Almost every federal cybersecurity obligation turns on a single question: what kind of government information is on your systems? The two categories that matter most for contractors are Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). They sound similar, they often travel together, and contractors routinely conflate them — but they trigger very different requirements. Knowing which one you handle is the difference between fifteen basic safeguards and a 110-control standard with third-party assessment.
Federal Contract Information (FCI)
FCI is information provided by or generated for the Government under a contract that is not intended for public release. That is a deliberately broad, lower-sensitivity bucket: delivery schedules, internal contract correspondence, process documents, and similar non-public material all qualify. If you have a federal contract, you almost certainly handle FCI.
The obligation that attaches to FCI is FAR 52.204-21 — the fifteen "basic safeguarding" requirements that apply to every federal contractor, government-wide, with no dollar threshold and only a narrow carve-out for commercially available off-the-shelf (COTS) items. FCI is the floor.
Controlled Unclassified Information (CUI)
CUI is the more sensitive category: information the Government creates or possesses (or that an entity creates for it) that law, regulation, or government-wide policy requires to be safeguarded — but that is not classified. In the contracting world this often means technical data, controlled defense information, export-controlled information, and similar material with a specific protection mandate behind it.
When CUI enters the picture, the bar jumps. The governing standard is NIST SP 800-171, with 110 requirements organized across fourteen control families. For Department of Defense work, CMMC then *verifies* that you have actually implemented those controls. CUI is not the floor — it is the layer that turns a basic safeguarding obligation into a full security program.
Why the Line Matters So Much
The practical stakes sit at the boundary between the two:
- Scope of controls. FCI gets you fifteen safeguards. CUI gets you all 110 NIST 800-171 controls — a different order of magnitude in policy, technology, and documentation.
- How you're checked. FCI safeguards map to CMMC Level 1, an *annual self-assessment*. CUI maps to CMMC Level 2, which for most CUI requires a *third-party (C3PAO) assessment* — outside verification, not self-attestation.
- Enforcement exposure. Misjudging data as "just FCI" when it is actually CUI can leave you under-protected against the standard the government will hold you to — and, under the DOJ's Civil Cyber-Fraud Initiative, misrepresenting your security posture can carry False Claims Act liability.
A useful mental model: **all CUI obligations sit on top of the FCI floor, which sits on top of the generally applicable legal baseline** every business already owes. You don't choose between them; you accumulate them as the sensitivity of the data rises.
How to Tell Which You Have
Start with your contract. Look for the clauses (FAR 52.204-21 signals FCI; DFARS 252.204-7012 signals CUI on DoD work), check for a CUI marking or a Security Classification/CUI guide, and ask the contracting officer if the designation is unclear. Then inventory where that information actually lives — the systems, the people, the subcontractors — because the requirements flow down to every tier that touches the data. When CUI and FCI coexist on the same network, the higher CUI standard generally governs the environment they share.
Key Takeaways
- FCI is the broad, lower-sensitivity floor — non-public contract information protected by FAR 52.204-21's fifteen basic safeguards (CMMC Level 1, self-assessment).
- CUI is the sensitive layer — protected by NIST SP 800-171's 110 controls and, for DoD, verified by CMMC Level 2 (often a third-party assessment).
- Classifying your data correctly is the first compliance decision you make. Under-scoping CUI as FCI is the costly mistake, and it carries enforcement risk.
See how the standards stack up on Frameworks and FAR Cybersecurity Baseline, review enforcement exposure on Enforcement & Penalties, and pin down exactly what applies to your contracts with Find My Requirements.