Learn the Difference Between CUI & FCI
Jan. 20, 2026
If you work with the Department of Defense (DoD), you’ve probably heard these two terms a lot:
- FCI (Federal Contract Information)
- CUI (Controlled Unclassified Information)
They both fall under “unclassified” information, but they’re not the same thing. And in the Cybersecurity Maturity Model Certification (CMMC) world, the difference matters. Whether you work with FCI or CUI affects the security level you are required to meet to do business with the Pentagon. It also informs your compliance workload, including how you scope systems and users.
Let’s break it down in plain language.
What is FCI?
FCI is information that is provided by or generated for the government under a federal contract, and it is not intended for public release.
Think of FCI as: contract-related information that should stay internal.
It still needs protection, but it does not carry the same formal handling rules as CUI.
Common examples of FCI
- contract details and timelines
- internal emails about contract performance
- work orders or tasks
- purchase orders
- non-public contract requirements
- administrative coordination information
FCI is essentially “not public,” but it’s not the type of data that triggers the heavier safeguarding requirements tied to CUI.
What is CUI?
CUI is unclassified information that still requires safeguarding or dissemination controls due to law, regulation, or government-wide policy.
In other words: it’s not classified, but it still comes with rules.
CUI is the type of information that most often drives CMMC Level 2 requirements because it requires formal protections and controlled handling.
Common examples of CUI
- technical drawings and schematics
- engineering and manufacturing specifications
- system configurations and security documentation
- vulnerability data
- export-controlled technical data
- logistics or operational information that creates risk if exposed
Sometimes CUI is clearly marked. Sometimes it shows up inside email threads or attachments and isn’t obvious until you review the context.
The biggest difference: CUI has formal protection rules
Here’s the cleanest way to understand it:
- FCI = not public, handle responsibly
- CUI = not public, handle with defined controls
FCI is protected under baseline federal expectations.
CUI is protected under a federal-wide control program, and mishandling it can create real contract and compliance risk.
What CUI vs FCI means for your CMMC requirements
This part is the big one.
If you handle only FCI
You typically fall under CMMC Level 1 expectations.
This is the “basic safeguarding” side of the house. You still need controls, but they’re lighter than Level 2.
If you handle CUI
You’re in CMMC Level 2 territory, which aligns with NIST SP 800-171.
That means stronger cybersecurity requirements like:
- tighter access control
- audit logging and monitoring
- incident response processes
- configuration and change management
- secure system boundaries and documentation
- continuous policy enforcement
The type of information you handle determines the security maturity you’re expected to prove.
How to Determine FCI vs CUI
You’re more likely handling CUI if…
- your contract includes DFARS requirements
- your contract references NIST SP 800-171
- you receive files marked CUI
- you touch engineering, technical, or manufacturing deliverables
- you support systems used to build or store sensitive DoD deliverables
You’re more likely handling only FCI if…
- your data is mostly scheduling, coordination, or contract admin
- your work is contract support without technical deliverable content
- you don’t receive controlled technical packages or specs
- your contract activity is internal but low sensitivity
And yes, plenty of government suppliers handle both. That’s normal. The real risk: “CUI creep” happens fast.
A lot of businesses think they are FCI-only… until one errant attachment changes everything.
Here’s how CUI commonly sneaks into general workflows:
- a subcontractor forwards technical drawings
- a customer sends controlled requirements in an email thread
- a proposal response includes detailed system specs
- IT is asked to store or troubleshoot controlled information
- a team member saves a file into a general SharePoint location
Once CUI touches your environment, your obligations change. That’s why scoping is one of the most important parts of CMMC planning.
CUI Has Categories (and 2 “Types”)
Something most people miss: CUI isn’t one single label. It has Categories and Subcategories, which are essentially the different “flavors” of CUI.
The CUI Program is founded on a key requirement: only information requiring protection based on a law, federal regulation, or government-wide policy can qualify as CUI. This distinction matters because different categories exist for different reasons, and some categories can include extra handling rules.
CUI Basic vs. CUI Specified
There are two types of CUI Categories and Subcategories:
CUI Basic
This is the standard “flavor” of CUI. All standard CUI rules apply, and it’s generally the simplest to mark and handle.
CUI Specified
CUI Specified is different because certain laws or regulations have very specific handling requirements that apply to that type of information. Those requirements wouldn’t make sense for all CUI types, so they’re only attached to certain categories or subcategories.
One key point: CUI Specified is not a “higher level” of CUI. It’s simply different, and those requirements are tied to legal authorities that can’t be ignored. This also matters for marking: documents containing multiple CUI Specified Categories/Subcategories must include all applicable ones in the CUI banner marking.
Adjacent Terms: DFARS, ITAR, and More
When you start untangling CUI vs FCI, you’ll hear a bunch of related terms that live right next door. These don’t replace CUI or FCI, but they often indicate which direction your contract requirements are heading.
FAR (Federal Acquisition Regulation)
FAR is the baseline rulebook for federal contracting.
For FCI, the cybersecurity minimums often trace back to FAR, including basic safeguarding expectations like those found in FAR 52.204-21.
DFARS (Defense Federal Acquisition Regulation Supplement)
DFARS is the DoD’s additional rule layer on top of FAR. The clause you’ll hear the most in cybersecurity conversations is DFARS 252.204-7012. If it appears in your contracts, it’s a strong signal you may be dealing with CUI and requirements connected to NIST SP 800-171.
CDI (Covered Defense Information)
CDI is a DFARS term that generally includes CUI and other protected contract information.
In practice, many people treat CDI as “handle this like CUI.”
CTI (Controlled Technical Information)
CTI is a common CUI category that typically includes:
- technical specs
- drawings and schematics
- engineering requirements
- manufacturing processes
CTI is one of the most common types of CUI that contractors run into.
ITAR (International Traffic in Arms Regulations)
ITAR is not a CMMC level, but it can create strict access restrictions related to export-controlled technical data. If ITAR applies, it may limit who can access certain data and can heavily influence your scoping, policies, and vendor decisions.
EAR (Export Administration Regulations)
EAR is another export-control framework, often applied to dual-use technologies. EAR, like ITAR, can impact how you store, share, and grant access to technical information.
FOUO (For Official Use Only)
FOUO is an older label that still shows up sometimes. It isn’t the official modern designation (that is CUI), but it usually indicates information not intended for public release.
When you see it, treat it cautiously and confirm the true data type and handling expectations.
Why This Matters Beyond Compliance
Knowing whether you handle FCI or CUI impacts real operational decisions like:
- which systems can store contract data
- whether personal devices can be used for contract work
- how files can be shared and retained
- which employees and vendors are in scope
- how strict access control and logging need to be
When Pentagon suppliers struggle with CMMC, it’s often because the environment wasn’t scoped correctly from the start.
What You Should Do Next
If you’re not sure whether you handle CUI or FCI, don’t guess. Start with a clean scoping process:
- Identify which contracts are in scope
- Map where contract information lives (email, endpoints, SharePoint, ticketing, backups)
- Confirm whether any information qualifies as CUI
- Define boundaries to prevent CUI from spreading into general systems
- Align your CMMC plan to the highest data type you handle
Good scoping keeps compliance manageable. Bad scoping can drag your whole business into unnecessary requirements.
FCI and CUI are both non-public contract-related information, but they sit in different risk categories.
- FCI typically aligns to CMMC Level 1 expectations
- CUI generally triggers CMMC Level 2 and NIST SP 800-171 controls
If you get the scoping right early, CMMC becomes much easier to plan, budget, and implement.
If you want help confirming whether you’re handling CUI or FCI, STACK Cybersecurity can help. We’re a Registered Practitioner Organization (RPO) for CMMC, designated by the CyberAB.