What Are FCI and CUI? NIST/CMMC Explained

By Scott Dawson
April 27, 2023

If you contract or subcontract with the U.S. Department of Defense (DoD), you’ve probably heard the terms “FCI” and “CUI.” These acronyms relate to different types of sensitive information. Depending on which type of information you handle, you will face different cybersecurity requirements.

You often hear these terms in relation to the DoD’s upcoming Cybersecurity Maturity Model Certification (CMMC). These security requirements have yet to appear in contracts, but even now contractors face legal requirements for protecting FCI and CUI.

So just what are FCI and CUI? How do you know which one you handle, if either? And most importantly: What compliance requirements do you actually face?

Read on for the full scoop on FCI and CUI, as well as the requirements you face to protect them and keep your contracts.

What are FCI and CUI?

FCI and CUI are different types of information that government contractors may handle. FCI stands for “Federal Contracting Information.” CUI stands for “Controlled Unclassified Information,” and it requires stricter security controls than FCI. This information may flow down from the DoD or from prime contractors, or it may be produced by contractors as part of their contracting work.

Both of these types of information are not considered classified, but they also are not meant for public release. Contractors who handle this information have a legal responsibility to protect it.

Where Do FCI and CUI Come From?

FCI and CUI flow down to contractors from a prime contractor or from the government itself. But keep in mind: As part of your contracting work, you might produce information that falls into these categories. For example, if you produce part designs for use by the DoD, those designs might be considered CUI, even though they did not originate with the government. They still contain valuable information that belongs to the DoD.

Do All DoD Contractors Handle FCI and CUI?

Almost every DoD contractor handles at least FCI. Commercial Off-The-Shelf (COTS) products are the only possible exception. If you only provide the DoD with a publicly available, unaltered product that anyone else could purchase, you likely don’t handle sensitive information. However, it’s always best to assume that you handle at least FCI.

FCI: Federal Contracting Information

What is Federal Contracting Information?

The U.S. government defines FCI as “information, not intended for public release, that is provided or generated for the Government under a contract to deliver a product or service to the Government.”

If you contract with the DoD, you almost certainly handle FCI. This information usually relates directly to your DoD contracts. Although not particularly sensitive, it is still not intended for the public. In the wrong hands, it could be misused.

What information might be considered FCI? Common examples include:

    • Contract performance reports
    • Organizational/programmatic charts (this would include any charts issued by the DoD)
    • Process documentation (also known as procedures)
    • Proposal responses
    • Past performance information
    • Contract information

What Regulations Do I Need to Follow if I Handle FCI?

If your business handles FCI, you are currently responsible for following the regulations of Federal Acquisition Regulation clause 52.204-21 (or simply “FAR 52.204-21”).

This clause requires you to follow 15 basic cybersecurity controls. These controls help you protect FCI from unauthorized access, disclosure, or use.

Even if you don’t handle FCI, it’s a good idea to follow these practices. The 15 controls required by this FAR clause contain cyber hygiene basics that can benefit any business. In today’s world of ever-developing cyber threats, no business can afford to ignore basic cybersecurity principles.

These regulations do not require an official assessment or certification.

If I Handle FCI, How Will CMMC Affect Me?

As with everything relating to CMMC, the details remain unfinalized. The current version of CMMC (CMMC v2.0) requires contractors who handle FCI to achieve CMMC Level 1 certification. This is the least stringent level of CMMC.

This level currently contains the same controls as FAR 52.204-21, expanded from 15 to 17. CMMC will, however, require a greater level of accountability for these controls: you must complete a self-assessment against them and submit your compliance score to the Supplier Performance Risk System (SPRS) database.

What if I Fail to Comply with FCI Regulations?

Contractors who ignore or fail to comply with FAR 52.204-21 might face several negative consequences:

1. Loss of reputation. Contractors who fail to meet their contract requirements might damage their chances at winning future contracts from other businesses or government agencies.

2. Legal and financial consequences. The mishandling of FCI may result in fines or even legal action from the government.

3. Loss of contract. In extreme cases, a contractor may even lose its contract by failing to meet basic FCI-handling requirements.

How Can I Tell if I Handle FCI?

Unless you are simply supplying COTS products to the DoD, you should probably assume your business handles FCI. To make sure, you can search your contract for references to FAR 52.204-21. If this clause appears in your contract, you handle FCI.

If you remain unsure, you can also reach out to your contracting officer or prime contractor for further details.

CUI: Controlled Unclassified Information

What is Controlled Unclassified Information?

The U.S. government defines CUI as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

In other words: CUI is sensitive information that legally requires proper safeguarding. While more sensitive than FCI, it remains less sensitive than classified information. However, it still requires strict cybersecurity controls. CUI may not appear sensitive at first glance, but bad actors can use this information to piece together even more sensitive information.

As with FCI, CUI may be passed down to you by the government itself or by a prime contractor, but you also might produce CUI for the government as part of your contracting work.

What information might be considered CUI? Common examples include:

    • Information about your own system or network vulnerabilities
    • Personally identifiable information (PII)
    • Research and engineering data related to your contracting work
    • Export-controlled information
    • Specifications or other requirements passed down from the DoD or a prime contractor
    • Standards
    • Process sheets (also called procedures)

For a fuller list of items considered CUI, you can visit www.archives.gov/cui.


What Regulations Do I Need to Follow if I Handle CUI?

CUI comes with much stricter regulations than FCI.

Currently, CUI-handling contractors must meet the requirements of Defense Federal Acquisition Regulation Supplement clause 252.204-7012 (or simply “DFARS 252.204-7012”).

DFARS 252.204-7012 mandates compliance with the cybersecurity controls of NIST SP 800-171, which contains 110 security controls designed to prevent the mishandling of CUI. Broadly speaking, the controls fall into two categories:

1. Technical controls. These controls relate to the actual technologies you put in place to prevent cyberattacks. Here, implementation often requires the guidance of a trained cybersecurity expert.

2. Organizational controls. These controls mostly relate to policies and procedures. They require less technical expertise, but they help prevent the number one cause of cyber breaches: human error.

Currently, DFARS 252.204-7012 requires you to self-assess your NIST SP 800-171 compliance and submit a compliance score to the SPRS database.

It’s important to note: This score does not need to be perfect. Technically speaking, to be compliant, you must simply submit a score. Even the lowest possible score would still be considered compliance.

For the NIST controls you have not yet met by the time of your self-assessment, you must develop a Plan of Action and Milestones (POA&M). This POA&M outlines your path to implementing those controls in the future.

These requirements often flow down from prime contractors. If you are a prime contractor, you are responsible for handing these requirements to your subcontractors.

If I Handle CUI, How Will CMMC Affect Me?

According to CMMC v2.0, contractors who handle CUI will be required to achieve CMMC Level 2.

What if I Fail to Comply with CUI Regulations?

Mishandling CUI may result in more severe consequences than mishandling FCI. As stated in its official definition, CUI is provided to contractors with an understanding that the information will be safeguarded. Consequences for compliance failure could include:

1. Loss of reputation. As with FCI, a failure to meet contract requirements reflects poorly on a business in the eyes of future customers.

2. Legal/financial consequences. Fines and other consequences for mishandling CUI can be severe. In 2021, the Department of Justice introduced the Civil Cyber-Fraud Initiative. Under this initiative, government contractors who knowingly ignore requirements or falsely report compliance could face hefty fines.

3. Loss of contract.

4. Damage to national security. In the wrong hands, CUI can give America’s adversaries an advantage. Bad actors can even use CUI to piece together full design plans and undercut America’s technological advantages. This is why the DoD and other government agencies are pushing for greater cybersecurity accountability.

How Can I Tell if I Handle CUI?

Unfortunately, CUI is not always clearly marked. But even if the DoD has failed to label it, you are still responsible for protecting it.

Check your contract for references to DFARS 252.204-7012. If you see this clause in your contract, you handle CUI, and you must meet the requirements of NIST SP 800-171.

As a general rule of thumb: When in doubt, assume it’s CUI.

Remember that CUI can flow down from prime contractors to subcontractors. If you’re a prime contractor, that makes you responsible for the way your subcontractors handle CUI. A subcontractor’s compliance failure could cost you your contract. You must pass along the necessary CMMC requirements.

If you’re a subcontractor, this means paying careful attention to your cybersecurity requirements, even if you don’t think you handle CUI. Some prime contractors may require CMMC Level 2 for all subcontractors, regardless of the information they handle, as a means of ensuring proper protection.

Common Misconceptions About FCI and CUI

The complexity of this topic leads to many common misconceptions. Here are some of the myths we hear most often:

Misconception #1: FCI and CUI are the same thing.

FCI and CUI are related but not the same. They both refer to information created by or for the government. In both instances, this information requires protection. However, CUI requires much greater protection than FCI.

Misconception #2: All FCI and CUI are classified.

Neither FCI nor CUI requires the strict security controls that apply to classified information. But remember: Even though not classified, FCI and CUI still require cybersecurity protections, and the mishandling of this information still brings negative consequences.

Misconception #3: Only government contractors must comply with FCI/CUI requirements.

As mentioned above, even DoD subcontractors who don’t directly interact with the government must follow the requirements for FCI and CUI. It’s also important to remember that these requirements apply to employees themselves. Employees must be properly trained to follow the required security procedures.

Misconception #4: Compliance with FCI/CUI requirements is optional.

Cybersecurity requirements for FCI and CUI have been federally mandated since 2016. Sometimes these requirements have lacked accountability, creating the illusion that they are optional. But even now, DoD contractors have a legal and contractual responsibility to protect FCI and CUI. Failure to do so may result in legal fines, lost contracts, and more.

Misconception #5: FCI and CUI requirements only apply to information stored on computers.

FCI and CUI can come in any form. Often this information exists in physical hard copy. Such copies must be stored securely or destroyed after use. Information security doesn’t stop at cybersecurity; it includes an awareness of your surroundings. It’s not just about what you access, but about where you access it, and how.

FCI and CUI: Your Next Steps

So what comes next? We recommend these five basic steps to meet your current requirements and prepare for future CMMC compliance.

Step 1: Determine whether you handle FCI or CUI. You can use the above information as a guide to help make this determination. Remember: If in doubt, reach out to your prime contractor or contracting officer.

Step 2: Implement the controls you’re required to meet. If you only handle FCI, you must implement the 17 controls of CMMC Level 1, which expand on the 15 controls of FAR 52.204-21. If you handle CUI, you must implement the 110 controls of NIST SP 800-171/CMMC Level 2.

Step 3: Develop policies and procedures for handling FCI/CUI. NIST and CMMC require you to develop certain policies and procedures, but the specifics will depend on your business.

Step 4: Train your employees. Most cybersecurity breaches result from basic human error. You can’t have good cybersecurity without well-trained employees.

Step 5: Conduct regular assessments. Make sure you’re accomplishing what you set out to accomplish. If required, submit your self-assessment score to the SPRS database. When CMMC finally rolls out, this may involve a third-party assessment.

How Core Can Help

We hope this article helps you better understand the difference between FCI and CUI. But we understand if the compliance process still feels overwhelming. At Core, we specialize in helping small businesses achieve cybersecurity. We believe any contractor can meet government requirements, protect information, and win contracts. It just takes the right help and the right tools.

Core Business Solutions is a registered provider organization (CMMC RPO) with the CMMC Accreditation Board. We have a team of registered practitioners on staff to help small businesses implement cybersecurity requirements and achieve success. Our CORE Security Suite provides automated tools to help you achieve compliance, including a NIST score calculator and ready-made policy templates.

For businesses who simply don’t have the time to overhaul their network to meet the requirements, we also offer technical solutions like CORE Vault, which provides everything you need for NIST/CMMC in one cloud-based solution. We also provide hands-on consulting support and employee training.

Let us handle NIST and CMMC so you can focus on your business. Give us a call at 866.354.0300 or contact us today for a free quote.
