CUI vs FCI: Defense Contractor Guide (2026)
Posted: May 21, 2026 to Compliance.
If your company holds a federal contract and someone has told you that you "probably have CUI," stop. That single sentence has launched more failed CMMC scoping efforts than any other phrase in the defense industrial base. Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are not the same thing. They originate from different authorities, carry different control obligations, map to different CMMC levels, and produce wildly different price tags when a Registered Practitioner (RP) or C3PAO scopes your environment. Treating them as interchangeable is the single most expensive mistake we see at Petronella Technology Group when a new defense contractor calls us mid-bid in a panic.
The conflation is understandable. Both terms describe non-public information the federal government cares about. Both appear in DoD solicitations. Both are referenced in the CMMC program. Both can trigger flowdown obligations on your subcontractors. The differences, however, are codified in two completely separate regulatory regimes that were written years apart by different agencies for different purposes. This guide walks through every distinction that matters when you are scoping a CMMC Level 1, Level 2, or Level 3 engagement, marking documents for the field, training staff on handling rules, or deciding whether you need a dedicated CUI enclave at all.
Craig Petronella, our founder and a CMMC Registered Practitioner (RPO #1449), has spent the last seven years walking small and mid-sized DoD primes and subs through this exact distinction. The 2,500 words that follow are the briefing we wish every contractor had on day one of contract award.
What is Federal Contract Information (FCI)?
Federal Contract Information is defined in Federal Acquisition Regulation (FAR) clause 52.204-21, which has been a standard clause in nearly every non-COTS federal contract since June 2016. The clause defines FCI as:
"Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments."
Read that definition carefully. FCI is the floor. If you hold a federal contract that is not for a publicly available commercial-off-the-shelf product, and your contract is not purely transactional (a credit-card buy of paper clips), you have FCI. The contract itself is FCI. The Statement of Work is FCI. The performance reports you send back to the contracting officer are FCI. Emails about delivery schedules are FCI. Drawings, technical questions, change orders, and award correspondence are all FCI.
FCI is the broadest category of federal non-public information. The DoD estimates that more than 220,000 companies in the Defense Industrial Base handle FCI of some form. The vast majority of those companies never touch CUI. They are subcontractors providing landscaping, janitorial services, basic IT support, simple manufactured parts, or commercial software resold to a base exchange. If you provide anything that requires a federal contract and produces non-public correspondence with a contracting officer, you have FCI.
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information is a much narrower and more sensitive category, and its definition lives in an entirely different regulatory regime. CUI was created by Executive Order 13556, signed in November 2010, which directed the National Archives and Records Administration (NARA) to establish a single executive-branch program for handling unclassified information that requires safeguarding or dissemination controls. The implementing regulation is 32 CFR Part 2002, finalized in 2016.
32 CFR 2002 defines CUI as:
"Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls."
The crucial phrase is "a law, regulation, or Government-wide policy requires or permits." Unlike FCI, which is defined by its source (provided by or generated for the Government under a contract), CUI is defined by its sensitivity category. Those categories live in the NARA CUI Registry, a public document maintained by the Information Security Oversight Office (ISOO) at archives.gov. The registry contains roughly 125 categories grouped under 20 organizational indexes. Common DoD-relevant categories include Controlled Technical Information (CTI), Naval Nuclear Propulsion Information (NNPI), Export Controlled (EXPT), Critical Infrastructure Security Information (CRIT), and Privacy.
For DoD contractors, the most frequently encountered CUI category is Controlled Technical Information, which is governed by DFARS 252.204-7012. CTI covers technical data with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Engineering drawings of weapons systems, technical manuals for fielded equipment, software source code for defense applications, and test data from controlled experiments are all CTI, and therefore CUI.
A useful mental model: every piece of CUI is also FCI (because it was created for or possessed on behalf of the Government), but the vast majority of FCI is not CUI. CUI sits inside the FCI universe as a smaller, more strictly controlled subset.
The 15 basic safeguarding requirements for FCI
FAR 52.204-21(b) imposes 15 basic safeguarding controls on any contractor that processes, stores, or transmits FCI on its information systems. These 15 controls are the entire universe of cybersecurity obligation for an FCI-only contractor, and they map directly to CMMC Level 1. The controls are:
- Limit information system access to authorized users, processes acting on behalf of authorized users, and devices.
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control connections to and use of external information systems.
- Control information posted or processed on publicly accessible information systems.
- Identify users, processes acting on behalf of users, or devices.
- Authenticate or verify the identities of users, processes, or devices as a prerequisite to allowing access to organizational information systems.
- Sanitize or destroy information system media containing FCI before disposal or release for reuse.
- Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- Escort visitors and monitor visitor activity, maintain audit logs of physical access, and control and manage physical access devices.
- Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
These 15 controls are not optional, but they are also not exotic. A small business running properly configured Microsoft 365 Business Premium with Windows 11 Pro endpoints, a current firewall, and basic written policies will meet the substance of all 15 with minimal added tooling. CMMC Level 1 certification is an annual self-assessment attested in the Supplier Performance Risk System (SPRS). No C3PAO is required, no third-party assessor body, no formal audit. That is by design. Level 1 is meant to be reachable by a five-person prime or sub with limited IT budget.
The 110 NIST 800-171 requirements for CUI
Once your environment touches actual CUI, the regulatory floor moves dramatically. DFARS 252.204-7012, which has been in DoD contracts involving CUI since 2017, requires contractors to implement the 110 security requirements in NIST Special Publication 800-171, Revision 2 (and Revision 3 going forward). These 110 controls are organized into 14 control families:
- Access Control (22 controls)
- Awareness and Training (3 controls)
- Audit and Accountability (9 controls)
- Configuration Management (9 controls)
- Identification and Authentication (11 controls)
- Incident Response (3 controls)
- Maintenance (6 controls)
- Media Protection (9 controls)
- Personnel Security (2 controls)
- Physical Protection (6 controls)
- Risk Assessment (3 controls)
- Security Assessment (4 controls)
- System and Communications Protection (16 controls)
- System and Information Integrity (7 controls)
The 17 FCI controls from FAR 52.204-21 are a strict subset of the 110, which is why CMMC Level 1 (FCI) is a clean stepping stone toward Level 2 (CUI). For the full control catalog with plain-English explanations and Petronella implementation guidance, see our NIST 800-171 control reference. Each of the 110 has a corresponding Cybersecurity Maturity Model Certification (CMMC) Level 2 assessment objective in CMMC Assessment Guide Level 2, and a third-party Certified CMMC Assessor (CCA) from an authorized C3PAO will score each one as MET, NOT MET, or NOT APPLICABLE during a Level 2 certification assessment.
CUI Basic vs CUI Specified - the second distinction inside CUI
Inside the CUI universe, there is a further split that catches even experienced compliance teams off-guard. The NARA CUI Registry categorizes every CUI category as either CUI Basic or CUI Specified.
CUI Basic is the default. If a category is marked CUI Basic in the registry, the handling rules are the generic baseline established in 32 CFR 2002 and (for DoD systems) NIST 800-171. There are no additional handling requirements beyond the baseline.
CUI Specified is more restrictive. If a category is marked CUI Specified, there is a specific law, regulation, or government-wide policy that imposes additional handling requirements on top of the baseline. Those additional requirements might include who can access the information, how it must be marked, how it must be destroyed, how it must be transmitted, or which countries it can be exported to. Examples of CUI Specified categories include Naval Nuclear Propulsion Information, Export Controlled (which carries ITAR or EAR overlays), and Privacy categories like Health Information that carry HIPAA obligations.
The practical implication: if your contract involves CUI Specified, your handling procedures are governed by NIST 800-171 plus the underlying specified-category authority. A pure NIST 800-171 implementation is not sufficient. We see this pattern most often with engineering contractors who hold ITAR-controlled drawings, which are simultaneously CUI Specified (Export Controlled) and CTI Basic.
FCI vs CUI Basic vs CUI Specified - side-by-side comparison
| Attribute | FCI | CUI Basic | CUI Specified |
|---|---|---|---|
| Source authority | FAR 52.204-21 | EO 13556, 32 CFR 2002, DFARS 252.204-7012 | 32 CFR 2002 plus category-specific law or policy (e.g., ITAR, HIPAA, AEA) |
| Required controls | 15 basic safeguarding (FAR 52.204-21(b)) | 110 (NIST 800-171 R2/R3) | 110 plus category-specific overlays |
| Marking requirement | Not formally required, but recommended in headers/footers | "CUI" banner top and bottom, distribution statement, designating agency | "CUI//SP- |
| Destruction standard | NIST 800-88 sanitization (any method) | NIST 800-88 Clear, Purge, or Destroy as appropriate | NIST 800-88 plus category-specific destruction (often Destroy-only) |
| Subcontractor flowdown | FAR 52.204-21 flows to all subs that process FCI | DFARS 252.204-7012 flows to all subs that process CUI | Same as CUI Basic plus the category-specific clause (e.g., 252.225-7048 for ITAR) |
| CMMC level | Level 1 (self-assessment) | Level 2 (C3PAO assessment for prioritized contracts) | Level 2 or Level 3 depending on contract |
| Incident reporting | None required by FAR 52.204-21 | 72-hour report to DoD via DIBNet (DFARS 252.204-7012(c)) | 72-hour DIBNet plus category-specific reporting |
CMMC Level mapping - where the rubber meets the road
The Cybersecurity Maturity Model Certification (CMMC) program rolled out by the DoD in its final 32 CFR Part 170 rule formalizes three levels of certification that map directly to the FCI vs CUI distinction. Petronella's CMMC compliance overview walks through the program at a strategic level; the level mapping below is the tactical view.
CMMC Level 1 - FCI only
Level 1 covers contractors who handle FCI but not CUI. The control set is the 17 controls derived from FAR 52.204-21(b) (the 15 listed above plus two grouped granularly in the CMMC assessment guide). Certification is by annual self-assessment, attested in SPRS by a senior company official. The DoD estimates roughly 140,000 companies in the DIB will need Level 1. Our CMMC level breakdown covers the assessment-objective details by level.
CMMC Level 2 - CUI
Level 2 covers contractors who handle CUI of any kind. The control set is the full 110 NIST 800-171 R2 controls. Certification is by a Certified CMMC Assessor working under an authorized C3PAO, with results scored in SPRS using the NIST 800-171 DoD Assessment Methodology (a -203 to +110 point scale). DoD estimates 80,000 DIB companies will need Level 2. For a deeper look at Level 2 mechanics, see our Level 2 implementation guide.
CMMC Level 3 - CUI with Advanced Persistent Threat exposure
Level 3 is reserved for contractors whose CUI is at risk from nation-state Advanced Persistent Threats (APTs). The control set is the 110 from NIST 800-171 plus a curated subset of enhanced security requirements from NIST SP 800-172. Certification is conducted by DoD assessors at the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not a commercial C3PAO. The DoD estimates only about 1,500 DIB companies will require Level 3. Level 3 typically attaches to contracts producing CUI that touches weapons systems, controlled nuclear information, or critical infrastructure. Petronella Technology Group consults at all three CMMC levels (L1, L2, and L3).
Flowdown requirements - what your subs actually need
One of the most expensive misunderstandings in CMMC scoping is over-flowdown. Companies receive a prime contract with both FAR 52.204-21 and DFARS 252.204-7012, assume every subcontractor needs full Level 2, and proceed to demand 110-control compliance from janitors and parts suppliers. The actual flowdown rules are more nuanced.
FAR 52.204-21 flowdown: The clause requires the prime to include FAR 52.204-21 in subcontracts where the subcontractor "may have Federal contract information residing in or transiting through its information system." If the sub never has FCI on its systems (a typical landscaping or office cleaning sub), the clause does not flow.
DFARS 252.204-7012 flowdown: The clause flows to "all subcontracts for operationally critical support, or for which subcontract performance will involve covered defense information." If the sub never sees CUI, DFARS 252.204-7012 does not flow, and the sub does not need NIST 800-171 or CMMC Level 2. This is true even when the prime contract contains 7012.
The practical scoping question is: does the subcontractor's information system ever process, store, or transmit FCI or CUI? If only FCI, Level 1 self-assessment is sufficient. If CUI, Level 2 is required. If neither, no CMMC obligation flows down at all, although general FAR 52.204-21 cyber hygiene is still a good idea. We cover the subcontractor handling rules in detail in our CUI handling guide for DoD subcontractors.
Five common scoping mistakes we see in the field
These are the five scoping errors that show up most often when a defense contractor calls Petronella Technology Group for a second opinion after a failed gap assessment or a stalled C3PAO engagement. None of these are theoretical. All five appear in the field every quarter.
Mistake 1: Treating all FCI as CUI. The contractor reads FAR 52.204-21 and DFARS 252.204-7012 both in the contract, assumes CUI is present, and scopes the entire business for Level 2. Cost overruns of 5x to 10x are typical. The fix is a documented CUI determination: write down which specific contracts produce CUI, which CUI category applies, and which systems touch that CUI. Everything outside that scope is FCI-only and Level 1.
Mistake 2: Missing the Covered Defense Information (CDI) label. Some DoD contracts use the term "Covered Defense Information" rather than CUI. CDI is defined in DFARS 252.204-7012 and is essentially CUI plus a few unclassified controlled technical information sub-types. If your contract mentions CDI, you have CUI obligations regardless of whether the word "CUI" appears.
Mistake 3: No enclave separation. The contractor processes CUI on the same workstations and email tenant as general business email, marketing, and HR. Now the entire company is in scope for the 110 controls. A properly architected CUI enclave (separate Microsoft 365 GCC High tenant, separate endpoint policy, separate identity boundary) shrinks the in-scope footprint by 60 to 90 percent and dramatically reduces both implementation cost and ongoing audit burden.
Mistake 4: Improper marking. The contractor receives CUI but does not mark outbound derivative documents with the required CUI banner. 32 CFR 2002.20 makes the recipient responsible for proper marking of CUI it creates from received CUI. Unmarked CUI is a finding in any C3PAO assessment and can be a contract breach.
Mistake 5: Treating SPRS scoring as optional. DoD contracts with DFARS 252.204-7019 require an annual NIST 800-171 self-assessment score posted in SPRS. Many contractors either skip this entirely or post a score that does not match the underlying System Security Plan. Our free SPRS score calculator walks through the methodology and produces a defensible score with category attribution.
How Petronella supports CMMC scoping and certification
Petronella Technology Group is a Cyber AB Registered Provider Organization (RPO #1449) based at 5540 Centerview Dr., Suite 200, Raleigh, NC 27606, with a fully CMMC-RP-certified four-person practitioner team led by Craig Petronella, CMMC-RP, CCNA, CWNE, DFE #604180, MIT-Certified in AI and Blockchain. We have been in business since 2002 and have held an A+ BBB rating since 2003.
Our CMMC engagements start with a documented CUI determination that uses the framework in this guide to separate true CUI scope from FCI-only scope, often cutting projected control implementation cost by half. We support all three CMMC levels (L1, L2, and L3) including DIBCAC pre-assessment readiness. Our drivable Southeast and Mid-Atlantic coverage area means we can deliver on-site assessment days from Raleigh to Charleston, Augusta, Norfolk, Newport News, Charlotte, Huntsville, and Warner Robins without paying national-firm travel premiums.
Underneath the consulting practice, we operate ComplianceArmor, our policy automation and POA&M tracking platform. From $497/month it generates a complete NIST 800-171 System Security Plan, maintains your POA&M with auto-aging tasks, calculates and updates your SPRS score, and produces audit-ready evidence packages. For contractors handling CUI on internal AI tooling, we operate a private AI cluster that keeps CUI off public LLM endpoints and aligns with DFARS 252.204-7012 data residency requirements.
Frequently asked questions
Is the contract itself considered FCI?
Yes. The contract document, statement of work, and most contract correspondence are FCI under FAR 52.204-21. They are not typically CUI unless the contract itself contains technical data marked as a CUI category. Most contract documents are FCI-only.
If I only have FCI, do I need a C3PAO?
No. CMMC Level 1 (FCI only) is an annual self-assessment attested in SPRS by a senior company official. A C3PAO is required only for Level 2 certification of prioritized CUI contracts. Most FCI-only contractors will never engage a C3PAO.
Does CUI marking happen at the document level or the system level?
Both. Individual documents containing CUI must carry the CUI banner top and bottom and a CUI designation indicator block. Systems that process CUI must carry the appropriate boundary markings (login banners, screen savers) and follow NIST 800-171 control 3.8.1 media marking. 32 CFR 2002.20 covers the document marking rules in full.
How long do I have to report a CUI security incident?
72 hours from discovery, per DFARS 252.204-7012(c). The report goes to DoD via the DIBNet portal at dibnet.dod.mil. Incident reporting timelines for CUI Specified categories may be shorter depending on the underlying authority (e.g., ITAR breach reporting timelines).
Can I store CUI in commercial Microsoft 365 (not GCC High)?
Generally no. DFARS 252.204-7012(b)(2)(ii)(D) requires that cloud services storing CUI meet the FedRAMP Moderate baseline or equivalent and that the contractor flow the DFARS clause to the cloud provider. Commercial Microsoft 365 does not meet this requirement; Microsoft 365 GCC High does. Petronella implements GCC High tenancies as part of standard Level 2 readiness work.
If my prime contract has CUI but my subcontract scope does not, do I still need Level 2?
No. The DFARS 252.204-7012 flowdown is triggered only when the subcontract scope itself involves covered defense information. If your work for the prime is entirely outside the CUI boundary, you have FCI obligations only. Document this distinction in writing with your prime's contracting representative.
What is the difference between CUI and Classified information?
Classified information (Confidential, Secret, Top Secret) is governed by Executive Order 13526 and requires a security clearance and a classified handling facility. CUI is unclassified but still controlled. The two regimes do not overlap; information is either Classified or CUI or neither, but never both. Most defense contractors will encounter CUI; only a much smaller subset hold facility clearances for Classified work.
Next step - get the scoping right before the controls
The single highest-leverage moment in any CMMC program is the scoping decision at the very beginning. Get the FCI vs CUI determination right and your control implementation budget is reasonable, your audit timeline is predictable, and your subcontractor flowdown obligations are honest. Get it wrong and you will spend money on controls you do not need while missing controls you do. If you want a second opinion on your CMMC scope or a documented CUI determination before you start spending on tooling and assessment fees, call Petronella Technology Group at (919) 348-4912 or reach us through our contact form for a free 15-minute scoping conversation with a CMMC-RP practitioner.