Federal Contract Information
Also known as: FCI
Federal Contract Information (FCI) is non-public information provided by or generated for the federal government under a contract to develop or deliver a product or service. It is the information type protected under FAR 52.204-21 and is the trigger for CMMC Level 1.
In more detail
FCI explicitly excludes information that the government has marked public or is otherwise routinely available — pricing on a published GSA schedule, a public solicitation, your own commercial offering. It includes everything else that exists because of the contract: drawings, statements of work, internal correspondence with the contracting officer, performance data.
FCI is unmarked. There is no "FCI" stamp the government applies. Contractors are expected to treat all non-public contract information as FCI unless explicitly told otherwise.
Related terms
- Controlled Unclassified Information
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections — and at the contractual level, CMMC Level 2.
- Covered Defense Information
Covered Defense Information (CDI) is the subset of CUI that DoD specifically requires contractors to protect under DFARS 252.204-7012. It includes unclassified controlled technical information and other information that requires safeguarding when in support of a DoD contract.
- FAR 52.204-21
FAR 52.204-21 is the Federal Acquisition Regulation clause that requires federal contractors to apply 15 basic safeguarding requirements to systems that process, store, or transmit Federal Contract Information (FCI). It is the regulatory basis for CMMC Level 1 — the 15 Level 1 practices are drawn directly from paragraph (b)(1) of this clause.
- CMMC Level 1
CMMC Level 1 is the lowest of the three CMMC certification tiers, covering contractors who handle Federal Contract Information (FCI) but not CUI. It requires implementing the 15 safeguarding requirements in FAR 52.204-21(b)(1), an annual self-assessment, and an annual senior-official affirmation posted in SPRS.
Read more in the Library
- What Is FCI? The 90-Second Definition That Decides Your CMMC Level (2026)
FCI is the routine non-public information you handle under a federal contract. It's what triggers CMMC Level 1 — and it's almost certainly already in your inbox.
- CUI vs FCI: What's the Difference? (With 12 Real Examples) — 2026
FCI triggers CMMC Level 1. CUI triggers CMMC Level 2. Mix them up and you'll either over-spend by $20k or under-comply on a federal contract.
- Do I Even Need CMMC? A 4-Question Decision Tree for 2026
Half the small businesses asking about CMMC don't actually need it — and the other half need it more urgently than they realize. Four questions and you'll know where you stand.