Takeaway: Before you choose a safeguard, you have to know what kind of information you are holding. FCI and CUI carry different obligations, and the most expensive compliance errors start with putting information in the wrong bucket.
Federal Contract Information (FCI)
FCI is information provided by or generated for the government under a contract that is not intended for public release. It excludes simple transactional information and anything the government already makes public. FCI is the universal floor: under FAR 52.204-21, nearly every federal contractor that handles FCI owes 15 basic safeguarding requirements, regardless of agency.
Controlled Unclassified Information (CUI)
CUI is information that law, regulation, or government-wide policy requires to be safeguarded, organized into categories by the NARA CUI Registry under 32 CFR Part 2002. For DoD contractors, protecting CUI on nonfederal systems means the full NIST SP 800-171 standard — 110 controls — and the DFARS 252.204-7012 obligations that ride with it.
How They Relate
Think of it as a hierarchy of protection, not two unrelated boxes. FCI is the baseline; CUI is the elevated category that triggers far heavier obligations. Information can be FCI without being CUI, but information that meets a CUI category demands the higher standard. The jump from "FCI only" to "we hold CUI" is the single biggest change in a contractor's cybersecurity burden.
Who Decides
The government is responsible for identifying CUI and specifying its protection in the contract, and for marking the CUI it provides. But two realities complicate that: contractors routinely generate CUI in performance (and must mark it), and contracts are not always clear about what is in scope. Waiting to be told, with no internal process to recognize CUI yourself, is how contractors end up under-protecting information they were obligated to safeguard.
A Practical Test
For a given set of information, ask these questions in order. Is it non-public and tied to the contract? If so, it is likely FCI. Does a law, regulation, or government-wide policy require it to be protected, that is, does it fit a CUI Registry category? If so, it is CUI and the higher standard applies. Could it also be export-controlled or otherwise specially regulated? If so, additional regimes may stack on top. When in doubt about a specific data set, resolve it with your contracting officer and qualified counsel rather than guessing.
Source Notes
Primary sources: FAR 52.204-21; 32 CFR Part 2002 and the NARA CUI Registry; NIST SP 800-171; and DFARS 252.204-7012. Status summarized as of the review date and subject to change. Educational analysis, not legal advice.