The Difference Between FCI and CUI

By Scott Dawson
August 16, 2021

Updated April 11, 2023

Cybersecurity Maturity Model Certification

In 2020, the Department of Defense released the official requirements for Cybersecurity Maturity Model Certification or CMMC. In November 2021, these requirements were updated to CMMC 2.0. Soon, all DoD contractors will need to meet these requirements to keep their contracts. Other government agencies are already considering CMMC as a security standard for contractors.

CMMC Consultant explaining FCI vs. CUI

But these requirements won’t look the same for everyone. As a maturity model, CMMC comes in three different levels. These levels build on one another, adding more practices as they go. Your required level depends on the type of information you handle.

CMMC primarily deals with two types of government information: FCI and CUI. To understand CMMC and your own cybersecurity responsibilities, you need to understand these two terms.

Want to learn more about securing FCI and CUI? Click here to watch a video.

What are CMMC’s 3 Primary Objectives?

CMMC has three primary objectives: to sustain and verify cybersecurity, to create a unified standard, and to protect sensitive defense-related information.

Cybersecurity can be thought of as information security. The goal of CMMC—and of all cybersecurity practices—is to keep important information out of the wrong hands.

CMMC exists to protect information that, if jeopardized or stolen by our nation’s adversaries, could be used for harm. This includes technical information, such as design drawings, and contract information, such as organizational charts. It’s anything that could give our nation’s adversaries a tactical advantage or lead to further breaches.  When such information resides in secure government systems, it’s difficult to exfiltrate. But as that information flows down to contractors and sub-contractors, the potential vulnerabilities grow exponentially.

CMMC discussion

Our nation’s adversaries have learned that it’s much easier to steal sensitive information from outside contractors with poor cybersecurity.

That’s why CMMC focuses on protecting information, whether that information resides on your own network, a supplier’s network, or a customer’s network. The more sensitive that information, the higher the CMMC level required.

CUI Chart

What is the Difference between FCI and CUI?

Let’s begin with the first type of protected information: Federal Contract Information, or FCI.

Definition of Federal Contract Information (FCI)

“Information, not intended for public release, that is provided or generated for the Government under a contract to deliver a product or service to the Government.”

– Official Government Definition of FCI

CMMC Level 1 exists to protect FCI. This is any non-public information exchanged with the government pertaining to a contract. This includes information exchanged during the proposal phase, the RFP phase, the award phase, or any information used to maintain that contract.

This does not include technical information, such as designs or drawings. That information takes you into another level of CMMC requirements. Instead, FCI comprises the day-to-day correspondence and documentation that comes with all government contracting. Every contractor in the Defense Industrial Base handles FCI.

Specific Examples of FCI Include:

  • Contract performance reports

  • Organizational or programmatic charts

  • Process documentation

  • Proposal responses

  • Past performance information

  • Contract information

  • Emails exchanged with the DoD or defense contractor

consultant showing specific FCI examples

Because every DoD contract contains FCI, every contractor will require at least CMMC Level 1. The previous cybersecurity requirements of NIST SP 800-171 did not cover this type of information, so many contractors will now need to think about cybersecurity for the first time.

Definition of Controlled Unclassified Information (CUI)

“CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

– Official Government Definition of CUI

Specific examples of CUI include:

  • Information Systems Vulnerability Information

  • Personally Identifiable Information (PII) (Could be your employees, government employees, or even employees of a third party)

  • Research and engineering data

  • Engineering drawings

  • Specifications

  • Standards

  • Process sheets

  • Manuals

  • Technical reports

  • Technical orders

  • Catalog-item identifications

  • Data sets

  • Studies and analysis

  • Executable code and source code

You can access the full CUI Registry at

Consultant showing specific examples of CUI
2 people having a conversation about CUI

In the future, CUI will be clearly labeled on government contracts. But at the moment, it’s not always clear whether your contract contains CUI. Sometimes it’s obvious, as with technical drawings or source code. Other times, it’s not so obvious.

As a general rule of thumb: If it describes the technical aspects of a product or system, it’s CUI.

The safest approach? Treat everything in your contract as if it’s CUI. It’s better to be prepared and safe than to risk losing a lucrative government contract, or worse, to risk an actual security breach.

How Core Business Solutions Can Help

At Core Business Solutions, we specialize in helping American small businesses achieve cybersecurity.  As a Registered Provider Organization with the CMMC Accreditation Board, we are officially recognized as a trusted provider of CMMC consulting and solutions.

We’re real people with a story like yours, and we have a team of InfoSec consultants ready to help. Our security solutions are constantly evolving to meet government requirements and the ever-changing cyber-threat landscape.

We take on the complicated parts of certification so that you can focus on your business. Learn more about our CMMC consulting programs or get a free quote today.

Related Articles:

What Are FCI and CUI? NIST/CMMC Explained

What Are FCI and CUI? NIST/CMMC Explained

If you contract or subcontract with the U.S. Department of Defense (DoD), you’ve probably heard the terms “FCI” and “CUI.” These acronyms relate to different types of sensitive information....

The CMMC Rollout Has Been Delayed. What Now?

The CMMC Rollout Has Been Delayed. What Now?

CMMC Compliance With international tensions brewing and technologies growing fast, America’s cybersecurity matters more than ever. But the wheels of government aren’t always the fastest turning. The...

Smartlink Execution Complete Please note that the CORE Application window may have fallen behind this window and your Email client. Close this Message