues, and your timeline, and we’ll match you with the right provider category to talk to first — readiness, enclave, MSP/MSSP, GRC, or assessment. You shouldn’t buy a Level 2 environment on a verbal instruction.

Provider matching is a free service for readers. Where DCR may receive compensation from a partner, that compensation does not influence our editorial analysis. See our Editorial & Advertising Policy.

Match me with the right provider category →

What to do next if you think you have CUI

Don’t start by buying software or calling a C3PAO. Start by collecting evidence, so your next conversation is scoped instead of speculative. Here’s the order we recommend, and each step is small enough to do this week.

Step 1 — Save the contract evidence

Solicitation CMMC language · FAR/DFARS clauses · flow-down language · CUI-marked attachments · distribution statements · technical-data-package cover pages · written prime/CO clarifications.

Step 2 — Map where the data lives

Email · file shares and cloud storage · engineering tools · ERP/accounting (and their attachments) · ticketing/helpdesk · laptops and endpoints · contractor/sub portals.

Step 3 — Sort into three buckets

  1. Confirmed CUI (marked, or clearly within a Registry category and authority)
  2. Possible CUI (needs written clarification)
  3. FCI-only / non-CUI contract data

Step 4 — Choose the right provider category (not yet a specific vendor)

Your situationProvider category to consider first
You don’t know your level or scopeReadiness / RPO (Registered Provider Organization) / vCISO
You have CUI but it’s scatteredCMMC-focused MSP/MSSP or a CUI enclave advisor
You need evidence workflows (SSP, POA&M)GRC / compliance software — as a supporting layer, not the whole solution
You’re genuinely assessment-readyC3PAO / assessment resources (kept separate from your remediation help)
You need cloud architecture for CUIGCC High / GovCloud / secure-collaboration provider

One independence note that protects you: readiness and remediation help must stay appropriately separated from your formal C3PAO assessment. The team that fixes your gaps generally should not be the team that certifies them. And no software, by itself, makes you CMMC compliant — it supports the work; it doesn’t replace it.

Ready to turn FCI/CUI confusion into a scoped plan?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options that fit the stage you’re actually in — readiness, enclave, MSP/MSSP, GRC, or assessment. No pressure, no premature C3PAO pitch; just the right category for where you stand today.

Provider matching is a free service for readers. Where DCR may receive compensation from a partner, that compensation does not influence our editorial analysis. See our Editorial & Advertising Policy.

Get matched with source-checked CMMC provider options →

What we verified for this guide

This guide is built from primary and authoritative sources, not paraphrase. On , we read the controlling clause, rule, and Registry text directly and recorded what each one says. The triage matrix and the decision tables are our editorial synthesis — useful for scoping, not a legal determination or a government decision. (More on how we work: our editorial standards.)

What we checked, and where:

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Limitations and ground rules:

  • This is educational information, not legal, contractual, or compliance advice.
  • Do not upload CUI to this page, any form, or any tool.
  • Your contracting officer, your prime contract, the flow-down language, your CUI markings, and the applicable legal authorities control your actual obligations.
  • Provider-category guidance is editorial decision support, not a certification guarantee.
  • We are not affiliated with the Department of Defense, the Cyber AB, or any U.S. government agency.

Frequently asked questions: CUI vs FCI

Most FCI vs CUI confusion comes from trying to classify a single file without its contract context. The reliable approach is to combine the definition, the Registry category, the marking, the clause, the data flow, and a written clarification before you settle your CMMC level or pick a provider path.

Is CUI classified information?

No. CUI is unclassified information that still requires safeguarding or dissemination controls under a law, regulation, or government-wide policy. It is explicitly not classified under Executive Order 13526 or the Atomic Energy Act.

Is all FCI CUI?

No. FCI is broader than CUI. Many non-public contract documents are FCI without ever rising to CUI.

Is all CUI FCI?

For contractor purposes, yes — CUI you handle while performing a federal contract is also FCI, per NARA’s Information Security Oversight Office. The reverse is not true: routine FCI is not automatically CUI. CUI is the controlled, higher-sensitivity subset.

Does FCI require CMMC Level 1?

Generally, yes. Contractor systems that process, store, or transmit FCI map to CMMC Level 1 — 15 FAR 52.204-21 safeguards, an annual self-assessment, and an annual affirmation in SPRS — subject to the contract.

Does CUI require CMMC Level 2?

Generally, yes. Level 2 is built on the 110 requirements of NIST SP 800-171 Revision 2 for protecting CUI. Your contract decides whether that Level 2 status is self-assessed or assessed by a C3PAO.

Who decides if information is CUI?

The government designates CUI, tied to a specific NARA Registry category and legal authority, and is responsible for marking it. Contractors should not invent CUI categories — but they also can’t ignore CUI they create or handle in performance just because it arrived unmarked.

What if a file isn’t marked CUI?

Don’t assume it’s safe. A missing marking does not automatically remove safeguarding obligations, and DFARS 252.204-7012 covers Covered Defense Information you collect, develop, receive, transmit, use, or store in support of the contract when it meets the clause definition — including Controlled Technical Information or other CUI-Registry information requiring controls. Ask for written clarification when the contract or content suggests CUI.

Is an invoice CUI?

Usually not by itself, especially if it contains only simple payment information. But it can pull into scope if it includes or attaches controlled technical, source-selection, or export-controlled content.

Is a part number CUI?

Sometimes. A commercial catalog part number generally isn’t. A part number inside a controlled technical package or a restricted drawing may need review.

Is an engineering drawing CUI?

Often, yes — particularly if it’s Controlled Technical Information (technical data with military or space application subject to dissemination controls) tied to a Registry category and a contract requirement. Verify the marking, distribution statement, DFARS clause, and Registry category; not every drawing automatically qualifies.

Does CUI require GCC High?

Not automatically. CUI requires appropriate safeguarding; the right environment depends on data type, contract terms, cloud needs, export-control issues, scope, and assessment expectations. Identify your CUI and map your data flows before choosing a product.

Should we call a C3PAO first?

Usually not, if you’re still unsure whether you hold FCI or CUI. Clarify your data type, scope, clauses, and gaps first; then decide whether you need readiness help, managed compliance, software, enclave design, or a formal assessment.

Which provider category fits your situation

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Get matched →

Or keep going at your own pace: walk your data through the Contract-Triage Matrix · start the CMMC readiness checklist · see what CMMC Level 2 readiness involves · review the CMMC Level 2 cost breakdown · or see how CMMC and NIST 800-171 fit together.

The Defense Compliance Report is the independent CMMC decision layer for defense contractors. Choose the right CMMC path before you hire.

Your situation changes the answer

Find My CMMC Path

The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.

Find My CMMC Path →