What is an example of FCI?

Common examples of FCI include: a statement of work emailed by a contracting officer, a delivery schedule on a federal task order, internal correspondence about a federal contract, pricing details on a non-public proposal, technical specifications for non-classified parts, and a contract modification. None of these typically carry a CUI marking — that is what makes them FCI rather than CUI.

Is an email from a federal contracting officer FCI?

Usually yes. If the email contains non-public information about the contract — schedules, pricing, technical direction, performance feedback, or instructions for delivery — it is FCI under FAR 4.1901, and the system that received it falls inside the CMMC Level 1 scope. Routine administrative emails that contain only public information are not FCI.

What Is FCI? The 90-Second Definition That Decides Your CMMC Level (2026)

Q: What is Federal Contract Information (FCI)?

Federal Contract Information (FCI) is non-public information provided by or generated for the federal government under a contract to develop or deliver a product or service. It is defined in FAR 4.1901 and excludes information the government has cleared for public release (like a press release) and simple transactional data (like an invoice). FCI is the trigger for CMMC Level 1.

Q: What is the difference between FCI and CUI?

FCI is non-public contract information without a special government designation. CUI (Controlled Unclassified Information) is information the government has specifically designated for safeguarding, identified by a banner marking like CUI//SP-EXPT on the document. FCI triggers CMMC Level 1 (15 safeguarding requirements, self-assessed). CUI triggers CMMC Level 2 (110 NIST SP 800-171 controls, C3PAO-assessed).

Q: Does FCI apply to civilian agency contracts?

Yes. FAR 52.204-21 (the clause that defines the 15 safeguarding requirements for FCI) applies to all federal contractors above the micro-purchase threshold — DoD and civilian. The CMMC affirmation requirement in SPRS, however, is currently a DoD program. Civilian-only contractors still owe the safeguarding requirements as a matter of contract compliance.

Of every term in the CMMC universe, FCI is the one that decides the most and explains the least. The acronym sounds technical. The reality is mundane: FCI is almost certainly already sitting in your inbox, on your laptop, and printed in a folder on your desk. This post is the plain-English walkthrough so you can identify it on sight.

TL;DR — FCI in 90 seconds

FCI = Federal Contract Information. Non-public info you receive or create under a federal contract.
It's the default. If you have a federal contract, you almost certainly have FCI.
It is NOT marked. No banner. No header. No special handling instructions. Unlike CUI.
It triggers CMMC Level 1. The 15 FAR 52.204-21 safeguarding requirements, self-assessed annually.
It is NOT CUI. CUI is information the government has specifically designated for protection.

The actual regulatory definition

The authoritative definition is in FAR 4.1901. The clean version:

Three pieces matter:

Not intended for public release.If the government has cleared it — a press release, a published FAQ on agency.gov, a SAM.gov public solicitation notice — it is not FCI.
Under a contract. It has to come from or be generated for an active federal contract. Information from a state contract, a commercial contract, or pre-award marketing conversations is not FCI.
Not pure transactional data. An invoice or payment confirmation by itself is not FCI. Almost everything else is.

Six examples (and three things FCI isn't)

The fastest way to internalize FCI is to see it next to its near-misses.

Document	FCI?	Why
Statement of work from the contracting officer	Yes	Non-public, given to you under the contract.
Delivery schedule for non-classified parts	Yes	Generated for the government under the contract.
Email thread negotiating change-order pricing	Yes	Non-public contract correspondence.
Technical drawing for a routine MRO part (unmarked)	Yes	Contract deliverable; no CUI marking = FCI, not CUI.
Internal performance feedback from the COR	Yes	Non-public information about the contract.
Subcontract flow-down language and the prime's task list	Yes	FCI flows down to subs; the prime's package is yours to protect.
The public SAM.gov solicitation notice itself	No	Cleared for public release by the government.
A press release announcing the award	No	Public release by definition.
A Treasury-issued payment confirmation	No	Pure transactional data.
Anything marked CUI	No — it's CUI	Different category. Triggers Level 2.

FCI vs CUI: the one-question test

This is the question that decides whether your CMMC obligation is Level 1 or Level 2 (or higher):

FCI — Level 1

Federal Contract Information

Non-public information you receive or generate under a federal contract, but that the government has not specifically designated for protection.

Examples

· A delivery schedule for non-classified parts
· A statement of work for routine IT support
· Pricing on a maintenance contract
· Email about a janitorial scope of work on a base

CUI — Level 2

Controlled Unclassified Information

Information the government has specifically designated for safeguarding under the CUI program (32 CFR Part 2002). Usually carries a banner marking like CUI//SP-EXPT.

Examples

· A technical drawing marked CUI//SP-EXPT
· Export-controlled (ITAR) technical data
· PII from a DoD personnel records contract
· A vulnerability assessment of a DoD system

FCI vs CUI — the single decision that puts you in Level 1 or Level 2. Source: 32 CFR Part 2002 §2002.4 (CUI definition); FAR 4.1901 (FCI definition).

For an exhaustive comparison see our CMMC Level 1 vs Level 2 guide.

Why FCI matters: it triggers CMMC Level 1

The presence of FCI on your systems is what makes you a CMMC Level 1 contractor. The DoD's rule at 32 CFR Part 170 defines Level 1 as the tier that protects FCI. The implementing clause — FAR 52.204-21(b)(1) — lists 15 safeguarding requirements you must meet on any system that processes, stores, or transmits FCI. The requirements have been in federal contracts since 2016; what changed with CMMC is the annual senior-official affirmation posted in SPRS.

What to do this week

Audit your inbox.Search your email for the contracting officer's name and the contract number. Every non-public attachment you find is FCI.
Identify the systems those documents touch: which email account, which laptop, which file share, which backup. Those systems are in your CMMC Level 1 scope.
Take the free CMMC check to confirm Level 1 actually applies.
Subscribe to the Monday Bid Digest — weekly Level 1-fit federal opportunities, free.

FAQ

What is Federal Contract Information (FCI)?

Non-public information you receive or generate under a federal contract. Defined at FAR 4.1901. Triggers CMMC Level 1.

Is an email from a contracting officer FCI?

Usually yes — any non-public contract correspondence (schedules, pricing, technical direction, feedback) is FCI under FAR 4.1901.

Is FCI the same as CUI?

No. CUI is information the government has specifically designated for safeguarding, identified by a banner marking. FCI has no marking. CUI triggers Level 2; FCI triggers Level 1.

Does FCI apply to civilian agency contracts?

Yes. FAR 52.204-21 applies to all federal contracts above the micro-purchase threshold. The SPRS affirmation piece is currently DoD only.

If I never get a document marked CUI, am I always Level 1?

Almost always — unless your contract contains DFARS 252.204-7012, which anticipates CUI even before the first document arrives. Check the clauses in your contract.