What’s Considered “Federal Contract Information” (FCI) and “Controlled Unclassified Information” (CUI)

CMMC 2.0 is still in a developmental phase, there is a chance your business hasn’t had to meet any of the requirements set by the Department of Defense.

If your niche market is government contract work, you’ve probably heard the terms “FCI” and “CUI.” Both terms only add to the alphabet soup of acronyms.

Chances are, you know what they are. But do you really know what they mean? 

The TLDR: FCI data requires a level 1 CMMC, where CUI starts at level 2 CMMC and eventually climbs into level 3. But let’s dig in a little deeper: 

What is Federal Contract Information (FCI)

When handling government paperwork, the first thing that comes to mind is national security. FCI is non-public information that is required to be handled in accordance with federal regulations. FCI can be data that is collected for the federal government or obtained by the contractor during the active contract work.  

FCI Protection 

The protection of federal contract information is a mutual effort between the government and the contractors. The government is responsible for developing agencies whose job it is to ensure there are proper guidelines in place to keep FCI secure during its entire lifecycle. On the other side, contractors are responsible for implementing the security measures created by the federal agencies to protect all FCI while it’s in their possession. 

The guidelines created by federal agencies is what we now know as CMMC 2.0 Framework. The CMMC 2.0 Framework is made up of 3 levels. Depending on what kind of contract work your business is conducting, will determine your level of CMMC compliance. 

Further reading: Understanding the CMMC 2.0 Framework

Types of FCI Information

There are several types of documentation that are considered FCI. Some of the most common  are:

  • Financial reports
  • Technical reports/data
  • Any non-public information 
  • Government provided data
  • Information created by the contractor during contract

FCI information is found in various locations. However, you can find it mostly in databases that are managed by the government. The database in which this information is stored is only accessible by government employees, the contractors and any authorized personnel. Another stipulation to gaining access to this information is having a government issued “need-to-know” basis for completing your contracts. 

What is Controlled Unclassified Information (CUI)

CUI is what the federal government uses to identify information that is not classified but still requires strict guidelines to ensure its safety. The idea behind classifying information as CUI is to create a safety standard used among all government contracts. 

Do I Have CUI?

Because CUI covers a broad range of data, it’s found in a variety of different businesses. Some of the more common entities that handle CUI information include:

  • State and local governments
  • Defense contractors 
  • Federal agencies 
  • Research organizations 

Regardless of how much CUI information your business generates, you can expect to have to meet CMMC compliance level 2. 

Explore an in-depth breakdown of CMMC 2.0 level 2 compliance requirements. 


Staying Compliant

While CMMC 2.0 is still in a developmental phase, there is a chance your business hasn’t had to meet any of the requirements set by the Department of Defense (DoD), yet. If that sounds like you, it’s never too early to consult a CMMC expert to start shaping your business into a CMMC compliance machine! If you’re worried you’re already behind the curve, contact us today, for a free CMMC compliance consultation. 


Similar posts