What is the Difference Between FCI and CUI?

Understand the difference between FCI & CUI, and learn about handling these types of data to stay DoD and CMMC compliant.

Since the CMMC framework revolves around around the protection of FCI and CUI, it’s important that we clarify the difference between these potentially confusing terms Here’s how the National Archives and Records Administration defines each term:

Federal Contract Information (FCI) – “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites), or simple transactional information, such as necessary to process payments.”

Controlled Unclassified Information (CUI) – Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

FCI and CUI definitions provided by the National Archives and Records Administration.


As the two definitions explain, the terms FCI and CUI are both used to describe information created or collected by or for the government, as well as information received by the government. The most important difference between these two categories of information is that CUI requires safeguarding, while FCI is merely not intended for public release but doesn’t require any specific protection.

There are two subsets of CUI, CUI Basic and CUI Specified. (This article goes into detail about the two subsets and their differences.) All CUI is FCI, but not all FCI is CUI. How do you know which is which? Below are just a few examples of Federal Contract Information:

  • Emails from the DoD to the defense contractor (and vice versa)
  • Any other subcontracts or policies needed by the defense contractor
  • Any information or communication that has been garnered as a result of instant messaging, video conferencing, etc. in relationship to the contractor or contract

Level Up: The relationship between CMMC & FCI


In the CMMC (Cyber Maturity Model Certification), there are currently five levels of maturity that encompass a great deal of things. FCI specifically impacts the first two levels:

Level One

The initial phase, where there is no formal structure in place yet to accomplish the work processes needed to deliver the goods or services to the Federal Government. At this stage the approach is extemporaneous until contracts or agreements are formalized. These typically can include the first round of meetings and discussions, information/data gathering or discovery, preliminary analysis requirements, etc.

Level Two:

At this stage, the respective workflows and processes needed to fulfill the terms of the Department of Defense contract become more defined. The ability to outline and track in higher detail discussions, terms, schedules, and overall scope are being laid out with detail. This phase also involves the following activities:

  • The tracking of various cost & rate schedules;
  • Workflow and process coordination and scheduling;
  • Defining functionalities of established workflows (or defining in further detail the output that is expected, with an emphasis on the FCI related data and information that will be created when developing or coordinating the goods/ service for the Federal Government).

If you think you currently or may in the future work with FCI related data, it’s critical that you ensure you are taking the proper security precautions and measures to keep that information private. FCI & CUI data are some of the most targeted information by information thieves because of how often security measures leave open doors for important information. If you have questions about what security measures you should take, or would like someone to take a look to ensure you are within the guidelines you can reach out directly to the Simple Plan IT team at info@simpleplanit.com. You can also find out more information about CMMC here. Simple Plan IT is nationally recognized and accredited as a registered provider organization by the Cybersecurity Maturity Model Certification Accreditation Cody (CMMC-AB).

Need more information about CUI?  Read CUI – What Is It And Why Should You Care?

Follow Us on Social Media

Subscribe to our Blog

Most Recent Blog Posts

Don’t Stop Here

More Useful Security Information

Top 10 IT Security Myths — Debunked


Thanks to the recent COVID-19 pandemic, there has been a historic shift in the way people work. Remote work or work-from-home (WFH) policies were set

Cybersecurity Policies That Bridge Generations


Cybersecurity policies are necessary for any business to avoid becoming cybercrime victims. Cybercrimes continue to rise as cybercriminals get more creative- it’s imperative every business