4 min read

CUI vs. FCI: How to Tell Them Apart and Handle Each Correctly

One decides fifteen requirements, the other one hundred ten. The actual definitions, the gray areas, and the scoping consequence nobody prices in.

Whether a file is FCI or CUI is the single most consequential classification call a small defense contractor makes, because it decides which rulebook applies: fifteen safeguarding requirements, or one hundred ten. Get it wrong in one direction and you are paying for controls you did not need; get it wrong in the other and you are self-attesting in SPRS to a program you have not built. The definitions are more workable than most people fear, so here they are with their actual sources, followed by the gray areas where judgment lives.

FCI: the broad, shallow category

FAR 52.204-21 defines Federal Contract Information as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

Read that twice and notice how much it covers: your contract terms, delivery schedules, performance discussions, the email thread about the late shipment. If it exists because of the contract and is not public, it is probably FCI. The obligation it triggers is the same clause’s fifteen basic safeguarding requirements, things like limiting access to authorized users, sanitizing media, escorting visitors, patching, and malware protection. In CMMC terms that is Level 1: an annual self-assessment of all fifteen, entered in SPRS with an affirmation by your affirming official, and with no POA&Ms permitted at Level 1 (32 CFR 170.15).

CUI: the narrow, deep category

32 CFR 2002.4(h) defines CUI as information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, “that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” The operative test is that last clause: some specific authority requires protection. The exclusive catalog of those authorities is the NARA CUI Registry, and for defense work the categories that matter most are Controlled Technical Information (technical data with military or space application, the drawings, specs, models, and technical reports carrying distribution statements B through F) and Export Controlled (ITAR and EAR data).

Two facts about designation prevent most confusion. The government designates CUI; contractors identify and handle it but do not invent categories. And it should arrive identified: DFARS 252.204-7012’s covered defense information is information “marked or otherwise identified in the contract, task order, or delivery order” or generated in performance of the contract. In practice identification lives in the SOW, CDRLs, and attachments, and marking follows DoDI 5200.48: a CUI banner, a designation-indicator block, and for CTI the distribution statement.

The distinction in practice

Likely FCILikely CUI
Contract terms, pricing, invoices, PO numbersDrawings, specs, and models with distribution statements B–F
Delivery schedules and performance status emailsTechnical data packages and source code with military application
Non-public administrative SOW contentITAR/EAR-controlled technical data, marked or not

The gray areas are where the judgment calls live, and three come up constantly. Export-controlled data is CUI by authority, so ITAR technical data that arrived without a CUI banner is still export controlled; markings do not create the status, the authority does. Legacy “FOUO” markings are defunct in DoD, but the content under them often maps to a Registry category and needs a fresh look before you dismiss it. And when a prime sends you something that walks and talks like CTI with no markings at all, the defensible move is to safeguard it as CUI and ask the prime or contracting officer for written clarification, because mislabeling by the sender does not transfer the risk away from you.

What each one obligates you to do

FCICUI
Safeguards15 requirements, FAR 52.204-21110 requirements, NIST SP 800-171 Rev 2 via DFARS 252.204-7012
CMMC levelLevel 1 annual self-assessment + SPRS affirmationLevel 2; self-assessment or C3PAO certification as the contract specifies
Incident reportingNo 7012 obligationRapid reporting within 72 hours of discovery to DIBNet, which requires a medium-assurance ECA certificate you should obtain before the bad day
FlowdownTo non-COTS subs whose systems may hold FCI7012 flows to subs handling CDI; 252.204-7021 flows the CMMC level requirement per 32 CFR 170.23

Since November 10, 2025, DFARS 252.204-7021 puts the required CMMC status directly into new solicitations, so this classification question now determines what you must hold at award time, not just your general hygiene.

The scoping consequence nobody prices in

FCI-only scope is one asset class: systems that process, store, or transmit FCI. The moment CUI enters, the Level 2 scoping guide gives you five asset categories: CUI assets, Security Protection Assets (your MDM, SIEM, identity provider, and MSP tooling are now in the assessment), Contractor Risk Managed Assets, Specialized Assets, and out-of-scope. That drag-net effect on infrastructure, not the count of 110 versus 15, is what actually moves the budget. It is also why segmenting CUI into a deliberately small enclave, whether that is a tight Mac fleet or a VDI environment, is the highest-leverage architectural decision available to a small contractor.

Four misconceptions worth retiring

“Everything on a DoD contract is CUI” is false and over-marking is itself contrary to 32 CFR 2002. “We can designate our own CUI” inverts the rule; designation is a government act. “FCI requires 800-171” confuses the levels; FCI needs the fifteen. And “it isn’t marked, so it isn’t controlled” is the expensive one, because authorities, not banners, create the obligation.

Educational content, not legal advice; classification calls on real contracts deserve counsel and your contracting officer in the loop. Definitions and clause text verified against acquisition.gov, eCFR, and archives.gov in July 2026.