CUI vs. FCI: How to Tell Them Apart and Handle Each Correctly
Whether a file is FCI or CUI is the single most consequential classification call a small defense contractor makes, because it decides which rulebook applies: fifteen safeguarding requirements, or one hundred ten. Get it wrong in one direction and you are paying for controls you did not need; get it wrong in the other and you are self-attesting in SPRS to a program you have not built. The definitions are more workable than most people fear, so here they are with their actual sources, followed by the gray areas where judgment lives.
FCI: the broad, shallow category
FAR 52.204-21 defines Federal Contract Information as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
Read that twice and notice how much it covers: your contract terms, delivery schedules, performance discussions, the email thread about the late shipment. If it exists because of the contract and is not public, it is probably FCI. The obligation it triggers is the same clause’s fifteen basic safeguarding requirements, things like limiting access to authorized users, sanitizing media, escorting visitors, patching, and malware protection. In CMMC terms that is Level 1: an annual self-assessment of all fifteen, entered in SPRS with an affirmation by your affirming official, and with no POA&Ms permitted at Level 1 (32 CFR 170.15).
CUI: the narrow, deep category
32 CFR 2002.4(h) defines CUI as information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, “that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” The operative test is that last clause: some specific authority requires protection. The exclusive catalog of those authorities is the NARA CUI Registry, and for defense work the categories that matter most are Controlled Technical Information (technical data with military or space application, the drawings, specs, models, and technical reports carrying distribution statements B through F) and Export Controlled (ITAR and EAR data).
Two facts about designation prevent most confusion. The government designates CUI; contractors identify and handle it but do not invent categories. And it should arrive identified: DFARS 252.204-7012’s covered defense information is information “marked or otherwise identified in the contract, task order, or delivery order” or generated in performance of the contract. In practice identification lives in the SOW, CDRLs, and attachments, and marking follows DoDI 5200.48: a CUI banner, a designation-indicator block, and for CTI the distribution statement.
The distinction in practice
| Likely FCI | Likely CUI |
|---|---|
| Contract terms, pricing, invoices, PO numbers | Drawings, specs, and models with distribution statements B–F |
| Delivery schedules and performance status emails | Technical data packages and source code with military application |
| Non-public administrative SOW content | ITAR/EAR-controlled technical data, marked or not |
The gray areas are where the judgment calls live, and three come up constantly. Export-controlled data is CUI by authority, so ITAR technical data that arrived without a CUI banner is still export controlled; markings do not create the status, the authority does. Legacy “FOUO” markings are defunct in DoD, but the content under them often maps to a Registry category and needs a fresh look before you dismiss it. And when a prime sends you something that walks and talks like CTI with no markings at all, the defensible move is to safeguard it as CUI and ask the prime or contracting officer for written clarification, because mislabeling by the sender does not transfer the risk away from you.
What each one obligates you to do
| FCI | CUI | |
|---|---|---|
| Safeguards | 15 requirements, FAR 52.204-21 | 110 requirements, NIST SP 800-171 Rev 2 via DFARS 252.204-7012 |
| CMMC level | Level 1 annual self-assessment + SPRS affirmation | Level 2; self-assessment or C3PAO certification as the contract specifies |
| Incident reporting | No 7012 obligation | Rapid reporting within 72 hours of discovery to DIBNet, which requires a medium-assurance ECA certificate you should obtain before the bad day |
| Flowdown | To non-COTS subs whose systems may hold FCI | 7012 flows to subs handling CDI; 252.204-7021 flows the CMMC level requirement per 32 CFR 170.23 |
Since November 10, 2025, DFARS 252.204-7021 puts the required CMMC status directly into new solicitations, so this classification question now determines what you must hold at award time, not just your general hygiene.
The scoping consequence nobody prices in
FCI-only scope is one asset class: systems that process, store, or transmit FCI. The moment CUI enters, the Level 2 scoping guide gives you five asset categories: CUI assets, Security Protection Assets (your MDM, SIEM, identity provider, and MSP tooling are now in the assessment), Contractor Risk Managed Assets, Specialized Assets, and out-of-scope. That drag-net effect on infrastructure, not the count of 110 versus 15, is what actually moves the budget. It is also why segmenting CUI into a deliberately small enclave, whether that is a tight Mac fleet or a VDI environment, is the highest-leverage architectural decision available to a small contractor.
Four misconceptions worth retiring
“Everything on a DoD contract is CUI” is false and over-marking is itself contrary to 32 CFR 2002. “We can designate our own CUI” inverts the rule; designation is a government act. “FCI requires 800-171” confuses the levels; FCI needs the fifteen. And “it isn’t marked, so it isn’t controlled” is the expensive one, because authorities, not banners, create the obligation.
Educational content, not legal advice; classification calls on real contracts deserve counsel and your contracting officer in the loop. Definitions and clause text verified against acquisition.gov, eCFR, and archives.gov in July 2026.
Member discussion