Here’s a situation that comes up more than you’d think. A defense contractor has been working government contracts for years. They take data security seriously — password policies, locked file cabinets, access controls on shared drives. Then they start working through CMMC compliance and someone asks: “So what type of government data are you actually handling?”
Silence.
Not because they don’t care, but because no one has ever framed the question that way before. They know the data is sensitive. They know it’s government-related. But whether it’s FCI or CUI — and why that distinction even matters — is something they’ve never had to think through explicitly.
That’s a problem, because the type of data you handle isn’t just a classification label. It determines which CMMC level applies to you, how many controls you need to implement, whether you can self-attest or need a third-party assessor, and ultimately what compliance is going to cost you. Getting this wrong — in either direction — has real consequences.
This article breaks it down plainly so you know exactly where you stand.

What Is Federal Contract Information?
Federal Contract Information, or FCI, is defined in FAR 52.204-21 as information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government.
In everyday terms: if you’re working on a government contract and you’re generating or receiving information that’s specific to that work and not meant to be shared publicly, that’s FCI. It’s a broad category by design.
What does it look like in practice? Think statements of work, deliverable reports, contract correspondence with your contracting officer, internal documents you created specifically to fulfill the contract, pricing details, and project schedules tied to government work. If it was created in the course of doing government work and it’s not something the government has approved for public distribution, it’s almost certainly FCI.
What it’s not: publicly available specifications, information the government has already released, or general business records that have nothing to do with the contract itself.
The compliance implication: FCI triggers CMMC Level 1 — 17 basic cybersecurity practices pulled from FAR 52.204-21. Level 1 allows annual self-attestation, meaning you don’t need a third-party auditor. But self-attestation is still a legal commitment. Signing off on compliance you haven’t actually achieved creates False Claims Act exposure.
What Is Controlled Unclassified Information?
CUI — Controlled Unclassified Information — is a step up in both sensitivity and specificity. It’s government-created or government-owned information that requires safeguarding under law, federal regulation, or government-wide policy. The critical word there is “requires.” CUI isn’t just information someone decided to be careful with — it’s information that has a legal or regulatory basis for protection.
It’s also not classified. CUI sits in the space between publicly available information and classified national security data. The National Archives and Records Administration (NARA) maintains a CUI Registry that lists over 100 designated categories. For data to qualify as CUI, it has to fall into one of those categories — it can’t just feel sensitive.
For DoD contractors, the CUI categories that come up most often include:
- Technical data and engineering drawings
- Export-controlled information covered under EAR or ITAR
- Acquisition and procurement-sensitive information
- Personally identifiable information (PII) shared by a government agency
- Controlled technical information tied to defense systems
In practice, you’re dealing with CUI when you’re working with defense specifications, technical manuals marked with CUI designations, contract data requirements that involve sensitive design data, or research deliverables developed under DoD funding agreements.
The compliance implication: CUI triggers CMMC Level 2 — 110 security practices aligned to NIST SP 800-171. Most Level 2 contracts require a formal assessment by a Certified Third-Party Assessment Organization (C3PAO). This is where the real compliance investment is for most defense contractors, and why understanding whether you have CUI matters so much before you budget or bid.
The Key Differences Side by Side
The simplest way to keep these straight:
FCI is broad. Almost any information you generate or receive under a federal contract qualifies, as long as it’s not meant for public release. It’s governed by FAR 52.204-21 and drives CMMC Level 1.
CUI is specific. It must fall into a NARA-designated category to qualify, and it’s governed by DFARS 252.204-7012 and NIST SP 800-171. It drives CMMC Level 2.
One thing that trips people up: CUI must be marked with a CUI designation — but legacy documents and older contracts often aren’t. The absence of a CUI marking does not mean the information isn’t CUI. Classification follows the content and its category, not whether someone stamped a header on the document. If you’re working with older technical data from DoD contracts and no one has reviewed it for CUI content, that’s a gap worth closing.
Another common point of confusion: not every piece of sensitive business information is either of these things. Internal financial data, HR records, and proprietary business information that exist independently of your government work don’t fall into FCI or CUI. The classification only attaches to information that’s tied to the government contract relationship.

Which Contracts Trigger Which Requirements?
The fastest way to figure out where you stand is to look at your contract clauses.
If your contract includes FAR 52.204-21, you have FCI obligations. This clause shows up in nearly every federal contract for goods or services, including a lot of commercial item contracts. It’s the baseline, and almost no DoD contractor is below it.
If your contract includes DFARS 252.204-7012, you have CUI obligations. This clause signals that the work involves controlled technical information or other CUI, and it requires you to implement the NIST SP 800-171 controls and report cyber incidents to DoD within 72 hours. Finding this clause in your contract is the clearest signal that CMMC Level 2 readiness is in your future.
Some common contract types and where they typically land:
- General IT services or administrative support to federal agencies — usually FCI only
- Facilities management or logistics contracts — often FCI, occasionally CUI depending on the information involved
- Defense research and development contracts — almost always CUI
- Weapons system development or technical engineering work — CUI, and often multiple CUI categories at once
- Contracts involving access to military personnel records or PII — CUI
One important nuance for subcontractors: your data type is determined by what the prime contractor actually passes down to you, not by what the prime handles overall. A prime might work with CUI at the program level but share only FCI with a sub who handles logistics or administrative tasks. That determination needs to be documented and confirmed — not assumed — because primes are responsible for ensuring their subs understand exactly what obligations come with the data they’re receiving.
What Gets Contractors into Trouble
A few patterns come up repeatedly when contractors mishandle this distinction. The first is assuming that unmarked data is unprotected data. If you’re working with technical documentation from a DoD program and nobody ever put a CUI marking on it, that doesn’t give you a free pass. The question is what the document contains and whether its content falls into a CUI category — not whether someone applied a header.
The second is treating FCI as a lower priority because the bar is lower. It’s a relative bar, not an optional one. The 17 Level 1 practices exist for a reason, and self-attestation without actually implementing them is a legal risk, not a paperwork shortcut.
The third is letting classification sit static across a contract’s lifecycle. The data environment on a multi-year DoD contract often evolves. What starts as straightforward FCI can take on CUI characteristics as technical depth increases, as government-furnished data gets introduced, or as the scope of deliverables changes. Building a classification review into your contract management process — not just at award — prevents surprises.
Getting It Right: A Practical Starting Point
You don’t need a compliance program overhaul to start getting clarity on this. A few concrete steps cover most of the ground:
- Pull your active DoD contracts and search for FAR 52.204-21 and DFARS 252.204-7012. Map each contract to FCI or CUI based on what you find.
- Do a data flow walkthrough. Identify where contract information enters your organization, how it moves, where it’s stored, and who has access — including any vendors or subcontractors.
- Check the NARA CUI Registry at archives.gov if you’re uncertain whether specific data qualifies. The categories are listed with descriptions, and it’s a public resource.
- Document your classification decisions in your System Security Plan. Don’t rely on institutional memory or informal understanding. If it’s not written down, it doesn’t hold up in an assessment.
- Build a review into your contract management process so that classification gets revisited at major milestones — not just at award.
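The first step above, mapping each contract to FCI or CUI from the clauses it incorporates, is easy to do by hand for a handful of contracts and error-prone for fifty. The script below is an added example written for this article, not code from the article or from Stealth Technology Group. It scans contract text for FAR 52.204-21 and DFARS 252.204-7012, lets the DFARS clause dominate (a CUI contract carries FCI-level obligations as well), and flags contracts with neither clause for manual review rather than declaring them clear, since the absence of a clause or a marking does not prove the data is not CUI. The contract snippets are constructed sample text, not real contracts.

```python
"""Map contracts to FCI/CUI obligations from the clauses they incorporate.

Added example for illustration; the contract text below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Clause identifiers as they appear in contract text. The leading \b keeps
# "52.204-21" from matching inside a longer number such as "252.204-21".
FCI_CLAUSE = re.compile(r"\b52\.204-21\b")
CUI_CLAUSE = re.compile(r"\b252\.204-7012\b")


@dataclass
class ContractClassification:
    contract_id: str
    has_fci_clause: bool
    has_cui_clause: bool

    @property
    def data_type(self) -> str:
        # DFARS 252.204-7012 dominates: CUI obligations include the FCI baseline.
        if self.has_cui_clause:
            return "CUI"
        if self.has_fci_clause:
            return "FCI"
        # Neither clause found. This is not a clean bill of health: legacy
        # contracts and unmarked technical data still need a content review.
        return "UNDETERMINED"

    @property
    def cmmc_level(self) -> Optional[int]:
        # Level numbers as the article describes them: FCI -> 1, CUI -> 2.
        return {"FCI": 1, "CUI": 2}.get(self.data_type)

    @property
    def needs_manual_review(self) -> bool:
        return self.data_type == "UNDETERMINED"


def classify_contract(contract_id: str, text: str) -> ContractClassification:
    """Classify one contract from its full text."""
    return ContractClassification(
        contract_id=contract_id,
        has_fci_clause=bool(FCI_CLAUSE.search(text)),
        has_cui_clause=bool(CUI_CLAUSE.search(text)),
    )


def classify_all(contracts: Dict[str, str]) -> List[ContractClassification]:
    """Classify a mapping of contract id -> contract text."""
    return [classify_contract(cid, text) for cid, text in contracts.items()]


def summarize(results: List[ContractClassification]) -> Dict[str, int]:
    """Count contracts per data type, for a quick scoping overview."""
    counts = {"FCI": 0, "CUI": 0, "UNDETERMINED": 0}
    for result in results:
        counts[result.data_type] += 1
    return counts


# Constructed sample contract excerpts (not real contracts).
SAMPLE_CONTRACTS = {
    "C-001": (
        "SECTION I - CONTRACT CLAUSES. 52.204-21 Basic Safeguarding of Covered "
        "Contractor Information Systems. 52.212-4 Contract Terms and Conditions."
    ),
    "C-002": (
        "Clauses incorporated by reference: FAR 52.204-21; DFARS 252.204-7012 "
        "Safeguarding Covered Defense Information and Cyber Incident Reporting."
    ),
    "C-003": "Purchase order for office furniture. No safeguarding clauses cited.",
    "C-004": "Subcontract flowdown: DFARS 252.204-7012 applies to all CDRL items.",
}


if __name__ == "__main__":
    results = classify_all(SAMPLE_CONTRACTS)
    for r in results:
        level = f"CMMC Level {r.cmmc_level}" if r.cmmc_level else "review manually"
        print(f"{r.contract_id}: {r.data_type:12s} {level}")
    print("Summary:", summarize(results))
```

Run it over the text extracted from your actual contract files (one string per contract) and treat the UNDETERMINED bucket as a work queue, not as a list of contracts with no obligations. The output is the starting point for the data flow walkthrough and the classification decisions recorded in the System Security Plan, not a substitute for either.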

The Bottom Line
FCI and CUI aren’t just government acronyms to memorize for a compliance checklist. They’re the foundation of your entire CMMC strategy. Misclassifying down means you’re out of compliance and exposed. Misclassifying up means you’re spending money on controls you don’t actually need.
The rules here are more defined than they might seem from the outside. The contract clauses tell you what applies. The NARA registry tells you what qualifies as CUI. And a structured data flow mapping exercise tells you where that data actually lives in your environment. If you’ve never done a formal classification review, or if you’re not confident your current scoping reflects what’s actually in your contracts, that’s the right place to start.
Ready to clarify your data classification and CMMC obligations?
Stealth Technology Group works with DoD contractors to cut through the complexity — from data classification reviews to full CMMC readiness assessments. We’ll give you a straight picture of where you stand and what needs to happen next. Call us at (617) 903-5559 or visit our contact page for more information.
