FCI vs CUI: The Difference Between FCI and CUI Data in CMMC

Executive Order 13556 was issued to establish a uniform program for executive federal agencies to manage controlled unclassified information (CUI). As a result of this executive order, the government implemented two key clauses applicable to government contractors, including one that specifically dealt with the basic safeguarding of contractor information systems that process, store, or transmit Federal Contract Information (FCI). This clause required federal contracts be governed by a strict set of terms and conditions, as the clause is now required to be inserted into every solicitation and contract where a contractor or subcontractor may have FCI residing in or transitioning through its information system. What is the main difference in FCI vs. CUI data? FCI data is not considered as sensitive as CUI Data, so it doesn’t require the same level of safeguarding vs. CUI, but it does need to be protected.

What is FCI Data and Specifically what Does FCI Stand for In the Military and Government?

FCI (Federal Contract Information) is data, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the government (i.e. on public websites) or simple transactional information.

What is the difference between FCI and CUI?

The main difference between CUI and FCI is that while both types of data need to be protected, CUI is more sensitive than FCI. As a result, CUI requires additional safeguarding as the loss of CUI data could result in a risk to national security.

FCI vs. CUI Comparison Chart

The chart below is a comparison between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Although they are both considered to be sensitive types of data that need to be safeguarded, they both have different sensitivity levels and sets of controls and requirements to protect the sensitive information:

Compliance52.204-21NIST 800-171
CMMC Level RequirementsCMMC Maturity Level 1CMMC Maturity Level 2
Mandated ByFederal Acquisition RegulationsExecutive Order 13556
MarkingInformation not marked as public or for public releaseInformation that is marked or identified as requiring protection
Who Labels It?FCI needs safeguarding; there is no classification systemEntity that creates the CUI labels CUI; Authorized Holders with a lawful govt. purpose mark CUI
TypesNo classification systemCUI Basic and CUI Specified

CUI vs. FCI differences in depth

FCI is any data that is generated during a contract with the Government that does not fall into the stricter category of CUI but is important enough that it shouldn’t be made publicly available. Controlled Unclassified Information (CUI) is a generalized classification for information that covers a broad spectrum of data that, although not deemed classified, requires stringent security protections. All CUI in possession of a Government contractor is FCI, but not all FCI is CUI. FCI cyber security standards for the handling of FCI only encompass 17 cyber controls whereby CUI encompasses many more.

CUI and FCI Compliance

FCI is protected largely in accordance with FAR 52.204-21, “Basic Safeguarding of Covered Contractors Information Systems”, while CUI is protected largely in accordance with NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.

CUI vs. FCI CMMC Level Requirements

CMMC assesses members of the DIB to ensure they have sufficient systems in place on their networks to protect sensitive data, including CUI and FCI. The CMMC framework has built-in maturity models that require members that handle FCI meet CMMC FCI Maturity Level 1 controls while those that handle CUI meet CMMC Maturity Level 2 controls.

FCI and CUI Mandated By:

Executive Order 13556 was issued to establish a uniform program for executive federal agencies to manage CUI and the National Archives and Records Administration (NARA) was designated to ensure compliance with this order. The FAR covers contracts issued by the US military, NASA, and US civilian agencies with FCI being protected in accordance with FAR 52.204-21.

FCI vs. CUI Markings

CUI is information that is marked or identified as requiring protection. FCI is information that is not marked as public or for public release, and is subject to minimum cybersecurity requirements, such as CMMC Level 1.

FCI vs. CUI Labeling

The entity that creates the CUI is responsible for labeling it CUI. In addition, authorized holders with a lawful government purpose are responsible for marking CUI. Although FCI needs safeguarding there is no classification system.

Types of FCI and CUI

There is no classification for FCI, however, there are two subsets for CUI: CUI Basic and CUI Specified. CUI Basic requires no specific handling or dissemination controls versus CUI Specified where a law, regulation, or government-wide policy requires protection of the information and there are specific controls provided.

Need Help with CUI or FCI Compliance?

Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s tool used to ensure the CUI Program, which was established in 2010, is implemented evenly across the DoD and the Defense Industrial Base (DIB), to comply with the many federal laws and regulations governing CUI. The CMMC framework has built-in maturity methods to guide an organization to the level of compliance that demonstrates appropriate CUI security measures that vary based on the nature of work and government information. Members of the DIB that handle FCI must meet Maturity Level 1 controls while those that handle CUI must meet Maturity Level 2 controls. SoundWay Consulting Inc. understands the major challenges you face as an organization with CMMC compliance, and you can trust SoundWay to be your consistent expert guide towards compliance. Please contact SoundWay Consulting Inc. at 571-210-0624 or via email at contact@SoundWayConsulting.com to see how we can assist you.


What is FAR 52.204-21?

FAR 52.204-21 is a government mandate requiring contractors that do business with the Government (handle FCI) protect their systems with 15 basic cybersecurity control requirements. FAR 52.204-21 is entitled “Basic Safeguarding of Covered Contractor Information Systems.”

Does CMMC Require Protection of FCI as well as CUI?

Yes, CMMC requires protection for both CUI and FCI and defines FCI as information provided by or generated for the Government under contract that has not or will not be publicly released (within a reasonable period of time).

What are Some Examples of FCI?

Some examples of FCI would be contract performance reports, organizational or programmatic charts, and process documentation.

Are the Controls for FCI in CMMC the Same Controls as those in FAR 52.204-21?

There are a total of 17 Level 1 controls for FCI in CMMC and 15 of them overlap with FAR 52.204-21.

Free CMMC Consultation

SoundWay has been helping the U.S. Government and its business partners for over a decade. To schedule a free CMMC consultation, please contact us at CMMC@soundwayconsulting.com