Controlled Unclassified Information (CUI) is unclassified information the government — or a contractor acting on its behalf — creates or possesses that a law, regulation, or government-wide policy requires or permits an agency to handle with safeguarding or dissemination controls. Federal Contract Information (FCI) is the broader category — non-public information provided by or generated for the government under a contract. That single distinction is the most expensive call you’ll make in CMMC, because it sets your level before you spend a dollar: handle only FCI, and you’re generally looking at CMMC Level 1; handle CUI, and you’re at Level 2 or higher, built on the 110 security requirements in NIST SP 800-171 Revision 2. So the real question hiding inside “what is CUI” and “FCI vs CUI” was never academic. It’s “Which bucket am I in — and what does that obligate me to do?”
Here’s the part most guides skip. Plenty of contractors get the definitions right and still get the decisionwrong, because of one myth about CUI markings that quietly walks small suppliers into failed prime reviews and lost awards. We’ll name it, and show you the regulation that kills it. First, the fast version you came for.
In short: FCI and CUI are two different categories of government information, and which one you handle determines the CMMC level and safeguarding obligations that apply to your contract. That distinction comes from your contract clauses, not a self-assessment. Which path fits your situation varies — use Find My CMMC Path to map it before requesting quotes.
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
FCI vs CUI at a glance
| The question | FCI (Federal Contract Information) | CUI (Controlled Unclassified Information) |
|---|---|---|
| What is it? | Non-public information provided by or generated for the government under a contract | Unclassified info a law, regulation, or government-wide policy requires or permits an agency to handle with safeguarding or dissemination controls |
| How sensitive? | Broad floor — most non-public contract info | Narrower, more sensitive subset (only what’s in the NARA CUI Registry) |
| Usual CMMC level | Level 1 (Foundational) | Level 2 (Advanced) minimum; Level 3 for the most sensitive cases |
| Security standard | 15 basic safeguards (FAR 52.204-21) | 110 requirements / 14 families (NIST SP 800-171 Rev. 2) |
| Assessment | Annual self-assessment | Self-assessment or C3PAO assessment — set by your contract |
| Strongest signal in your contract | FAR 52.204-21 | DFARS 252.204-7012, CUI markings, the NARA Registry category |
| The mistake that hurts | Treating FCI like public information | Treating CUI like ordinary business data |
If you read nothing else, read this: all CUI a contractor holds while performing a federal contract is also FCI, but not all FCI is CUI. That isn’t our opinion — it’s the published position of the government office that runs the CUI program (more on that below). It’s also the line that decides whether your next CMMC step costs a weekend of policy work or becomes a multi-month budget line.
Not sure which bucket your data falls into? Before you price a single tool or call a single vendor, walk your actual contract and data through the FCI/CUI Contract-Triage Matrix further down this page. And one standing rule, because this is a page about CUI: never paste CUI into any web form or tool, including ours.
What is CUI, in plain English?
CUI is unclassified information that still requires protection because a law, regulation, or government-wide policy says so. It is not classified information, and it is not “anything sensitive.” For a defense contractor, CUI is the specific category of information that usually turns a routine CMMC conversation into a Level 2 scoping conversation — the moment your obligations jump from 15 basic safeguards to 110 security requirements.
The federal definition is precise. The CMMC contract clause itself, DFARS 252.204-7021, borrows it word-for-word from the CUI program rule at 32 CFR 2002.4(h): CUI is information the government creates or possesses — or that an entity creates or possesses for or on behalf of the government — that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. We read that clause directly on Acquisition.gov to confirm the language still matches the underlying rule. It does.
Two things follow from that definition, and both save contractors money.
CUI is not “everything sensitive in the building”
Your pricing strategy, your internal HR files, your trade secrets, your CEO’s email — none of that is automatically CUI. CUI has to trace back to an authorized category with a legal basis. If you can’t point to the category and the authority, you’re probably not looking at CUI. It’s easy to over-scope by treating every confidential document as CUI, then paying to protect data the government never asked you to protect.
The NARA CUI Registry is the only list that counts
There is exactly one authoritative, government-wide list of what qualifies as CUI: the CUI Registry, maintained by the National Archives and Records Administration (NARA). It names the categories, subcategories, markings, and legal authorities. If a category isn’t in that Registry, it isn’t CUI. When a prime or a vendor tells you something “is CUI,” the right reflex is to ask which Registry category and which authority — and then check it yourself.
CUI Basic vs CUI Specified (the 30-second version)
CUI Basic is the default — the standard handling authorized holders apply unless the CUI Registry flags the information as CUI Specified, where the underlying law or regulation spells out stricter or more specific controls. You don’t need to master this distinction to figure out your CMMC level; you need to know it exists, so that when a marking reads “CUI//SP-” you don’t treat it like ordinary CUI. Your markings and the Registry tell you which is which.
Use this as your CUI gut-check before you scope anything:
| What the regulation says (32 CFR 2002.4(h)) | What to check in your world | Don’t assume |
|---|---|---|
| CUI is info a law, regulation, or government-wide policy requires or permits an agency to handle with safeguarding or dissemination controls; only NARA Registry categories qualify | Which Registry category and legal authority apply? Are there CUI markings? Is DFARS 252.204-7012 in the contract? | “Sensitive” does not equal CUI. “Unmarked” does not equal “not CUI.” |
CUI is information the government creates or possesses — or that a contractor creates or possesses for or on behalf of the government — that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
View at ecfr.govWhat is FCI, in plain English?
FCI is non-public information provided by or generated for the government under a contract to develop or deliver a product or service. It’s broader than CUI, and it has two clean carve-outs: information the government already made public, and simple transactional information such as the data needed to process a payment.
That definition comes straight from FAR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”). We pulled the clause text on Acquisition.gov to confirm the carve-outs are still exactly those two. They are.
Here’s the practical reality almost every defense contractor misses: if your systems process, store, or transmit any non-public information generated for or provided by the government under the contract, you have FCI. The only carve-outs are information the government already made public and simple payment-processing data. For most contractors, that means FCI is the floor, not a special category.
FCI examples a real contractor recognizes
- Non-public contract documents and award paperwork
- Delivery and production schedules tied to a contract
- Internal emails coordinating contract performance
- Non-public statement-of-work or task-order details
- Prime/subcontractor coordination that isn’t public
What is not FCI
- Information the government posts publicly (a public solicitation on SAM.gov, content on a public website)
- Simple transactional data — the basics needed to process a payment, by themselves
One detail that trips people up: there is no “FCI Registry”
Unlike CUI, FCI has no government-wide list of categories or markings. You identify FCI by context— is this non-public information tied to a federal contract? — and by the presence of FAR 52.204-21 in your agreement. That absence of a marking scheme is exactly why the “if it’s not marked, it’s not regulated” instinct is so dangerous, and why we keep pointing you back to the contract instead of the file.
And FCI is not a free pass. Handling FCI on your systems can trigger CMMC Level 1, because CMMC applies to contractor systems that process, store, or transmit FCI or CUI.
| What the regulation says (FAR 52.204-21) | What to check in your world | Don’t assume |
|---|---|---|
| FCI is non-public info provided by or generated for the government under a contract; public government info and simple payment-processing data are excluded | Is FAR 52.204-21 in the contract? Is the information non-public and tied to performance? | “Public” status isn’t automatic. A missing clause doesn’t erase your obligations if FCI is present. |
FCI is information provided by or generated for the government under a contract to develop or deliver a product or service — not intended for public release. Applies to contractor information systems that process, store, or transmit FCI.
View at acquisition.govWhat is the difference between FCI and CUI?
The difference is sensitivity and authority. FCI is the broad bucket of non-public contract information, defined by the FAR. CUI is the controlled subset that needs stronger protection, defined by Executive Order 13556, the CUI program rule at 32 CFR Part 2002, and the NARA Registry. For CMMC, that line is the difference between Level 1 (15 safeguards) and Level 2 (110 requirements in NIST SP 800-171 Rev. 2).
| Dimension | FCI | CUI |
|---|---|---|
| Public? | No | No |
| Classified? | No | No |
| Requires safeguarding? | Yes — basic | Yes — stronger, control-based |
| Usual CMMC level | Level 1 | Level 2 (Level 3 for the most sensitive) |
| Defining authority | FAR 52.204-21 | EO 13556 · 32 CFR 2002 · NARA CUI Registry |
| Security standard | 15 basic safeguards | NIST SP 800-171 Rev. 2 (110 reqs, 14 families) |
| First question to ask | “Is this non-public contract information?” | “What category and authority make this CUI?” |
The mental model that keeps you out of trouble
Think of it as nested rings:
Public information → FCI → CUI → high-sensitivity CUI (Level 3 territory)

The government’s own CUI authority states the relationship plainly. NARA’s Information Security Oversight Office (ISOO) — the office that administers the CUI program — has published that all CUI in a contractor’s possession is FCI, but not all FCI is CUI. We cite that not as trivia but because it resolves the single most common argument in a CMMC kickoff meeting: yes, your CUI is also FCI; no, your routine FCI is not automatically CUI.
Why the difference is a money decision, in both directions
This is where it stops being vocabulary and starts being budget. Get the call wrong one way — under-scoping— and you treat CUI like FCI, miss Level 2 obligations, and risk failing a prime’s review or a future assessment. Get it wrong the other way — over-scoping— and you treat ordinary FCI like CUI, then pay to migrate everything into a high-security environment you didn’t need. Both mistakes are expensive. Only one of them is loud enough to notice before the invoice arrives.
The FCI vs CUI Contract-Triage Matrix
Definitions don’t fail contractors. Applicationdoes. You’re not holding a definition — you’re holding a drawing, an invoice, a flow-down email, a shared drive full of mixed documents — and you need to know what it means for your CMMC level before you hire anyone.
So here’s the asset we built that you won’t find on a competitor’s page: a triage matrix that maps the real things you’re actually looking at to a likely bucket, the CMMC implication, where to verify it, and — just as important — what not to do yet. We built it by cross-checking each row against the controlling sources cited throughout this page — FAR 52.204-21, DFARS 252.204-7012, the NARA CUI Registry, and 32 CFR Part 170.
| What you’re actually holding | Likely bucket | Why | CMMC implication | First action | Don’t do yet |
|---|---|---|---|---|---|
| Public solicitation downloaded from SAM.gov | Public (unless restricted) | Public release removes it from FCI by definition | Not enough by itself to trigger anything | Check for non-public attachments | Don’t assume the whole opportunity is “open” data |
| Awarded contract documents, not public | FCI | Non-public info generated under a contract | Level 1 baseline if no CUI present | Confirm whether CUI is also in scope | Don’t jump to Level 2 |
| Purchase order from a prime | FCI or CUI (depends on attachments) | The PO is FCI; attachments may be CUI | Usually Level 1 unless CUI rides along | Open every attachment | Don’t ignore the technical files |
| Simple invoice / payment data | Often outside FCI if purely transactional | The FAR carves out simple payment data | Usually not CUI by itself | Confirm what the record actually contains | Don’t put accounting in scope reflexively |
| Statement of work after award | Often FCI; sometimes CUI | Depends on content and markings | Depends | Read it for controlled content | Don’t assume “internal” means “ignore it” |
| Engineering drawing from DoD or a prime | Likely CUI when it’s Controlled Technical Information | CTI is technical data with military or space application subject to access/dissemination controls | Level 2 likely | Treat as CUI pending confirmation | Don’t email it around unprotected |
| CAD model / full technical package | Likely CUI if controlled or export-controlled | Technical data with military/space application | Level 2 likely | Isolate it; ask for the marking basis | Don’t load it onto general file shares |
| Source code written under a DoD contract | Clarify (often CUI if controlled) | Depends on authority and contract terms | Often Level 2 | Ask the CO/prime in writing | Don’t open-host the repo |
| Export-controlled technical data (ITAR/EAR) | Likely CUI (Export Controlled category) | Export-controlled tech data is a Registry category | Level 2 likely plus export access rules | Add controls for foreign-person access | Don’t treat export rules as “the same as CMMC” |
| Source-selection information | Possible CUI (Source Selection) | Restricted when prepared for an agency’s evaluation of bids/proposals | Level 2 likely if the authority applies | Confirm it ties to a federal source selection | Don’t assume all internal evaluations qualify |
| SBIR/STTR information | Possible CUI | May match the Small Business R&T category, or CTI/Export Controlled | Level 2 likely if it qualifies | Check your data-rights legend and the category | Don’t assume every SBIR file is CUI |
| Email coordinating delivery dates | Usually FCI | Non-public, contract-related, no controlled content | Level 1 if nothing more | Keep doing business | Don’t over-engineer it |
| Email with a controlled drawing attached | CUI in your mail system | The attachment pulls the system into scope | Level 2 scope expands to email | Map your mail/storage path | Don’t pretend the attachment “doesn’t count” |
| Prime says “you need Level 2” but sends no CUI | Needs written clarification | Level 2 should tie to actual CUI | Don’t assume — confirm | Send the clarification email (below) | Don’t buy Level 2 tooling on a verbal |
| File marked “CUI” | Explicit CUI | The marking is a direct designation | Level 2 path | Handle per the marking | Don’t strip or “clean up” the marking |
| Unmarked file the contract calls CDI/CTI | Potential CUI/CDI | DFARS 7012 covers qualifying data you create/handle in performance | Clarify; may still require protection | Escalate before assuming | Don’t treat “unmarked” as “uncontrolled” |
| Internal HR/payroll | Usually not CUI | No contract-specific controlled info | Usually outside CMMC CUI scope | Confirm no controlled data is mixed in | Don’t pull HR into the boundary by default |
| Accounting system with contract numbers + invoice attachments | Possible FCI exposure | Contract data lives here; attachments might carry CUI | Level 1, or segmented Level 2 if CUI enters | Inventory what’s stored | Don’t assume it’s clean or dirty — check |
| Shared drive of mixed contract docs + drawings | Mixed FCI/CUI | The drawings likely make it a CUI store | Scope risk — the boundary grows here | Inventory, then decide on isolation | Don’t certify the whole drive before sorting it |
How does FCI vs CUI determine your CMMC level?
Your CMMC level starts with the information you process, store, or transmit — not your size, your revenue, or your preference. FCI-only work generally points to CMMC Level 1. CUI points to Level 2 at minimum. Level 3 is reserved for the most sensitive CUI on the highest-priority programs, layering selected NIST SP 800-172 requirements on top of Level 2. The CMMC program rule, 32 CFR Part 170, became effective December 16, 2024, and ties the whole model to safeguarding FCI and CUI.
| If you handle… | Likely CMMC path | Assessment type | What to verify |
|---|---|---|---|
| Public information only | CMMC may not be triggered by that data alone | None from that data | Contract clauses and flow-down |
| FCI only | Level 1 | Annual self-assessment + annual affirmation | FAR 52.204-21, contract language |
| CUI, contract allows self-assessment | Level 2 (Self) | Triennial self-assessment + annual affirmation | The CMMC status in your solicitation/contract |
| CUI requiring third-party certification | Level 2 (C3PAO) | Triennial C3PAO assessment + annual affirmation | The required status in DFARS 252.204-7021 |
| Sensitive CUI on a priority program | Level 3 | DIBCAC (government-led) assessment | An explicit DoD Level 3 requirement |
A few clarifications we make on every Level conversation, because blurring them is how people overpay or under-protect:
Level 1 is not “no compliance”
It’s 15 basic safeguarding requirements from FAR 52.204-21, an annual self-assessment, and an annual affirmation posted in the Supplier Performance Risk System (SPRS — the DoD database where assessment results and affirmations live). There’s no plan-of-action-and-milestones (POA&M) allowance at Level 1: you meet all 15, or you’re not compliant.
Level 2 is not automatically a C3PAO assessment
This is the single most common panic we see contractors arrive with. A C3PAO is a Certified Third-Party Assessment Organization — an independent assessment organization authorized or accredited by the Cyber AB to conduct CMMC Level 2 certification assessments. But Level 2 can be a self-assessment or a C3PAO assessmentdepending on what your contract requires. The assessment type changes your cost and timeline dramatically, so don’t assume the expensive path before you’ve read the clause that sets it.
Why NIST SP 800-171 Revision 2 — not Revision 3 — is the standard for CMMC
If you’ve seen headlines about NIST SP 800-171 Revision 3, set them aside for CMMC purposes. We confirmed this against the program rule itself: 32 CFR 170.5 states that CMMC verifies implementation of FAR 52.204-21, NIST SP 800-171 Revision 2, and NIST SP 800-172 (Feb 2021), as applicable. For CMMC Level 2 today, Rev. 2’s 110 requirements across 14 control families are the controlling set — unless and until DoD amends the rule. Don’t let a vendor scope you to Rev. 3 because it’s newer.
What phase of CMMC are we in right now?
As of , CMMC Phase 1 is active — it runs November 10, 2025 through November 9, 2026 — and focuses primarily on CMMC Level 1 and Level 2 self-assessments. Per the DoD CIO and 32 CFR 170.3(e), Phase 2 begins November 10, 2026, when applicable solicitations will start requiring Level 2 (C3PAO) certifications.
The phased rollout matters for your timing. During Phase 1, where applicable, solicitations require a Level 1 or Level 2 self-assessment as a condition of award — though DoD may, at its discretion, require a Level 2 (C3PAO) assessment on a given contract even now. The contract requirement was made enforceable by the DFARS rule, which was published September 10, 2025 and took effect November 10, 2025. Translation: if you handle CUI and you’ll be bidding into Level 2 (C3PAO) contracts, the runway to get assessed is shrinking, and C3PAO capacity is finite. That’s not a scare tactic — it’s the schedule.
Which contract clauses tell you FCI or CUI is in scope?
The fastest way to stop guessing is to inspect the solicitation, contract, and flow-down package for specific clauses and markings. FAR 52.204-21 signals FCI. DFARS 252.204-7012 is a strong CUI signal. The 7019/7020 clauses concern your NIST SP 800-171 score in SPRS. And as of the DFARS rule effective November 10, 2025, DFARS 252.204-7021 (in contracts) and DFARS 252.204-7025 (a notice in solicitations) tie your required CMMC status to award eligibility. We pulled each from Acquisition.gov to confirm titles and effective dates. Here’s the map.
| Clause / clue | What it signals | The data question to ask | CMMC implication | Evidence to save |
|---|---|---|---|---|
| FAR 52.204-21 | Basic safeguarding of covered contractor information systems | Do we process/store/transmit FCI? | Level 1 in play | Clause text, contract section |
| DFARS 252.204-7012 | Covered Defense Information + 72-hour cyber-incident reporting; ties to NIST SP 800-171 | Do we receive, create, store, or transmit CDI/CTI/CUI? | Level 2 likely if CUI/CDI exists | Clause, technical attachments, system boundary |
| DFARS 252.204-7019 | Notice of NIST SP 800-171 DoD assessment requirements (offeror notice) | Do we need a current NIST score posted? | CUI/assessment relevance | SPRS score and evidence |
| DFARS 252.204-7020 | NIST SP 800-171 DoD assessment requirements (the SPRS posting obligation) | Is DoD relying on our posted assessment? | CUI/assessment relevance | SPRS posting + scope |
| DFARS 252.204-7021 | Contractor compliance with CMMC level requirements (the contract clause) | What CMMC status does the contract require? | Level/status requirement, flows down to subs | The clause and the required level |
| DFARS 252.204-7025 | Notice of CMMC level requirements (the solicitation provision) | What level/status is required before award? | Pre-award decision point | The solicitation notice |
| CUI marking | A direct CUI designation | What category, authority, and dissemination controls apply? | Level 2 scope likely | The marking, category, authority |
| Distribution Statement B–F | Controlled technical distribution | Is this technical information restricted? | CUI/CTI possibility | The drawing/document cover page |
| Prime flow-down note | A subcontractor requirement | What information is actually flowed down? | Level depends on FCI vs CUI | Written prime clarification |
Ask, don’t assume: two clarification emails you can send today
When the contract is ambiguous, the professional move — and the one that protects you in a dispute — is to get the answer in writing. Copy, adapt, and send.
To your contracting officer or prime (data-type confirmation):
Subject: CMMC scope clarification — [Solicitation/Contract #]
We’re confirming CMMC scope for this [solicitation/subcontract]. Please confirm whether the information we will process, store, or transmit is FCI only or includes CUI/CDI/CTI. If CUI is included, please identify the CUI category, the applicable marking guidance, the relevant contract clauses, and whether the required CMMC status is Level 2 (Self-Assessment) or Level 2 (C3PAO). We want to scope our environment accurately rather than over- or under-build it.
To a prime that asserted “Level 2” with no CUI package (flow-down traceability):
Subject: Level 2 flow-down — please identify the CUI
To size our compliance correctly, please identify the specific CUI you intend to flow down to us, the contract clause requiring CMMC, and the required CMMC status. If no CUI will be processed, stored, or transmitted on our systems, please confirm whether a Level 1 status is acceptable for this scope.
Build your evidence packet before you hire anyone.
Use the clause-signal table and the clarification emails above to gather the clauses, markings, distribution statements, and written answers a readiness provider, MSP, or assessor will ask for on day one. Our CMMC readiness checklist maps the groundwork to the 14 control families — no sales call required. Show up scoped, and you’ll spend less.
Real examples: when is something FCI vs CUI?
A file’s label alone often isn’t enough. The content, the contract, the marking, the Registry category, and the legal authority decide it together. The examples below show the patterns we see most, but your contract and your government or prime clarification always control the final call.
We’ll be straight with you: no web page — not ours, not anyone’s — can definitively classify your specific file from a one-line description. The same drawing can be public, FCI, or CUI depending on the contract behind it, the marking on it, the technical content inside it, and the legal authority that governs it. Anyone who promises a universal answer to “is a drawing CUI?” is selling certainty they don’t have.
What we can hand you is the same triage a good readiness team runs in its first week — the matrix above, plus the category patterns below — so you walk into any conversation scoped instead of guessing.
Engineering drawings and technical packages
Controlled Technical Information (CTI) is a category in the NARA CUI Registry, and DFARS 252.204-7012 ties it to technical data with military or space application that’s subject to controls on access, use, reproduction, release, disclosure, or dissemination — research and engineering data, drawings, specifications, manuals, technical reports, and source code among the examples. Not every drawing is automatically CTI. But because so many DoD and prime technical packages are, the safe operating assumption is to protect a drawing until a marking, distribution statement, or written answer confirms its status.
Export-controlled data
The CUI Registry includes an Export Controlled category for unclassified information governed by export-control laws (ITAR/EAR). Important nuance: export control is not a CMMC level. It adds foreign-person access restrictions on top of whatever CMMC level applies. Handle both, separately.
SBIR/STTR information
The Registry includes a Small Business Research and Technology category, which relates to certainSBIR/STTR information in a government database. Don’t assume every SBIR/STTR file is CUI under that category from the data-rights legend alone. Your SBIR/STTR technical deliverables may still be CUI under another category — Controlled Technical Information or Export Controlled — so check the content, not just the program.
Source-selection information
The Registry includes a Source Selection category, tied to information prepared for an agency’s evaluation of bids or proposals and not publicly released. Your own internal prime-to-subcontractor evaluation records are not automatically Source Selection CUI unless they’re tied to an applicable authority, contract requirement, or flow-down.
What if the file is unmarked, badly marked, or came from a prime?
Don’t assume a file is safe just because it’s unmarked — and don’t assume everything is CUI just because a prime is nervous. Marking matters, but the rules also recognize that a missing marking does not automatically release an authorized holder from safeguarding obligations. This is the myth we promised to kill.
The marking myth: “if it’s not marked CUI, it’s not CUI”
Here’s why that belief fails contractors. DFARS 252.204-7012 defines Covered Defense Information as unclassified Controlled Technical Information or other information described in the CUI Registry that requires safeguarding or dissemination controls — and that reaches you by one of two paths:
| DFARS 7012 path | What it means | What to ask in writing |
|---|---|---|
| (1) Marked or otherwise identified in the contract and provided by or on behalf of DoD | The government flagged it as CDI for you | “Which CUI category and marking guidance apply to this data?” |
| (2) Collected, developed, received, transmitted, used, or stored by you in support of the contract | CDI you generate or handle can qualify even without a government marking — when it meets the definition (CTI or other CUI-Registry information requiring controls) | “Is the technical data we produce under this contract CDI/CTI, and how should we handle it?” |
That second path is the one people forget. An unmarked technical file you generated under the contract can still require protection when it meets the CDI definition. We confirmed this against the clause text on Acquisition.gov.
The government is supposed to mark and identify CUI. In the real world, markings get missed, especially on legacy programs and in subcontractor packages. So the absenceof a CUI marking is not proof you’re FCI-only. When the contract, the technical content, or the flow-down suggests CUI, escalate and ask in writing before you assume Level 1.
Over-marking is a problem too
If you swing the other way and treat everythingas CUI, you inflate your Level 2 boundary, trigger an unnecessary migration to a high-security environment, and buy tooling you don’t need. It’s common for companies to fund a full secure-cloud migration to protect data the government never controlled. Precision saves money in both directions.
The rule that keeps you safe: get it in writing
When data is ambiguous, ask the prime or contracting officer for written clarification (the email scripts above do this in 30 seconds). Document the question and the answer. It’s the cheapest insurance in CMMC, and it’s the record you’ll want if a determination is ever challenged. None of this is legal advice — when the stakes are high, loop in counsel.
Is all CUI FCI? Is all FCI CUI?
For contractor decision-making: yes, the CUI you handle while performing a federal contract is also FCI — but no, your routine FCI is not automatically CUI. CUI is the controlled, higher-sensitivity subset inside the broader universe of non-public contract information. That’s the published position of NARA’s Information Security Oversight Office, the office that administers the CUI program.
The practical payoff is avoiding the two opposite mistakes one more time, because this is the question your whole budget hinges on:
- Under-scoping: treating CUI like FCI, missing Level 2, and failing a prime review or assessment.
- Over-scoping: treating ordinary FCI like CUI, and buying a bigger solution than your contract requires.
Hold the mental model — public → FCI → CUI → high-sensitivity CUI— and you’ll resist both.
Does CUI mean you need GCC High, GovCloud, or a CUI enclave?
No — CUI does not automatically require Microsoft GCC High, AWS GovCloud, or any single product. It requires that the systems which process, store, or transmit CUI meet the applicable NIST SP 800-171 Rev. 2 safeguards. The right architecture depends on your scope, your users, your cloud services, export-control issues, and what your contract actually requires. Product choice is the last decision, not the first.
We bring this up because “CUI means GCC High” is the most expensive assumption in the niche, and vendors have every incentive to let it ride. Here’s the order that protects your budget.
The four decisions, in order
- Identify your CUI. What is it, and which Registry category and authority cover it?
- Map your data flows. Where does that CUI actually live and travel — email, file shares, ERP, ticketing, endpoints, portals?
- Draw your CMMC boundary. Which systems are in scope, and which can stay out?
- Choose architecture. Now decide between an enclave, a managed compliance environment, or a broader Microsoft 365 / GCC High implementation.
Match the architecture to your CUI footprint
| Your CUI footprint | Architecture to evaluate first | Scope risk | Verify before requesting quotes |
|---|---|---|---|
| CUI touches a small, defined team | A CUI enclave (a real, enforced boundary) | Low if the boundary holds | That the enclave actually isolates CUI in practice |
| CUI limited to a single project | Project-scoped enclave or managed environment | Moderate | Whether project data leaks into shared systems |
| CUI scattered across email/shared drives | Managed compliance environment or consolidation | High — the boundary is everywhere | A full data inventory before you commit |
| CUI is company-wide | Broader Microsoft 365 / GCC High implementation | Higher cost, but may be necessary | Whether scope reduction is realistic first |
| You only touch CUI inside a prime’s portal | Possibly minimal new architecture | Low if CUI never lands on your systems | Whether any CUI is downloaded or synced locally |
There’s a real cloud nuance to know, not fear: DFARS 252.204-7012 includes requirements for cloud service providers handling covered defense information, including FedRAMP Moderate (or equivalent) language. That can point toward a government-community cloud for some contractors — but it’s a consequence of your scope and contract, not an automatic mandate for everyone who touches any CUI.
Worried Level 2 means moving your whole company into a secure cloud?
It usually doesn’t — but which model fits (enclave, managed compliance, or full GCC High) depends on your scope, and getting that wrong is the difference between a right-sized project and a six-figure over-build. Tell us your level, scope, and timeline, and we’ll match you with the right provider category before you request a single quote.
Tell us your level and scope →Can you cut CMMC cost by separating FCI and CUI systems?
Often, yes — but only if the CUI boundary is real, documented, and actually enforced. CMMC Level 2 scoping (defined in 32 CFR 170.19) sorts your environment into asset categories tied to where CUI and its protections live. Careless data mixing pulls far more systems into scope than contractors expect, and that’s where Level 2 budgets balloon.
The cost mistake
Buying a broad Level 2 environment before confirming whether CUI is limited to one team, one project, or one data flow. Scope first, then spend.
The scope mistake
Letting CUI sprawl — into general email, open shared drives, helpdesk tickets, CRM, accounting attachments, and unmanaged laptops. Every place CUI lands becomes part of the boundary you have to assess and protect.
The operating rule
“Compliance follows the data” is a useful phrase, and the scoping rule at 32 CFR 170.19 is the reason it’s true: your boundary is defined by where CUI and its security protections actually are. Contain the data, and you contain the cost. (When you’re ready to put numbers to it, our CMMC Level 2 cost breakdown walks through what drives the range.)
What should subcontractors do when a prime flows down Level 2?
Don’t ignore a Level 2 flow-down — but don’t silently accept a vague one either. Under 32 CFR 170.23, a subcontractor’s requirement depends on whether it processes, stores, or transmits FCI or CUI and on the prime contract’s required status. A sub handling only FCI can be set at Level 1; a sub handling CUI must be at least Level 2. As of the November 10, 2025 DFARS rule, the 252.204-7021 clause flows down to subcontracts that will involve FCI or CUI, and subs post their own status in SPRS.
The most useful thing we can give a subcontractor is the set of questions that turn a vague demand into a scoped requirement.
| When the prime says… | You should ask… | Why it matters |
|---|---|---|
| “You need CMMC Level 2.” | “What CUI will we process, store, or transmit?” | Level 2 should tie to actual CUI, not general caution. |
| “It’s flowed down from the prime contract.” | “Which clause and which CMMC status?” | Flow-down has to be traceable to a requirement. |
| “You need to be certified.” | “Is it Level 2 Self-Assessment or Level 2 C3PAO?” | The assessment type drives your cost and timeline. |
| “The files are controlled.” | “What CUI category, marking, or authority applies?” | The category determines how you handle it. |
| “Just use our portal.” | “Will CUI ever leave the portal and enter our systems?” | If it doesn’t touch your systems, your scope may stay small. |
Got a Level 2 flow-down but no clear CUI package?
Tell us your role, your contract clues, and your timeline, and we’ll match you with the right provider category to talk to first — readiness, enclave, MSP/MSSP, GRC, or assessment. You shouldn’t buy a Level 2 environment on a verbal instruction.
Match me with the right provider category →What to do next if you think you have CUI
Don’t start by buying software or calling a C3PAO. Start by collecting evidence, so your next conversation is scoped instead of speculative. Here’s the order we recommend, and each step is small enough to do this week.
Step 1 — Save the contract evidence
Solicitation CMMC language · FAR/DFARS clauses · flow-down language · CUI-marked attachments · distribution statements · technical-data-package cover pages · written prime/CO clarifications.
Step 2 — Map where the data lives
Email · file shares and cloud storage · engineering tools · ERP/accounting (and their attachments) · ticketing/helpdesk · laptops and endpoints · contractor/sub portals.
Step 3 — Sort into three buckets
- Confirmed CUI (marked, or clearly within a Registry category and authority)
- Possible CUI (needs written clarification)
- FCI-only / non-CUI contract data
Step 4 — Choose the right provider category (not yet a specific vendor)
| Your situation | Provider category to consider first |
|---|---|
| You don’t know your level or scope | Readiness / RPO (Registered Provider Organization) / vCISO |
| You have CUI but it’s scattered | CMMC-focused MSP/MSSP or a CUI enclave advisor |
| You need evidence workflows (SSP, POA&M) | GRC / compliance software — as a supporting layer, not the whole solution |
| You’re genuinely assessment-ready | C3PAO / assessment resources (kept separate from your remediation help) |
| You need cloud architecture for CUI | GCC High / GovCloud / secure-collaboration provider |
Ready to turn FCI/CUI confusion into a scoped plan?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options that fit the stage you’re actually in — readiness, enclave, MSP/MSSP, GRC, or assessment. No pressure, no premature C3PAO pitch; just the right category for where you stand today.
Get matched with source-checked CMMC provider options →What we verified for this guide
This guide is built from primary and authoritative sources, not paraphrase. On , we read the controlling clause, rule, and Registry text directly and recorded what each one says. The triage matrix and the decision tables are our editorial synthesis — useful for scoping, not a legal determination or a government decision. (More on how we work: our editorial standards.)
What we checked, and where:
- FCI definition + 15 safeguards — FAR 52.204-21 (Acquisition.gov)
- CUI definition + program — Executive Order 13556; 32 CFR Part 2002; the NARA CUI Registry (32 CFR 2002.4(h), echoed in DFARS 252.204-7021)
- Covered Defense Information, two-path definition + 72-hour reporting — DFARS 252.204-7012 (Acquisition.gov)
- CMMC level/assessment mapping + Rev. 2 confirmation — 32 CFR Part 170; 32 CFR 170.5 (NIST SP 800-171 Rev. 2 and NIST SP 800-172, Feb 2021)
- CMMC contract + solicitation clauses, effective dates — DFARS 252.204-7019, 7020, 7021, 7025 (Acquisition.gov; effective November 10, 2025)
- Phase timing — DoD CIO CMMC page and 32 CFR 170.3(e): Phase 1, Nov 10, 2025 – Nov 9, 2026; Phase 2 begins Nov 10, 2026
- Scoping, flow-down, POA&M — 32 CFR 170.19, 170.23, 170.21
- Rule timeline — 32 CFR Part 170 effective December 16, 2024; the DFARS CMMC rule published September 10, 2025, effective November 10, 2025
Frequently asked questions: CUI vs FCI
Most FCI vs CUI confusion comes from trying to classify a single file without its contract context. The reliable approach is to combine the definition, the Registry category, the marking, the clause, the data flow, and a written clarification before you settle your CMMC level or pick a provider path.
Is CUI classified information?
No. CUI is unclassified information that still requires safeguarding or dissemination controls under a law, regulation, or government-wide policy. It is explicitly not classified under Executive Order 13526 or the Atomic Energy Act.
Is all FCI CUI?
No. FCI is broader than CUI. Many non-public contract documents are FCI without ever rising to CUI.
Is all CUI FCI?
For contractor purposes, yes — CUI you handle while performing a federal contract is also FCI, per NARA’s Information Security Oversight Office. The reverse is not true: routine FCI is not automatically CUI. CUI is the controlled, higher-sensitivity subset.
Does FCI require CMMC Level 1?
Generally, yes. Contractor systems that process, store, or transmit FCI map to CMMC Level 1 — 15 FAR 52.204-21 safeguards, an annual self-assessment, and an annual affirmation in SPRS — subject to the contract.
Does CUI require CMMC Level 2?
Generally, yes. Level 2 is built on the 110 requirements of NIST SP 800-171 Revision 2 for protecting CUI. Your contract decides whether that Level 2 status is self-assessed or assessed by a C3PAO.
Who decides if information is CUI?
The government designates CUI, tied to a specific NARA Registry category and legal authority, and is responsible for marking it. Contractors should not invent CUI categories — but they also can’t ignore CUI they create or handle in performance just because it arrived unmarked.
What if a file isn’t marked CUI?
Don’t assume it’s safe. A missing marking does not automatically remove safeguarding obligations, and DFARS 252.204-7012 covers Covered Defense Information you collect, develop, receive, transmit, use, or store in support of the contract when it meets the clause definition — including Controlled Technical Information or other CUI-Registry information requiring controls. Ask for written clarification when the contract or content suggests CUI.
Is an invoice CUI?
Usually not by itself, especially if it contains only simple payment information. But it can pull into scope if it includes or attaches controlled technical, source-selection, or export-controlled content.
Is a part number CUI?
Sometimes. A commercial catalog part number generally isn’t. A part number inside a controlled technical package or a restricted drawing may need review.
Is an engineering drawing CUI?
Often, yes — particularly if it’s Controlled Technical Information (technical data with military or space application subject to dissemination controls) tied to a Registry category and a contract requirement. Verify the marking, distribution statement, DFARS clause, and Registry category; not every drawing automatically qualifies.
Does CUI require GCC High?
Not automatically. CUI requires appropriate safeguarding; the right environment depends on data type, contract terms, cloud needs, export-control issues, scope, and assessment expectations. Identify your CUI and map your data flows before choosing a product.
Should we call a C3PAO first?
Usually not, if you’re still unsure whether you hold FCI or CUI. Clarify your data type, scope, clauses, and gaps first; then decide whether you need readiness help, managed compliance, software, enclave design, or a formal assessment.
Which provider category fits your situation
- If you handle only FCI,you’re generally at CMMC Level 1 and can often self-serve the 15 FAR 52.204-21 safeguards and the annual self-assessment — many small suppliers don’t need a paid provider to start.
- If you handle CUI,you’re at Level 2 or higher, and a Registered Provider Organization (RPO) / Registered Practitioner (RP) or an MSSP (Managed Security Service Provider) can help you scope CUI, map data flows, and implement the 110 NIST SP 800-171 Rev. 2 requirements.
- If your contract requires a Level 2 C3PAO assessment, a C3PAO (Certified Third-Party Assessment Organization) conducts the formal assessment — engage one once you’re assessment-ready.
- If CUI is scattered across email, file shares, and laptops, a CUI enclavecan shrink what’s in scope before you spend on broader remediation.
- You don’t need a C3PAO yet ifyou’re still unsure whether you hold FCI or CUI — clarify your data type, scope, and clauses first.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Get matched →
Find My CMMC Path
The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.
Find My CMMC Path →