These two acronyms are the most-confused pair in federal compliance. They sound the same, the government uses them in the same sentence, and the contracts themselves rarely spell out which one you have. Get the answer wrong in either direction and you either overspend by a factor of ten or under-comply on an active contract.
Below is the plain-English breakdown, twelve examples drawn from real contracts, and the single question that resolves 95% of the confusion in under a minute.
TL;DR — which is which
| | FCI | CUI |
|---|---|---|
| Stands for | Federal Contract Information | Controlled Unclassified Information |
| Defined in | FAR 4.1901 / FAR 52.204-21 | 32 CFR Part 2002 / DFARS 252.204-7012 |
| Marking required? | No marking. It's the default. | Yes — must say 'CUI' on the document. |
| CMMC level | Level 1 (15 requirements) | Level 2 (110 NIST 800-171 controls) |
| Assessment | Self-assessment + SPRS affirmation | C3PAO assessment every 3 years |
| Typical cost | $0–$5k (DIY) or $249–$397/mo (guided) | $20k–$80k first year, $10k+/yr ongoing |
| Who has it? | Anyone with a federal contract. | A subset — typically DoD prime/sub work involving CTI, EXPT, or specific designated info. |
Federal Contract Information
Non-public information you receive or generate under a federal contract, but that the government has not specifically designated for protection.
- A delivery schedule for non-classified parts
- A statement of work for routine IT support
- Pricing on a maintenance contract
- Email about a janitorial scope of work on a base
Controlled Unclassified Information
Information the government has specifically designated for safeguarding under the CUI program (32 CFR Part 2002). Usually carries a banner marking like CUI//SP-EXPT.
- A technical drawing marked CUI//SP-EXPT
- Export-controlled (ITAR) technical data
- PII from a DoD personnel records contract
- A vulnerability assessment of a DoD system
What each one actually is
FCI — Federal Contract Information
FCI is defined at FAR 4.1901 as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
In English: the routine non-public paperwork of doing federal business. It excludes information the government has cleared for public release (a press release, a SAM.gov posting) and simple transactional data (the dollar amount on an invoice). Everything else under a federal contract is, by default, FCI.
FCI is not marked. There is no banner. No header. No special handling instructions. It is the default category for federal contract data — which is exactly why people miss it.
CUI — Controlled Unclassified Information
CUI is defined under Executive Order 13556 and codified at 32 CFR Part 2002. It is information the executive branch has specifically designated as requiring safeguarding or dissemination controls — short of classified, but more sensitive than ordinary FCI.
Critically, CUI must be marked. A document carrying CUI bears a banner at the top and bottom (usually formatted like CUI or CUI//SP-CTI) and is governed by either the broad CUI rule (32 CFR 2002), the contract-specific clause (typically DFARS 252.204-7012 for DoD work), or both.
The one-question test
Does the contract, or any document the government has sent you under it, designate the information as CUI in writing (a CUI clause in the contract, or a 'CUI' banner marking on the document)?
If yes: you have CUI. CMMC Level 2 applies. Take it seriously — the assessment is performed by a third party (a C3PAO) and the gap between “feels compliant” and “is compliant” is wide.
If no: you have FCI only. CMMC Level 1 applies. The path is short: 15 safeguarding requirements, a self-assessment, and an annual SPRS affirmation. Most small contractors finish it in a week.
If you're unsure: write to your contracting officer and ask in writing whether the contract involves CUI. CUI must be designated in writing — an absence of designation is a meaningful signal.
Twelve real-world examples
Drawn from the kinds of contracts a small business actually signs. Identifiable details changed.
Examples of FCI (not CUI)
- A statement of work emailed by a contracting officer for a $40k machined-parts order. No CUI marking. FCI.
- A delivery schedule on a federal task order. Not public, but unmarked. FCI.
- A non-public price quote you submitted on a federal RFP. FCI.
- A contract modification (Mod 4, extending the period of performance by 30 days). No marking. FCI.
- Internal email between two employees discussing the schedule on a federal contract. FCI.
- A NIST-style audit-friendly summary of your build process, shared with the prime — unmarked. FCI.
Examples of CUI
- A DoD technical drawing for a non-classified subsystem with a banner reading CUI//SP-CTI. CUI (Controlled Technical Information).
- A spreadsheet of military service members' names and duty stations marked CUI//SP-PRVCY. CUI (Privacy).
- Export-controlled engineering data marked CUI//SP-EXPT. CUI.
- A research dataset from a DoE national lab marked CUI//SP-OUO (Official Use Only). CUI.
- Critical infrastructure details for a federal facility, marked CUI//SP-CRIT. CUI.
- A draft DD Form 254 (security classification specification) shared by a prime, marked CUI. CUI.
Why it decides your CMMC level
CMMC has three levels. Which one applies to you is entirely determined by what kind of federal information you handle.
| Level | What it covers | Trigger |
|---|---|---|
| Level 1 | 15 basic safeguarding requirements from FAR 52.204-21 | You handle FCI (no CUI) |
| Level 2 | 110 controls from NIST SP 800-171 Rev 2 | You handle CUI |
| Level 3 | Level 2 + a subset of NIST SP 800-172 enhancements | You handle CUI on a high-priority DoD program (rare) |
For most small defense contractors — machine shops, IT MSPs, R&D firms, software vendors selling to DoD — the question is “Level 1 or Level 2?”. The FCI-vs-CUI test answers it definitively.
What if I have both?
Some contractors hold a mix of contracts: Level 1 work for one prime, Level 2 work for another. The DoD's position is that scope follows the data. You have two legitimate paths:
- Treat the whole business as Level 2. Simpler to document. More expensive. Common for contractors whose entire revenue is federal.
- Build a separate CUI enclave. Isolate everything that touches CUI on its own network, with its own set of users, devices, and policies. The rest of the business stays Level 1. Cheaper long-term, more work to set up. This is what mature small contractors typically do.
Either way: do not let CUI and FCI mingle on the same general-purpose laptop or shared drive without Level-2 protections. The cleanest physical separation is the cheapest insurance you can buy.
What to do this week
- Open your last three federal contracts. Search them for the strings “CUI” and “DFARS 252.204-7012”. Their presence is your first signal.
- Look at the documents the government sent you. Are any of them marked “CUI” at the top or bottom? If not — you almost certainly have FCI only.
- Decide your CMMC level. FCI only → Level 1. CUI → Level 2.
- Start there. For Level 1, take our free SPRS quiz and grab the printable Level 1 checklist.
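The document search in the steps above can be scripted. The following is an added example, not code from the original article: it scans plain-text exports of contract documents for the banner format shown earlier (CUI alone on a line, or CUI//SP-XXX anywhere in the text) and for the DFARS 252.204-7012 clause string, then reports the CMMC level the article's rule implies. File names and document text are constructed samples.

```python
import re

# Banner line as the article describes it: "CUI" alone, or "CUI//" followed by
# one or more category codes separated by "/", e.g. CUI//SP-CTI/SP-EXPT.
BANNER_LINE = re.compile(r"^\s*CUI(?://([A-Z0-9-]+(?:/[A-Z0-9-]+)*))?\s*$")
# Category-coded marking anywhere in the text (e.g. in a drawing title block).
INLINE_MARK = re.compile(r"\bCUI//([A-Z0-9-]+(?:/[A-Z0-9-]+)*)")
# Contract clause string the article tells you to search for.
DFARS_7012 = re.compile(r"DFARS\s+252\.204-7012")


def scan_document(text):
    """Return (verdict, categories, has_dfars_clause) for one plain-text document.

    verdict is 'CUI' when a banner line or category-coded marking is present,
    otherwise 'FCI': unmarked non-public contract data is FCI by default.
    The bare word "CUI" inside prose is deliberately not treated as a marking.
    """
    categories, marked = set(), False
    for line in text.splitlines():
        m = BANNER_LINE.match(line)
        if m:
            marked = True
            if m.group(1):
                categories.update(m.group(1).split("/"))
    for m in INLINE_MARK.finditer(text):
        marked = True
        categories.update(m.group(1).split("/"))
    return ("CUI" if marked else "FCI", sorted(categories), bool(DFARS_7012.search(text)))


def cmmc_level(documents):
    """Map {name: text} to the CMMC level the article's rule implies.

    Any CUI document -> Level 2, otherwise Level 1. The DFARS clause alone does
    not make data CUI (designation must be in writing), so unmarked documents
    that carry the clause are listed for written confirmation instead.
    """
    verdicts = {name: scan_document(text) for name, text in documents.items()}
    level = 2 if any(v[0] == "CUI" for v in verdicts.values()) else 1
    follow_up = sorted(n for n, v in verdicts.items() if v[0] == "FCI" and v[2])
    return level, verdicts, follow_up


# Constructed sample documents (not real contract text).
SAMPLE_DOCS = {
    "sow.txt": "Statement of Work\nMachined parts, 40 units, delivery by 30 June.\n",
    "mod4.txt": "Contract Modification 4\nPeriod of performance extended 30 days.\n"
                "This contract incorporates DFARS 252.204-7012.\n",
    "drawing.txt": "CUI//SP-CTI\nBracket, rev C. Title block: CUI//SP-CTI/SP-EXPT\nCUI//SP-CTI\n",
}

if __name__ == "__main__":
    level, verdicts, follow_up = cmmc_level(SAMPLE_DOCS)
    for name, (verdict, cats, dfars) in verdicts.items():
        print(f"{name}: {verdict} categories={cats} dfars_7012={dfars}")
    print(f"CMMC Level {level}; confirm CUI status in writing for: {follow_up}")
```

Run it over a directory of text exports of your own contracts; any document listed for follow-up is the one to ask the contracting officer about in writing.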
Frequently asked questions
What is the difference between CUI and FCI?
FCI (Federal Contract Information) is routine non-public information you receive or generate under a federal contract — schedules, internal emails, pricing, statements of work. It has no special marking. CUI (Controlled Unclassified Information) is information the government has specifically designated for safeguarding, identified by a 'CUI' banner marking. FCI triggers CMMC Level 1 (15 safeguarding requirements, self-assessed). CUI triggers CMMC Level 2 (110 NIST SP 800-171 controls, C3PAO-assessed).
Is CUI also FCI?
Technically yes — CUI is a subset of FCI. All CUI is FCI, but not all FCI is CUI. The distinction matters because CUI brings additional handling rules and triggers a much higher CMMC level. If you hold CUI, you also hold FCI, but your obligations follow the CUI rules.
How do I know if I have CUI or just FCI?
Look at the documents. CUI is required to be marked with a 'CUI' banner at the top and bottom of the document (or as part of an electronic banner), often with a category code like CUI//SP-CTI or CUI//SP-EXPT. If there is no CUI marking on any of your federal contract documents, you almost certainly have FCI only — which means CMMC Level 1 applies, not Level 2.
Can a contracting officer make information CUI verbally?
No. CUI must be designated in writing, typically through the contract itself (DFARS 252.204-7012 or a CUI clause), a Statement of Work, or a marked document. A verbal instruction does not create CUI obligations. If a contracting officer tells you something is 'sensitive', ask for the written CUI designation before treating it as Level 2 information.
What if my contract has both CUI and FCI?
You're scoped at the higher level — CMMC Level 2. The DoD does not let you carve out FCI-only systems and treat them separately if they share a network or boundary with CUI systems. The cleanest answer is to either (a) implement Level 2 across the whole environment, or (b) build a separate, isolated CUI enclave so the rest of the business stays Level 1.
Does FAR 52.204-21 apply to CUI?
Yes, but it's not enough on its own. FAR 52.204-21 establishes the 15 basic safeguarding requirements that protect FCI. When CUI is involved, DFARS 252.204-7012 layers on top and requires the 110 controls in NIST SP 800-171 — the foundation of CMMC Level 2. So a contract with CUI typically flows down both clauses.