Before you spend a dollar on CMMC, answer one question: do you handle FCI, CUI, or both? That single distinction determines whether you're on the hook for 15 basic safeguards or the full 110 controls — a difference of months of work and tens of thousands of dollars. Here's the plain-English version.
What each one is
FCI — Federal Contract Information. Information provided by or generated for the government under a contract that isn't intended for public release — but isn't specially designated as sensitive either. Think ordinary, non-public contract material.
CUI — Controlled Unclassified Information. Information the government has specifically designated as requiring safeguarding, and sometimes dissemination controls, under law or policy. It's the more sensitive category. (For the deeper dive, see what is CUI.)
The difference that actually matters
| | FCI | CUI |
|---|---|---|
| Sensitivity | Non-public, but not specially designated | Government-designated as needing safeguarding |
| Governing requirement | FAR 52.204-21 (15 basic safeguards) | NIST SP 800-171 (110 controls) |
| CMMC level | Level 1 | Level 2 |
| How it's assessed | Annual self-assessment, no C3PAO | Self-assessment or C3PAO certification, by contract |
How to tell which one you have
Start with your contract and what the government actually shares with you — or asks you to generate. CUI is usually marked or identified in the contract, often by reference to DFARS 252.204-7012. If you only receive and produce ordinary non-public contract information and nothing designated as CUI, you likely handle only FCI. When it's ambiguous, ask your contracting officer — mislabeling CUI as FCI is a common and expensive mistake, because it means you under-built your security and can fail an assessment when it counts.
If you handle both (many do)
CUI sets the bar. You scope where CUI lives and apply Level 2 (the 110 controls) to that environment, while your FCI obligations are covered along the way. A common, cost-saving approach is to put CUI in a tightly scoped enclave so only that boundary carries the full Level 2 weight.
Handle CUI? See where you stand on all 110 controls
If you're Level 2, the first move is knowing your real SPRS score. Free, all 110 controls, about 10 minutes — no signup.
Where to go next
If you only handle FCI, your path is the lighter CMMC Level 1 self-assessment (the 15 FAR 52.204-21 practices). If you handle CUI, you're in Level 2 territory: score yourself, draft your SSP, and work the 110-control library. Still not sure you even need CMMC? Start with do I need CMMC.
FCI vs CUI — frequently asked
What's the difference?
FCI is non-public contract information that isn't specially designated; CUI is government-designated as needing safeguarding. FCI → 15 practices (Level 1); CUI → 110 controls (Level 2).
Does FCI require Level 2?
No — FCI-only generally means Level 1 (15 practices, annual self-assessment, no C3PAO). Level 2 applies when you handle CUI.
How do I know which I have?
Check your contract; CUI is usually marked or referenced (often via DFARS 252.204-7012). If nothing is designated CUI, you likely have only FCI. Ask your contracting officer when unsure.
Can a company have both?
Yes. CUI sets the bar — scope where it lives and apply Level 2 there, often via a tightly scoped enclave.