Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are both protected categories of unclassified government data, but the obligations they trigger are different in kind, not just in degree. The distinction is the single most important early decision a contractor makes about CMMC scope.
Federal Contract Information (FCI)
FCI is information "not intended for public release" that is provided by or generated for the government under a contract to deliver a product or service. It is broad and mundane: most contract performance data that is not already public qualifies. Protecting FCI requires the 15 basic safeguarding requirements at FAR 52.204-21 and, under CMMC, status at Level 1.
The 15 basic safeguarding requirements every federal contractor that processes FCI must implement. CMMC Level 1 maps to this clause.
View at acquisition.govControlled Unclassified Information (CUI)
CUI is information the government requires safeguarding or dissemination controls for, consistent with applicable laws, regulations, and government-wide policies, but that is not classified. The National Archives maintains the authoritative CUI Registry, which catalogs CUI categories (e.g. Controlled Technical Information, Export Control, Privacy, Defense). In a defense context, CUI most commonly appears as engineering data, technical drawings, specifications, source selection information, and proposal materials.
Protecting CUI on non-federal systems requires the 110 NIST SP 800-171 Revision 2 security requirements and, under CMMC, status at Level 2 (or Level 3 for designated high-priority programs).
The CUI program rule. Establishes the CUI Registry, lawful safeguarding requirements, and the basis for NIST SP 800-171's application to non-federal systems.
View at ecfr.govHow the distinction shows up in real contracts
- A solicitation that includes DFARS 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting") is signaling CUI handling. That clause requires NIST SP 800-171 implementation. Under CMMC, that maps to Level 2.
- A solicitation with only FAR 52.204-21 and no DFARS 7012 is signaling FCI only — Level 1 territory.
- Marking practices matter. The government is supposed to mark CUI consistently with the CUI Registry. If you receive unmarked-but-clearly-CUI material, ask the contracting officer to confirm. Do not guess down.
Why misclassifying costs money
Two failure modes drive the overspend. The first is treating FCI as CUI — paying for an enclave, GCC High licensing, and a Level 2 C3PAO assessment for contracts that only required Level 1. The second is treating CUI as FCI — failing to implement 800-171, posting a low SPRS score, and becoming ineligible for the contracts that pay for the program. Both are recoverable; both are expensive.
Once you know whether your contracts touch CUI, the level decision and the partner-routing decision follow.